Holistic strategy on IT supply chain needed before it’s too late, experts tell commission


Remember that horror movie when the main character realizes the killer is calling from inside the house?

That’s kind of what the United States is going through right now with its IT systems. The government is slowly realizing that the hardware and software it’s using come from foreign entities, and with the Internet of Things becoming more prevalent, that’s leaving a lot of networks vulnerable.


The U.S.-China Economic and Security Review Commission heard from cyber experts March 8 and the prognosis wasn’t good.

Jennifer Bisceglie, CEO and president of Interos Solutions, testified before the commission and stated that the government is lacking a broad, overarching policy to deal with the issue.

“Our concern is that with 5G and the IoT there is no way to control access to our critical infrastructure, to our personally identifiable information, to our national secrets and national security. With 5G making the speed of connections to other people, other companies, other entities at a hyper pace, the concern is how do we protect ourselves and what protections and policies can we put in place that are repeatable and scalable?” Bisceglie said.

What makes things particularly vulnerable is the interconnectivity of IT systems today. If one government agency slacks, it could affect the government as a whole. What’s bad news for the government is that without an overarching policy outlining how IT systems should be bought, regulated and protected, agencies and industry don’t have a security standard to hold themselves to, leaving room for intrusions.

“The federal acquisition regulations (FAR) right now are written in such a way that cheapest is best. There has not been a sufficient lashing of the FAR to the NIST cybersecurity framework and guidelines such that there are minimum threshold floors on particular technologies and supply chains necessary,” said James Mulvenon, general manager of the special programs division at SOS International.

So what can the government do to protect its systems? Some of the mechanisms are already in place with the Federal IT Acquisition Reform Act (FITARA) and the Modernizing Government Technology Act (MGT), but they are not always being used properly.

“The biggest gap is that security, especially around the multi-tiered supply chain, is mentioned nowhere in any of those acts or policies. You have FITARA that’s very much around financial to make sure the chief information officers have control over the technology within their agencies. You have the MGT Act, which focused on bringing new commercial technologies in, nothing around security… There are pieces out there but there is no comprehensive look at supply chain risk and that’s what we asked them for today is the whole of government,” Bisceglie said.

Bisceglie noted that there are some policies with teeth, but they are not implemented government-wide.

The commission put in place the Wolf provisions, which Bisceglie said ties money to the agencies for security.

The Office of Management and Budget also put out a circular that makes sharing of information easier.

Bisceglie suggests using proper risk management practices before buying foreign parts for important IT systems. Those practices would be tied to appropriations, docking funds if the agencies don’t comply.

That’s especially important as agencies use funds from the MGT Act to modernize their IT systems.

Bisceglie said it’s important for the government to explicitly tell industry what security standards it needs so companies can meet that standard during the acquisition cycle.

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.