Senate bill looks to secure the IT supply chain

A new bipartisan Senate bill looks to build capacity inside the federal government to evaluate supply chain risks with an eye to making sure the government buys secure tech.

The Federal Acquisition Supply Chain Security Act of 2018 from Sens. Claire McCaskill (D-Mo.) and James Lankford (R-Okla.) would establish a new senior cadre of supply chain specialists to monitor the technology acquisition pipeline for cybersecurity threats. The bill also invests the government with new authorities to take action to mitigate risks.

In their statement announcing the bill, Lankford and McCaskill cite the government's recent crackdown on Russian cybersecurity vendor Kaspersky Labs and trade sanctions imposed and then modified against Chinese telecommunications manufacturer ZTE.

"We can't simply respond to supply chain threats piecemeal, we’ve got to have a system in place to assess these risks across the government, and that’s what this bipartisan bill does," McCaskill said.

The bill would establish a new cross-agency Federal Acquisition Security Council to set policy and share information and requires the government adopt standards for measuring supply chain risk and a governmentwide strategy for supply chain security. These assessments would be used by agencies to identify potentially risky IT products. This bill also would require that all IT products available for governmentwide purchase to carry a risk assessment.

The proposed new council includes members from the Office of Management and Budget, the General Services Administration, the National Institute of Standards and Technology, the Department of Homeland Security, the Pentagon and the intelligence community, and would be chaired by a senior OMB official.

The bill also gives agency heads enhanced authority to exclude contractors and subcontractors on supply chain security grounds. According to the bill text, such procurement actions by agency heads are not subject to protest in the General Accountability Office's Procurement Law Division or in the Court of Federal Claims. While agency heads will have to provide written explanations for such decisions, those justifications may wind up being classified.

"This bipartisan bill will help to clarify each government [agency's] role and responsibility and protect the federal government from IT security threats through strengthening supply chain risk management," Lankford said in a statement.