Cybersecurity

Senate passes bill to establish governmentwide supply chain council


The Senate passed legislation Dec. 18 that would establish an interagency council with broad authority to develop rules of the road for federal supply chain security.

The Federal Acquisition Supply Chain Security Council will be charged with steering the development of National Institute of Standards and Technology guidelines on supply chain risk management, crafting information-sharing protocols between federal and non-federal entities, establishing a lead agency to oversee the information-sharing process and looking into broadly applicable contracting solutions, such as subscription services or machine learning-enhanced analysis, that can guide procurement decisions.

Crucially, it will also develop the criteria for exclusion or removal orders issued by cabinet secretaries to prohibit agencies from purchasing certain products or mandate removal of software from their information systems based on supply chain risks.

The Department of Homeland Security secretary would have the authority to issue such orders on behalf of all civilian federal agencies, while the secretary of Defense and director of national intelligence would have authority over their own agencies.

The bill, originally sponsored by outgoing Sen. Claire McCaskill (D-Mo.), must still pass the House and be signed by the president. McCaskill could not be reached for comment.

"The Senate passage of this bill helps the federal government move in the right direction to strengthen cybersecurity vulnerabilities," said Sen. James Lankford (R-Okla.), one of the bill's co-sponsors. "We must have a process in place to address security threats in our supply chain before they become security realities. We should learn from past mistakes in purchasing and close our security gaps."

The federal government has exercised similar authorities on a piecemeal basis in the past, citing security threats. DHS issued a directive to civilian agencies in 2017 that banned the purchase of Kaspersky Labs products and ordered agencies to purge any existing software from their information systems, and DOD banned the purchase of Huawei and ZTE products while restricting their use for military personnel.

However, as it has become clearer that the decentralized rules governing supply chain economics created similar potential risks from other companies and contractors, U.S. officials and Congress have searched for a more holistic solution.

The Cybersecurity and Infrastructure Security Agency at DHS has stood up its own supply chain task force composed of government agencies, vendors and other private sector organizations.

A company subject to such exclusion or removal orders is not able to protest bids through the Government Accountability Office. Legal challenges are restricted to the United States Court of Appeals for the District of Columbia, and a decision may only be overturned if it is found to be "arbitrary, capricious, an abuse of discretion," taken "in excess of statutory jurisdiction" or lacking "substantial support in the administrative record" to justify the action.

The amended version that passed the Senate also specifies that the government may not simply ban products or companies "based solely on the fact of foreign ownership of a potential procurement source" if otherwise qualified to contract with the federal government.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
