Federal CISO floats potential for new supply chain regs
- By Derek B. Johnson
- Apr 16, 2019
The federal government's top IT security chief floated the possibility of new regulations to shore up protections and transparency in the technology supply chain and canvassed industry for feedback.
While speaking at a cybersecurity event in Virginia hosted by the Intelligence National Security Alliance, Federal Chief Information Security Officer Grant Schneider questioned whether the U.S. government and suppliers have even worked out a successful model to weigh security risks in purchasing and acquisition. Such a model, he said, would naturally lead individuals, the private sector and federal agencies to discriminate against low-cost, low-security parts and components in favor of costlier, more secure ones.
"We're very much looking for feedback on how we do market incentives, where we can focus in the federal government, because I don't believe that the free market is necessarily going to get us there in cybersecurity," Schneider said. "At least, it's not going to get us there fast enough."
One potential tool: new regulations. Thus far, the Trump administration has been characterized by its zeal for cutting government regulations. However, that enthusiasm -- as well as an administration policy of cutting two existing regulations for every new one introduced -- may actually work in favor of more action in the supply chain security space.
"As much as we are from an administration standpoint focused on reducing regulation, I will tell you that with the two [regulations] out for every one that comes in [rule], we … have headspace if we need to bring a regulation in around cybersecurity, and I actually think this is a place where we could do that, if it makes sense," Schneider said.
Late last year, Congress passed legislation that created a new interagency and industry council to examine how best to tweak federal acquisition and procurement rules to deal with emerging cyber threats and increasingly complex supply chains that even primary contractors can't sort out. Schneider, who also serves as senior director of cybersecurity policy on the National Security Council and co-chair of the Federal Acquisition Supply Chain Security Council, said the new panel will hold its first meeting later this month, but it is still largely focused on establishing a charter and developing a strategic plan.
Large companies and contractors often have the resources and financial incentive to pore through what has become a byzantine technology supply chain where dozens if not hundreds of designers, manufacturers and suppliers collaborate to build a single finished product. Smaller or mid-sized companies frequently do not scrutinize the security of their suppliers, and every partner they rely on for parts and components represents another potential weak link that nation-states or criminal groups can exploit.
Last month, a survey for the National Defense Industrial Association found that a plurality of small and medium-sized defense contractors said they didn't read or understand documents spelling out baseline federal standards on cybersecurity and protecting unclassified information systems.
One common complaint from respondents in that survey: Companies don't see enough upside to following the rules. For example, some firms reported not wanting to spend the money necessary to comply with Defense Federal Acquisition Regulations because it might put them at a cost disadvantage relative to suppliers who didn't. Further, there was widespread skepticism that the Department of Defense was willing to cut off noncompliant firms.
"There is concern [among respondents] over whether the DOD is serious enough to be willing to reduce its supplier base during a time where there is trepidation regarding whether there are enough capable suppliers to serve DOD readiness and sustainment needs," the report said.
That, in effect, is the problem Schneider and other U.S. officials are trying to solve.
"I think big companies are going to spend because of the potential consequences," he said. "I think mid-size and smalls are going to say, ‘Yeah, we'd be really, really mad, but I can't afford it and what are the odds? The odds are low that I'm going to be the mid-size company that gets had and goes out of business with this,' and therefore they're going to question making those investments."
Derek B. Johnson is a former senior staff writer at FCW.