CISA supply chain assessment hits the home stretch
- By Troy K. Schneider, Anoushka Deshmukh
- Jul 22, 2019
The recently established Federal Acquisition Security Council is ramping up resources to help agencies better understand and manage their supply chain security risks.
FASC "is going to serve as the governance structure to elevate the security within federal acquisition processes" the Cybersecurity and Infrastructure Security Agency's Bob Kolasky said at a July 16 FCW briefing on supply chain security. A key part of that effort, he said, is to "create an information repository that can be called on … to help make smarter procurement decisions." The goal, he stressed, is not to pick preferred vendors or "be anti-competitive, but to draw on the best information we have."
Kolasky, who directs CISA's National Risk Management Center, said his team is supporting the FASC efforts, which also include guidance on "how to use removal or exclusion authorities," when the risk is deemed extreme -- as was the case for Kaspersky Labs and Huawei products. A wide range of interim steps are available to agencies when the risk is less severe -- or unavoidable, as is sometimes the case with overseas telecommunications infrastructure -- but "you're allowed to take steps to keep bad things off your system," Kolasky said. "There's a right to due process, but we also have a right to not do business with companies whose products and services might undermine our systems."
Kolasky said his office also was pushing hard on the supply chain security assessment required by President Donald Trump's May executive order, saying it would inform new regulations for industry being crafted by the Commerce Department secretary. That assessment is due in mid-August.
"We are looking across the [information and communications technology] supply chain and identifying the most critical nodes," he said. While that's an ambitious task given executive order's tight deadline, Kolasky said, "the way we've approached it is setting up an overall framework that can -- as data gets better, as information gets better -- continue to get to more fidelity at making distinction across the risk spectrum and we can start to understand where the suppliers are in those."
Other participants in FCW's July 16 event agreed that better data is key. Commander Robert Winters, the executive officer for the Naval Supply Systems Command's Business Systems Center, pointed to the recently launched Navy Data Platform as an essential tool for managing risk.
"Having a platform of choice like this where we're going to have a single source of truth will help us get to those indirect effects where we can now see what we don't know about risks in the supply chain," he said.
Deborah Pierre-Louis, the State Department's director for the Office of Policy, Liaison and Training in the Bureau of Information Resource Management, suggested the larger challenge may be making sense of the available data. "We are getting so much information. How do people know what to act on and how seriously to take it?" she asked. "I believe the information is there -- it’s just deciding if this information applies to you and how do you plan on using it."
KPMG Principal Tony Hubbard, meanwhile, predicted that a key challenge will be connecting CISA's governmentwide data with the agency-specific efforts. "Each agency is obviously going to have their own inventory and suppliers," he said, "but when you elevate that to the most critical across the critical infrastructure arena, they have to have a sense of … the most critical providers out there."
If done right, Kolasky said, these efforts will benefit not only federal agencies but the broader IT supply chain. "We drive a lot of the marketplace, obviously," he said of government's purchasing. "The more we use our own purchasing power to improve processes … the more we improve the security of overall IT supply chain."
Troy K. Schneider is editor-in-chief of FCW and GCN.
Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of NationalJournal.com, Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, National Journal, Governing, and many of the other titles listed above.
Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.
Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.
Anoushka Deshmukh is an intern with Public Sector 360, writing for GCN, FCW and Defense Systems.