DHS developing supply chain security initiative

The Department of Homeland Security launched an internal supply chain cybersecurity initiative to determine where government agencies and private companies are lacking, the agency's top cyber official Jeanette Manfra announced at a Brookings Institution tech event in Washington, D.C., Feb. 14.

The move comes in the wake of the agency's management of a governmentwide ban on Kaspersky Lab software because of the company's alleged ties to Russian intelligence.

"We can't just all throw up our hands and say, 'It's too complicated, I'll never know where the code is coming from.' At some point we will know; we can figure it out -- collectively," Manfra, who is the assistant secretary for cybersecurity, said during a panel discussion commemorating the fourth anniversary of the National Institute for Standards and Technology cybersecurity framework and the future of cybersecurity.

Working on supply chain issues isn't new for DHS, but the new initiative, launched via an internal memo earlier this year, is "a focused effort with dedicated staff," Manfra said.

"We need to have improved ability for DHS, [General Services Administration], the intel community to be in a position to help inform procurement decisions by the federal government and other agencies throughout the civilian government," Manfra told reporters following the event. "We're working on building those mechanisms and DHS' role in pulling that altogether, and also working with industry experts to refine what are the supply chain risks that we should be concerned about."

Manfra also mentioned NIST as a partner during the panel discussion.

DHS' supply chain effort doesn't have a "done" date, as Manfra put it, but is more of a "potentially enduring function" that serves as a "concerted effort to take all of the potential gaps that may be in the federal system or industry and figure out what is the role of DHS."

A DHS official told FCW via email the initiative will provide actionable information about supply chain risks and mitigations to users, buyers, manufacturers and sellers of tech products. It will also identify risks to federal networks and other national or global stakeholders.

"As we develop this capability, we are collaborating with our public and private sector partners to ensure the initiative meets the supply chain risk management needs of our diverse stakeholder groups," the official said.