DHS: Agencies need greater authority to protect tech supply chain

Department of Homeland Security officials told a congressional committee they would support additional authorities to better emphasize security in technology supply chain management throughout the federal government.

The topic was discussed as the House Homeland Security committee convened to review a DHS initiative kicked off in February to examine supply chain vulnerabilities among federal agencies. Representative Peter King (R-N.Y.) lamented that the federal government is "behind the curve" in supply chain security, saying it's "clear that additional tools, policies, resources and legal authorities are urgently needed to address this challenge."

Soraya Correa, chief procurement officer at DHS, told the committee that current contracting and acquisition rules are not set up to adequately track and mitigate threats that flow from the convoluted and multi-layered global supply chain. In many cases, DHS contracting officers are not given specific intelligence about a supply chain threat. Instead, they are "advised broadly" that a risk exists and given general guidance for how to respond.

In unclassified procurements, which Correa said made up the vast majority of purchases at DHS, the contracting officer's actions are restricted because the process is designed to emphasize not security but due process and fair and the equitable treatment of all potential vendors.

DHS CIO John Zangardi said that while mitigation through existing government laws and policies is the preferred "least harm" solution for dealing with supply chain risks, that "gaps exist in the department's authority to use intelligence to support its procurement decisions when a significant supply chain risk cannot be mitigated."

A day earlier, the Trump administration submitted a legislative proposal to Congress that would create an interagency council empowered to set supply chain security policy for the federal government. A similar bill was introduced last month by Sens. James Lankford (R-Okla.) and Claire McCaskill (D-Mo.).

Zangardi expressed support for the administration's proposal in his opening comments, arguing it would give DHS and other agencies the flexibility needed to share information and swiftly cut off companies that pose a potential risk.

King floated the possibility of granting DHS similar authority granted to Department of Defense through the 2011 National Defense Authorization Act to consider the impact of supply chain risks when dealing with national security systems. Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at DHS, concurred, adding that other executive branch agencies should have the same capability.

The hearing comes as Congress and the executive branch have taken increasingly aggressive actions over the past year to cut off the federal government's reliance on companies suspected of having ties to foreign governments or who may pose a cybersecurity risk. Russian antivirus firm Kaspersky Labs as well as Chinese telecommunications companies Huawei and ZTE have all been the subject of both regulatory and procurement restrictions and were repeatedly referenced by lawmakers during the hearing.

The push is causing both federal agencies and contractors to balance security with the realities of the global supply chain, where vendors routinely outsource individual components of their products to countries that will provide the lowest costs.

Last month, an official from the Office of the Director of National Intelligence told FCW that the government is communicating with private companies in an effort to convey "the total cost of ownership" with respect to supply chain decisions and that country of origin was "a very relevant factor."

Manfra echoed those comments, saying that cybersecurity officials were focusing on the legal environments of certain countries and not necessarily specific companies.

"What we're looking at is less about the company and more about the laws that company is compelled to follow. Both Chinese and Russian laws compel access [to data] that we're concerned about," she said.