Senate passes bill to establish governmentwide supply chain council

The Senate passed legislation Dec. 18 that would establish an interagency council with broad authority to develop rules of the road for federal supply chain security.

The Federal Acquisition Supply Chain Security Council will be charged with steering the development of National Institute of Standards and Technology guidelines on supply chain risk management, crafting information-sharing protocols between federal and non-federal entities, establishing a lead agency to oversee the information-sharing process and looking into broadly applicable contracting solutions, such as subscription services or machine learning-enhanced analysis, that can guide procurement decisions.

Crucially, it will also develop the criteria for exclusion or removal orders issued by cabinet secretaries to prohibit agencies from purchasing certain products or mandate removal of software from their information systems based on supply chain risks.

The Department of Homeland Security secretary would have the authority to issue such orders on behalf of all civilian federal agencies, while the secretary of Defense and director of national intelligence would have authority over their own agencies.

The bill, originally sponsored by outgoing Sen. Claire McCaskill (D-Mo.), must still pass the House and be signed by the president. McCaskill could not be reached for comment.

"The Senate passage of this bill helps the federal government move in the right direction to strengthen cybersecurity vulnerabilities," said Sen. James Lankford (R-Okla.), one of the bill's co-sponsors. "We must have a process in place to address security threats in our supply chain before they become security realities. We should learn from past mistakes in purchasing and close our security gaps."

The federal government has executed similar authorities on a piecemeal basis in the past, citing security threats. DHS issued a directive to civilian agencies in 2017 that banned the purchase of Kaspersky Labs products and ordered agencies to purge any existing software from their information systems, while DOD banned the purchase of Huawei and ZTE products while restricting their use for military personnel.

However, as it has become more clear that the decentralized rules governing supply chain economics created similar potential risks from other companies and contractors, U.S. officials and Congress have searched for a more holistic solution.

The Cybersecurity and Infrastructure Security Agency at DHS has stood up its own supply chain task force composed of government agencies, vendors and other private sector organizations.

A company subject to such exclusion or removal orders is not able to protest bids through the Government Accountability Office. Legal challenges are restricted to the United States Court of Appeals for the District of Columbia, and a decision may only be overturned if it is found to be "arbitrary, capricious, an abuse of discretion," was taken "in excess of statutory jurisdiction" or lacking "substantial support in the administrative record" to justify the action.

The amended version that passed the Senate also specifies that the government may not simply ban products or companies "based solely on the fact of foreign ownership of a potential procurement source" if otherwise qualified to contract with the federal government.