How two supply chain security efforts can co-exist

Officials say a pair of newly created entities established by the federal government to reduce cybersecurity risks to the technology supply chain are designed to be complementary, but the partial government shutdown complicated and delayed efforts to sync up the dual efforts.

Last year, the Department of Homeland Security stood up a supply chain task force composed of representatives from federal agencies, private-sector technology companies and industry groups. Nine months later, Congress passed the Secure Technology Act, a law that creates a new Federal Acquisition Supply Chain Security Council to build greater cybersecurity resilience into federal procurement and acquisition rules.

While both bodies are focused on shoring up vulnerabilities in the technology supply chain, representatives from DHS and the Office of the Director of National Intelligence said at a March 27 event hosted by the Atlantic Council that work streams for both efforts will feed into and complement, not duplicate, one another.

"The council is intended to harmonize supply chain risk management choices across government, to work on acquisition regulation and to really help set a standard, create a mechanism by which we can more reliably identify exclusions or major threats to federal supply chain," said John Costello, a senior advisor to the Cybersecurity and Infrastructure Security Agency at DHS in response to a question from FCW.

The supply chain task force, on the other hand, is envisioned as a vehicle to tackle more long-term foundational issues of supply chain risk management and cooperation between government and industry.

Earlier this month, Bob Kolasky, co-chair of the task force, said the group has split up into multiple work streams focused on creating a general inventory of supply chain activities across the government, improving information sharing, developing criteria for how to make risk-based decision frameworks, recommending qualified bidder and manufacturer lists and looking into procurement rules to incentivize the purchase of products from original manufacturers or authorized resellers.

Costello said that on information sharing, the task force is still in the early phases of mapping out "how do we do that?"

"What does that even look like, how do we even standardize that like we're doing with STIX and TAXII [machine readable threat information feeds] and Indications of Compromise?" he asked.

The task force's findings on those questions and others, like establishing criteria for threats to information and communications technology products and services, will serve as critical private-sector input for efforts by the council to shape and update procurement rules across the government. It could also help the council, empowered to establish criteria for exclusion orders, to determine the conditions under which agencies might be justified in barring a particular company or product from government networks.

Kolasky said the task force expects to have a set of recommendations ready by the summer, right around the time the council is expected to finish its own strategic plan. He cited "continuing to make the connection" between the work of the two bodies as "a principal way that private sector input is getting in to helping us in the federal government think through elevating the importance of supply chain security into our acquisitions process."

Joyce Corell, assistant director for the Supply Chain and Cyber Directorate at ODNI, said that the government isn't worried about duplicating work streams or turf battles, noting that there is a large amount of overlap in federal representation on both bodies. However, she said that early efforts to coordinate between the task force and the council were hampered by the partial government shutdown. The Secure Technology Act was signed into law Dec. 21, 2018, one day before the shutdown forced the DHS supply chain task force to close down operations.

"The synchronization didn't happen smoothly due to the partial government shutdown," Corell told FCW.

Like Costello, Corell said she views the task force's role as just one of a number ways the private sector and public can funnel feedback to the council on how to approach federal acquisition and procurement reform. For example, any change in federal regulations recommended by the council would go through the normal regulatory process, including being published in the Federal Register and a public comment period.