CISA supply chain assessment hits the home stretch

The recently established Federal Acquisition Security Council is ramping up resources to help agencies better understand and manage their supply chain security risks.

FASC "is going to serve as the governance structure to elevate the security within federal acquisition processes" the Cybersecurity and Infrastructure Security Agency's Bob Kolasky said at a July 16 FCW briefing on supply chain security. A key part of that effort, he said, is to "create an information repository that can be called on … to help make smarter procurement decisions." The goal, he stressed, is not to pick preferred vendors or "be anti-competitive, but to draw on the best information we have."

Kolasky, who directs CISA's National Risk Management Center, said his team is supporting the FASC efforts, which also include guidance on "how to use removal or exclusion authorities," when the risk is deemed extreme -- as was the case for Kaspersky Labs and Huawei products. A wide range of interim steps are available to agencies when the risk is less severe -- or unavoidable, as is sometimes the case with overseas telecommunications infrastructure -- but "you're allowed to take steps to keep bad things off your system," Kolasky said. "There's a right to due process, but we also have a right to not do business with companies whose products and services might undermine our systems."

Kolasky said his office also was pushing hard on the supply chain security assessment required by President Donald Trump's May executive order, saying it would inform new regulations for industry being crafted by the Commerce Department secretary. That assessment is due in mid-August.

"We are looking across the [information and communications technology] supply chain and identifying the most critical nodes," he said. While that's an ambitious task given executive order's tight deadline, Kolasky said, "the way we've approached it is setting up an overall framework that can -- as data gets better, as information gets better -- continue to get to more fidelity at making distinction across the risk spectrum and we can start to understand where the suppliers are in those."

Other participants in FCW's July 16 event agreed that better data is key. Commander Robert Winters, the executive officer for the Naval Supply Systems Command's Business Systems Center, pointed to the recently launched Navy Data Platform as an essential tool for managing risk.

"Having a platform of choice like this where we're going to have a single source of truth will help us get to those indirect effects where we can now see what we don't know about risks in the supply chain," he said.

Deborah Pierre-Louis, the State Department's director for the Office of Policy, Liaison and Training in the Bureau of Information Resource Management, suggested the larger challenge may be making sense of the available data. "We are getting so much information. How do people know what to act on and how seriously to take it?" she asked. "I believe the information is there -- it’s just deciding if this information applies to you and how do you plan on using it."

KPMG Principal Tony Hubbard, meanwhile, predicted that a key challenge will be connecting CISA's governmentwide data with the agency-specific efforts. "Each agency is obviously going to have their own inventory and suppliers," he said, "but when you elevate that to the most critical across the critical infrastructure arena, they have to have a sense of … the most critical providers out there."

If done right, Kolasky said, these efforts will benefit not only federal agencies but the broader IT supply chain. "We drive a lot of the marketplace, obviously," he said of government's purchasing. "The more we use our own purchasing power to improve processes … the more we improve the security of overall IT supply chain."