Page 36 - Federal Computer Week, May/June 2019

Are new supply chain regulations the answer?
The U.S. CISO and other IT leaders are looking for ways to strengthen federal procurement rules and secure an increasingly complex supply chain

By Derek B. Johnson

The federal government’s top IT security chief has floated the possibility of new regulations to enhance protections and transparency in the technology supply chain and has asked industry for feedback.
At an April event hosted by the Intelligence and National Security Alliance, U.S. Chief Information Security Officer Grant Schneider questioned whether the U.S. government and suppliers have a successful model to weigh security risks in purchasing and acquisition. Such a model would naturally lead individuals, the private sector and federal agencies to discriminate against low-cost, low-security parts and components in favor of costlier, more secure ones, he added.
“We’re very much looking for feedback on how we do market incentives [and] where we can focus in the federal government because I don’t believe that the free market is necessarily going to get us there in cybersecurity,” Schneider said. “At least, it’s not going to get us there fast enough.”
One potential tool: new regulations.
Thus far, the Trump administration has been characterized by its zeal for cutting government regulations. However, that enthusiasm — as well as an administration policy of cutting two existing regulations for every new one introduced — could work in favor of more action on supply chain security.
“As much as we are, from an administration standpoint, focused on reducing regulation, I will tell you that with the two [regulations] out for every one that comes in [rule], we...have headspace if we need to bring a regulation in around cybersecurity,” Schneider said. “And I actually think this is a place where we could do that, if it makes sense.”
Late last year, Congress passed legislation that created the Federal Acquisition Security Council, an interagency and industry group that will explore how to adjust acquisition and procurement rules to deal with emerging cyberthreats and increasingly complex supply chains that even primary contractors can’t sort out. Schneider, who serves as co-chairman of the new council and senior director of cybersecurity policy for the National Security Council, said the new panel was scheduled to hold its first meeting with agencies in April but was still largely focused on establishing a charter and developing a strategic plan.
Large companies often have the resources and financial incentives to keep a close eye on a byzantine supply chain where dozens if not hundreds of designers, manufacturers and suppliers collaborate to build a technology product. Smaller or midsize companies, however, frequently do not scrutinize the security of their suppliers, and every partner they rely on for parts and components represents another potential weak link that nation-states or criminal groups could exploit.
In a March survey for the National Defense Industrial Association, many small and midsize defense contractors