Page 38 - Federal Computer Week, May/June 2019

Procurement
said they did not read or understand documents that spell out baseline federal standards on cybersecurity and the protection of unclassified information systems.
One common complaint from survey respondents: Companies don’t see a strong enough upside to following the rules. For example, some firms said they did not want to spend the money to comply with defense acquisition regulations because it might put them at a cost disadvantage with suppliers that didn’t. Further, there was widespread skepticism that the Defense Department was willing to stop working with noncompliant firms.
“There is concern [among respondents] over whether the DOD is serious enough to be willing to reduce its supplier base during a time where there is trepidation regarding whether there are enough capable suppliers to serve DOD readiness and sustainment needs,” the report states.
That, in effect, is the problem Schneider and other U.S. officials are trying to solve.
“I think big companies are going to spend because of the potential consequences,” he said. “I think midsize and smalls are going to say, ‘Yeah, we’d be really, really mad, but I can’t afford it and what are the odds? The odds are low that I’m going to be the midsize company that gets had and goes out of business with this.’ And, therefore, they’re going to question making those investments.”
How two supply chain security efforts can coexist
Officials say two new federal entities established to reduce cybersecurity risks to the technology supply chain are designed to be complementary, but the partial government shutdown complicated and delayed efforts to sync up their efforts.
Last year, the Department of Homeland Security created the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, composed of representatives from federal agencies, technology companies and industry groups. Soon after, Congress passed the Strengthening and Enhancing Cyber Capabilities by Utilizing Risk Exposure (SECURE) Technology Act, which mandated the creation of the Federal Acquisition Security Council to build greater cybersecurity resilience into procurement and acquisition rules.
Although both groups are focused on reducing vulnerabilities in the technology supply chain, representatives from DHS and the Office of the Director of National Intelligence said at an Atlantic Council event in March that the two groups’ efforts will feed into and complement, not duplicate, one another.
The Federal Acquisition Security Council “is intended to harmonize supply chain risk management choices across government, to work on acquisition regulation and to really help set a standard, create a mechanism by which we can more reliably identify exclusions or major threats to the federal supply chain,” John Costello, a senior counselor to the director of DHS’ Cybersecurity and Infrastructure Security Agency, told FCW.
DHS’ supply chain task force, on the other hand, is envisioned as a vehicle for tackling more long-term foundational issues of risk management and cooperation between government and industry.
Bob Kolasky, who leads CISA’s National Risk Management Center and is co-chairman of the DHS task force, said the group has split into multiple activities that include creating a general inventory of supply chain activities across the government, improving information sharing, developing criteria for how to make risk-based decision frameworks, recommending qualified bidder and manufacturer lists, and looking into procurement rules to incentivize the purchase of products from original manufacturers or authorized resellers.
Costello said the task force is still in the early phases of exploring how to facilitate and standardize information sharing. Finding the answers to those questions and others, such as establishing criteria for threats to ICT products and services, will serve as critical opportunities for the private sector to have input into the council’s efforts to shape and update the government’s procurement rules. That input could also help the council determine the conditions under which agencies might be justified in barring a particular company or product from government networks.
Kolasky said the task force could make its recommendations as early as this summer, around the time the Federal Acquisition Security Council is expected to finish its own strategic plan. He added that connecting the work of the two groups represents “a principal way that private-sector input is getting in to help us in the federal government think through elevating the importance of supply chain security in our acquisition process.”
Joyce Corell, assistant director of the Supply Chain and Cyber Directorate at ODNI, said government officials are not concerned about duplicating work or opening turf battles, in part because there is a large amount of overlap among federal representatives in the two groups. However, she added that early efforts to coordinate activities were hampered by the partial government shutdown. The SECURE Technology Act was signed into law on Dec. 21, 2018, one day before the shutdown forced the DHS supply chain task force to suspend operations.
Like Costello, Corell said she views the task force’s role as just one of a number of ways for the private sector and the public to share ideas with the council on how to reform federal acquisition and procurement. For example, any change in federal regulations recommended by the council would go through the normal regulatory process, including publication in the Federal Register and a public comment period.
— Derek B. Johnson