One of the key phrases of the Federal Acquisition Security Council's 2019 strategy is its recognition that "before the enactment of the SECURE Technology Act [in 2018] there was no centralized construct to unify federal supply chain risk management (SCRM) activities."
More than three years later, it appears that the effort to unify supply chain risk management efforts is in trouble.
For example, since November, at least six agencies have issued notices or requests for information/proposals to industry seeking feedback on how to do more to protect their supply chains.
From the General Services Administration to the Army Contracting Command to the Department of Homeland Security, there seems to be widespread recognition that whatever agencies are doing today is not enough.
Each of the notices addresses a different aspect of this challenge, but the common theme is clear: more data, more help and more resources are needed to tackle this ever-growing problem.
"The need for careful consideration of supply chain risks was highlighted during the cybersecurity breach of 2020, where multiple federal government information technology (IT) systems were compromised by foreign adversaries. Initial reports indicate that foreign adversaries exploited supply chain vulnerabilities in several widely used information and communications technology (ICT) products," the Centers for Medicare & Medicaid Services wrote in its January 28 RFI. "While supply chain management practices are well entrenched in federal procurement policy and procedures, certain products and services require careful consideration due to significant inherent risks associated with their supply chain. Recent legislation and executive actions have also heightened the need for greater scrutiny when procuring ICT and electrical system components."
The most recent effort comes from the National Institute of Standards and Technology. It will publish an RFI Tuesday asking for feedback on how to update its cybersecurity framework, both generally and more specifically around supply chain risk management.
NIST asks four specific questions about C-SCRM and the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), which it launched last August.
Among the questions NIST is seeking comment on are the biggest challenges to C-SCRM, possible approaches, tools, standards and guidelines, and how best to integrate these efforts.
CMS seeks data to combat threats
Other initiatives focus on solving agency-specific problems.
CMS is looking for help internally, specifically to identify and use capabilities that would allow it to mitigate potential malicious threats from hardware and software as well as counterfeit products.
"The government is interested in learning more about (1) the supply chain risk due diligence information that will be provided; and (2) the tool, product, or system solution used to provide due diligence information," the RFI said.
The deadline for the CMS RFI was February 15.
GSA's recent RFI is more focused on its contracts and is directly related to the efforts of the Federal Acquisition Security Council (FASC).
"GSA seeks cyber supply chain information to define and integrate cyber supply chain security control requirements in relation to ICT product and/or service offerings offered on the GSA market," GSA stated in an RFI issued in January. "The information sought in this RFI will provide guidance on establishing the level of cybersecurity supply chain risk management (C-SCRM) security controls that GSA should require from suppliers regarding offerings of ICT products and services in the GSA market."
GSA posed 11 questions in the RFI, ranging from best practices for categorizing software and hardware products to the evidence vendors should provide to validate how they meet C-SCRM standards, guidelines or best practices.
GSA is asking for responses from industry by February 28.
Counterfeit products remain a concern
This RFI builds on the efforts of the FASC, some of which are led by GSA. For example, in October GSA launched the Cyber Supply Chain Risk Management Acquisition Community of Practice (ACoP C-SCRM).
"One of the first major initiatives that ACoP C-SCRM will support is the GSA and Cybersecurity and Infrastructure Security Agency (CISA) co-leading a collaborative effort with agencies to mature integrating C-SCRM into the acquisition process. The result will be increased maturity on strategy, governance and operations based on lessons learned. We look forward to connecting with everyone in the federal government as we begin this collaborative journey through our campaigns to build stronger C-SCRM acquisition programs," the October announcement said.
Similar themes emerged from the efforts of the Army Contracting Command (ACC) and the Social Security Administration.
SSA's solicitation sought a third party to provide ERAI counterfeit-parts reporting and avoidance services covering major agency purchases.
"This solution will provide the SSA with targeted and predictive insights to help certify, monitor and analyze IT vendors, which will ultimately mitigate risk to the agency," the solicitation stated.
ACC held a symposium with industry in early December as part of its efforts to "learn about supply chain initiatives for the defense industrial base, to increase transparency, resilience and identify potential strategies for risk mitigation."
While ACC did not focus solely on cybersecurity, its event highlighted the need "to develop policy, regulatory, legislative, and investment recommendations to strengthen American manufacturing capability and the defense industrial base."
The Department of Homeland Security has stopped short of issuing an RFI, but has told industry it will hold vendors more accountable for their cyber hygiene efforts.
Eric Hysen, DHS chief information officer, and Paul Courtney, DHS chief procurement officer, wrote in a February 2 notice to contractors that the department will issue a self-assessment questionnaire to better understand how vendors adhere to leading cybersecurity and cyber hygiene practices, as a condition of contract award.
"By releasing this questionnaire to our vendors, we plan to establish a statistically viable assessment of overall cyber hygiene risk across DHS that will guide further work toward a better cyber posture and help establish the direction of future development of the program, including government-led assessments," the notice states. "This process is again a critical step in our progress toward maturing our cyber supply chain risk management (C-SCRM) program and homeland protection."
The 8 Supply Chain Provisions of the NDAA
These individual efforts are in addition to new congressional requirements in the fiscal 2022 National Defense Authorization Act. Subtitle E of the NDAA contains eight provisions relating to the Department of Defense's management of its supply chain.
Again, while many of these mandates are broader than cyber, Congress has identified the need for DoD to leverage data and analytics tools to reduce risk in its supply chain.
To this end, the NDAA directs DoD to "develop a supply chain risk assessment framework," which should provide a map of supply chains that supports analysis, monitoring and reporting regarding high-risk subcontractors and the risks to those supply chains.
The NDAA also directs DoD to designate a lead internal organization and develop milestones for deploying the risk assessment framework and its supporting technologies.
"We note the potential of advanced, commercial data analytics systems and technologies to provide new capabilities for assessing and analyzing defense supply chains. For example, advances in decision science, commercial data analytics systems, and machine learning techniques can be applied to such an effort," the NDAA said. "We recommend that the Secretary of Defense consider the development of a database to integrate the current disparate data systems that contain defense supply chain information and to help ensure availability, interoperability and centralized reporting of data to support effective mitigation and remediation of identified supply chain vulnerabilities. We note that the secretary must ensure that systems are scalable to support multiple users, include robust cybersecurity capabilities, and are optimized for information sharing and collaboration."
It's hard to argue against any of these efforts, whether they are agency-specific, like those of CMS or SSA, or span all of an agency's contracts, like those of GSA and DoD.
The question remains whether the FASC will bring some semblance of oversight and governance to these programs, or whether it will take a thousand flowers blooming and tens of millions of dollars spent before a forcing function (as if SolarWinds weren't enough) brings order to C-SCRM.