U.S. Policymakers Should Take a Risk-Based Approach to ICT Supply Chain Risk Management

On March 16, ITI filed comments to the U.S. Department of Defense (DoD) recommending methods to effectively implement Sec. 5949 of the National Defense Authorization Act (NDAA) for Fiscal Year 2023, a major provision that restricts the federal government from buying electronic equipment that contains semiconductors made by three identified Chinese manufacturers. As the premier global tech trade association, we emphasized in our comments the importance of striking a balance between national security and preserving an efficient and flexible procurement process.

Sec. 5949 is only one part of an ever-growing patchwork of supply chain requirements for federal contractors, many of which merely target a named entity or focus entirely on a source’s country of origin. While ITI strongly supports the U.S. Congress’ goal of ensuring the federal information and communications technology (ICT) supply chain is free of equipment that has been compromised or tampered with, the federal government can realize this goal much more effectively by consolidating this patchwork into a streamlined, risk-based approach to ICT supply chain risk management (SCRM) that enables the government to quickly and nimbly address real security risks. Further, this piecemeal approach is likely to have unintended negative impacts on overall supply chain resiliency for critical products and services. Here’s how the federal government can act quickly to develop and optimize a risk-based approach:

  • Leverage the Federal Acquisition Security Council (FASC) as the focal point for federal supply chain risk management

The FASC, created in the 2018 SECURE Technology Act, is an interagency body composed of subject matter experts from across the government, making it the ideal nucleus for all initiatives related to securing the federal ICT supply chain. The FASC is tasked with, first, conducting objective risk assessments of an IT product’s source and, second, when necessary, recommending the exclusion or removal of problematic equipment from federal networks. To ensure the FASC is well-positioned to serve in this crucial role, it must be fully funded with annual appropriations, engage closely with industry partners to ensure best practices are being leveraged, and be equipped to freely share concrete, actionable threat information with a variety of audiences.

  • Incentivize federal agencies’ adoption of supply chain risk management best practices

In December 2020, the U.S. Government Accountability Office (GAO) surveyed 23 government agencies' adherence to best practices to manage supply chain risks as identified by the National Institute of Standards and Technology (NIST). None of the agencies had fully implemented all seven practices, and concerningly, 14 agencies had not implemented any of the practices, indicating a government-wide need for support in improving agency SCRM posture. To rectify this troubling finding, ITI recommends that policymakers look for ways to incentivize individual agencies to improve their SCRM practices. This could include adding adherence to SCRM guidance released by the FASC to the U.S. House Committee on Oversight and Accountability’s Federal Information Technology Acquisition Reform Act (FITARA) Scorecard or eliminating the Technology Modernization Fund (TMF) five-year payback requirement for agencies that comply with identified SCRM-related best practices.

  • Target risk mitigation actions as narrowly as possible

If the FASC recommends the exclusion or removal of a product determined to present an unacceptable risk, any further action taken by the relevant government official (the Secretary of Homeland Security, the Defense Secretary, or the Director of National Intelligence) should be designed to address the specific risk present while minimizing disruption to the procurement process. This means these actions should be narrowly targeted to address a clearly articulable security risk, tied to products that present the highest levels of risk, and time-limited to give the impacted company sufficient ability to mitigate the risk. The 2017 Department of Homeland Security (DHS) Binding Operational Directive (BOD) removing Kaspersky anti-virus products and solutions from federal networks is a good example of a tailored, risk-based mitigation action.

  • Consider the nature and context of the use of equipment, rather than limiting federal market access through broad “Buy America” requirements

In developing effective ICT SCRM policy, government officials must consider not only the equipment that will be used, but also the nature and context of the use itself. Policymakers must focus closely on where the use occurs and how connected this use is to the contract, mission, or data that the government considers sensitive. For instance, a contractor’s overseas use of equipment in a system that is air-gapped from the entity’s U.S.-based operations is extremely unlikely to pose a risk to government systems.

Rather than imposing a broad “Buy American” procurement restriction that assumes a domestically manufactured product is automatically more secure, policymakers should prioritize the purchase of commercial, best-in-class solutions, and require enhanced security protocols that are commensurate with the government’s use case and the circumstances of the procurement. Purchasing commercial, best-in-class solutions—which are generally developed with the benefit of global supply chains—ensures the U.S. government’s continued access to innovative capabilities. This practice also promotes supply chain resiliency by expanding the diversity of the U.S. government’s supplier base, which should consider existing trade obligations and relationships with international partners.

Moreover, because instances of tampering or the insertion of a counterfeit part into the supply chain can happen in any country (including the U.S.), government officials should consider a multitude of other factors when determining a vendor’s level of maturity, such as whether the company adheres to NIST SP 800-161 or international standards such as International Standards Organization (ISO) 20243, or whether it requires security-related attestations from its subcontractors or suppliers.

Supply chains have grown ever more complex. Only by adopting a true government-wide and risk-based approach will the government be able to ensure resilient and secure supply chains that meet its needs and adhere to its duty to protect our nation’s security.
