The Department of Homeland Security in July expects to begin rolling out announcements related to a top-down framework it is developing for managing risks to critical infrastructure, including the supply chain, a senior department official said on Wednesday.

“We need to develop a framework across the federal government for internal purchasing, on how to have a risk informed, more appropriate risk management approach to procurement,” Christopher Krebs, undersecretary for the National Protection and Programs Directorate, said at the Security Industry Association’s Government Summit. He said this approach will lead to “smarter procurement,” but another aspect of it is that when the government knows that a company’s computer networks have been “breached or otherwise compromised, what are the mechanisms in place that we can take risk management activities against that.”

Christopher Krebs, Undersecretary of the National Protection and Programs Directorate at DHS
Christopher Krebs, Undersecretary of the National Protection and Programs Directorate at DHS

In addition to the supply chain, Krebs said industrial control systems are also at the top of the department’s cyber risk concerns.

In a media gaggle after his speech, Krebs declined to go into detail about the forthcoming announcements but said they stem from the evolution of DHS’ thinking around risk management.

“What you are seeing is a kind of manifestation, a maturation, whatever you want to call it, of where we’re putting our priorities and how we’re thinking about risk going forward,” he told reporters. The supply chain and industrial control systems are at the top of the risk profile, he said.

“These are in part driven by the risk picture, the risk environment, the supply chain, but also our natural authorities,” Krebs said.

Last September, DHS banned the use of Russian cyber security software by federal civilian agencies over concerns that Kaspersky Labs products could be exploited by the Russian government and other malicious cyber actors.

Homeland Security Secretary Kirstjen Nielsen told Congress this spring that her department is looking to rid Kaspersky software from any private sector entities that do business with the federal government. Congress in the fiscal year 2018 defense authorization bill prohibits Kaspersky’s products from being used by the federal government and any organizations working with the government.

All options are on the table for how DHS will address supply chain cyber security risks, Krebs told reporters. Asked by a reporter whether DHS would use a Binding Operational Directive like it did with Kaspersky’s products against two Chinese information technology companies, Huawei and ZTE, Krebs said these directives are a “last resort” and that there “are other ways we can address the risk.”

Like Kaspersky, the U.S. intelligence community has concerns that the products sold by the two Chinese companies for use in telecommunications systems and networks may provide channels for cyber espionage by China’s government.