Working with partners in government and industry, the Department of Homeland Security (DHS) has initiated an assessment of potential supply chain risks facing federal civilian agencies in their procurements and is also working with industry to understand these risks, a department official said on Wednesday.

The initiative began this year and is in the early stages of scoping to “narrow down” the focus and to better understand supply chain risks and what can be done about them, Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications, said as part of a panel discussion on cyber security hosted by the Brookings Institution. She wants a “dedicated staff” focused on supply chain risks and believes it could be an “enduring” effort, although that will sort out over time.

DHS Assistant secretary for the Office of Cyber Security and Communications. Photo: Department of Homeland Security.
DHS Assistant secretary for the Office of Cyber Security and Communications. Photo: Department of Homeland Security.

“We need to have a more concerted effort to take all of the potential gaps that may be in … the federal system or within industry and kind of figure out what is the role of DHS,” Manfra told reporters after the panel. “So that’s really what the initiative is looking at. It’s more of an internal … assessment. It’s talking to industry. It’s talking to government agencies. It’s figuring out, ‘Are there gaps in how we manage supply chain risk? What can we do about those gaps?”

Manfra said her team has talked with manufacturers and software vendors but declined to name companies that DHS is working with for this effort. In the federal space she mentioned the General Services Administration (GSA), the Defense Department, intelligence community, and the National Institute of Standards and Technology.

In working with the GSA, DHS wants to be “ensuring that the right due diligence is done for contractors or for products … that has that sort of cyber risk in addition to other risks that the government is more used to thinking about,” Manfra said, adding that supply chain risk isn’t factored into government procurement processes. The primary government concern is “high value assets” that would have a large impact to the government if something happened, she said.

The issue of cyber security in the supply chain becomes “very complex, very quickly,” she said, adding that ultimately putting attention here will deliver results.

“I do believe we can’t just throw up our hands and say, ‘It’s too complicated, I’ll never know where the code is coming from,’” she said during the panel discussion. “At some point we will know and we can figure it out, the collective we.”

Tom Wheeler, chairman of the Federal Communications Commission the last four years of the Obama administration, suggested during the panel discussion that the government type certify products that can connect to the Internet to provide “cyber assurance” and mitigate cyber concerns for customers. He said the FCC already does type acceptance on electronic products that could potentially affect airwaves.

“Nobody in the supply chains is asking any question about cyber security,” Wheeler said. “Mostly they’re saying, talk to me about price.”

With industry, Manfra said DHS is talking to engineers and laying out what it believes the risks are and asking them what they think the risks are. If a “mutual understanding” of risk can be achieved, then the discussion and move to examining if “there are ways to technically mitigate that risk that everybody can be sort of satisfied with.”

She agreed with Wheeler that it is a good idea to give consumers confidence around the cyber security of devices that are connected to the Internet, an area called the Internet of Things.

The department has examined supply chain cyber security previously, including in the area of software assurance, but the new effort will be more focused and with “dedicated staff,” Manfra said.