The Trump Administration this week sent proposed legislation to Congress to help federal agencies strengthen the cyber security of their supply chains and two House Republicans said on Thursday that they will soon offer similar legislation aimed at the Department of Homeland Security.
Rep. Scott Perry (R-Pa.) said at a congressional hearing that the tools DHS currently has to contend with cyber risks to its supply chains are “reactive” and that it needs additional authorities “to decisively act when a threat to its supply chain has been identified.”
“Modeled after statutory authority given to the Department of Defense in 2011, this legislation will empower the Secretary of DHS to block entities who pose a security risk from being a DHS vendor,” Perry, chairman of the House Homeland Security Committee’s Oversight and Management Efficiency panel, said in his prepared remarks early in the hearing. “The legislation will also encourage information sharing across the department when a supply chain risk has been identified.”
The hearing was hosted by Perry’s subcommittee and the Counterterrorism and Intelligence panel, which is chaired by King. The hearing featured open and closed sessions and focused on the DHS supply chain.
DHS officials attending the hearing provided a joint written statement for the record that said the administration on Tuesday shared its legislative proposal with Congress called the Federal Information Technology Supply Chain Risk Management Improvement Act of 2018.
John Zangardi, the chief information officer for DHS, said in his opening remarks that “The administration has been working to establish a strategic statutory framework to protect our federal supply chain by conducting supply chain risk assessments, creating mechanisms for sharing supply chain information, and establishing exclusion authorities, both within agencies and in a centralized manner to be utilized when justified.”
Sen. Claire McCaskill (D-Mo.), the ranking member on the Senate Homeland Security and Governmental Affairs Committee, on Thursday issued a statement applauding the administration’s legislative proposal, saying it mirrors a bill that she and Sen. James Lankford (R-Okla.) introduced in June that would create a federal council to assess national security threats to the information technology supply chain.
Last year, following warnings from the intelligence community, DHS moved to ban the use of a Russian software firm’s cyber security products from federal networks. The Defense Department also banned the use of Kaspersky Lab’s products.
Congress is also attempting to impose a long-term ban on the federal government from acquiring products from China’s telecommunications equipment makers ZTE and Huawei over concerns the Chinese government’s relationship with these companies could create a backdoor through their products to spy on the U.S. The Commerce Department currently has a ban in place against ZTE from selling to American suppliers due to sanctions violations but an agreement has been reached to drop the prohibition.
“The information and communications technology supply chain is a source of significant risk,” Jeanette Manfra, assistant secretary for the DHS Office of Cybersecurity and Communications, told the panel. “The globalization of our supply chain results in component parts, services and manufacturing from sources distributed around the world.”
The joint written statement, which included Manfra, said that cyber supply chain threats are no longer “emerging,” and instead are “pervasive.”
Manfra mentioned several technology vulnerabilities, including counterfeits, intentional mislabeling, “unauthorized production, tampering, theft and insertion of malicious software or hardware.” These risks could harm government and critical infrastructure systems, she added.
Soraya Correa, the chief procurement officer for DHS, welcomed the prospect of new legislative authorities to help her department address cyber security risks in the supply chain and “protect its systems and networks.” She also said that these authorities are needed across the federal government to promote consistency.
Consistent authorities across government “can improve understanding and ease implementation for industry, especially for new companies and small businesses,” and make it easier for departments and agencies to train, implement and manage these tools, Correa said.
Some of the issues facing DHS regarding supply chain risks include that contracting officers are not allowed to receive specific intelligence; instead they are “advised broadly” on risks and, depending on circumstances, are either provided mitigation strategies when applicable or told a risk can’t be mitigated, Correa said. In classified procurements, there are sufficient authorities to address risks, she said.
In unclassified procurements, which represent the “vast majority” of the department’s buying efforts, the hands of contracting officers are “restricted because the process is designed to balance the equities of the contracting parties, ensuring due process for contractors and full disclosure of the government’s reasons for pursuing contractual remedies in the event of performance or integrity failure,” she said.
Correa added that existing federal acquisition regulations for commodities and services weren’t designed with vulnerabilities or exploitation by adversaries in mind, “especially those associated with the globalized information and communications technology supply chain.”
For contracts that have already been awarded, current authorities allow for temporary stop work orders, contract terminations, and contractor suspensions and debarments, Correa said, pointing out though that these tools “were not designed [to] address a security threat based on intelligence information.”
Perry said during his opening remarks that information gathered during the hearing would be used to shape his pending legislation.