The head of the new federal supply chain council said Thursday the group is utilizing new authorities, such as leveraging classified information, to more rapidly advise both the Pentagon and Department of Homeland Security on products and companies that pose risks to federal networks.
Grant Schneider, the federal chief information security officer, told attendees at a CyberScoop
event, the new Federal Acquisition Security Council (FASC) is working on new avenues to share risk information on potential supply chain threats with the private sector.
“This council is put together to do a number of things, to share information across the federal government on the supply chain assessments and risk information. It’s also about how we share that information with the private sector,” Schneider said.
FASC was established under the Secure Technologies Act, signed last December, creating a central body to issue supply chain security recommendations to DHS, DoD and the intelligence community.
Schneider has previously said the council’s ability to initiate supply chain reforms in a more systematic manner was intended to fix the previous “whack-a-mole” approach to making security recommendations (Defense Daily, April 25).
The council is also leveraging its authority to utilize and protect classified intelligence, over just open-source information, which is allowing officials to make threat assessment quicker than in the past.
Schneider cited DHS’ 2017 decision to ban the federal government from using Russian software company Kaspersky’s products, noting that under the current model a decision could have been made potentially years in advance.
“Had we been able to do that with classified information, we probably could have issued it a year, or even two years, sooner. But we didn’t want to leverage classified information and then have to turn that over in a discovery motion as soon as the court cases started,” Schneider said.
Following his discussion, Schneider told reporters the council is continuing to study potential supply chain threats and is working through a standard practice of how long decisions should be deliberated before advising relevant agencies.
“I think that will vary from each product to company. Hopefully, at some point in the future, we’ll have an idea of how long that process will take but I don’t think we know right now,” Schneider said.