Amid concerns that software and telecommunications products provided by companies in Russia and China could be used to spy on the U.S. government and industry, two Senators have introduced a bill that would create a federal council to assess national security threats to the supply chain from information technology and provide guidance to agencies to aid in their understanding of these risks when making procurement decisions.
“We can’t simply respond to supply chain threats piecemeal, we’ve got to have a system in place to assess these risks across the government, and that’s what this bipartisan bill does,” Sen. Claire McCaskill (D-Mo.), ranking member on the Senate Homeland Security and Governmental Affairs Committee, said in a statement on Tuesday. Sen. James Lankford (R-Okla.) joined McCaskill in introducing the Federal Acquisition Supply Chain Security Act (FASCSA) of 2018 (S. 3085).
The proposed council would be chaired by the White House Office of Management and Budget, with members also drawn from the General Services Administration, the Department of Homeland Security, the Office of the Director of National Intelligence, the FBI, the Defense Department, the Commerce Department’s National Institute of Standards and Technology, and any other executive agencies determined by the chairperson.
In addition to assessing threats and vulnerabilities to the supply chain from acquiring information technology, the legislation directs the council to share information about the risk assessments with federal agencies, the intelligence community, and in some cases the private sector; to develop standards for managing risks to the supply chain; and, where an agency excludes a source, to determine whether the source of a particular technology should be disqualified from all executive agencies.
Lankford in a statement said the bill “will help to clarify each government agency’s role and responsibility and protect the federal government from IT security threats through strengthening supply chain risk management. The government needs to continue to work toward strengthening cyber security vulnerabilities and this bill will help move us in the right direction.”
The bill also mandates a government-wide strategy to address supply chain security.
A joint press release from the two senators cites national security issues from Russia’s Kaspersky Labs and China’s ZTE Corporation. The federal government is already banning the use of Kaspersky’s cyber security software in its systems out of concerns it could create a backdoor into federal networks.
The Senate this week voted to ban the sale of U.S. parts to telecommunications and information technology provider ZTE, a global company that has violated U.S. sanctions and raised concerns from the intelligence community that its technology could also provide a backdoor to spy on the U.S.