Sep 06 2018

DHS Stands to Gain Authority to Police IT Supply Chain Risk in New Bill

The Securing the Homeland Security Supply Chain Act of 2018 would allow the agency to bar IT contractors from working with it if they pose a national security risk.

The Department of Homeland Security’s efforts to bolster federal IT supply chain security just got a boost.

On Sept. 4, the House passed HR 6430, the Securing the Homeland Security Supply Chain Act of 2018, by voice vote. The bill would grant the DHS secretary the power to block an IT vendor from working with DHS if the vendor poses a risk to national security.

That falls short of the recent call from Christopher Krebs, undersecretary of DHS’ National Protection and Programs Directorate, who has said DHS would push Congress to pass legislation that would grant it wide latitude to quickly bar companies that might pose cybersecurity risks from all civilian government supply chains.

“I am hopeful, [as] this bill moves through the process, that we will also have an opportunity to consider legislation that provides similar authority to ensure national security vetting is incorporated into the wider government procurement process,” said Rep. Peter King, the bill’s sponsor, according to CyberScoop. The bill now moves on to the Senate for consideration.

Bill Would Grant DHS Power to Block IT Vendors that Pose Risks

Under the terms of the bill, the DHS secretary may bar an IT vendor from contracting with DHS after “obtaining a joint recommendation, in unclassified or classified form,” from the agency’s CIO and chief acquisition officer, “including a review of any risk assessment made available by an appropriate person or entity, that there is a significant supply chain risk in a covered procurement.”

Meanwhile, as MeriTalk reports:

“While the bill generally requires DHS to notify contractors of a ban beforehand and provide them an opportunity to protest, it also grants the DHS Secretary the authority to waive or delay that notice and institute a ban immediately in the interest of national security.”

Congress would have to be notified of every potential ban, and each ban would be reviewed annually, according to the bill.

Notably, the bill would cover all IT, “including cloud computing services of all types,” as well as telecommunications equipment and services and “hardware, systems, devices, software, or services that include embedded or incidental” IT.

The bill defines supply chain risk as “the risk that a malicious actor may sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the information technology or information stored or transmitted on the covered articles.”

DHS Seeks Info on How to Monitor IT Supply Chain Risks

In August, DHS issued a request for information on ways it can streamline risk assessments of the government’s IT supply chain using publicly and commercially available unclassified data.

“DHS seeks information about capabilities that address risk as a function of threat, vulnerability, likelihood, and consequences, and aggregate multiple data sets into structured archives suitable for analysis and visualization of the relationships of businesses, individuals, addresses, supply chains, and related information,” the RFI states.

DHS wants information about capabilities that enable it to identify and mitigate threats from hardware, software and devices “that may contain potentially malicious functionality, are counterfeit, are vulnerable due to deficient manufacturing practices within the supply chain, or are otherwise determined to enable or constitute a threat to the United States.”

Additionally, DHS wants to identify and mitigate supply chain risks “presented by ICT-based services (e.g., cloud services, managed services), as well as service providers that use ICT and the ICT contains, transmits, or processes information provided by or generated for the stakeholder to support the operations or assets of a stakeholder entity (e.g., professional services),” the RFI says.
