Joyce Corell leads efforts at the National Counterintelligence and Security Center to protect the nation’s technology supply chain.

Jul 25 2019

Q&A: ODNI’s Joyce Corell on Federal Supply Chain Security

Federal task forces and national security agencies are leading the charge for additional protections to the nation’s technology supply chain.

As more foreign-based IT companies are suspected of being influenced by malicious nation-states, Joyce Corell and the National Counterintelligence and Security Center lead efforts to detect risks to the nation’s supply chain.

Concerned about the possibility that overseas vendors could be introducing threats into the federal technology supply chain, the Trump administration has been taking steps to protect agencies from potentially risky products, including barring some products from the government shopping list. A law passed in 2018 also requires agencies to have supply chain risk management programs. Joyce Corell, assistant director for supply chain and cyber at the NCSC, part of the Office of the Director of National Intelligence, discusses efforts to minimize the dangers to the nation’s technology supply chain with FedTech.

FEDTECH: Why wasn’t supply chain risk a ­bigger issue earlier

CORELL: Supply chain risk management is not an intellectually difficult concept to understand. But when you talk about it across government organizations, it’s bureaucratically difficult to comprehend how to do it well. Counter-intelligence and security — we’re only one piece of the mission space. You have the mission owners, like the CIOs of the world, who have some responsibilities to manage risk. You have your acquisition and procurement people who are on the pointy end of decision-making. You have your security — guns, gates and guards people. There are a variety of disciplines that need to come together to discuss what we think the risk is. How do we handle the risk? What mitigation works in this situation that doesn’t work in that situation? Many times, one line of business assumes the other guy has it handled.


FEDTECH: How does an agency create a supply chain risk management program?

CORELL: One, you have to identify a senior person who is going to be your risk manager or create a governance process. Then you need to look at procurement decisions: Which ones, if something goes bad, have the highest consequence? The National Oceanic and Atmospheric Administration uses weather satellites. You can’t rip-and-replace a satellite. Your decision-­making and your risk tolerance for a high-impact system is going to be different than if you’re buying cellphones. Then, can you draw down the risk in any of those areas? Because this is risk management, not risk avoidance. The private sector is still wrestling with this as well.

Joyce Corell, Assistant Director for Supply Chain and Cyber at the NCSC, Office of the Director of National Intelligence
From a risk perspective, there are things that we are not yet thinking of as a potential vector."

Joyce Corell Assistant Director for Supply Chain and Cyber at the NCSC, Office of the Director of National Intelligence

FEDTECH: What else should agencies watch for?

CORELL: It depends on the consequences and what the adversary is interested in. From a risk perspective, there are things that we are not yet thinking of as a potential vector. The Department of Energy doles out grant money for research for energy/electricity delivery. Who’s that grant money going to? What is the new technology being injected into our energy/electricity delivery system? Are they thinking about the risk posed by third parties in that environment when those monies are doled out? I probably don’t need to repeat that the theft of intellectual property and the access to IP is how China feeds its IT ecosystem. In the excitement to invent, let’s not forget the consequences of not attending to your security or protecting your intellectual property.

MORE FROM FEDTECH: See how DHS plans to beef up the AI capabilities of its CDM dashboard.

FEDTECH: Is one type of agency more at risk for this kind of tampering, beyond the obvious classified agencies?

CORELL: I think all agencies have their own crown jewels. The Social Security Administration has all kinds of personally identifiable information about Americans. The education community has all kinds of information. When you apply for school loans, you’re coughing up everything; they have a lot of information about people’s finances.

VIDEO: See how public-private sector partnerships help the FBI manage cybersecurity threats.

FEDTECH: Who has the best position to spot risks in the supply chain?

CORELL: Your defense contractors, who are building the stuff, might be in a position to detect that something has gone wrong. Agencies should have tools in place to see if anything is exiting the hardened perimeter. The intelligence community does what the intelligence community does. But in the commercial sector, there is vast, untapped information available from commercial data providers. People are only just beginning to recognize that there’s a lot of information you can get about risk if you purchase information from commercial data providers.

FEDTECH: There are so many layers.

CORELL: Yes. The government has struggled in this context, where we talk to our first-tier supplier, then they will have a supplier and the suppliers will have suppliers. Sometimes companies will say, “We don’t know our suppliers’ suppliers.” There are legal terms tossed around — they can’t force their subcontractors to tell them who their subs are, because that might give one company a competitive edge over another.

One classic topic is information sharing. From my perspective, there’s all this pressure on the intelligence community: Share more, share more. My question for industry is not, “What do you do with all of that?” It’s, “What information can I give you that will make a difference in your decision to do business with a third party?” 

When industry is thinking about their third-party risk, they go from, “Sure, I’ll do business with you,” to “I don’t really want to do business with you because you’re sketchy. But you’re the only game in town, so I’ll do business with you.” What information tips the company over to “No, I’m not going to do business with you”? This is an area industry is still thinking through.

FEDTECH: Is it possible to have one set of best practices for both government and private sector?

CORELL: I think there are common best practices. One is to think about security as the fourth pillar. When you’re buying goods and services, the community that does the purchasing looks at cost, schedule and performance. Those are the three pillars. 

Historically, people working in the supply chain environment have said, “Performance, doesn’t that include ­security?” Well, it doesn’t. From a performance perspective, does this pen function as a pen? I pushed the button down; it’s a pen, right? I can meet performance criteria and not know that something extra is in there — the microphone talking to my little ballpoint pen. Security really needs to be the fourth pillar.

Photography by Cameron Davidson

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT