Last week, the President of the United States of America issued a new executive order declaring a national state of emergency to protect the U.S. information and communications technology (ICT) services supply chain, also known as the C-SCRM.
This advancement is a much welcome step towards putting together a national strategy for supply-chain risk and I commend the administration for viewing supply chain risk as an investment in the security of our national information infrastructure, not an expense.
I have been honored to have had the opportunity to testify in front of Congress four times and have always emphasized the need for the Federal Government to demonstrate forward-looking policies and the promotion of supply chain transparency. Having advocated for more proactive supply chain risk management, I’m pleased to see that the reporting requirements outlined in this Executive Order (EO) reflect this. There is, however, much work to be done.
The EO authorizes the Secretary of Commerce (Secretary), in consultation with other cabinet officials, to ban or prohibit transactions if they deem that the transaction involves information and communications technology, or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. (Trump, 2019)
This is a positive step in the right direction; however, a few fundamental questions remain. What processes or commercial technologies should the agencies actually use to assess the inclusion of ‘services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary’ for reporting requirements? This cannot be successfully done with people and annual reporting. In addition, how do agencies know what concrete actions they should take, and who holds the authority for mitigation?
The EO tasks Commerce to work with other cabinet members to publish, within 150 days, rules or regulations for implementing the EO. As I’ve mentioned in many of my testimonies, it’s critical that Federal Government leadership provide implementable contracting language, updated acquisition processes, and employee training (from the Program owner to the Contracting Officer) to ensure agencies not only know what and why they are taking action, but how to enforce it. And when it comes to enforcing these actions, budget is integral.
In order to proactively identify and mitigate future supply chain risk to federal ICT systems, it is critical to have an understanding of emerging technologies, their pedigree, and their interconnectivity. Without budget to allocate to commercial solutions that can deliver this type of insight, the authorized agencies will not be able to do their assigned job and the current business climate will continue.
Over the last 12 months, the Federal Government has increased the authorities for modernizing government technology and for the Federal IT Acquisition Reform Act (FITARA), as it relates to who is responsible for risk in the supply chain for each agency. This said, there is no requirement for metrics of the impact of SCRM programs as part of any of these efforts, just that they exist. Having declared this a state of emergency, I hope that as the U.S. Government moves forward with the implementation of this EO, not only are agency heads tapped for authorization, but additional funds are allocated (via supply chain risk line items) to support agencies in identifying risk in their supply chain and mitigating it, beyond the simple documented reporting requirements. True risk management and reduction in the supply chain is an ongoing and operational process that takes leadership, funding and proper resourcing. This is not a compliance-only or economic-only situation. There are real threats to real technologies and services that the US, global competitiveness, and national security depend on for everything from mission readiness for the Department of Defense to personnel record protection across our Federal agencies.
Finally, I’ve always emphasized the need to have someone primarily responsible for combating threats against the Federal supply chain and I’m pleased to see the Director of National Intelligence (ODNI), as well as the Secretary of Homeland Security (DHS), tasked with leading the charge. While the Director, in consultation with the heads of relevant agencies, will be responsible for producing written periodic assessments of classified threat intelligence against the supply chain, it’s important that we consider an unclassified way to share this intelligence with the broader Federal enterprise. DHS can help with this if they have the available commercial technology solutions and open source sharing policies in place. A large number of critical personnel across the Federal Government, as well as their support contractors, do not hold clearances and desperately need a mechanism to effectively implement the vital measures necessary to secure our Federal supply chain. This must be acknowledged and planned for from the beginning or we will never win this fight.
This EO signifies a new and much needed focus on supply chain risk management from the U.S. Government. I look forward to seeing this program develop, and hope that the necessary authorities and resources are afforded to agencies so that they can ensure our nation’s security as well as the security of its people, no matter which countries are being focused on.