There are more than 30 different supply chain security-related efforts underway across government.
There are the big ones you know about like the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) initiatives and the National Institute of Standards and Technology’s Special Publication 800-161 update.
There are smaller ones like NASA SEWP’s crosswalk between 800-161 and the Open Trusted Technology Provider Standard from the Open Group. The General Services Administration also quietly put out a cyber supply chain risk management strategy in March that only saw the light of day about a month ago.
Basically, the proliferation of supply chain security efforts has the potential to wreak havoc on industry and agencies alike.
John Miller, the senior vice president of policy and general counsel for the Information Technology Industry Council, said the tipping point is near. Miller is a member of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, which is sponsored by the National Risk Management Center (NRMC) in the Cybersecurity and Infrastructure Security Agency (CISA) at the Homeland Security Department.
“If we are going to get this policy right, we need to have all the efforts coordinated and holistic. That will, among other things, create a better policy and make it easier for companies to comply,” said Miller at an event sponsored by the Center for Cybersecurity Policy and Law and NIST in early August.
The one organization that could bring all of these efforts under one umbrella is emerging from behind its Wizard of Oz curtain.
44-page final rule with few changes
The Federal Acquisition Security Council (FASC) finalized its processes, procedures and practices by releasing its final rule on Aug. 26.
The FASC, which Congress created as part of the SECURE Technology Act, released the interim final rule last September. That rule laid out the structure for how the council will oversee supply chain risk management processes, practices and procedures.
The council changed little in the final rule, focusing mostly on technical, structural and other minor areas to help clarify and/or simplify the 44-page rule.
Only six entities submitted comments, and few of those led to even minor changes across the two main subparts.
One subpart establishes the role of the FASC’s information sharing agency (ISA). The final rule gives CISA that responsibility. Through the ISA, the FASC will work with CISA to standardize “processes and procedures for submission and dissemination of supply chain information and facilitates the operations of a supply chain risk management (SCRM) task force under the FASC. This FASC task force consists of designated technical experts who assist the FASC in implementing its information sharing, risk analysis and risk assessment functions.”
It also prescribes mandatory and voluntary information sharing criteria and associated information protection requirements.
The other subpart outlines the FASC’s procedures for evaluating the supply chain risks posed by specific companies or products. It also describes how the council will recommend that the three lead agencies, DHS, the Defense Department and the Office of the Director of National Intelligence, issue orders requiring the removal of products or services or excluding specific companies from future procurements. The subpart also details the process for issuing removal orders and exclusion orders, as well as for agency requests for waivers.
Waiver requires compelling justification
Joyce Corell, the assistant director of the supply chain and cyber directorate at the National Counterintelligence and Security Center in the Office of the Director of National Intelligence (ODNI), said it was important for the final rule to increase the transparency and consistency of the exclusion and removal processes.
“When we need to as a council make a recommendation and we’ve gotten information that gives us pause about a particular high-risk vendor and we’ve realized there is no mitigation available other than excluding or removing that vendor from our systems, we need to have sound criteria and repeatable processes in place,” Corell said during the Center for Cybersecurity Policy and Law and NIST event. “That is what this rulemaking is about so that we have that analytic integrity and rigor behind those risk assessments.”
Among the most “significant” changes is new language specifying the requirements an agency must meet to request a waiver from a removal or exclusion order. These include providing a compelling justification and describing other mitigation approaches.
“Those agencies must submit their request in writing to the official who issued the order and provide specified information, including a compelling justification for the waiver and a description of any forms of risk mitigation to be undertaken if the waiver is granted,” the final rule stated.
Another area where the FASC changed the rule was in response to several commenters who asked for “further clarification of the protections that would be afforded to non-federal entities who voluntarily share information with the FASC.”
Liability protections remain unclear
The council added language to the final rule describing the protection afforded to information that is not otherwise publicly or commercially available and that non-federal entities (NFEs) and others submit to the FASC.
“If such information is marked by the submitting NFE with the legend, ‘Confidential and Not to Be Publicly Disclosed,’ the FASC will not release the marked material to the public, except to the extent required by law,” the final rule stated.
The FASC says, however, that it “retains broad discretion to disclose information submitted by NFEs to appropriate recipients in a range of circumstances. The FASC recognizes that its retention of such broad discretion may dissuade some NFEs from submitting sensitive information. At this time, however, the FASC has chosen to prioritize greater sharing of information in appropriate circumstances over the possibility of receiving more supply chain risk information from NFEs. If the FASC determines over time that the federal government’s interests would be better served by a different weighing of priorities, the FASC may revise the rule accordingly.”
The concern that the rule could dissuade information sharing, along with the question of repercussions for those who share, came up more than once in the comments.
For instance, one commenter asked if NFEs would receive liability protection as provided under the Cybersecurity Information Sharing Act of 2015. The FASC said the final rule doesn’t address this issue, but it is coordinating with FASC member agencies to consider any intersections between CISA 2015 and the FASC’s authorities and may provide further guidance.
Commenters also raised the possibility of NFEs submitting false or inaccurate information, and asked whether NFEs should have to “attest” to the accuracy of what they submit. The FASC didn’t adopt that recommendation either, saying it will continue to conduct due diligence and review information from multiple sources.
Chris DeRusha, the federal chief information security officer and chairman of the council, said now that the final rule is out, the FASC can focus on finalizing its 2022 strategic plan.
“We are thinking through how to provide the right guidance. Do we need to do some new policies on supply chain risk management for agencies to help with that? How are we going to get the right risk information to agencies and how do we assess that to make sure we are taking all the appropriate steps?” DeRusha said at the event. “We are happy to get through some of the core things we need to do to become a mature council and shift our focus to more strategic objectives.”
The FASC’s first strategic plan, released last summer, outlined three pillars and their corresponding strategic objectives:
- Standards, guidelines and practices for federal SCRM programs,
- Information sharing, and
- Stakeholder engagement.
Each pillar includes several statutory mandates and strategic activities to implement those requirements.
“I know a lot of people have been saying ‘what is taking so long to get stuff up and running.’ It’s incredibly important to get the processes right. We want to be risk based. When we go into exclusion and removal orders we want to make sure those processes are sound,” Jon Boyens, a senior advisor for information security in the Information Technology Laboratory at NIST, said at the event. “Going forward, if folks look at the Secure Technology Act, the exclusion and removal order is a big piece, but we will start focusing on some of the other pieces like information sharing and the supply chain risk management practices and guidance to the agencies that are really asking for it, and how those agencies function with the FASC.”