The strength of a new federal acquisition council on supply-chain security lies in its ability to directly involve classified information in agencies’ decisions to buy products and services, according to a senior White House official.
The new regime contrasts from previous “Whac-A-Mole” approaches that were confined to the unclassified space, Federal Chief Information Officer Grant Schneider said Thursday at the 2019 Security Through Innovation Summit, presented by McAfee. He chairs the nascent interagency Federal Acquisition Security Council, which was established by a law signed by President Donald Trump in December. The law allows classified information to be used to support risk assessments while assuring the intelligence community that data is protected, Schneider added.
“The Binding Operational Directive on Kaspersky was completely through open-source [information],” Schneider said, referring to a 2017 federal order that, due to security concerns, banned civilian agencies from using products made by Moscow-based Kaspersky Lab. “If we had written a Binding Operational Directive on Kaspersky using classified information, we might have done it several years ago.”
U.S. officials have long argued that Russian authorities could leverage local laws to access Kaspersky Lab data for intelligence operations – a charge that the antivirus maker denies.
But federal officials’ supply chain concerns run far deeper than one particular country or product. They worry about maintaining visibility into the vast ecosystem of gear bought by agencies and companies in the face of offshoring and ever-greater network connectivity.
Those concerns have spawned multiple policy initiatives in the last year, including the acquisition council and a separate Department of Homeland Security-run task force that trades threat information with industry.
Examples of sophisticated breaches of global tech vendors have only added urgency to those policy efforts.
Schneider, a former CIO of the Defense Intelligence Agency, made clear how high the supply chain is on his list of security concerns.
“My bigger concern that keeps me up at night is ‘is there going to be a trusted supply chain in the future?’ he said.
One important task for the new acquisition council is developing criteria for making recommendations on equipment, products and services that “we shouldn’t allow to do business with the federal government,” Schneider added. The body will have its first meeting at the end of the month, he said.