Supply Chain Intelligence Directorate Aims to Inform Sourcing “Risk Calculus”


The National Counterintelligence and Security Center is taking advantage of a time when agencies and policy makers are more attuned to online supply chain security issues, as intelligence officials work through channels such as the Federal Acquisition Security Council to identify potential technology risks.

The National Defense Authorization Act of 2020 created a Supply Chain and Counterintelligence Risk Management Task Force to share sensitive information with the federal procurement community. The working group is chaired by the Director of NCSC.

Jeanette McMillian, deputy director of supply chain and cybersecurity at NCSC, says the task force has played a crucial role in helping to inform agencies’ “risk calculation” for what they buy.

“We don’t make the decisions,” she said. “We’re just making sure that whatever decision is made is actually informed with as much information as we have at hand at the time.”

McMillian said the task force’s primary means of information sharing is through the Federal Acquisition Security Council, which is led by the White House Office of Management and Budget and is responsible for coordinating interagency policy on supply chain cyber threats.

“If we can go to a board, we kind of hit all the right angles in terms of providing that information in a timely manner,” she said. “And we’ve also been able to participate in many other Department of Commerce, Department of Energy initiatives as they fulfill their roles in the supply chain. And [the Department of Homeland Security] especially in regards to some of the information on cybersecurity risks that they were able to produce for some of their efforts to educate cyber defenders.”

The Secure Technology Act, which created the FASC, also required agencies to implement supply chain risk management programs. McMillian says the counterintelligence directorate is there to help provide these agencies with information about supply chain risks that the intelligence community has on hand.

“There’s that balance of risk where we think we can provide that information, particularly where departments and agencies have eaten their vegetables, if you will, and done the hard work of managing supply chain risk and understand where their risk appetite happens to be,” she says.

Agencies and lawmakers have taken steps to exclude certain suppliers from federal supply chains. First, DHS banned Kaspersky products from agency information systems in 2017 due to the cybersecurity firm’s alleged ties to Russian security services.

And then Section 889 of the 2019 NDAA banned five Chinese telecommunications and technology vendors, including Huawei and ZTE, from federal agency networks and contractors.

The FASC has also been given the authority to issue removal and exclusion recommendations for agencies to eliminate companies or products deemed too risky from the federal supply chain. But so far, the council has yet to exercise these powers.

McMillian says the advice focused on understanding risk tolerance across the federal enterprise and how agencies can mitigate concerns based on their individual needs.

“These are the people who understand these systems,” she said. “They understand their mission and they understand what they need to bring into their environment and when. But having that information and making sure it gets passed to the federal agencies that make those decisions every day is what’s critical for us at the National Counterintelligence and Security Center.”

Meanwhile, in June, President Joe Biden signed legislation that would require the General Services Administration to create a standard supply chain security training program for federal employees making procurement decisions.

McMillian says pushing more supply chain security training toward procurement and other types of public servants is also an important focus area for her leadership.

“We just want to make sure people understand that supply chains are global, that they will stay global,” she said. “So they need to make sure they focus on what’s in their supply chain and where it’s coming from. They should also understand that they may not know exactly where their third-party producers, suppliers, and developers are bringing this information. And these third parties may introduce risks that they should fully understand before signing up.”

About Catherine Sturm
