Sens. James Lankford, R-Okla., and Claire McCaskill, D-Mo., today introduced legislation that would create a Federal Acquisition Security Council to oversee creation of a government-wide strategy to address IT supply chain security and mitigate supply chain security threats from IT equipment and service purchases.
The senators said the bill would put civilian Federal agencies on a more equal footing with defense and intelligence agencies regarding IT supply chain threats by making them work together to develop strategies to reduce risk.
“For years, the Intelligence Community was aware of the risk that Kaspersky Labs antivirus products posed to national security, but that information was not widely shared with other government agencies,” the senators asserted, adding that their bill “raises awareness across the government by breaking down silos between national security and civilian agencies and requires them to develop a strategy together that confronts supply chain risk management in government purchasing of IT.”
The bill – the Federal Acquisition Supply Chain Security Act (FASCSA) – would charge the new council with developing policy and procedures for agencies to use when purchasing IT products and services.
Agencies with membership on the council would include the Office of Management and Budget (OMB), General Services Administration, Homeland Security Department, Director of National Intelligence, Federal Bureau of Investigation, Defense Department, and the National Institute of Standards and Technology. An OMB representative would chair the council.
Through that membership structure, the bill “bridges the information gap between the Intelligence Community, the Department of Defense, and the rest of the government on technology vulnerabilities and characteristics that could jeopardize our national security,” the senators said.
“FASCSA arms the heads of civilian agencies with vital information earlier in the purchasing process so they can make informed decisions based on clear standards for risk tolerance, and it requires greater accountability and transparency in the process,” they said.
Besides establishing the new council, the bill would: mandate development of supply chain vulnerability risk criteria; require the council to consult with the private sector on developing policies for supply chain risk assessments; require individual Federal agencies to assess risk of their existing IT products “that pose the greatest threat” and prior to buying new equipment; mandate risk assessments of IT products before they are made available for government-wide purchase; and “grant agencies the authority to mitigate threats to IT acquisitions for reasons of national security and threats to the public interest.”
The council would have six months to create a strategic plan, and would have to report to Congress on its activities annually.
“This bipartisan bill will help to clarify each government agency’s role and responsibility and protect the Federal government from IT security threats through strengthening supply chain risk management,” Sen. Lankford said in a statement. “The government needs to continue to work toward strengthening cybersecurity vulnerabilities and this bill will help move us in the right direction,” he added.
“Cybersecurity is a 21st century problem we’re still trying to tackle with 20th century solutions … We can’t simply respond to supply chain threats piecemeal, we’ve got to have a system in place to assess these risks across the government, and that’s what this bipartisan bill does,” Sen. McCaskill said.