Congress and the White House are zeroing in on supply chain threats.
Two House Republicans are working on legislation that would expand the Homeland Security Department’s authority to deny contracts to companies that pose cybersecurity supply chain threats while the Trump administration is pushing an even more expansive proposal.
The bill in the House will be modeled on authorities Congress gave the Defense Department in 2011 that were implemented in 2015, said Rep. Scott Perry, R-Pa., who is drafting the bill with Rep. Peter King, R-N.Y.
Under those rules, Pentagon contracting officers can bar vendors that pose a security risk from competing for contracts before they’re awarded and halt contractors from hiring risky subcontractors after an award.
Under current Homeland Security Department rules, contracting officers working on unclassified contracts can’t bar vendors before an award based on information provided by intelligence agencies, Soraya Correa, the department’s chief procurement officer, who testified before two House Homeland Security panels Thursday.
Intelligence agencies are only allowed to tell contracting officers that a particular vendor poses a security concern and whether the concern can be mitigated, not what the concern is, Correa told the committee’s oversight panel, chaired by Perry, and its intelligence panel, chaired by King.
“Federal acquisition regulations and their underlying statues were designed around the procurement of products and services that were neither anticipated to be vulnerable to, nor the target of, sophisticated foreign intelligence activity,” Correa said.
She urged lawmakers to expand Homeland Security contracting officers’ ability to respond to supply chain threats before a contract award.
That authority should also extend to other federal agencies, said Jeanette Manfra, who leads Homeland Security’s cyber division.
Perry’s and King’s offices did not immediately respond to a Nextgov query for more details about their proposed legislation or if they’re seeking Democratic cosponsors.
A separate legislative proposal floated by the White House Thursday would give the Homeland Security Department broad authority to bar contractors that present cybersecurity risks from civilian government contracts based on the advice of a “critical information technology supply chain risk evaluation board.”
The proposal would give similar power to the Pentagon for defense contracts and to the Office of the Director of National Intelligence for intelligence contracts.
The proposal would also create a cyber supply chain council, which would include members from the White House, intelligence community and the Homeland Security, Defense and Justice departments. That council would write guidance to help agencies share information about supply chain risks and help develop shared services and contracts to reduce those risks.
That portion of the proposal resembles a bill introduced in June by Sens. Claire McCaskill, D-Mo., and James Lankford, R-Okla.
The legislative proposals are part of a broader effort to rid government supply chains of software and hardware that can be exploited by cyber criminals or adversary nations, such as Russia and China.
Congress passed legislation in December barring the Russian anti-virus company Kaspersky Lab from federal and contractor networks and is finalizing similar legislation targeting the Chinese companies Huawei and ZTE.
Homeland Security is also launching a program to vet other agencies’ supply chains for cyber vulnerabilities. That program only has two dedicated employees so far, but recently got a funding boost and will grow significantly over the next two years, Manfra testified.
The department’s supply chain work is initially focusing on the government’s highest value systems that are most likely to be targeted by foreign adversaries, Manfra told Nextgov in a podcast interview this spring.
A Government Accountability Office report, also released Thursday, described substantial vulnerabilities across the government supply chain that “could create an unacceptable risk to federal agencies.”
Thursday’s GAO report looked back to a 2012 audit, which found serious supply chain deficiencies at the Justice, Energy and Homeland Security departments and fewer at the Defense Department.
Those agencies have implemented all of GAO’s recommendations since the 2012 report except for Homeland Security, which hasn’t fully implemented a recommendation to monitor the effectiveness of new supply chain security measures, GAO said.
Editor's Note: This article and its headline have been updated to include information about the White House's proposal.