Homeland Security is Pushing Hard for More Supply Chain Authority

New York – The Homeland Security Department is stumping hard for a legislative proposal that will give it broad authority to expeditiously bar companies that might pose cyber threats from civilian government supply chains, Undersecretary Chris Krebs said Tuesday.

The proposal, which the White House put together with the department’s help, has not yet been formally introduced as legislation. A House Homeland Security Committee staffer told Nextgov, however, that committee leaders will push for the proposal if they believe it has a strong chance of passing both chambers.

If the Trump administration proposal can’t win broad support, House Homeland leaders will push for a narrower bill that would broaden the department’s supply chain authority but only for Homeland Security’s own networks, the staffer said.

Homeland Security is also offering technical guidance on that bill, Krebs told reporters during a department cybersecurity summit in New York. He said he’s confident some version of the plan can become law before the close of this Congress in January.

The push comes as Homeland Security is conducting a broad review of government supply chains for cyber threats, such as hardware and software components produced inside adversary nations that might be used for nation-state spying.

Homeland Security is examining several specific companies as part of that effort, a department official told Nextgov, but the official declined to discuss particular companies.

The department’s most aggressive move to protect supply chains to date was an October directive ordering civilian agencies to remove software from Russian anti-virus maker Kaspersky from their networks.

That directive was later backed up by legislation. Congress passed similar legislation barring the Chinese companies Huawei and ZTE Wednesday. That bill's now awaiting the president's signature.

Congress granted Homeland Security the authority to issue those mandatory cybersecurity directives in 2014 in an effort to increase the department’s authority over governmentwide cyber protections.

Editor's note: This story was updated to reflect passage of the National Defense Authorization Act shortly after the story was published.