House Passes Bill Expanding DHS’ Power to Block Risky Contractors from Government Networks

The House passed legislation Tuesday that would dramatically broaden the Homeland Security Department’s power to block contractors and subcontractors that officials determine present cybersecurity and national security risks to the department’s technology supply chain.

The bill, which is modeled on an authority already granted to the Defense Department, comes after Congress took action in the past year to boot the Russian anti-virus maker Kaspersky Lab and the Chinese telecom firms Huawei and ZTE from federal networks.

“There is no question that nation-states and criminal actors are constantly trying to exploit U.S. government and private sector systems to steal information or to insert potentially harmful hardware or software,” the bill’s sponsor, Rep. Peter King, R-N.Y., said on the House floor.

The House-passed bill is narrower than a Trump administration proposal that would allow Homeland Security to prohibit questionable contractors across the civilian government. King said Tuesday that he hopes the House will get an opportunity to vote on the broader proposal.

Homeland Security’s top cyber official, Chris Krebs, has also pushed for the broader bill, describing it as a way to deal with companies that might pose a threat to government networks before they have access to those networks rather than afterward when it can be exceptionally laborious and some damage may be already done.

Homeland Security first moved to ban Kaspersky from federal networks in October 2017, for example, but the requirement for contractors to be scrubbed of the Russian anti-virus won’t take effect until October of this year.

The House-passed bill would require Homeland Security to notify contractors before a ban in most circumstances and allow them to protest the ban or make efforts to mitigate the problem. Once in effect, however, the bans could not be challenged by a federal court or through the Government Accountability Office’s bid protest process.

The bill does not yet have a Senate counterpart and there are only a few weeks of legislative work before the close of this Congress in January, diminishing the bill’s likelihood for becoming law.

The House also passed Tuesday:

• A bill that would put the power of legislation behind the Homeland Security Department’s Continuous Diagnostics and Mitigation program, which deliverers billions of dollars of pre-vetted cybersecurity goods and services to federal agencies.
• A bill that would standardize contractor fitness standards across various divisions of the Homeland Security Department.
• A bill that would create an unmanned aircraft systems coordinator position in the department. UAS is the technical name for drones.
• A bill to create a chief data officer at the Homeland Security Department.