The program will be based primarily on unclassified information, the department said.
A new program to ensure the cybersecurity of the government’s supply chain will be based on unclassified, public information whenever possible, according to a question-and-answer sheet the Homeland Security Department posted Thursday.
The document, which was posted to a government contracting site, contains Homeland Security responses to industry questions following a formal request for information and meeting with industry about the supply chain initiative in September.
Homeland Security intends to share the companies it’s reviewing with the intelligence community, the document states. In most cases, however, intelligence agencies will just suggest particular areas Homeland Security should focus on or identify companies that require especially close attention.
Intelligence agencies won’t share the classified basis for those suggestions, the document states.
In some rare cases, there will be classified information that shows a company poses too great a risk to be a federal government contractor that’s not available in an unclassified form, Homeland Security acknowledged. But those cases will likely be rare, the department said, noting that “there is a high degree of correlation between what you can find in open sources in terms of derogatory information and what we find in classified sources.”
Homeland Security is considering releasing a formal request for proposals to contractors that might provide components of the supply chain vetting system but hasn’t finalized the details yet, according to the information sheet. That request will likely come out during the current fiscal year, which began Oct. 1 and ends Sept. 30, the department said.
Homeland Security launched the government supply chain initiative after two high-profile incidents in the past year during which Homeland Security or Congress imposed bans on federal contracts that included technology from specific companies that posed a threat of foreign spying.
The department is working on a separate supply chain initiative with industry that will be managed out of the department’s new National Risk Management Center.
Once Homeland Security has established its government supply chain review process, the department hopes to share what it finds as broadly as possible, including with contractors and other government stakeholders, according to the question-and-answer sheet.
The department is working with its legal counsel on how to do that without violating companies’ privacy rights, the sheet states.
Homeland Security is also working out how to ingest enough information to make smart decisions about companies’ cybersecurity risks without taking in a flood of information that is too voluminous or complex to analyze, the department said.
Another focus is developing a process for reviewing the department’s findings so that companies aren’t deemed too risky based on outdated information, the sheet states.
The department hopes to build on some unclassified supply chain work that’s already been done by the Commerce and Justice departments and NASA, the document states.
Homeland Security began the process of banning the Russian company Kaspersky Lab from civilian government contracts in October 2017 and Congress later banned the company from all government agencies and contractors in December.
Congress similarly banned the Chinese companies Huawei and ZTE this year.
Those actions both came after the companies were already on government networks and after years of mounting concerns about spying risks.
One main goal of the supply chain initiative is to address risks from similar companies far earlier in the acquisition process, Homeland Security Undersecretary Chris Krebs has said.
Currently, however, Homeland Security lacks the authority to make buying decisions for other agencies.
The Trump administration floated a legislative proposal in July that would give the department broad authority to bar contractors that pose supply chain risks across the civilian government.
The administration is holding off on any executive supply chain actions while it sees if that bill passes, federal Chief Information Security Officer Grant Schneider told reporters Thursday.