The proposed acquisition rule would require that only original manufacturers or vetted resellers supply some components.
A government and industry task force that will meet for the first time this month and is charged with improving U.S. information and communications technology supply chains will focus on three main workstreams, a Homeland Security Department cyber official said Thursday.
The first stream will focus on developing a recommended update to federal acquisition rules, said Emile Monette, who leads Homeland Security’s supply chain risk management efforts and is the task force’s government co-chair.
The new rule will likely require that components of certain sensitive technology systems are only supplied by the original manufacturer or by an approved reseller, Monette told a Commerce Department advisory board.
The broader goal is to ensure that counterfeit and gray market components that might carry shoddy or malicious software don’t make their way into federal networks, he said.
The two thorniest parts of the process will likely be defining which systems the new rules should apply to and defining what counts as an authorized reseller, he said.
In some cases, manufacturers do intensive vetting of their authorized resellers, but, in other cases, the process is more ad hoc, he said.
“Some of them are just: Did you sell 500 units last month? Now you’re a gold star reseller,” Monette said.
The second workstream will focus on developing criteria for how companies and other organizations can vet possible vulnerabilities in the software and hardware they’re buying, Monette said. The third one will focus on how federal agencies and companies can develop lists of approved products, he said.
The National Security Council is also examining the issue and the Homeland Security Department is partnering with the General Services Administration on an effort to include cybersecurity vetting earlier in the government buying process.
The task force will include 60 total members, Monette told reporters after his presentation, 20 each from the information technology sector, the communications sector and government.
The task force’s executive committee, which will meet before the full committee, will include about half as many members, Monette said.
The task force’s large size may make it unwieldy, he said, but it was necessitated by the breadth of stakeholders in the issue. Homeland Security intends for all members to do significant research and other work between meetings to advance the task force’s goals, he said.
“The table stakes for being a member is you’re going to do work,” he said. “It’s not come here and just go to meetings.”
The ultimate goal, Monette said, is for government and other organizations to put more effort toward vetting what goes into their networks so they can spend less money protecting and defending those networks later on.
“The total cost of ownership will be reduced,” he said. “It’s one place where an ounce of prevention is worth a pound of cure.”