The goal is to reduce the risks of adversaries gaining entry to agencies through their supply chains.
Senators from both sides of the political aisle introduced new legislation Friday to confront cybersecurity vulnerabilities in the federal government’s information technology procurement and lifecycle process.
The Supply Chain Counterintelligence Training Act, introduced by Sens. Gary Peters, D-Mich., and Ron Johnson, R-Wis., seeks to establish a counterintelligence training program for federal insiders who work on supply chain risk management to ensure that everyone involved can identify and mitigate threats that arise during government buying.
“America’s adversaries use any means necessary to gain access to valuable and sensitive government information, including possibly inserting compromising code into products or enlisting untrustworthy IT support personnel to exploit government systems,” Peters said in a statement.
The bill aims to create a governmentwide approach to securing information and communications technology.
“Counterintelligence training for the federal workers buying and selling goods and services for the government is critical at a time when our adversaries are seeking every possible entry point to breach our systems and steal information,” Johnson said in a statement. “This type of training will help close a potential gap in our cyber and physical security defenses.”
The legislation requires leadership from the Office of Management and Budget, National Intelligence, Homeland Security Department and General Services Administration to “establish and implement” a counterintelligence training program for agency insiders with supply chain risk management responsibilities.
It also directs agencies to regularly update Congress on the program’s implementation.
A spokesperson from the Committee on Homeland Security and Governmental Affairs also told Nextgov that the bipartisan bill “aims to prevent adversaries from gaining a foothold in the nation’s technological supply chain—a risk that has become more salient for cybersecurity professionals in recent years due to the risks associated with acquiring products from companies like Kaspersky and Huawei.”
In 2017, DHS ordered agencies to remove Kaspersky-branded products from U.S. systems, and President Trump signed a law instituting a governmentwide ban on all Kaspersky Lab software, citing the company’s close ties to Russian intelligence and requirements under Russian law that can compel Kaspersky to pass information from U.S. systems to the Russian government.
More recently, security experts and government leaders have warned that Chinese-made rail cars and 5G telecommunications products are susceptible to similar risks.