But the group has yet to offer many concrete policies to keep agencies from falling victim.
The Cybersecurity and Infrastructure Security Agency recently published a list of recommendations for fighting the growing array of threats to the government’s tech supply chain. But the guidance focuses more on future efforts than concrete policies.
In a report released last week, the agency summarized the findings of its Information and Communications Technology Supply Chain Risk Management Task Force, a group of agency and industry experts created last year to help the government steer clear of compromised tech and telecom products. The task force was divided into four working groups focused on different facets of risk management: information sharing, threat evaluation, qualified bidder and manufacturer lists, and procurement policy.
The guidance comes as the government looks to find more scalable and sustainable strategies to keep nefarious actors from doing business with federal agencies or their contractors.
In the report, the task force said it identified multiple legal and policy barriers that kept industry and government from adequately sharing supply chain threat information. Information about potential bad actors and their associated threats is essential to locking down the supply chain, but disclosing that information may leave organizations in legal hot water, the group said.
And even information that’s publicly available can sometimes be difficult to obtain, they added. Going forward, the task force plans to examine the obstacles to information sharing and develop specific policy recommendations to lower those barriers.
“The result of these legal considerations could set forth the guidelines for addressing the process, operational and financial barriers that restrict effective implementation,” they wrote in the report.
The task force also cataloged dozens of supply chain-related threats that agencies face today, including counterfeit parts, cyber vulnerabilities and economic risks. Though the inventory can’t be released due to “its sensitive nature,” a CISA official told Nextgov it includes approximately 190 different threats.
Federal leaders could use that information to evaluate their security posture and model future threat scenarios, ultimately leading to more “risk-informed decision[s],” the task force said.
In the report, the task force detailed 11 factors agencies should consider when determining whether to use a qualified bidder or manufacturer list. The group also reiterated its recommendation that federal agencies only purchase products from “original manufacturers or their authorized resellers.”
Going forward, the task force intends to develop more actionable strategies the government can use to evaluate supply chain risk from different vendors, as well as standardized methods for vendors to market their supply chain risk management practices.
“The task force looks forward to continuing the momentum into year two ... and make advancements on capabilities needed to enhance the ability for organizations to reduce risk to their supply chains,” Bob Kolasky, assistant director of CISA’s National Risk Management Center and co-chair of the task force, said in a statement.