Procurement plays into U.S. counterintel strategy

Educating industry and federal procurement workers on the basics of cyber threats is part of a holistic supply chain security strategy, said the head ODNI's National Counterintelligence and Security Center.

cybersecurity (vs148/

Injecting more security knowledge into both commercial and agency procurement processes can take some of the sting out of protecting the supply chain, according to Bill Evanina, director of Office of the Director of National Intelligence's National Counterintelligence and Security Center.

"The awareness of the supply chain threat is not new, but we haven't felt the pain yet. I don't want to get to a place where we have a cyber 9/11 or the heat goes off in major cities," he said.

Great cybersecurity tools, Evanina said, reside in industry. "The government has to be more open to take off-the shelf and use it in government" effectively and securely, he said. "We're not there yet."

Agency contracting employees, as well as industry contractors, he said, should be aware of who is handling solicitations, what website a solicitation is on and who is looking at it. "People that procure aren't part of the protection apparatus" meant to secure federal agencies' operations, he said. Procurement workers should have training to understand that, he said.

"If you train every procurement officer for at least an hour a year on the basic threats that are out there and how you as a procurement official can protect your company, your organization, we will be light years ahead of where we are now," Evanina said.

Federal agencies could get some help addressing supply chain security issues from the commercial side. The National Counterintelligence Strategy, set to be released on Feb. 10, will foster a broader, more inclusive approach to fighting cyberattacks, but it also looks at some tactics in that fight, including secure procurement practices.

Supply chain security is "pretty scary," Shaun Khalfan, vice president and chief information security officer at Freddie Mac, said in his remarks at the conference. The layer of suppliers involved in technology systems is increasingly deep, he said. Freddie Mac partners with companies that do detailed analysis of their own supply chains and conducts continuous assessments of its biggest vendors, according to Khalfan.

The Bureau of Alcohol, Tobacco, Firearms and Explosives works through the Department of Justice's supply chain and procurement risk operation, said Mason McDaniel, the agency's CTO. Products that come into the agency, he said, are checked for security and supply chain vulnerabilities. That research, he said, can add costs to products, however. "It can drive some people nuts," he said.