A Biden administration might require even more of private-sector entities than President Trump has on the issue.
The Information Technology Industry Council suggests a Biden administration direct its attention to the Federal Acquisition Security Council in forming comprehensive, uniform supply chain security policy, but that group does not have authority over private-sector activities.
“While we appreciate policymakers’ recognition of the very real challenge of securing federal [information and communications technology] networks and infrastructure, the best way to ensure government stakeholders can nimbly react to and mitigate supply chain threats would be to streamline this confusing patchwork of requirements,” reads a blog post ITI published Tuesday pointing to a “sprawling array of new supply chain-related laws, executive orders, regulations and agency actions.”
ITI said the Federal Acquisition Security Council is in a prime spot to serve in a central role consolidating the government’s approach to supply chain security.
The FASC is an interagency group chaired by the Office of Management and Budget with the authority to develop criteria, facilitate information sharing and recommend removal or exclusion orders to federal departments and agencies. Except with regard to government contractors, those orders would not apply to private sector entities.
But examples of the many supply chain security policies ITI cited for streamlining under the FASC include executive orders that would also limit products and services private entities within the energy and ICT sectors could import from foreign adversaries.
Indications from the Biden team suggest the President-elect’s administration would continue to scrutinize products and services used in critical infrastructure—the vast majority of which is owned and operated by the private sector—with ties to Russia and China, and go even further than President Trump in imposing requirements on private companies.
“As president, Joe Biden will … require companies to develop plans to address potential supply chain disruptions for critical products,” reads the Biden-Harris campaign site. “Biden will work with Congress and direct regulatory agencies to require companies that manufacture, distribute, and use designated critical products in the U.S. to regularly identify potential supply chain vulnerabilities and develop plans for addressing them. Where necessary to protect critical infrastructure and supplies, he will impose targeted restrictions on imports from nations such as China and Russia that pose national security threats.”
ITI’s advice for the Biden administration pointed to its “principles for improved policymaking and enhanced cooperation on national security, technology, and trade.” Those stress the government cooperating robustly with industry.
Former federal Chief Information Security Officer Grant Schneider, now senior director of cybersecurity services at the law firm Venable, was point on developing the rule. He acknowledged the importance of private-sector contribution to the process and identified three elements necessary to make public-private engagement effective.
“When I chaired the FASC I understood the importance of working with industry to ensure government was not missing relevant information which may only be available to industry,” Schneider told Nextgov. “In order to be successful and truly enhance our national security the partnership must meet three criteria; first, it must include supply chain experts from a broad set of industries including technology, telecom, healthcare, financial services, and others, secondly the information sharing must be bi-directional information sharing between industry and government, third, information shared between the government and industry must be adequately protected.”