The Government Accountability Office told lawmakers enforcement, through expanded reporting, of agencies’ supply chain security activity is “the thing that has to happen.”
The National Institute of Standards and Technology will first take stock of work they’ve already done and may not ultimately develop new standards to meet its obligations under an executive order issued in May responding to a string of major breaches into federal and critical infrastructure networks.
“Our preliminary look at fulfilling the requirements within the executive order will be to identify existing guidance or even specifics within existing guidance that we can call out and consolidate for use by the agencies,” said Matthew Scholl, chief of the Computer Security Division at NIST’s Information Technology Laboratory. “We want to identify and cite work that exists, rather than create new work.”
Scholl testified before House Science Committee panels Tuesday along with Vijay D’Souza, director of information technology and cybersecurity at the Government Accountability Office, on how the government can improve software supply chains. The issue is at the fore following the SolarWinds compromise which had cascading impacts, including for federal agencies, as hackers were able to distribute malware disguised as a legitimate software update coming from the commonly used IT management company.
Rep. Jay Obernolte, R-Calif., ranking member of Science’s Subcommittee on Investigations and Oversight, noted that the May 12 executive order instructs NIST to either identify or develop standards and best practices to inform guidance for agencies going forward. He asked Scholl which of the two NIST is leaning toward.
Scholl said after conducting an inventory of current publications, “we will work with both our industry and our interagency partners to see if there are any critical gap areas in that existing work, and then that will form the nucleus for any new created items that we'll have to make. The timelines are short for getting out our initial deliverables, and so that is going to be our approach.”
Rep. Haley Stevens, D-Mich., chair of the committee’s panel on research and technology, was concerned NIST would be overextended given its new responsibilities under the executive order and the agency’s allotted funding. She also cited GAO reports noting agencies’ failure to execute guidance NIST has already issued for securing their supply chains.
“NIST’s entire cybersecurity and privacy portfolio was funded at only $78 million in last year’s budget. I worry that we are increasingly asking NIST’s experts to do exponentially more work, more quickly, with inadequate resources,” Stevens said. “Moreover, GAO has found that federal agencies are not adopting the guidance already on the books to deal with software supply chain threats. Additional guidance may be necessary, but we must also ensure agencies prioritize implementation of the guidance that already exists, and provide adequate resources for them to do so.”
GAO’s D’Souza essentially agreed with this. Elaborating on parts of a report the government watchdog made public in December, fresh off the SolarWinds hack, he said NIST guidance on supply chain security has been around since 2015 and that the Office of Management and Budget had directed agencies to begin thinking about the issue since at least 2016.
GAO audited 23 agencies against seven best practices it identified from NIST’s work on oversight, identification and documentation of risks. None had implemented all of the foundational practices, and 14 hadn’t implemented any of them. The agencies told GAO they were awaiting further guidance.
“To be fair,” D’Souza said, “it's important to note that there are a lot of federal activities underway.”
NIST is currently updating its work and hopes to reissue it in 2022, and there’s a task force at the Cybersecurity and Infrastructure Security Agency working on information sharing and product vetting procedures, he said. And most importantly, agencies are waiting on clarity on all this from the Federal Acquisition Security Council. That interagency group, chaired by OMB, issued an interim rule last August but hasn’t taken any action since, D’Souza said.
Responding to a question about whether there are any consequences for agencies not following supply chain security guidance, D’Souza said the FASC—which will have the power to recommend banning the federal government from using risky IT products—will be instrumental.
“It's really the FASC ... that is going to have sort of the enforcement ability here, and they have not done a lot in this area,” he said. “They issued a strategic plan, they issued an interim rule, but more needs to be done there.”
D’Souza was also sympathetic to agencies being pulled in different directions, especially without reporting mechanisms to force their attention to supply chain security, which he said is now obviously important to address “right away” in light of the SolarWinds event. Inspectors general who conduct audits in accordance with the Federal Information Security Modernization Act did add one metric about supply chain management to their rubric after the hacking campaign, but they and OMB should update their annual reporting requirements to include the area, he said.
“Agencies always face more things to do than they have time for, so they have to make a decision about what are they going to devote the most time to,” he said. “But if the status of their supply chain security programs is routinely reported on and measured by Congress and measured by OMB, and there's more transparency around these issues, I think that they will make progress in these areas. I think that's basically the thing that has to happen.”