Agencies Seek Comments on Supply Chain Security of Critical Software

The Commerce and Homeland Security departments want details about the information and communications technology industry’s cybersecurity practices and gaps in manufacturing.

The departments of Commerce and Homeland Security are seeking comments on cybersecurity design details to incorporate into a report on the supply chain for information and communications technology, a report required by executive order.

Stakeholders can submit comments over the next 45 days, according to a notice Commerce’s Bureau of Industry and Security published in the Federal Register Monday.

Executive Order 14017, issued Feb. 24, instructed the secretaries of Commerce and Homeland Security to publish within a year a report that identifies the critical sectors and subsectors of information and communications technology and assesses the state of their supply chains.

“For the purposes of this report,” the notice reads, “the scope of the ICT industrial base shall consist of hardware that enables terrestrial distribution, broadcast/wireless transport, satellite support, data storage to include data center and cloud technologies, and end user devices including home devices such as routers, antennae, and receivers, and mobile devices; ‘critical’ software (as defined by the National Institute of Standards and Technology in relation to Executive Order 14028); and services that have direct dependencies on one or more of the enabling hardware.”

The broad February order was issued as the administration also sought to address supply chain resilience across the economy, including for pharmaceutical and health care supplies in the wake of COVID-19. The “critical software” provisions of Executive Order 14028, issued May 12, were focused exclusively on cybersecurity and followed the supply chain attack on SolarWinds, a government contractor.

The areas highlighted for comment in Monday’s Federal Register notice track closely with those identified in the executive order and relate to cross-cutting supply chain concerns. Commenters should address “gaps in domestic manufacturing capabilities, including nonexistent, extinct, threatened, or single-point-of-failure capabilities,” for example. But the notice suggests officials also want to go much deeper on issues specific to information and communications technology.

Stakeholders are encouraged to comment on the “resilience and capacity of American manufacturing supply chains, including ICT design, manufacturing, and distribution, and the industrial base—whether civilian or defense—of the United States to support national and economic security, information security, emergency preparedness” and on the “information and cybersecurity practices and standards of the ICT sector,” according to the notice.

Officials also asked stakeholders to flag, for coordination purposes, any activities that could duplicate work already under way under the February executive order.

One body that has been working to scrutinize supply chain security for the information and communications technology sector more comprehensively is the Federal Acquisition Security Council. A final rule implementing the FASC was issued Aug. 26.