Supply chain security threats will receive more direct attention in 2020, culminating with guidance from the newly-created Federal Acquisition Supply Chain Council, according to the federal government’s top cyber official.
The council, created in late 2018 under the SECURE Technologies Act, is comprised of various high-level officials from the intelligence community, civilian agencies and the Pentagon, and charged with collecting supply chain threat data from agencies and providing them guidance in addressing such threats.
Speaking Tuesday at an event hosted by Nextgov and Defense One, Federal Chief Information Security Officer Grant Schneider previewed what to expect from the council—which he chairs—in the coming year. Chief among them, Schneider said, is providing guidance to federal agencies legally obligated to create supply chain risk management programs.
“The law says each agency needs a program and we need to give them guidance,” Schneider said. “We need to figure out what information we need to collect around supply chain risk management and where to have that information shared from.”
Schneider added that is it “getting harder and harder in the global economy to understand” where the components in IT systems come from. Agencies must grapple with “what’s inside the box, who built it, what was their intent,” and whether a nation-state actor could exert control over it.
To provide agencies better guidance in composing supply chain risk management programs, Schneider said the council aims to improve how agencies share information.
“We need to figure out what information we need to collect around supply chain risk management and where to have that information shared from,” Schneider said.
He added that the council is in the process of determining which agency will take the lead on information sharing. That agency will become the key repository in collecting data from agencies and sharing it back to other agencies and the private sector. Having all that information is one place, Schneider said, ensures the council has “good insight” as it develops guidance to send back to government agencies.
“If an agency decides not to buy something for really good reasons, we need to make sure we understand those reasons and we know what risk we’re accepting elsewhere in the supply chain,” Schneider said.