July 21, 2014

WASHINGTON – In joint comments released today by the Information Technology Alliance for Public Sector (ITAPS) and its parent organization, the Information Technology Industry Council (ITI), the technology sector groups offer several key information and communications technology (ICT) supply chain risk management (SCRM) recommendations to the federal government in line with industry practices. The comments are in response to the second draft of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

With complex supply chains spanning multiple countries, where products and services are developed, made, assembled, and distributed across the world, ITAPS and ITI share the government's interest in ICT SCRM. The comments note the tech sector's deep involvement in establishing successful supply chain security practices to maintain the highest levels of integrity in its products and services, regardless of whether they are sold to commercial or government markets. Reflecting this deep-seated experience, the groups offered key takeaways for policymakers to consider, including:

  • Better explain to agencies the need to focus SCRM on high-impact systems:  "...as NIST is aware, there are inherent risks in all IT systems (just as there is inherent risk in all aspects of business overall) and prioritization of security resources among these systems—including SCRM activities—is essential. The goal should be to focus government and private-sector cybersecurity resources, which are not infinite, where they offer the most benefit for mitigating risk by lowering vulnerabilities, deterring threats, and minimizing the consequences of incidents."
  • Expand narrative promoting a “dialogue” between acquirers and ICT suppliers:  "Ongoing discussions are essential to increase the chances of successful procurements where suppliers can meet agency needs at an appropriate cost (and where agency needs are realistic)."
  • Use industry SCRM practices:  "We remain concerned the agencies’ acquirers and program managers do not and will not have the necessary expertise in how suppliers manage and secure their supply chains to know which SCRM controls are and are not effective, feasible, and/or cost-prohibitive."
  • Streamline the size of the SP: "In general, the volume of information is still arduous and presented with an unnecessary level of complexity."
  • Vendor notice of denial/non-compliance and appeal: "...particularly for ongoing SCRM policy compliance issues, we suggest another mechanism be put in place to ensure that a disqualified supplier can know why they are excluded from consideration and has a process to appeal."
  • GSA training guidance: "[once] finalized...GSA will need to train contracting officers on how to use it...ITAPS and ITI companies would be pleased to contribute our knowledge and lessons learned to the government’s efforts so that we can all benefit from ICT SCRM."

The NIST SP seeks to provide guidance to U.S. federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations by showing agencies how to incorporate SCRM into their existing risk management activities.


About ITAPS. ITAPS, a division of the Information Technology Industry Council (ITI), is an alliance of leading technology companies building and integrating the latest innovative technologies for the public sector market. With a focus on the federal, state, and local levels of government, as well as on educational institutions, ITAPS advocates for improved procurement policies and practices, while identifying business development opportunities and sharing market intelligence with our industry participants. Visit itaps.itic.org to learn more. Follow us on Twitter @ITAlliancePS.

About ITI.  ITI is the premier advocacy and policy organization for the world’s leading innovation companies. ITI navigates the relationships between policymakers, companies, and non-governmental organizations, providing creative solutions that advance the development and use of technology around the world. Visit itic.org to learn more. Follow us on Twitter @ITI_TechTweets.
