March 31, 2021

WASHINGTON, D.C. – To ensure the United States is well- positioned to proactively address supply chain risks, global tech trade association ITI issued comprehensive recommendations for how the U.S. government can secure its information and communications technology (ICT) supply chain today.

A recent report authored by the U.S. Government Accountability Office found that none of the 23 agencies it examined had implemented all seven best practices identified by the National Institute of Standards and Technology (NIST) to manage supply chain risks, and more than half of the agencies surveyed had not implemented any of the practices. Several agencies reported that they were waiting on government-wide guidance from the Federal Acquisition Security Council (FASC) before they were prepared to start implementing the practices.

In recommendations to public sector policymakers, ITI advocates that the patchwork of existing supply chain policies be streamlined into a single, risk-based approach led by the FASC. ITI also urges policymakers to reconsider what constitutes a “trusted supplier,” to optimize information sharing policies to incentivize industry participation, to invest in supply chain risk management (SCRM), and to hold individual agencies accountable for their SCRM posture.

“ITI’s recommendations reflect the technology industry’s longstanding commitment to and partnership with the U.S. government to protect supply chains and U.S. national security, while also ensuring government has the innovative products and services to complete its missions,” said Gordon Bitko, ITI’s senior vice president of policy and former CIO of the Federal Bureau of Investigation.

“The recognition from policymakers that malicious actors can exploit and attack ICT supply chains has led to a confusing patchwork of supply chain laws, regulations, executive orders and individual agency actions. The risks posed to the ICT supply chain are complex and constantly evolving. Mitigating these risks requires a coherent, streamlined approach, developed in coordination with industry, that can better secure government and other critical infrastructure systems,” Bitko added.

ITI’s recommendations address five key objectives:

Realigning Government-wide Supply Chain Risk Management Policy Under the Federal Acquisition Security Council:

  • All federal supply chain risk management policy, especially those that seek to exclude or remove a source from government networks, should be streamlined into a single risk-based approach led by the Federal Acquisition Security Council (FASC).
  • The U.S. Department of Homeland Security ICT Supply Chain Risk Management Task Force should be made permanent and designated as the official means for the FASC's required collaboration with industry.

Reimagining What it Means to Be a Trusted Supplier:

  • Country of origin should no longer be the principal supply chain risk consideration and IT acquisition policy should be restructured to allow vendors to proactively demonstrate actions they take to protect their networks and supply chains through enhanced cybersecurity program certifications and product security mechanisms.

Investing in Federal ICT Supply Chain Risk Management:

  • Policymakers should create a formal Program Management Office within the U.S. Office of Management and Budget to manage the FASC’s operations.

Holding Federal Agencies Accountable for Their SCRM Posture:

  • IT spend, including Technology Modernization Fund (TMF) dollars, should be tied to a federal agency's supply chain risk management performance.
  • Agencies’ adherence to SCRM best practices should be imputed into the Federal Information Technology Acquisition Reform Act (FITARA) Scorecard.

Optimizing Information Sharing Processes:

  • Federal personnel should improve transparency for the federal government's use of discovered zero-day security vulnerabilities and the Vulnerabilities Equities Process (VEP).
  • Policymakers should create a bi-directional risk information sharing environment that allows vendors to freely share information without fearing legal repercussions.

See ITI’s full recommendations for public sector policymakers - How the U.S. Government Can Secure its ICT Supply Chain – here.

Public Policy Tags: Supply Chain, Public Sector