New OMB Final Rule Shows the Biden Administration is Taking the Right Approach to Federal IT Supply Chain Security

The Biden Administration, like the Trump Administration before it, has made securing IT supply chains a top priority. In 2021, the new administration released two key executive orders: one focused on supply chain resilience for four critical sectors, and one cybersecurity-focused set of directives that included security requirements for vendors supplying the federal IT infrastructure. But even before President Biden’s inauguration, multiple supply chain related policies were put in place with long-lasting implications: the most impactful of these is the creation of the Federal Acquisition Security Council (FASC).

Established in the bipartisan 2018 SECURE Technology Act, the FASC is an interagency body that serves as a focal point for all federal IT supply chain policy, providing guidance throughout the government and coordinating closely with industry partners. The FASC is also granted an important authority to assess the risk of any potentially problematic IT equipment and, when necessary, recommend its removal from federal networks.

On August 26, 2021, the U.S. Office of Management and Budget (OMB) published a final rule detailing the roles and responsibilities of the FASC. The rule made multiple encouraging changes to the way supply chain policy will be managed that align with recommendations ITI provided in a white paper published earlier this year. Most impactfully, the FASC final rule included language clarifying that even though an IT vendor’s country of origin might be considered as a risk factor, no risk decision will be made solely based on foreign ownership or control. This encouraging change affirms the Biden Administration’s recognition that the IT supply chain risk landscape is vast and complex, and looking only at country of origin is an insufficient and limiting factor to protecting the federal IT supply chain. In fact, the recent COVID-19 crisis has illuminated the importance of having a geographic diversity in supply to reduce the impact of pandemics, natural disasters, and other geography-specific events. When done appropriately, sourcing from non-U.S. countries can benefit U.S. economic security and resiliency.

In addition, the final rule noted that the federal government’s supply chain risk management activities may benefit from greater consistency and coordination, and that the government intends to work towards those goals. This aligns with ITI’s recommendation to streamline the current patchwork of supply chain risk management policies into one holistic, inter-agency approach. In recognition that effective supply chain risk management depends on industry being able to freely share risk information, the final rule also clarifies that the FASC will not release confidential information shared by industry with the public.

As technology products continue to innovate and as the technological marketplace becomes increasingly more globalized, IT supply chain threats will proliferate. ITI strongly supports the FASC and the Biden Administration in carrying out the important work of combatting these threats. Moving forward, we hope that the FASC continues to transparently embrace industry as an equal partner through the publication of procedural documents and the creation of a permanent public-private information sharing mechanism.

Public Policy Tags: Cybersecurity, Public Sector