WASHINGTON, DC – U.S. Senators Gary Peters (D-MI) and Ron Johnson (R-WI), Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, and U.S. Senators Ron Wyden (D-OR) and Tom Cotton (R-AR), members of the Senate Select Committee on Intelligence, are calling for stronger coordination of supply chain risk management for information and communications equipment across the federal government. In a letter, the Senators pressed the Federal Acquisition Security Council (FASC) to develop a strategic information sharing plan to bolster national security and better protect U.S. government systems in the Executive branch, Congress and the Judicial branch.
“Both Congress and the Executive branch have devoted considerable time identifying ways to enhance the supply chain security of information and communications technology (ICT) on U.S. government systems,” the Senators wrote. “The government must ensure that information used to secure executive agency computer systems and networks is shared with ICT professionals in Congress and the Judiciary.”
Last year, President Trump signed into law new legislation establishing the Federal Acquisition Security Council (FASC) with the goal of reducing federal supply chain risks by creating a “combined information-sharing environment” for individual agencies. FASC is also responsible for facilitating information sharing within the federal government, including between the Intelligence Community and federal employees who make purchasing decisions on behalf of civilian agencies. The Senators noted that Congress and the Judiciary have neither the resources nor expertise to replicate this risk management work, leaving both branches at risk of introducing insecure information and communications technology which could be vulnerable to national security threats. Congress has previously been the target of cyber-attacks by foreign adversaries, and computer systems and technology across the federal government are vulnerable to attempted intrusions by foreign adversaries.
The text of the letter is copied below and available here:
We write urging the Federal Acquisition Security Council (FASC) to develop a strategic plan for sharing supply chain security information with Congress and the judiciary to better protect U.S. government systems and enhance our national security. Both Congress and the Executive branch have devoted considerable time identifying ways to enhance the supply chain security of information and communications technology (ICT) on U.S. government systems. As a result, the U.S. has started putting mechanisms in place to improve supply chain risk management (SCRM), primarily as it relates to executive agencies. That work is vitally important, but executive agency solutions do not always mean whole of government solutions. The government must ensure that information used to secure executive agency computer systems and networks is shared with ICT professionals in Congress and the judiciary.
Last Congress, President Trump signed into law a measure creating the FASC. The FASC is responsible for identifying and recommending supply chain risk management standards, guidelines, and practices for “executive agencies, other Federal entities, and non-Federal entities with respect to supply chain risk.” Specifically, the FASC is charged with facilitating information sharing within the federal government. As the Intelligence Community (IC) analyzes the ICT SCRM threats and shares that information, through the FASC, with civilian agencies making security and acquisition decisions, it is important that this information also be provided to the other two branches of government.
Neither Congress nor the judiciary has the resources, expertise, or mission to replicate the IC’s SCRM work, meaning that the comprehensive “whole of government” approach the FASC was intended to achieve will likely only benefit one branch of the federal government. This leaves Congress and the courts at risk of introducing insecure ICT that is vulnerable to the national security threats assessed by the IC and FASC.
The threat is not hypothetical. Americans may accept the principle of the separation of branches of government, but our adversaries don’t abide by that principle. The 2018 National Cyber Strategy notes that “adversaries have increased the frequency and sophistication of their malicious cyber activities.” For the past three years, the U.S. Courts Information Systems and Cybersecurity Annual Report has highlighted the need to “counter a range of threats posed by hacking, computer viruses, and other malicious acts.” A recent Center for Strategic and International Studies report on Russian targeting of the judiciary’s system notes, “[t]here is an immediate need to expand both the content and the reach of threat awareness among practitioners in the justice system so that they are cognizant of the threat and can be ready to respond.”
Adversaries abroad have similarly targeted Congress, most recently documented in a number of attempted hacks of Senate offices. This threat goes back over a decade, with one notable incident in 2008 impacting a number of Congressional computers. These adversaries are likely using every tool at their disposal to compromise the ICT used every day by Congressional offices, committees, and staff.
Congress created the FASC to advance a critical information-sharing mission that includes identifying criteria for sharing information with both federal agencies and non-federal entities. To ensure that the federal government maintains a true whole-of-government SCRM policy in line with Congressional intent, we urge the FASC to develop a strategic plan that will specifically incorporate information sharing with the judiciary and Congress. As such, we request that FASC provide information to the Senate Sergeant at Arms, the House of Representatives Chief Information Officer, and their appropriate counterparts in the Judiciary that includes, but is not limited to, threat briefings on ICT.
Thank you for your attention to this serious matter. We look forward to receiving a written response detailing how FASC will implement its new strategic plan by October 23, 2019.