WASHINGTON – Today, in the aftermath of national security issues surrounding the use of Kaspersky and ZTE products, Senators Claire McCaskill (D-Mo.) and James Lankford (R-Okla.) introduced a bipartisan bill to ensure government agencies consider the supply chain risks to national security and the public interest when buying information technology (IT). The legislation would establish a Council to equip the government with the policies and processes for sharing information and evaluating supply chain risks earlier in the IT purchasing cycle. The measure would also provide the government with critical authorities to mitigate threats when they are discovered.
For years, the Intelligence Community was aware of the risk that Kaspersky Labs antivirus products posed to national security, but that information was not widely shared with other government agencies. The bill raises awareness across the government by breaking down silos between national security and civilian agencies, and requires them to develop a strategy together that confronts supply chain risk management in government purchasing of IT.
“Cybersecurity is a 21st century problem we’re still trying to tackle with 20th century solutions—and that simply can’t happen in an area that affects the lives and livelihoods of all Americans,” said McCaskill, the top Democrat on the Senate Homeland Security and Governmental Affairs Committee and senior member of the Armed Services Committee. “We can’t simply respond to supply chain threats piecemeal, we’ve got to have a system in place to assess these risks across the government, and that’s what this bipartisan bill does.”
“The nation continues to work to protect our cybersecurity, and we need to have a system in place that will allow us to address risks before they become an issue nationwide,” said Lankford. “This bipartisan bill will help to clarify each government agency’s role and responsibility and protect the federal government from IT security threats through strengthening supply chain risk management. The government needs to continue to work toward strengthening cybersecurity vulnerabilities and this bill will help move us in the right direction.”
The Federal Acquisition Supply Chain Security Act (FASCSA) of 2018 creates a government-wide approach to addressing the problem of supply chain security in federal acquisitions by establishing a Federal Acquisition Security Council to develop the policies and processes for agencies to use when purchasing information technology. The legislation bridges the information gap between the Intelligence Community, the Department of Defense, and the rest of the government on technology vulnerabilities and characteristics that could jeopardize our national security. FASCSA arms the heads of civilian agencies with vital information earlier in the purchasing process so they can make informed decisions based on clear standards for risk tolerance, and it requires greater accountability and transparency in the process.
The bill includes provisions that would:
- Establish a Federal Acquisition Security Council that brings together key federal agencies to share information and build the policies and procedures to mitigate supply chain security threats from IT purchases;
- Mandate the development of criteria for assessing the supply chain risk posed by vulnerabilities in and characteristics of IT products and services;
- Require the Council to consult with the private sector on the development of policies and processes for conducting supply chain risk assessments;
- Require a government-wide strategy to address supply chain security;
- Require each agency to conduct risk assessments of existing IT products that pose the greatest threat, and of new IT products and services before buying them;
- Mandate risk assessments of IT products before they are made available for government-wide purchase; and
- Grant agencies the authority to mitigate threats to IT acquisitions for reasons of national security and threats to the public interest.