Getting Supply Chain Risk Management Right in Federal Procurement
The Senate Appropriations Committee released legislative language today to fund the Commerce, Justice, and Science (CJS) agencies in fiscal year (FY) 2015. Among its numerous provisions is the committee’s version of a new Section 515 that embodies the requirements the CJS agencies must take to factor in supply chain risks when procuring information technology (IT) systems.
We applaud the important changes in this Senate proposal, which was approved last Thursday by the full appropriations committee, and prefer it to the enacted version of Section 515 that was included in the January 2014 Omnibus Appropriations bill (P.L. 113-76). That version -- an improvement over yet another prior law, Section 516 -- did not quite shed a troubling reference to added scrutiny of goods and services connected specifically to China. Product security is a function of how, not where, a product is made. The most effective way to address cybersecurity is holistic and risk-based -- and allows federal cybersecurity resources to be put where they are most needed. Further, these previously enacted provisions put the U.S. tech sector at a disadvantage overseas, compromising U.S. economic security and job stability in the sector, as some foreign governments have used this “country-of-origin” discrimination to justify their own actions to keep U.S.-based companies out of their markets.
We are pleased Senate appropriators are taking a significant step by removing the reference to China, and we welcome the narrowing to only “high-impact” IT systems for which the bill’s additional scrutiny is required. High-impact IT systems are, by definition, those most critical to agency missions, and those for which heightened risk management practices are needed. According to GSA, approximately 20% of federal systems are classified as high-impact. Including moderate-impact systems, as the FY 2014 language did, subjects too many systems to unwarranted scrutiny. High-impact systems are more critical, and focusing on them will enable the affected federal agencies to stay ahead of the security innovation curve in the acquisition process.
As the House and Senate begin their work to come to agreement on language for the final bill, we urge both chambers to work from the Senate version and add some important additional tweaks. We urge them to insert language requiring notification to the affected IT vendor if a risk determination is made about its products. In some cases, the intelligence upon which this determination is based may be faulty and effectively rebutted by the vendor. In other cases, the vendor may be able to effectively mitigate the risk, which may benefit the market generally. Further, the bill should direct agencies to implement the requirements consistently. To date, U.S. IT vendors have experienced a variety of contracting and procurement delays, costing millions of dollars and hours in compliance costs, as the CJS agencies have struggled with implementing Sections 515 and 516 due to the broad nature of those provisions. Finally, the bill should include emergency waiver authority. Current language does not provide any flexibility for an agency to continue mission critical operations that depend on essential IT infrastructure. For instance, if a critical component malfunctions and needs immediate replacement, there is no ability to rapidly source that component under this language.
ITI again thanks the Senate for its leadership on this important issue and for advocating for risk-based, rather than geography-based, approaches to manage risk in the cybersecurity arena. We look forward to working with both chambers to ensure the CJS agencies are able to acquire the most secure, up-to-date IT systems and equipment in a timely manner.
Pam Walker, Senior Director of Homeland Security, ITAPS, contributed to this blog.