New rules and procedures around the operations of the Federal Acquisition Security Council are raising concerns among supply chain attorneys and experts on how information on removal and exclusion orders will be collected and who will have access to sensitive data.
The Office of Management and Budget published an interim final rule this week detailing the operations, processes and decision-making procedures for the FASC, a new executive branch interagency organization designated by law to evaluate supply chain risk and potentially order removal of suspect products from government networks.
“The FASC has a tremendous amount of discretion on how they can collect information internally, through contractors and from nonfederal entities,” said attorney Susan Cassidy, a partner at Covington who specializes in government contracting law. “It is unclear to me how broadly that information can be shared within government and some of the limitations on when it can be shared with contractors.”
Inside Cybersecurity spoke with attorneys and experts who are advising government contractors, suppliers, manufacturers and integrators on the FASC rule and other recent federal developments including the implementation of Section 889 of the fiscal 2019 National Defense Authorization Act, restrictions through the Bureau of Industry and Security’s Entity List and an upcoming rule with the potential to unwind government contracts from the Commerce Department.
“The FASC rule ties together the initial requirements in Section 889 of the NDAA, broader cybersecurity risk factors for supply chain overall and issues related to the ICT executive order with the ultimate goal of putting together all of these different programs and mandates in one place to help the federal government assess cyber risk to itself from any government contractor that meets the factors defined in the FASC,” Norma Krayem, vice president of Van Scoyoc Associates, said.
The rule sets up the Department of Homeland Security, acting through the Cybersecurity and Infrastructure Security Agency, as the FASC’s Information Sharing Agency that will “standardize processes and procedures for submission and dissemination of supply chain information, and will facilitate the operations of a Supply Chain Risk Management (SCRM) Task Force under the FASC,” according to an OMB notice published Tuesday in the Federal Register.
Krayem said tasking DHS with centralizing and “pulling together cyber threat indicators that relate to specific companies” for the FASC “makes sense based on all of the work that DHS and CISA have been doing across industry on the cybersecurity risk structure, ICT working groups and information sharing overall.”
However, Cassidy said the FASC will have a “tremendous amount of discretion over what information to disclose as the basis for their decisions,” which in turn could impact how companies are able to submit appeals to their orders.
The FASC should look to supply chain risk management regulations set up by the Defense Department and Director of National Intelligence as models for how the council should operate, Cassidy said.
“We have seen DOD and IC show a willingness to help companies fix things,” Cassidy said. “If the government sees the FASC as a way to effectuate change and address the concerns that they have on supply chain risk, this could be a useful process. If it is used as a means to just exclude companies without giving them meaningful ability to correct their concerns, FASC will be a less effective measure.”
Defining supply chain risk
The implementation of the FASC will “unquestionably affect federal opportunities of thousands of companies,” according to contracting attorney Robert Metzger, co-chair of Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group.
The rule does not “set up standards or practices for supply chain security,” Metzger said, which are necessary to prevent companies from getting “excluded entirely from procurement” with the federal government.
Metzger said, “There’s nothing in the rule that says to look at NIST 800-161 or what it means to have good supply chain risk management practices in place. It’s all about federal agencies and this process and outcomes are all about protecting federal agencies from the inclusion of covered items and the things that we care about.”
While the rule outlines 14 ways that the FASC will evaluate supply chain risk, Metzger said there is potential for the council to explore “any number of parts, components, systems, software and solutions where it isn’t going to be so clear that there are bad guys” or what companies have put in place to mitigate threats.
Learning from past approaches
For telecoms and technology companies, Wiley Rein partner Megan Brown said federal actions against Huawei and ZTE have shown how government has responded reactively to threats. FASC’s approach to supply chain security “doesn’t operate in a way that a lot of regulated entities are familiar with,” which Brown said is creating a challenge for companies to “figure out what to do to comply” and how the council will fit in with other federal efforts.
“There is the potential for duplication and having too many places for the average company to have to check to determine if they are doing business with companies that the United States government finds problematic,” Brown said, referencing the Section 889 ban and BIS Entity List as “rough proxies.”
Contractors need to have some level of “predictability,” Brown said, because they “don’t have a whole giant staff to track all of these developments. That’s my biggest concern: how can a company feel comfortable that they are doing the right things and not doing business that within six to 10 months the federal government is going to have a problem with, and then they are stuck figuring out what to do.”
John Miller, senior vice president for policy and senior counsel at the Information Technology Industry Council, said: “ITI is committed to aiding the U.S. government’s important work of securing the ICT supply chain, and welcomes OMB’s release of the interim final rule detailing how the Federal Acquisition Security Council (FASC) will operate. We appreciate that the rule closely follows statutory procedures for sharing information and removing problematic technology from government networks. While ITI strongly supports the establishment of a government-wide, risk-based process for mitigating supply chain threats, the rule needs to establish a better process for coordination between the government and industry when defining the FASC’s standard operating procedures and making exclusion recommendations. Doing so will enable the U.S. government to draw upon industry’s intimate understanding of supply chain risks.” -- Sara Friedman