The newly established Federal Acquisition Security Council is just beginning its work with the development of a “charter” and strategy for securing the government's supply chain, which will look beyond the risks posed by China, according to government and industry officials at a meeting hosted by MITRE Corp. today.
“I think the issue is beyond China in developing a longer-term strategy,” said an official involved with the council, adding the group's strategy is expected to be sent to Congress by early September, as required by the SECURE Technology Act signed into law late last year.
The council has held its first meeting and has formed a working group to develop the charter for the interagency entity and a subsequent strategy that will include identifying criteria and methodologies for sharing information about supply-chain vulnerabilities both inside and outside government, according to the official.
The discussion about the acquisition council kicked off the two-day meeting hosted by MITRE at its McLean, VA offices, which was conducted under the Chatham House Rule.
The council is expected to coordinate its efforts with other federal initiatives including a Department of Homeland Security task force on securing communications and information technology systems and a Defense Department task force for protecting critical technology.
The launch of the group comes amid heightened concern over, and attention to, the cybersecurity risks from China as trade negotiations with Beijing may be hitting an end point -- and negotiators reportedly have dropped the issue of cyber protections for intellectual property from these talks. Yet the threat from China was highlighted last week by an annual report from DOD on the military capabilities of China, which includes a section on Beijing's cyber ambitions and aggressions.
The threat from China will be a part of but not the focus of the federal acquisition council, according to the discussion at the MITRE meeting. An official pointed out that the government's ban on Kaspersky Lab products was focused on the threat from Russia -- a move by DHS in 2017 under its rarely used “binding operational directive” authority.
With regards to China, the “flip side of that is what if I don't have any other options,” said the official in response to a question about the council's intentions for responding to the cyber threats from China. The official said the council's work will be “broader than that,” while adding “we don't want to buy crappy stuff.”
The official said the council will look at both “sides of the issue” to ensure adequate suppliers, while acknowledging the federal system may have to use components that are not trusted. “The trick is, how do you limit your reliance” on those untrusted elements.
The council will be working to promote “shared services” as required by the law to help smaller agencies secure their systems by allowing them to leverage the work and experience of larger agencies such as DHS and DOD. The new law also provides legal protections for “classified” information relied on by the government for excluding services and products based on security concerns -- an issue that was discussed at the MITRE meeting.
The council will eventually publish interim regulations in the Federal Register.
The interagency acquisitions council which is being manged by the White House Office of Management includes representatives from the Office of the Director of National Intelligence, DHS, DOD, the General Services Administration, and the departments of Commerce and Justice. -- Rick Weber (rweber@iwpnews.com)