Inside Cybersecurity

DHS supply-chain task force has drafted guidelines for 'approved and trusted' products

By Rick Weber / May 10, 2019

The Department of Homeland Security's task force on securing the communications and information technology supply chain has drafted guidelines for purchasing products from “trusted and approved” vendors, according to officials at a MITRE Corp. meeting on Thursday.

The draft guidelines were developed by task force “working group four” on incentivizing purchases of non-counterfeit products, according to participants at the MITRE meeting involved with the DHS effort.

The draft four-page guidance document is one of the first “work products” by the task force and will be reviewed at the task force's next meeting slated for mid-June, according to officials at the MITRE meeting.

Members of the DHS task force and working groups updated participants at the MITRE meeting, which was conducted under the Chatham House Rule. The presentation was part of the MITRE “software and supply chain assurance” meeting at the company's McLean, VA offices on May 8-9.

The draft guidelines recommend the development of a trusted and approved list of suppliers similar to a program managed by NASA, according to officials at the meeting. The draft also includes a section on how department heads and chief information security officers can approve a purchase from a non-trusted supplier to meet a specific need that cannot be accommodated by the approved list.

These provisions are needed, for example, to ensure an adequate supply of products and services particularly when an original supplier has transitioned out of the market or no longer produces a certain item.

Overall, the DHS task force working groups are completing the initial phase of their “work streams,” according to the presenters at the MITRE meeting.

For instance, the working group on information sharing asked its members what information they need to secure their supply chains, and has received responses. The group is now going through those responses to see if that type of information exists, and what type of legal or other obstacles might exist for sharing that information, according to officials at the meeting.

The working group on threats has compiled a list of about 200 threats based on input from its 100-plus membership, and is winnowing down that list as an “interim project” that is expected to be completed by July or August and possibly shared with Congress, according to officials at the meeting.

Participants said the DHS task force is expected to be the primary track for industry input to a new Federal Acquisition Security Council mandated by the SECURE Technology Act signed into law late last year. The status of the acquisition council was the focus of discussions kicking off the MITRE meeting on Wednesday.

The DHS task force includes 20 representatives from each sector of communications, information technology and government. The industry and government leaders of the task force met last month in New York City and stressed the mutually supportive nature of the working groups' efforts, which was also discussed at the MITRE meeting.

Robert Mayer, U.S. Telecom Association's senior vice president for cybersecurity and a co-chair of the task force, said in New York: “We're trying to understand how one set of information can inform another, so for example, the threat evaluation group is going through a large number of cyber supply-chain threats right now.”

“That's being organized in a way that captures the key threats and the actors, but that will also be a basis for identifying the priorities around information sharing,” he said, “and then that will drive some analysis around what the current state of the law is with respect to information sharing.”

Mayer spoke during a media roundtable on April 24 with fellow co-chairs Bob Kolasky, director of DHS' National Risk Management Center, and John Miller, vice president of policy and senior counsel for the Information Technology Industry Council. – Rick Weber (rweber@iwpnews.com)