A new rule from the Office of Management and Budget looks to open up the process for deciding who should and shouldn’t be supplying the federal government with technology based on threats to national security.
OMB laid out procedures and criteria for the evaluation of supply chain risk information that could result in orders that federal agencies remove or exclude certain products from their acquisitions.
The details are included in an interim final rule set to be published in the Federal Register on Tuesday, which will be open to public comment for the following 60 days.
Under the SECURE Technologies Act, signed into law at the end of 2018, the Federal Acquisition Security Council, an interagency group chaired by a senior OMB official, has the power to recommend the removal or exclusion from the federal government of information and communications technology that the council determines presents an unacceptable threat to critical infrastructure.
The council includes representation from the General Services Administration, Homeland Security Department, the Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence, the National Counterintelligence and Security Center, the Justice Department, the FBI, the Defense Department, the National Security Agency, the Commerce Department, the National Institute of Standards and Technology, and “any other executive agency, or agency component, as determined by the chairperson of the FASC.”
The secretaries of DHS and DOD, as well as the DNI, would issue any recommended orders for their respective jurisdictions.
“Initiation of the process can begin either by referral of the FASC or any member of the FASC; upon the written request of any U.S. government body; or based on information submitted to the FASC by any individual or non-federal entity that the FASC determines to be credible,” reads the interim final rule, submitted by former Federal Chief Information Security Officer Grant Schneider.
Schneider served as the first chair of the FASC but has since left government for the private sector.
At the end of 2017, Kaspersky Labs sued the government over a binding operational directive from DHS that instructed federal agencies to remove the company’s software from their systems without—Kaspersky argued—providing any due process.
FASC procedures would require the group to notify targeted entities of a recommended removal or exclusion order and allow for a response and possible mitigations that could lead to a rescission of the recommendation.
The FASC will also do its due diligence in evaluating recommendations, the rule said, and provide summaries of its assessments and decisions to the targeted source. According to the interim final rule, the FASC will rely on the technical expertise of an interdisciplinary supply chain risk management task force to be established at CISA.
The interim final rule identifies foreign control or influence over the source as one kind of supply chain risk information that might be submitted for consideration, but it also lists much broader criteria.
Implications for national security, homeland security, and/or national critical functions associated with use of the covered source; the vulnerability of federal systems, programs, or facilities; and the market alternatives to the covered source were also listed as legitimate reasons for requesting removal or exclusion.
“The request shall include all necessary information for the issuing official to review and evaluate the request, including alternative mitigations to the risks addressed by the order and the ability of an agency to fulfill its mission critical functions,” the rule reads.
Agencies will be able to request waivers, either for more time to comply or for complete exemption from orders, based on national security reasons, according to the interim final rule.