In January 2021, Joe Biden will assume the responsibilities of the U.S. Commander-in-chief. Among the many national security challenges the new administration will face is the rapid proliferation of threats to the information and communications technology (ICT) supply chain, which can lead to costly IP theft and erode the United States’ worldwide technological influence to the benefit of its adversaries. As a candidate, President-elect Biden had an eye on the issue, vowing to “institute an ongoing, comprehensive government-wide process to monitor supply chain vulnerabilities, designate vital products where the U.S. needs to address supply chain vulnerabilities, and immediately close identified gaps.” However, the Biden-Harris Administration can’t effectively address this mission alone—the incoming administration should draw significantly upon the tech industry’s subject matter expertise when devising a proactive supply chain strategy.
Supply chain security is an important, interconnected factor contributing to America’s overall national security, which depends on factors like technological innovation and leadership, international competitiveness, economic stability, and information sharing. Earlier this year, ITI published a set of National Security Principles to help stakeholders think about national security holistically, advocating in favor of policies that address a discrete risk, protect economic openness, and promote public-private cooperation. However, we believe an overly broad scope and focus on any one of these aspects can cause unintended consequences in the other areas and possibly even hurt national security. Response and mitigation strategies should weigh these tradeoffs and offer dynamic solutions that minimize unintended consequences, not overly prescriptive approaches that struggle to adjust in a fast-changing environment.
A growing understanding of this crucial national security issue has led to a sprawling array of new supply chain-related laws, executive orders, regulations and agency actions. While we appreciate policymakers’ recognition of the very real challenge of securing federal ICT networks and infrastructure, the best way to ensure government stakeholders can nimbly react to and mitigate supply chain threats would be to streamline this confusing patchwork of requirements. A recent white paper from the U.S. Cyberspace Solarium Commission echoes this sentiment, noting that government-wide supply chain strategies and programs “should be assessed and consolidated under a single vision.”
The Federal Acquisition Security Council (FASC) is well-positioned to serve in this central role. Established in the SECURE Technology Act of 2018, the FASC brings together cybersecurity and supply chain experts throughout the government to analyze supply chain risks in concert with industry and recommend the removal of problematic IT equipment from federal networks. On September 2, the U.S. Office of Management and Budget (OMB) published an interim final rule detailing the roles and responsibilities of the FASC and laying out a process for issuing an exclusion or removal order for IT equipment that presents an unacceptable level of risk.
In a comment submission filed in November 2020, ITI suggested the following ways OMB and other government partners can best position the FASC to lead the way on federal supply chain security policy:
- Permanently establish a formal mechanism for the FASC to work closely and continuously with subject matter experts from industry. The ICT Supply Chain Risk Management Task Force, which is co-chaired by ITI, is the perfect candidate to serve in this role. Though only chartered on a temporary basis, the Task Force has produced substantial supply chain risk management guidance for public and private stakeholders and is looking ahead to a third year of activity.
- Provide a clear understanding of how government contractors can help carry out the removal of problematic IT equipment once the FASC has decided an exclusion or removal order is necessary.
- Lay out a fair process for banning IT equipment that ties closely to an articulable security risk, appropriately considers every possible mitigation measure, and doesn’t fall victim to potential abuse by a company’s competitors.
- Create a process for evaluating risk that doesn’t rely solely on companies’ foreign operations and country of origin as the basis for determining threats or use geography as the sole basis of risk mitigation.
A strong FASC working hand-in-glove with industry will not only strengthen the U.S.’s ability to defend itself against supply chain risks but will also enable innovative companies—based in the U.S. and in its allied nations—to develop technological dominance in the global market. The tech industry remains committed to supporting the U.S. government by offering subject matter expertise through the FASC and similar channels and providing best-in-class solutions. Ultimately, this will solidify U.S. tech leadership and strengthen the nation’s security posture.