By Bob Kolasky, Senior Vice President of Critical Infrastructure, Exiger
In 2018, Congress passed the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the SECURE Technology Act). Among other things, the Act created the Federal Acquisition Security Council (FASC) and brought executive-branch attention to a growing vulnerability: adversaries placing deliberately unsafe technology into supply chains in order to compromise federal systems and the information they protect.
Under a recently published interim rule, in December the FASC will take the next step in its maturity and begin to carry out the processes for issuing and enforcing removal and exclusion orders, known as Federal Acquisition Supply Chain Security Act (FASCSA) orders, against untrustworthy products or services on federal systems.
Since its inception the FASC has worked to establish governance processes and procedures, information sharing, and risk standards, and it has become a genuine point of collaboration for the Executive Branch: a single interagency body for addressing significant Information and Communications Technology (ICT) supply chain risks. With the Office of Management and Budget (OMB), the General Services Administration (GSA), the Department of Defense (DOD), the Cybersecurity and Infrastructure Security Agency (CISA), Commerce, ODNI, NASA and DHS at the table, there is now a unified approach for identifying entities and products that present unacceptable cyber risk to ICT supply chains and for excluding them from federal acquisitions. Risk information is shared in a structured, repeatable manner, as broadly as needed, which benefits government and non-government supply chains alike.
Exiger provides data and analysis to many of the FASC agencies, and from that vantage point as a leader in government supply chain risk management we have watched a broad community of agency leaders emerge to advance acquisition approaches that address cyber risk. Thanks in no small part to the FASC, cyber risk is now accounted for to a noticeably greater degree in ICT acquisition processes, and a culture is taking hold in which security is weighed alongside cost, performance and schedule.
When the new rule takes effect, this shift in culture and practice gains real teeth. In the rule's words: “As a result of this interim rule, contracting officers will now have established procedures to implement FASCSA orders in existing and new federal contracts and to share relevant information on potential supply chain risk.”
Specifically, the rule states: “When an offeror submits a new offer in response to a contract solicitation containing the new requirement, the offeror will represent, after conducting a reasonable inquiry, that the offeror does not propose to provide or use any prohibited covered articles or products or services subject to a FASCSA order.” The burden therefore sits with the offeror. FASCSA orders are published in the System for Award Management (SAM.gov), so a reasonable inquiry starts by checking the products and services an offeror proposes to provide or use, including those sourced from its own suppliers, against the orders listed there.
Exiger’s solutions are built to satisfy this “reasonable inquiry” and to go further, making risk visible across supply chains so that acquisition professionals and suppliers can have confidence in their practices. We support commercial clients working to de-risk their supply chains, and we help government acquisition and information-security professionals validate and monitor their critical ICT suppliers so that covered entities do not sit in their supply chains. We do this in a way that enables risk identification and analysis to be shared across government, in support of the FASC’s mandate. We applaud this next step in the FASC’s maturity and look forward to continuing our support of this critical mission.
Contact us to learn more about Exiger’s solutions to identify risk and bring visibility to all tiers of your supply chain.