The U.S. Government is renewing its focus on mitigating technological risks by regulating the supply chain for various goods and services. To achieve these goals, Congress and agencies have introduced, and in some cases enacted, legislation and regulations that direct agencies to identify, assess, and mitigate supply chain risks generally as well as prohibit agencies from purchasing goods and services from specific organizations. The primary aim of these efforts is to make U.S. information technology (“IT”) infrastructure less vulnerable to attacks from state and non-state actors. The most notable legislation and regulations thus far in 2018 are summarized below:
Prohibition on Procuring Chinese Telecommunications Services or Equipment
One of the most prominent legislative efforts addressing the U.S. Government’s supply chain would prohibit agencies from purchasing certain Chinese telecommunications equipment or services. The prohibition was first proposed in The Defending U.S. Communications Act (H.R. 4747 / S. 2391). If enacted, that legislation would prohibit all agencies from:
- Procuring or obtaining “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system” or
- Entering into, extending, or renewing a contract “with an entity that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” H.R. 4747 § 3(a).
“Covered telecommunications equipment or services” means telecommunications equipment or services “produced” or “provided” by “an entity that the head of the relevant agency reasonably believes to be an entity owned or controlled by, or otherwise connected to” the government of the People’s Republic of China. Id. at § 3(b)(2), (3).
These prohibitions have largely been incorporated into the House of Representatives’ and Senate’s versions of the National Defense Authorization Act (“NDAA”) for Fiscal Year 2019, with some differences. The House version would apply these prohibitions only to the Department of Defense (“DoD”). See H.R. 5515 § 891; S. 2987 § 891. However, section 6702 of the Senate version would apply these restrictions to all federal agencies. S. 2987 § 6702(b). It would also expand the restrictions to prohibit agencies from “obligat[ing] or expend[ing] loan or grant funds to procure or obtain, extend or renew a contract to procure or obtain, or enter into a contract (or extend or renew a contract) to procure or obtain” covered telecommunications equipment or services. Id. § 6702(c).
Federal Acquisition Supply Chain Security Act of 2018 (S. 3085)
On June 19, 2018, Sens. Claire McCaskill (D-MO) and James Lankford (R-OK) introduced the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”) to manage supply chain risk. If passed, this bill would establish the Federal Acquisition Security Council (the “Council”), which will be charged primarily with the following tasks:
- Identifying and “assessing threats and vulnerabilities relating to supply chain risk posed by the acquisition of information technology to national security and the public interest” and sharing that information amongst federal agencies and, as appropriate, with the private sector. S. 3085 § 1323(a).
- “Issuing guidance to executive agencies for incorporating information relating to supply chain risks and other relevant information into procurement decisions for the protection of national security and the public interest.” Id. § 1323(a)(3).
- “Developing standards and measures for supply chain risk management, including assessments, evaluations, mitigation, and response that take into consideration national security and other factors relevant to the public interest.” Id. § 1323(a)(4).
- “Consulting, as appropriate, with the private sector and other nongovernmental stakeholders on issues relating to the management of supply chain risks posed by the acquisition of information technology.” Id. § 1323(a)(5).
- “Determining whether the exclusion of a source made by one executive agency should apply to all executive agencies upon receiving a notification under section 4713 and carrying out such other actions as are agreed upon by the Council.” Id. § 1323(a)(6).
- Developing “a strategic plan for addressing supply chain risks posed by the acquisition of information technology and for managing such risks.” Id. § 1324(a).
The Council will comprise representatives from the Office of Management and Budget (“OMB”), the General Services Administration (“GSA”), the Department of Homeland Security (“DHS”), the Office of the Director of National Intelligence (“ODNI”), the Federal Bureau of Investigation (“FBI”), DoD, the National Institute of Standards and Technology (“NIST”), and any other agencies the Chair of the Council elects to include. S. 3085 §§ 1322(a), (b)(1).
Enhance Cybersecurity for Small Manufacturers Act of 2018 (S. 2666)
The Enhance Cybersecurity for Small Manufacturers Act would require NIST to work with DoD and the Hollings Manufacturing Extension Partnership to help “small manufacturers in the defense industrial supply chain” understand and address cybersecurity threats. S. 2666 § 3(b)(1). These efforts would include helping “small manufacturers conduct voluntary self-assessments in order to understand operating environments, cybersecurity requirements, and existing vulnerabilities”; transferring NIST’s “technology and techniques” to small manufacturers “to protect covered defense information, including controlled unclassified information”; and creating “a cyber counseling certification program” (or using a similar existing program) “to certify small business professionals and other relevant acquisition staff within the [DoD] to provide cyber planning assistance to small manufacturers in the defense industrial supply chain.” S. 2666 § 3(b)-(e).
Federal Network Protection Act (S. 2743)
Currently, DHS is authorized to “mitigat[e] . . . exigent risks to information systems” by issuing “binding operational directives.” 44 U.S.C. § 3553. The Federal Network Protection Act would clarify that DHS is not required to notify contractors of any mitigation efforts related to goods or services provided by those contractors.
Foreign Source Code Reviews (S. 2978)
Source code reviews have received increased attention in the media in recent months. A source code review is the process of reviewing the code of software or applications to identify security flaws. The U.S. Government has expressed concern that allowing foreign governments to review source codes of software and applications sold to the U.S. Government could create or increase cybersecurity threats. To mitigate these risks with respect to DoD, the Senate version of the 2019 NDAA would prohibit DoD from “us[ing] a product, service, or system relating to information or operational technology, cybersecurity, an industrial control system, a weapons system, or computer antivirus provided by a person unless that person discloses” whether it has allowed, or is required to allow, a foreign government to review the source code of such a product, system, or service. S. 2987 § 1639(a). Additionally, all contracts for such products, systems, or services “shall include a clause requiring” contractors to disclose any actual or required foreign government source code reviews throughout the life of the contract. Id. at § 1639(b). Any information disclosed in accordance with these requirements would be maintained in a “registry.” Id. at § 1640. Information contained in the registry would be exempt from disclosure under the Freedom of Information Act (“FOIA”).
Federal Acquisition Regulation Subpart 4.20 – Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab (83 Fed. Reg. 28,141)
On June 15, 2018, the Federal Acquisition Regulation (“FAR”) Council issued an interim rule that will prohibit U.S. Government agencies from using “any hardware, software, or services developed or provided, in whole or in part, by” Kaspersky Lab, a successor entity to Kaspersky Lab, a Kaspersky Lab corporate affiliate, or an “entity of which Kaspersky Lab has a majority ownership.” 83 Fed. Reg. 28,144. This rule was issued in accordance with Section 1634 of the NDAA for 2018 and will take effect July 16, 2018. The prohibition arises from concerns over Kaspersky Lab’s alleged ties to the Russian Government and would purport to make U.S. Government IT systems less susceptible to hacking by foreign actors. This rule follows DHS’s September 2017 directive instructing all agencies to identify and purge Kaspersky products from their systems. See Binding Operational Directive 17-01, 82 Fed. Reg. 43,782 (Sept. 19, 2017).
Federal Communications Commission (“FCC”) Network and Supply Chain Security Proposed Rule (83 Fed. Reg. 19,196)
On May 2, 2018, the FCC issued a notice of proposed rulemaking titled Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs. 83 Fed. Reg. 19,196 (May 2, 2018). This proposed rule would prohibit the FCC from using the Universal Service Fund “to purchase or obtain any equipment or services produced or provided by a company posing a national security threat to the integrity of communications networks or the communications supply chain.” Id. at 19,198.