The Homeland Security Department is trying to alleviate some of the growing concerns about where in the world commercial cybersecurity products are developed.
DHS is adding more rigor to vendor supply chains for a governmentwide cybersecurity initiative.
Kevin Cox, the program manager of the continuous diagnostic and mitigation (CDM) program at DHS, said an updated CDM supply chain risk management plan should help agencies be more confident in the cybersecurity products and services they are buying.
“Essentially what the requirements are for a vendor submitting to be added to the CDM approved products list (APL) is they have to complete a questionnaire around their products being submitted,” Cox said in an interview with Federal News Radio. “The questionnaire addresses some background relating to the manufacturer in just getting some information in regards to having some visibility in terms of how the product was manufactured, what kind of visibility there was in tracking the supply chain of the product and in many cases the original equipment manufacturer, and just having knowledge of that chain of transfer for the product and the components of the product to give anyone using CDM APL a better sense that the vendors offering products on the approved products list have given some thought and are really looking into understanding the supply chain of the products they are offering.”
The supply chain risk management (SCRM) plan coincides with the General Services Administration opening up the special item number for cyber products under Schedule 70 on Aug. 3.
Concerns about the federal IT supply chain has received more public attention over the last few months with rising anxiety about cybersecurity software from Kaspersky Lab.
And inside the government, the Committee on National Security Systems (CNSS) released new agency guidance for protecting the federal IT supply chain.
The updated SCRM plan is part of how DHS and GSA are changing the acquisition process for CDM.
GSA and DHS announced in May they would use the Alliant governmentwide acquisition contract (GWAC) for new task orders and set up a new special item number under the IT schedule for products and services instead of using the blanket purchase agreement from 2013.
Cox said GSA and DHS will grandfather in some 70,000 existing cyber software, hardware and services under the CDM program, which will not have to submit new documentation under the SCRM plan. He said the existing vendors eventually will have to update their supply chain data when they reapply for Schedule 70 or if they significantly change the existing product or service.
“While we would’ve liked to have gone back and reassessed all of those products, the overhead and level of effort to do that as compared to all the other activities we had, it just didn’t make sense to reassess all of those,” he said. “The aim is over time, the products that were already on the existing APL will ultimately, as they get updated, will go through the SCRM review as well.”
Since DHS and GSA set up the CDM program in 2013, vendors went through an assessment process, which included some supply chain-related questions.
But Cox said with this updated SCRM approach, GSA and DHS are holding vendors even more accountable.
“We really now are tracking that they are thinking through a series of questions related to the understanding of how products were developed, code in the products was developed, and where appropriate, performing security tests and evaluations scans of the product,” he said. “The goal is to really mature the visibility that the government has in terms of the products it’s offering out to the agencies, states, locals, tribes and territories, and the vendors have done their assessment of the product and can stand by what they are submitting.”
Additionally, DHS works with MITRE, a federally-funded research and development center (FFRDC), to help with the assessment of the products under the SCRM criteria.
“What we are doing now is really expanding out what we were able to do before and asking the vendor community to be aware too of the products they are offering, what has gone into them, how they have gone from development to being marketed and being made available to the customer. What we are doing is really taking it to the next level,” Cox said. “We’ve looked across the spectrum about how we wanted to mature this process and add additional capabilities in terms of helping customers of the product gain confidence so they have a sense of the supply chain process the product took to be made available to them.”
Vendors also can submit additional information about their products for DHS, GSA and MITRE to consider.
And customer agencies can review all SCRM documentation as needed.
“Customers will have the same visibility as the CDM program has. The customer may review the information and be comfortable with it, they may have further questions and have further discussions with the vendor or they could say their assessment of the risk is different than what the program offered and choose not to use the product,” Cox said. “We want to be transparent in regards to our assessment process, transparent in terms of the information that we have available so that the customers can really do their own assessments and make their own risk decisions going forward with any products they may procure off the APL.”
Cox said the first set of products will go through this approval process this fall as part of GSA’s first open season for the SIN.
“The products that pass all the criteria, not only with supply chain, but all the criteria that the CDM program has tied to the APL, we want to get through the process as quickly as possible,” he said. “Thereafter, we are looking to have an open season each month and go through the review process. The real improvement in this process is that before with the APL, the products had to be submitted through the integrators tied to the blanket purchase agreement. Now vendors can submit directly. The other improvement is before we had much longer windows in regards to products to be able to be considered for the APL. Now we’ve tightened that time frame so vendors can submit them more frequently. We also are encouraging innovative products to be able to be added more quickly so the turnaround of what’s available for the customer is much quicker.”