The New York Times reported on May 2 that the White House was drafting an EO that would ban agencies and possibly contractors from buying telecommunications equipment from Chinese firms, including Huawei and ZTE.
The second order and corresponding policy, sources said, would extend the supply chain threats into the federal procurement arena even further. Details on the second order were vague, but sources said these steps are part of the growing public recognition that the federal supply chain continues to face serious risks.
At the same time, House Armed Services Committee lawmakers approved a provision in the fiscal 2019 Defense Authorization bill that would ban agencies from buying equipment from telecommunications companies owned, controlled or partly managed by the Chinese government, such as Huawei and ZTE.
Under the provision, every agency by Jan. 1, 2021 would have to stop using ZTE, Huawei or any other equipment or services either directly or indirectly through a third party that is connected to the Chinese government.
“This section would require the head of an agency to submit to the specified committees a plan to phase in the prohibition in this section, including with respect to the ‘white label’ problem,” the NDAA states. “This section would also permit the head of an agency to provide an additional 2-year waiver if he determines it is appropriate to allow an entity to terminate its use of covered telecommunications equipment and he can demonstrate certain other conditions have been met.”
In another congressional action, lawmakers on the House Appropriations Subcommittee on Commerce, Justice, State and related agencies added supply chain provisions to the 2019 spending bill.
The provisions in the draft bill released May 8 would require the agencies that fall under this subcommittee to review criteria of companies providing systems at the moderate and high levels, review the possible risk of the awardees particularly around cyber espionage and then send a report of that determination to the House and Senate appropriations committees and their respective inspectors general.
While a lot of these efforts are for public show, the real action to secure the federal procurement supply chain can be found one level down within the agencies.
A good example of this happened recently with the Social Security Administration. SSA issued a solicitation for printers and associated equipment and services. As part of the request for quote, SSA required a supply chain risk assessment of the awardee — including an assessment of any subcontractors, suppliers, distributors and manufacturers involved in the awardee’s supply chain.
Among the nine factors SSA said it wanted to review were :
The foreign ownership or control of the apparent awardee, or its subcontractors or suppliers;
The degree to which the apparent awardee and its subcontractors or suppliers maintain formal security programs, that include personnel, information, physical, cyber security, and supply chain risk management programs;
The locations of the manufacturing facilities where the hardware and software are designed, manufactured, packaged and stored prior to distribution.
The procurement received a lot of interest from a handful of bidders, and the supply chain requirements even worried a few.
Iron Bow submitted a pre-award protest first to the Government Accountability Office and then to the Court of Federal Claims after GAO dismissed the complaint. Iron Bow said SSA’s decision to disqualify them was “irrational.” SSA downselected Iron Bow out of the competition due to the printers the company was proposing to use in the contract were from Lexmark. SSA said the Lexmark devices were “an unacceptable supply chain risk to the government” because the Chinese government’s interest in the company was greater than the SSA initially recognized.
You can read the entire court case here. The upshot is the Court of Federal Claims ruled that SSA conducted the supply chain risk assessment in accordance with the terms of the RFQ, and that the agency reasonably concluded that the printers proposed by Iron Bow presented unacceptable risks to the government’s supply chain.
This is an important case for several reasons.
First, it drives home a key point about supply chain risk that Bill Evanina, the director of the National Counterintelligence and Security Center (NCSC) in the Office of the Director of National Intelligence, said at a recent event sponsored by the Intelligence and National Security Alliance (INSA).
“You can have the best cyber program in your company and you can hire a private cybersecurity firm who has the best software, but if your procurement and acquisition folks are not part of the team, you will fail,” Evanina said. “Our adversaries, that’s how they get us, through procurement and acquisition programs. If you are a chief information security officer or chief information officer, are you aware of all the procurement being done by your company — to buy new printers, scanners, faxes, PBX switches, routers — probably not.”
He said agencies are required to do some basic research, such as finding who are on the company’s board of directors, who are their subcontractors and who is on the ownership team.
“The Defense Department does this every single day. We do National Intelligence Determinations for companies who want to do business with the government all the time. It’s a big process,” he said. “Private sector needs to do this more often. Understand who your suppliers of the suppliers are because our adversaries strike us with the subs and subs of subs.”
Evanina said agencies and companies need mitigation plans as well as opportunities to exercise those strategies, similar to what organizations need to do with cyber intrusions.
The second point the court’s decision for SSA drives home is around vendors who need more help to ensure the security of their supply chains as agencies continue to ask for more details.
Eric Crusius, a partner with Holland and Knight law firm, said he’s sees more and more clients asking for assistance to make sure they are compliant with laws and regulations.
“The fact is there are supply chain requirements in procurements themselves and if a company, generally speaking, thinks it’s the wrong approach, they should protest it before bids are due on solicitation,” he said. “Otherwise you are agreeing for the government to evaluate your supply chain as part of the overall evaluation process.”
Crusius said companies need to go beyond just the minimal level of compliance.
“It’s just not meeting the legal requirements of supply chain risk management, but sometimes companies have to look at it from a practical and business standpoint,” he said. “As a prime contractor, you are responsible for the entire chain below you, and that is not always practical. So you should do a risk analysis and see where it leads you down the supply chain, and then you can make smarter decisions, and maybe even change suppliers if you can’t ensure the security of the vendor.”
There are several other cases like that of SSA that highlight similar points. For instance in 2018, the Commerce Department upgraded its supercomputers and decided not to go with Lenovo, which had bought IBM’s x86 server business — the type of servers NOAA bought previously. Instead, Commerce brought in Dell systems after concerns increased about Lenovo’s relationship with the Chinese government.
Supply chain risk management also played a big role in another recent Commerce Department acquisition for cybersecurity services.
In the request for proposals, Commerce required the vendor to have supply chain risk management expertise on staff with 16 different skill sets, including conducting research and analysis, preparing situational awareness briefings and conduct individual assessments for internal department customers buying technology.
Evanina said many organizations don’t have effective supply risk management programs but like cyber was 5 or 7 years ago, there’s a growing understanding of why it’s important.
“We spend a lot of time with DoD and others training acquisition folks to understand the threats that manifest in contracts,” he said. “The contracting world is something we have to hurry up and train and make them aware of threats.”