After the government’s swift efforts to remove Kaspersky products from federal IT systems, DHS reported that all federal agencies have removed Kaspersky software from their systems. DHS is now reportedly focusing on the supply chain for IT products to ensure Kaspersky software is not embedded in products in early stages of the supply chain. Other agencies are also planning standards for supply chain risk management, and Congress has drafted requirements in a funding bill for FY19 for certain agencies to consult with federal entities over the supply chain risk to new IT systems being acquired. These could all be factors which impact federal IT acquisition, which continues to grow rapidly in the federal market, as emphasized by our coverage.
While the FY19 NDAA includes its own IT requirements for DOD, the separate FY19 funding bill for the Departments of Commerce (DOC), Justice (DOJ), and related agencies was drafted in the House of Representatives with section concerning supply chain risk for those departments. Those agencies would have to consult with the National Institute of Standards and Technology (NIST), the FBI, and other relevant agencies to understand the supply chain risks associated with acquiring a “high-impact or moderate-impact information system,” and produce a plan to mitigate any risks which may arise from procuring the system from the prospective awardee.
NIST, itself a sub-agency of DOC, has included new supply chain risk management (SCRM) concepts in a new draft of its Special Publication 800-37- Risk Management Framework (RMF). Agencies using the RMF to assess cyber risk would have to form a SCRM plan which addresses supply chain risks which “include the insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain.” In an environment increasingly relying on component parts built across the global economy, this kind of scrutiny will be particularly visible in the acquisition of commercial off-the-shelf (COTS) products.
While the RMF recommends that an agency build a relationship with the external provider for better visibility into the “processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products,” it simultaneously mentions those relationships between agency and provider as risk in and of themselves. This management of supply chain risk would extend not only to component and product providers, but to the evergrowing field of cloud services, with “external providers handling federal information or operating systems on behalf of the federal government” subject to stringent security standards, including supply chain requirements. While the RMF draft preaches cooperation with the product/services providers, the RMF emphasizes that regardless of the assurances from and agreements with external providers, the responsibility for risk management ultimately falls on the agency responsible for the acquisition.
Kaspersky is not the only foreign company facing scrutiny in public, with Chinese cellphone manufacturers Huawei and ZTE recently experiencing bans by certain federal agencies (and sanctions for ZTE) due to certain activities and associated risks. With Kaspersky products clear of federal networks, this month DHS mentioned the potential to punish federal contractors for their own use of Kaspersky software.
Interested in learning more about contracting opportunities with the agencies mentioned above, or IT acquisition at other agencies? Sign up for a free trial with EZGovOpps. In less than 60 seconds, you will have access to the premier government market intelligence tool, allowing for access to more history on DOD programs, custom analyst updates, Industry Day information, and daily tracking from the solicitation period through to final contract awards. Easily set up your profile for alert notifications on these exciting RFPs.
Don’t forget to view our full GovCon News section for more intel.