Homeland Security Advisory Council recommends significant enhancements to DHS’ role in monitoring supply chain risk

The recent SolarWinds supply chain infiltration into federal networks is an unprecedented attack that highlights the importance of maintaining close scrutiny of suppliers. In this article, Baker Tilly summarizes key findings from two recent Homeland Security Advisory Council (HSAC)[1] reports providing recommendations on how the Department of Homeland Security (DHS) can evolve its supply chain governance practices. Released on Nov. 16, 2020, nearly a month before the SolarWinds event, we’ve summarized some of the reports’ key takeaways, as the findings are particularly relevant in a post-SolarWinds world.

Introduction

HSAC recently released two reports noting increased concern related to American economic and technological security. The reports from the Economic Security Subcommittee and the Information Communications and Technology (ICT) Risk Reduction Subcommittee represent the culmination of private and public sector analysis into vulnerabilities in supply chain governance, current industrial policy, DHS’ procurement process and aims to guide departmental policy. Notably, the reports propose enhancements to capabilities at the Cybersecurity Infrastructure and Security Agency (CISA) and make a strong case for DHS to take a more active role in supply chain assessments – with impacts that go well beyond the federal market.

Economic Security Subcommittee report

The COVID-19 pandemic’s shift into a worldwide crisis upended global supply chains, causing shortages in numerous critical industries in the U.S. – ranging from medical devices, personal protective equipment (PPE) and pharmaceuticals, to electronics and even the nation’s food supply. The sobering reality of these events, in particular, was our nation’s problematic foreign dependence on hostile countries for critical virus-related goods – hampering the ability of the federal government to effectively respond in the early days of the pandemic.  As bluntly stated within the report, the “global supply chain has made U.S. industries globally competitive, but it has also become America’s greatest vulnerability.”

Given the need to reduce the nation’s reliance on increasingly adversarial foreign sources, the HSAC was confronted with how DHS might help “contribute to the goal of greater economic security.” In order to answer this question, HSAC provided 14 recommendations, six of which have the potential to impact federal contractors. These six have been highlighted below:[2]

1. The department should institutionalize its [recently established] Economic Security Council (as detailed in the report, the council “coordinates internal DHS activities relating to continuity of the civilian economy, particularly focused on supply chain issues”). Congress should provide a legislative mandate for the establishment and maintenance of the council to identify concentrated risks, to set priorities and to coordinate enterprise-wide action on economic security matters.
2. DHS must lead by example in procurement practices that foster cybersecurity, including supply chain security. The Secretary should ensure effective coordination through the Economic Security Council or some other mechanism among the many offices that can contribute to security in acquisitions, including the Office of Management, the Office of Acquisition, the acquiring component, CISA, the Chief Information Officer and the Office of Science and Technology.
3. A Deputy Assistant Secretary for Economic Security should be institutionalized within the Office of Strategy, Policy, and Plans.
4. The Intelligence Community and DHS should create a joint supply chain intelligence center with private sector entities as participants and customers. This center should provide practical guidance about suppliers that may pose a particular risk. The center should also influence intelligence collection priorities and provide feedback to improve the quality of supply chain intelligence.
5. The Secretary should define roles and missions and coordination responsibilities between CISA and the Office of Strategy, Policy, and Plans, for the task of mapping civilian supply chain and economic security risks.
6. At the start, the DHS economic security effort should be incremental, focused on high-impact, focused reviews of priority topics/sectors.
   a. DHS should formalize its role in supplying data and risk management analysis to the Commerce Department pursuant to Executive Order 13873.
   b. DHS should conduct a joint Department of Defense (DOD)-DHS analysis of the industries identified by China as its priorities for ensuring China’s economic security (and reducing the economic security of the U.S.). The study should ask two questions about every industry on China’s shopping list: which U.S. producers are put at risk by China’s mercantilist policies and what can the U.S. do to ensure their survival?
   c. DHS should conduct industry-wide supply chain assessments of particular companies or industries based on referrals from the Committee on Foreign Investment in the United States (CFIUS), from Team Telecom and from the Executive Order 13873 interagency process.
   d. DHS’ economic security unit should also accept referrals from the Federal Acquisition Security Council (FASC). It should be possible for FASC to seek a broader study of a particular industry or company than FASC itself is designed to perform. DHS’ economic security unit should be prepared to accept such referrals.
   e. The DHS economic security unit should accept nominations for economic security reviews from DHS components concerned about their critical components.

Recommendation four is especially notable, as it highlights present challenges in collecting and disseminating threats to U.S. supply chains. The call for greater information sharing and cross-departmental coordination echoes many of the recommendations from the bipartisan U.S. Cyberspace Solarium Commission’s (CSC) October 2020 report entitled, “Building a Trusted ICT Supply Chain.” The subcommittee endorses the CSC recommendation to establish a National Supply Chain Intelligence Center (NSCIC) within DHS to improve supply chain risk management (SCRM) information sharing between public and private sector partners and between government agencies (particularly interfacing with the Intelligence Community).

Similarly, the report calls for DHS to perform “industry-wide supply chain assessments” based on referrals from CFIUS and Team Telecom. The knowledge transfer challenge and need to act in a broad, coordinated fashion based on CFIUS and Team Telecom action is laid bare within the text of the report, with a recounting of the attempted 2007 sale of 3Com (a U.S. digital electronics manufacturer) to Huawei, and the lack of further governmental action after the failed acquisition:

“The government was first forced to consider the risks posed to U.S. critical infrastructure by Chinese telecommunications equipment makers in 2007, when CFIUS was asked to rule on a transaction that would have given Huawei a large role in the U.S. company, 3Com. After the deal caused concern at the highest levels of government, it was rejected. Unfortunately, once they had voted against the transaction, the Cabinet officials who mistrusted Huawei had no easy way to ask for a broader review of the company and the risks it might pose. So, when an economic stimulus bill was written in a hurry in 2009, it included $7.2 billion in broadband grants and loans — without anyone asking whether the funds might be spent installing Chinese telecommunications gear in U.S. networks. In fact, many rural and smaller carriers were offered Chinese equipment at low prices. These carriers installed so much Chinese equipment that, ten years later, the Federal Communications Commission had to go back to Congress and ask it to appropriate $1.8 billion to get those same carriers to rip the Chinese gear out of their networks. One reason for this debacle was the loss of institutional memory following the rejection of the 3Com transaction. While CFIUS continued to be suspicious of any Huawei (and ZTE) acquisitions, the remaining elements of U.S. policymaking were never engaged in addressing the threat that such acquisitions posed to U.S. economic security. The DHS economic security unit should be made available to build on what is learned in CFIUS reviews and to recommend broader responses to threats identified during those reviews. The same is true for referrals from members of Team Telecom and from the Commerce Department after actions under E.O. 13873.”

Information Communications and Technology (ICT) Risk Reduction Subcommittee report

Within this report, the ICT Risk Reduction Subcommittee details five specific recommendations to bolster ICT supply chain security. These recommendations are:[2]

1. Develop an effective and robust risk management framework to guide ICT procurement across the government, with particular emphasis on unclassified systems
2. Standardize the sharing and reception of threat data from the Intelligence Community (IC) and across departments and agencies
3. Establish a joint National Supply Chain Intelligence Center (NSCIC) Center of Excellence within DHS to operationalize and mature ICT risk reduction efforts
4. Conduct a comprehensive review of the DHS procurement office authorities to ensure and maintain capabilities adequate for reducing ICT risks for the department
5. Improve public-private partnerships specifically focused on the ICT security effort

As with the Economic Security Report, the ICT Risk Reduction Subcommittee again highlights issues with cross-agency (and even cross-departmental) information sharing. DHS procurement offices do not have a consistent mechanism of being alerted as to whether a vendor has been flagged by another agency as compromised – requiring speedy resolution. The call to establish the NSCIC is seen as a lynchpin in not only centralizing the management of ICT risk reduction efforts, but also acting as a key conduit in solving the information sharing challenge. As the report states:

“The proposed NSCIC would be chartered to share relevant information about suppliers that pose a national security risk with key private sector partners, while allowing private industry to share knowledge of potential vulnerabilities in technology with government agencies. By cutting through private sector norms of corporate competitiveness and IC norms of intelligence control, the NSCIC would build trust between government and industry, as well as broaden government understanding of risks and technology trends.”

The HSAC also provides a number of suggestions on establishing public-private partnerships around ICT risk reduction, imploring DHS to take “the lead in establishing and demonstrating how public-private partnerships can share actionable information at speed and scale in both classified and unclassified formats.” It also encourages implementation of SCRM frameworks, as appropriate, in both government and private enterprises:

• NIST SP-800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
• ISO/IEC 27036: Information Security for Supplier Relationships (Four Parts)
• SAE International Standards ARP9113
• Supply Chain Risk Management Guidelines
• Open Trusted Technology Provider Standard (O-TTPS)
• Mitigating maliciously tainted and counterfeit products (ISO/IEC 20243)

Conclusion

Both reports endorse key recommendations set forth by the CSC, calling for “…increased Congressional action on cybersecurity, particularly as it relates to cyber deterrence to adversaries. Among the Commission’s recommendations was the emphasis on resilient systems, supply chains, and the broader economy.” HSAC’s recommendations, in whole, point to changes in DHS’ practices related to ICT, in lieu of short-term congressional action.

These recommendations may prompt the adoption of enhancements to risk management tactics – that may lead to greater scrutiny over federal contractors and their management of suppliers. The key is to understand the changing landscape and remain vigilant about the central role the prime contractor plays in this arena. By assessing the impact early on and having an “eyes-wide-open” approach to evolving federal demands related to supply chain risk, contractors can avoid disruption, compliance risk and best position themselves to continue delivering value to the federal buyer.

For more information on this and SCRM, or to learn how Baker Tilly specialists can help – please contact us.

[1] The Homeland Security Advisory Council (HSAC) provides advice and recommendations to the Secretary of Homeland Security on matters related to homeland security. HSAC comprises leaders from state and local government, first responder communities, the private sector and academia. For more information, visit:  https://www.dhs.gov/homeland-security-advisory-council

[2] Direct excerpts of the recommendations have been provided within this article.