The Department of Homeland Security should create "stringent guidelines" for securing its information and communications technology (ICT) supply chain for its purchases of unclassified systems given threats from China and other nations to the hardware, software and support services used by the department, says a new report by and advisory panel.
"As disruption of unclassified systems could potentially hinder the execution of the department's critical missions at any time, DHS should focus supply chain security initiatives and procurement processes on developing stringent guidelines for unclassified systems," says the report, prepared by the Homeland Security Advisory Council (HSAC) ICT Risk Reduction Subcommittee.
A risk management framework would account for potential consequences of successful attacks on the ability of DHS to carry-out its missions, vulnerability assessments of its ICT systems from "supply chain corruption," and identify the most significant threats to unclassified ICT supply chains, says the report, which was approved by the HSAC last Thursday for consideration by Acting Homeland Security Secretary Chad Wolf.
The report also says that DHS should map out its ICT supply chains for vendors, subcontractors, parts, components and software and conduct red team exercises to assess the performance of ICT systems under stress.
Another recommendation calls a joint National Supply Chain Intelligence Center (NSCIC) Center of Excellence within DHS that would allow the government to share information about suppliers that pose a national security risk with the private sector and for industry to share information about potential technology vulnerabilities with the government. The NSCIC would also enable sharing of ICT supply chain risks across the government.
"By cutting through private sector norms of corporate competitiveness and IC norms of intelligence control, the NSCIC would build trust between government and industry, as well as broaden government understanding of risks and technology trends," says the subcommittee's 41-page report.
The panel also recommends that a review be done of the DHS procurement office's authorities to minimize ICT risks but doesn't address what additional authorities may be needed.
"DHS should therefore endeavor to assess gaps in the present procurement authorities that are related to ICT specifically," the report says.
In an interview with DHS Chief Procurement Officer Soraya Correa in April, she told the subcommittee that the the ICT supply chain for classified systems is mostly secure given "robust security consideration" and "acquisition rules favor the government's discretion." This is not the same on the unclassified side, she said.
The panel also suggests that the DHS procurement office have access to better data on potential vulnerabilities of the products and services the department is buying or considering buying.
"In fact, DHS has no consistent way of knowing which vendors have been identified as compromised or under investigation by U.S. intelligence agencies," the report says. "Insights and conclusions gained from acquisition authorities in one department of the government regarding potential ICT risks and threats across the public and private ICT ecosystem must be shared with other departments."