Acting General Counsel
Thank you for inviting me here today and for organizing such an important event. Stacy and the many panelists have done an excellent job discussing the Cybersecurity Maturity Model Certification (CMMC).
I’d like to use this time to talk about how the Department of Homeland Security (DHS) is approaching cybersecurity, supply chain issues, and contractor security. I will start with some background and then discuss what DHS is doing to secure our federal civilian systems, our efforts at contractor security, and lastly how we plan to partner with the private sector to improve supply chain security.
Our rapidly evolving threat environment has forced those working in the national security space to rethink how we secure our key resources and critical infrastructure. We know that future conflicts will be fought through cyber and economic means, in addition to physical ones. Even in times of peace, we are seeing cyberattacks on America’s private companies by foreign state actors. And our foreign adversaries continue to try to position themselves in a manner to infiltrate our supply chains and steal our intellectual property.
China has done this better than any other adversary. Take COVID-19 as an example – China restricted exports of PPE to countries around the world in need, while Huawei donated PPE to countries that are considering whether to use its equipment for 5G networks, and China continues to try to shamelessly steal American intellectual property. Indeed, the FBI and DHS warned in May that China-linked hackers were targeting the theft of U.S. data related to COVID-19 research, including vaccines.
It is undeniable that economic security is key to national security. This means both protecting our critical infrastructure and the major drivers of our economy, like American business and innovation, while also working to promote economic growth here in the U.S.
DHS has a unique perspective, as our agency sits at the intersection of promoting economic growth, through facilitating lawful trade and travel into the United States and protecting our economy. As such, we are always looking for tailored solutions that address our security concerns in a targeted manner.
Consistent with our mission, DHS is looking for innovations that both protect and promote our economy. This is one reason we are closely watching DOD’s CMMC, both as a possible way forward for our own acquisitions, and as a useful model for our stakeholders and partners. We believe that as DoD’s private partners begin to implement the CMMC, we could see real benefits to supply chains in several critical infrastructure sectors. And as all businesses grow in cybersecurity maturity, we expect to experience positive downstream effects across both our federal defense and civilian sectors, and even in the private sector. As they say, a rising tide lifts all boats.
We believe that securing the supply chain requires companies to adopt reasonable baseline cyber measures, while taking a risk-based approach to their own supply chains. To do this, a company must understand that the threats posed by China and other foreign adversaries not only influence national security, but also a company’s own economic wellbeing.
We also believe a key aspect of security will involve moving supply chains “home” to the United States, or near the United States – but importantly, away from foreign adversaries that may seek to impose export controls to cripple critical supply chains.
We at DHS are taking this approach to heart. You can see some of this innovation in the work of the Cybersecurity and Infrastructure Security Agency, or CISA, which is DHS’ lead component agency in protecting federal networks and the information of our non-federal partners. As one aspect of this role, CISA plans to launch the Quality Services Management Office this fall, which will serve as the government marketplace for high-quality cybersecurity service offerings and capabilities that align with federal requirements. All of this will increase efficiency while reducing costs.
Another tailored tool we use to secure federal systems is the Binding Operational Directive, or BOD. We coordinate BODs with OMB and, when applicable, with the National Institute of Standards and Technology or NIST to ensure that agencies and contractors aren’t subject to conflicting requirements.
But the true genius of the BOD is how we can use it in a targeted fashion. You may be familiar with our 2017 BOD ordering the removal of Kaspersky Lab-branded products from federal networks. DHS led the executive branch’s response to the threats posed by Kaspersky Lab, a Russia-based company that provides anti-virus software. We created a process to carefully consider all aspects of the issue, including allowing the company to present its case. Ultimately, DHS decided to direct all federal civilian agencies to remove Kaspersky Lab anti-virus products from their networks, and Congress followed by enacting an even broader prohibition.
In the last four years, DHS has issued around a dozen BODs. These directives demonstrate our role in federal supply chains more broadly: (1) we aggregate information from the government and private sector; (2) use our technical expertise to determine the most effective mitigation; (3) and then provide clear action items for federal executive branch agencies. This common-sense, risk-based approach ensures that DHS is protecting national security without being so onerous as to stifle American businesses or innovation.
DHS is committed to this principle: Securing our supply chains in a way that doesn’t harm the very economy we are seeking to protect. To this end, one idea that we’ve recently experimented with is allowing the public to comment on a draft version of one of our BODs. This is part of the Department’s commitment to receiving timely and actionable feedback from our stakeholders on supply chain issues.
DHS has recently expanded its national security and risk management expertise through involvement in the Committee on Foreign Investment in the United States, Team Telecom and the Federal Acquisition Security Council, or FASC. Through these bodies, the Department leverages its analytical expertise to provide assessments and prevent foreign adversaries for gaining a dangerous foothold in our economy.
DHS’ role in these groups reflects the undeniable, growing link between civilian businesses and national security.
The FASC, which is relatively new, is particularly interesting. It is an interagency council that can share information about supply chain risks within the federal government. The FASC can recommend that the Secretary of Homeland Security, Secretary of Defense, and Director of National Intelligence issue sector-wide or government-wide removal and exclusion orders to address supply chain risks. This process includes judicial review and robust due process, so companies can rest assured that their equities will be fully adjudicated.
We have been very involved with this effort from its inception and are playing an active role in getting the Council operational. Not only are DHS and CISA both statutory members of the FASC, but the FASC has also authorized DHS to assist executive agencies in conducting risk assessments and implementing mitigation requirements.
Now I would like to get into a few specifics of contractor supply chain security, starting with cybersecurity.
One piece of this is continuing to take contractor cybersecurity very seriously. As you all know, DHS is a civilian agency that sits at the intersection of national security, trade and economic regulation, law enforcement, and the intelligence community. As such, our contractors are part of the highly sensitive and important work we do in this diverse space.
Contractors are important partners at DHS, and many may have access to sensitive DHS information, including personally identifiable information, protected critical infrastructure information, and law enforcement information. We have the highest expectations of security and responsibility for our contractors.
To this end, we could see real value in the model that DoD is implementing. As I said earlier, we are watching the CMMC roll-out closely to see if this is a model that would work for DHS. Consistent with the way we view national security more broadly, DHS is always looking for ways to make smart and economically-minded improvements without compromising security.
In addition to cybersecurity, it is also important to understand the full spectrum of risks in your supply chain, including risks associated with where you do business and whom you do business.
DHS is interested in finding ways to incentivize and assist our contractors with strengthening their supply chains. Specifically, we are interested in exploring whether our procurement authorities allow us to incentivize certain contractors to on-shore or near-shore their supply chains. DHS headquarters alone spends billions annually on contractors and hundreds of millions on information and communications technology and services. Improving the supply chain security for our contractors would be a significant win for many of our critical infrastructure sectors and promote growth within the U.S. economy, which is a gain to our national security. I expect you will hear more about this effort in the coming weeks and months.
Partnership with the private sector is key to so much of the work we do at DHS. We rely on companies to participate in our information sharing forums, including CISA’s Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force. The ICT SCRM Task Force is a public-private supply chain risk management partnership that includes 20 federal partners – including DoD, which has been a key partner in this and many other DHS initiatives – and 40 of the largest companies in the IT and communications sectors, such as Microsoft, Verizon, Comcast and Cisco. In addition to assembling an inventory of existing supply chain risk management efforts across government and industry, the Task Force has launched four main work streams: developing a common framework for the bi-directional sharing of supply chain risk information between government and industry; identifying processes and criteria for threat-based evaluation of ICT supplies, products, and services; identifying market segments and evaluation criteria for Qualified Bidder and Manufacturer Lists; and, producing policy recommendations to incentivize the purchase of ICT from original manufacturers or authorized resellers.
Recent events have given us yet another opportunity to leverage innovative ways to collaborate with the private sector to secure our supply chain. Specifically, DHS is using the Defense Production Act (DPA) to create the first-of-its kind “voluntary agreement” to deal with pandemic response and preparedness. Led by FEMA, the voluntary agreement participants may assist with projects ranging from critical PPE and vaccine distribution to on-shoring critical drug product production. And the DPA provides special antitrust protection for the participants to this agreement, which should provide comfort for those who want to work collectively with us to respond to COVID-19 and prepare our key medical resource supply chain for future pandemics.
I think the DPA voluntary agreement really encapsulates how we as a Department see economic growth and security as being core to our mission of safeguarding the national security. Being prepared for future pandemics requires not only preparing how we as a federal government will respond but ensuring that our private sector is strong and not overly dependent on supplies subject to control by our adversaries.
With that, I want to thank each of you for your interest in this complex and evolving area. Supply chain security is a top priority across DHS, and I hope I’ve given you a sense of some areas the Department is focused on right now. Whether it’s safeguarding federal systems through Binding Operative Directives and the Federal Acquisition Security Council, working with our contractors to ensure the security of our sensitive information and their supply chains, working with the private sector to explore the state of the ICT supply chain, or using our authorities to promote economic growth in preparation for future crises, you can expect that DHS will continue to be on the front lines of supply chain security. Thank you.