Update on the Government’s IT Supply Chain Initiative – part 1 of 2

Posted by: Lynn McNulty in IT/Cyber Security

By: Lynn McNulty, Executive Consultant, McConnell International

Introduction. In a previous paper I discussed the background and initial manifestations of the Government's Information Technology (IT) supply chain program. This posting provides additional information about the supply chain program and reemphasizes the need for hardware and software vendors to follow the evolution of this initiative, since it is bound to be reflected in future acquisition requirements published by federal agencies.

Relation of the Supply Chain Initiative to the Sixty Day Cyber Policy Review. The security of the IT supply chain was one of the components (Project #11) of the twelve-part Comprehensive National Cybersecurity Initiative (CNCI) formally launched by the Bush Administration in January 2008. The concerns over vulnerabilities resulting from the globalization of the IT supply chain carried over into the Obama administration and were included in the "sixty day" policy review President Obama ordered shortly after taking office. On May 29, the President announced the results of the cyber security policy review to a selected group of government and industry officials at a meeting held in the East Room of the White House. This meeting marked the first time that a President has addressed the cyber security issue in the context of a formal White House briefing. A document, "Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure", that accompanied the President's verbal presentation reported the unclassified results of the cyber policy review. Chapter V, "Encouraging Innovation", contains a section specifically focused on the supply chain issue. The document points out that, "As technology becomes more critical to the United States, maintaining confidence and trust in this constantly evolving infrastructure is essential." The report also notes that the global marketplace has resulted in the establishment of offshore centers for the manufacturing, design, and development of IT products. This situation in turn creates the potential for the "…easier subversion of computers and networks through subtle hardware or software manipulations". In response to this challenge the document states, "A broad holistic approach to risk management is required rather than a wholesale condemnation of foreign products and services."

After recognizing the threat and basically revalidating the concern about the supply chain problem, the report states that the President's cyber security policy official (commonly referred to in the press as the Cybersecurity Czar) will undertake the following actions to assure U.S. market leadership, while improving the level of supply chain component and product assurance:
  • Define procurement strategies through the General Services Administration, building on work by the National Security Agency for the Department of Defense, for commercial products and services in order to create market incentives to be part of hardware and software product design, new security technologies, and secure managed services;
  • Expand partnerships with State, local, and tribal governments and international partners to maximize the market influence of these procurements;
  • Work with Congress to identify mechanisms that would enable departments and agencies, under appropriate, limited situations, to incorporate threat information into acquisition decisions; and
  • Work with industry to provide threat information and identify best practices for managing supply chain and insider risks, both from economic and threat perspectives.
The obvious conclusion that can be drawn from reading this section of the Cyberspace Policy document is that the Obama administration views the supply chain issue as an important concern. It appears that they will basically continue the risk management approach to this problem adopted by the Bush administration. Specifically, they will focus on leveraging Federal purchasing power to drive the vendor community to adopt practices and procedures that address concerns about technologies incorporated into government IT and communication systems. Government supply chain mandates will be scaled to the sensitivity of the application or system.