The Office of Management and Budget detailed how its newest council will recommend threatening technologies be removed from federal information systems or excluded from future procurements in an interim final rule released Tuesday.
OMB's rule further establishes Federal Acquisition Security Council membership and how supply chain risk information is to be shared in accordance with the Federal Acquisition Supply Chain Security Act of 2018.
Agencies previously worked individually or in small groups to identify supply chain threats and vulnerabilities, but the interagency council will now handle risk information sharing, analysis and assessment.
Based on its assessments, FASC may recommend that the departments of Homeland Security or Defense or the Office of the Director of National Intelligence issue removal or exclusion orders for threatening hardware or software within supply chains.
The recommendation process may be initiated by agencies, non-federal entities or members of FASC, which is chaired by a senior OMB official and composed of others from the General Services Administration, DHS, ODNI, Department of Justice, DOD, and Department of Commerce.
FASC’s recommendations will be based on 10 criteria concerning the technology it’s evaluating:
- Functionality, including the source’s access to data and information system privileges;
- Security, authenticity and integrity, including that of embedded, integrated or bundled software;
- The source’s ability to deliver the technology as expected;
- Ownership, control or influence by foreign governments or parties with ties to them, especially those deemed adversaries or of special concern;
- Implications for national security and source-critical functions;
- Vulnerability of federal systems, programs and facilities;
- Ability of government to mitigate;
- Credibility of the information;
- Transmission of data to countries outside the U.S.; and
- Other information like the impact to agencies’ missions.
FASC will consult with the National Institute of Standards and Technology to ensure any recommendation it makes is in line with federal standards and guidelines.
Risk information will be shared publicly if a removal or exclusion order is not deemed necessary, but source responses, mitigation proposals and meetings will only be publicized as required by law.
Any of the three agencies to which FASC recommends an order (DHS, DOD or ODNI) may issue one, after which GSA and relevant agency officials are responsible for handling all affected contracts.
Agencies may request waivers from orders, either for more time to execute them or for exclusion from them in the interest of national security.
FASC will review orders annually and may modify or rescind them.
DHS, acting primarily through the Cybersecurity and Infrastructure Security Agency, will serve as FASC’s risk information sharing agency — responsible for standardizing submission and dissemination. The agency will also manage the Supply Chain Risk Management Task Force, a group of technical experts that will decide how federal and non-federal entities submit information, as well as removal and exclusion order requests, to FASC.
Non-federal entities won’t be required to share supply chain risk information like agencies will, but the removal and exclusion orders will affect their use of products and services. Orders will apply to non-federal information systems when a company is a prime contractor or subcontractor at a federal agency.
FASC will be able to request information from agencies and create program offices, committees and working groups as needed.
The public has until Nov. 2 to comment on FASC’s interim final rule.