The House Armed Services Committee’s Emerging Threats and Capabilities Subcommittee met Wednesday to mark up its proposals for the Fiscal Year 2018 National Defense Authorization Act. There is plenty of information technology and cybersecurity meat in the bill to encourage cleared professionals.
The subcommittee’s chairwoman, Rep. Elise Stefanik (R-N.Y.), said in her prepared remarks that one of her priorities is “to ensure technological superiority and overmatch for our warfighters against current and future threats.”
To help achieve this, the subcommittee wants to make the DoD’s chief information officer formally responsible for “policy, oversight, guidance, and coordination” of IT supply chain risk management.
SCRM: MAKING SURE ALL IT COMPONENTS ARE SECURE
The supply chain for IT systems is more complex than the supply chain for a vehicle or an aircraft. The Federal government has been developing SCRM policies and procedures since President George W. Bush issued National Security Presidential Directive 54/Homeland Security Presidential Directive 23 in 2008.
President Obama expanded the Comprehensive National Cyber Initiatives to include an initiative (CNCI #11) to develop “a multi-pronged approach” to global SCRM. Commercial Off-The-Shelf technology can help simplify the process, especially in terms of choice, cost, innovation, and rapid deployment. But COTS technology also introduces its own complexities. As Rep. Adam Smith (D-Wash.), the HASC ranking member, noted in an August 2016 hearing on military cyber operations, “the least little device can be an entry point to a cyber attack.”
The National Institute of Science and Technology began a pilot program in 2010 to address these unique vulnerabilities and develop best practices to mitigate them. In August 2015, it published comprehensive SCRM guidelines for the Federal government.
CONGRESS THINKS DOD HASN’T DONE ENOUGH
Although the subcommittee says it recognizes the efforts DoD has made in this area to date, CNCI #11 has been in place for eight years, and Stefanik and the subcommittee’s ranking member, Rep. Jim Langevin (D-R.I.), are concerned that the DoD lacks the structure or the resources to manage this risk effectively. For instance, Rep. Mike Rogers (R-Ala.) noted at the August 2016 hearing that the DoD lacked a comprehensive list of “Chinese firms that [the department is] concerned about.”
The subcommittee believes the department should “do more to invest in automated information feeds, including from business and commercial intelligence providers, to fuse with classified information when needed, but also to provide stand-alone products more easily shareable with industry, interagency, and international partners.”
Placing the CIO in charge of SCRM, and requiring updates in the department’s quarterly cyber briefings to Congress, is a means to that end.
What remains to be determined is exactly how to pay for this effort. This provision “pins the rose” on the CIO, granting authority, but it does not explicitly fund any new structure. The report (mildly) admonishes the DoD for not having the capacity, but does not provide a way to build the capacity.
This shortcoming is something that the full committee will need to address. If it does not, expect to see an objection to this provision in the Statement of Administration Policy this summer. Information technology supply chain risk management is a critical piece of the nation’s overall cybersecurity program, and if Congress intends for the DoD to take it seriously, it needs to provide the resources.