The Department of Homeland Security is looking for ways to streamline the process of assessing the supply chain risk of technologies that the government might use, and it wants industry to help it shape what such a capability would look like.
The agency issued a request for information Friday for help in conducting market research on supply chain risk assessment capabilities.
The goal is to end up with a tool or process that will allow stakeholders to conduct due diligence on information and communications technology (ICT) services they might use. When such a capability is developed, DHS plans to share it with other agencies at the federal, state, local, tribal and territorial levels, as well as with critical infrastructure owners and operators.
The agency says that these stakeholders “are highly dependent on vendors and integrators of ICT (including IoT) to accomplish their various missions, and as a result, the global ICT supply chain is a significant source of risk to the nation.”
DHS is the agency largely responsible for ensuring the security of the technology that the government uses. The focus on supply chain stems from concerns that ICT vendors that are not properly vetted could potentially compromise government networks and data. It comes in particular as the federal government has banned foreign companies that it fears pose a threat to national security, such as the Russian Kaspersky Labs, and Chinese Huawei and ZTE.
To DHS, any component or stage of development of a service is an opportunity to introduce a vulnerability into the system, regardless of whether it is deliberate.
“[S]upply chain threats and vulnerabilities may intentionally or unintentionally compromise an ICT product or service at any stage of the lifecycle,” the RFI says.
That’s why DHS is looking for a framework that can examine a product or service and assess risk “as a function of threat, vulnerability, likelihood, and consequences.” Companies at any level of the supply chain of the final product could be subject to the due diligence DHS wants to be able to conduct.
The deadline for submission to the RFI is Oct. 10.