GSA considering IT supply chain risk management pilot
The General Services Administration is considering a pilot program to let federal buyers authenticate the supply chain of vendors’ IT products.
GSA issued a request for information Monday for a “supply chain solution” to “strengthen the compliance and security of the supply chain and thwart tampering, counterfeiting and gray market offerings,” which the agency defines as “products that are intended for sale in foreign countries, and enter the United States without the permission of the trademark owner.”
Called the Supply Chain Risk Management Provenance Pilot Program, the envisioned system would assist agency customers with tracking “all changes in ownership from the time the [information and communication technology] product is manufactured to the time it is distributed through an authorized supply chain, and ultimately to the point the product is purchased by a consumer and held or resold.”
Supply chain risk management has long been a concern for federal IT systems, particularly in the Defense Department. DOD issued guidance in November 2012 to “minimize the risk that DoD’s warfighting mission capability will be impaired due to vulnerabilities in system design or sabotage or subversion of a system’s mission critical functions or critical components.”
Likewise, the National Institute of Standards and Technology published a guide laying out IT supply chain best practices for federal agencies in April 2015.
The uncertainty of an IT product’s supply chain leaves agencies vulnerable to cybersecurity flaws — intended or not. Used or counterfeit products “carry high risks of failure or sabotage,” the RFI states.
The pilot system would, according to the RFI, establish a process to guard against:
- Recycled components that are sold as new;
- Obsolete parts and components sold as new;
- Unlicensed overproduction of authorized components;
- Test rejects and sub-standard components sold as high-quality;
- Parts marked with falsely elevated reliability or newer date of manufacture;
- Clones and copies, which may be of low quality, or may include hidden functionality; and
- Components that are covertly repackaged for unauthorized applications.
The pilot also needs to offer ways to:
- Determine Trade Act Agreement compliance requirements;
- Verify and confirm with the original equipment manufacturer whether the offering is sold directly or through an authorized distributor or reseller; and
- Validate OEM transactions by authorized resellers and distribution channels.
A 2012 study from the Naval Postgraduate School found that governments at all levels “may be at risk due to purposeful manipulation of micro-processing chips during the manufacturing process,” which could give cybercriminals remote access and potentially pose a threat to national security.
Interested companies have until June 15 to provide information to GSA on current supply chain risk management capabilities that might fit the program’s needs.