Requirement for IT supply chain risk assessments is included in bill for Commerce, Justice

The agencies would have to review the supply chain risk for new “high-impact or moderate-impact” IT systems, using criteria from the FBI and NIST.

An early version of the fiscal 2019 spending bill for many of the government’s law enforcement and science agencies would block them from buying IT systems that have not been evaluated for security vulnerabilities introduced intentionally at some point in their development.

The House Appropriations subcommittee that handles spending for the Department of Commerce, Department of Justice, National Science Foundation and NASA included a provision requiring all four to conduct supply chain risk assessments before acquiring sensitive IT systems. The panel approved the spending bill on Wednesday. It now moves to the full committee.

The agencies would have to review the supply chain risk for new “high-impact or moderate-impact” IT systems, using criteria from the FBI and NIST, the government’s technology standards agency.

“We have … included numerous oversight provisions to protect the scarce and hard-earned tax dollars that we are responsible for,” said Commerce-Justice-Science Subcommittee Chairman John Culberson, R-Texas, during Wednesday’s markup.

The bill would also require the agencies to consult with the FBI or another appropriate agency to assess “risk of cyber-espionage or sabotage” associated with acquiring sensitive IT systems. The language of the bill spells out that this applies to systems made by companies from China, Iran, North Korea and Russia, but says that the requirement is not limited to those countries.

Lawmakers and federal agencies have lately heightened their attention to supply chain risk, given the large number of contractors that the government works with.

In a draft released Wednesday, NIST is considering adding supply chain provisions to its Risk Management Framework, which agencies use to assess their exposure to cyber risk.

Jeanette Manfra, a top cybersecurity official at the Department of Homeland Security, recently referred to supply chain vulnerabilities as a “digital public health crisis.”

The 2018 National Defense Authorization Act instituted a government-wide ban on using products made by Russian cybersecurity firm Kaspersky Lab, out of concern that the company’s anti-virus software creates a pathway for sensitive information to leak to Russian authorities. A draft of the 2019 NDAA would do the same for Chinese telecommunications companies Huawei and ZTE over similar fears.