The recent SolarWinds supply chain infiltration into federal networks is an unprecedented attack that highlights the importance of maintaining close scrutiny of suppliers. In this article, Baker Tilly summarizes key findings from two recent Homeland Security Advisory Council (HSAC) reports providing recommendations on how the Department of Homeland Security (DHS) can evolve its supply chain governance practices. Released on Nov. 16, 2020, nearly a month before the SolarWinds event, we’ve summarized some of the reports’ key takeaways, as the findings are particularly relevant in a post-SolarWinds world.
HSAC recently released two reports noting increased concern related to American economic and technological security. The reports from the Economic Security Subcommittee and the Information Communications and Technology (ICT) Risk Reduction Subcommittee represent the culmination of private and public sector analysis into vulnerabilities in supply chain governance, current industrial policy, DHS’ procurement process and aims to guide departmental policy. Notably, the reports propose enhancements to capabilities at the Cybersecurity Infrastructure and Security Agency (CISA) and make a strong case for DHS to take a more active role in supply chain assessments – with impacts that go well beyond the federal market.
The COVID-19 pandemic’s shift into a worldwide crisis upended global supply chains, causing shortages in numerous critical industries in the U.S. – ranging from medical devices, personal protective equipment (PPE) and pharmaceuticals, to electronics and even the nation’s food supply. The sobering reality of these events, in particular, was our nation’s problematic foreign dependence on hostile countries for critical virus-related goods – hampering the ability of the federal government to effectively respond in the early days of the pandemic. As bluntly stated within the report, the “global supply chain has made U.S. industries globally competitive, but it has also become America’s greatest vulnerability.”
Given the need to reduce the nation’s reliance on increasingly adversarial foreign sources, the HSAC was confronted with how DHS might help “contribute to the goal of greater economic security.” In order to answer this question, HSAC provided 14 recommendations, six of which have the potential to impact federal contractors. These six have been highlighted below:
Recommendation four is especially notable, as it highlights present challenges in collecting and disseminating threats to U.S. supply chains. The call for greater information sharing and cross-departmental coordination echoes many of the recommendations from the bipartisan U.S. Cyberspace Solarium Commission’s (CSC) October 2020 report entitled, “Building a Trusted ICT Supply Chain.” The subcommittee endorses the CSC recommendation to establish a National Supply Chain Intelligence Center (NSCIC) within DHS to improve supply chain risk management (SCRM) information sharing between public and private sector partners and between government agencies (particularly interfacing with the Intelligence Community).
Similarly, the report calls for DHS to perform “industry-wide supply chain assessments” based on referrals from CFIUS and Team Telecom. The knowledge transfer challenge and need to act in a broad, coordinated fashion based on CFIUS and Team Telecom action is laid bare within the text of the report, with a recounting of the attempted 2007 sale of 3Com (a U.S. digital electronics manufacturer) to Huawei, and the lack of further governmental action after the failed acquisition:
“The government was first forced to consider the risks posed to U.S. critical infrastructure by Chinese telecommunications equipment makers in 2007, when CFIUS was asked to rule on a transaction that would have given Huawei a large role in the U.S. company, 3Com. After the deal caused concern at the highest levels of government, it was rejected. Unfortunately, once they had voted against the transaction, the Cabinet officials who mistrusted Huawei had no easy way to ask for a broader review of the company and the risks it might pose. So, when an economic stimulus bill was written in a hurry in 2009, it included $7.2 billion in broadband grants and loans — without anyone asking whether the funds might be spent installing Chinese telecommunications gear in U.S. networks. In fact, many rural and smaller carriers were offered Chinese equipment at low prices. These carriers installed so much Chinese equipment that, ten years later, the Federal Communications Commission had to go back to Congress and ask it to appropriate $1.8 billion to get those same carriers to rip the Chinese gear out of their networks. One reason for this debacle was the loss of institutional memory following the rejection of the 3Com transaction. While CFIUS continued to be suspicious of any Huawei (and ZTE) acquisitions, the remaining elements of U.S. policymaking were never engaged in addressing the threat that such acquisitions posed to U.S. economic security. The DHS economic security unit should be made available to build on what is learned in CFIUS reviews and to recommend broader responses to threats identified during those reviews. The same is true for referrals from members of Team Telecom and from the Commerce Department after actions under E.O. 13873.”
Within this report, the ICT Risk Reduction Subcommittee details five specific recommendations to bolster ICT supply chain security. These recommendations are:
As with the Economic Security Report, the ICT Risk Reduction Subcommittee again highlights issues with cross-agency (and even cross-departmental) information sharing. DHS procurement offices do not have a consistent mechanism of being alerted as to whether a vendor has been flagged by another agency as compromised – requiring speedy resolution. The call to establish the NSCIC is seen as a lynchpin in not only centralizing the management of ICT risk reduction efforts, but also acting as a key conduit in solving the information sharing challenge. As the report states:
“The proposed NSCIC would be chartered to share relevant information about suppliers that pose a national security risk with key private sector partners, while allowing private industry to share knowledge of potential vulnerabilities in technology with government agencies. By cutting through private sector norms of corporate competitiveness and IC norms of intelligence control, the NSCIC would build trust between government and industry, as well as broaden government understanding of risks and technology trends.”
The HSAC also provides a number of suggestions on establishing public-private partnerships around ICT risk reduction, imploring DHS to take “the lead in establishing and demonstrating how public-private partnerships can share actionable information at speed and scale in both classified and unclassified formats.” It also encourages implementation of SCRM frameworks, as appropriate, in both government and private enterprises:
Both reports endorse key recommendations set forth by the CSC, calling for “…increased Congressional action on cybersecurity, particularly as it relates to cyber deterrence to adversaries. Among the Commission’s recommendations was the emphasis on resilient systems, supply chains, and the broader economy.” HSAC’s recommendations, in whole, point to changes in DHS’ practices related to ICT, in lieu of short-term congressional action.
These recommendations may prompt the adoption of enhancements to risk management tactics – that may lead to greater scrutiny over federal contractors and their management of suppliers. The key is to understand the changing landscape and remain vigilant about the central role the prime contractor plays in this arena. By assessing the impact early on and having an “eyes-wide-open” approach to evolving federal demands related to supply chain risk, contractors can avoid disruption, compliance risk and best position themselves to continue delivering value to the federal buyer.
For more information on this and SCRM, or to learn how Baker Tilly specialists can help – please contact us:
 The Homeland Security Advisory Council (HSAC) provides advice and recommendations to the Secretary of Homeland Security on matters related to homeland security. HSAC comprises leaders from state and local government, first responder communities, the private sector and academia. For more information, visit: https://www.dhs.gov/homeland-security-advisory-council
 Direct excerpts of the recommendations have been provided within this article.
 More information on Executive Order 13873: “Securing the Information and Communications Technology and Services Supply Chain” is available here: https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/