The Federal Acquisition Security Council (FASC), established under the SECURE Technology Act, is a recently created interagency body tasked with developing “uniform criteria for supply chain risk management (SCRM) programs” across federal agencies, improving information sharing on supply chain risk, and setting forth procedures for making exclusion and removal determinations for any information and communications technology (ICT) considered to represent a security risk. The FASC’s strategic plan and charter were recently submitted to Congress.
In light of the recent SolarWinds supply chain infiltration of federal networks, Baker Tilly has summarized several important takeaways from the strategic plan, as the FASC will be a critical actor in the nation’s efforts to secure the federal supply chain. In a post-SolarWinds world, federal contractors would be wise to remain mindful of the FASC’s broad discretion, particularly its ability to issue exclusion and removal orders, which would result in an automatic referral for potential suspension and debarment.
On Sept. 1, 2020, the Office of Management and Budget (OMB) issued an interim rule implementing the Federal Acquisition Supply Chain Security Act of 2018 (Title II of the SECURE Technology Act), which established the FASC and empowered it to oversee an “overarching effort to establish standardized SCRM practices across the federal ICT enterprise.” Recently, the Office of the Federal CIO released the FASC’s strategic plan outlining its core mission and objectives. As the plan puts it:
“ICT SCRM is the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains.” Because each federal agency’s supply chain is as unique as each agency’s mission, no single SCRM program can be universally applied across the federal government. But now, all federal agencies will be able to look to the FASC for guidance, including for:
The plan identifies three central pillars for enhancing the security, reliability and resiliency of federal ICT. These are described in further detail below.
To meet its statutory mandates under the SECURE Technology Act, the FASC outlines several core activities it expects to undertake:
A key statutory mandate for the FASC is to develop criteria for, and improve, information sharing related to supply chain risk (government to government, government to industry, and industry to industry). Recognizing that each agency has its own policies and procedures that may constrain information sharing, the FASC will “develop criteria to delineate the specific categories (mandatory and voluntary) of information to be shared to ensure the security of federal ICT (including sharing with non-executive branch federal entities) while ensuring the information sharing process complies with applicable legal and policy requirements.” Additionally, the strategic plan designates the Department of Homeland Security (DHS), acting through the Cybersecurity and Infrastructure Security Agency (CISA), as the executive agency responsible for overseeing the information sharing guidance set forth by the FASC.
Recognizing the importance of engaging non-federal entities (the private sector, public-private partnerships, federally funded research and development centers and academic institutions) on this complex issue, the FASC plans to prepare a “stakeholder management plan” to identify relevant stakeholders and establish means of communication to “ensure that the FASC’s activities are informed by all relevant information as well as meet the needs of a diverse ecosystem of stakeholders.”
As cybersecurity and surveillance threats become ever more present, federal contractors should expect increasingly strict efforts to secure and strengthen the federal supply chain. This strategic plan makes clear that the FASC will be a critical voice in the nation’s growing measures to reduce ICT risk, with impacts that are likely to reach companies that do business with the federal government. These organizations should remain vigilant in addressing supply chain risks as they look to partner with federal customers; as the SolarWinds event makes clear, the risks to national security are too great to ignore. Beyond assessing their own supply chains, federal contractors should develop an effective SCRM program that puts in place the systems, policies and processes needed to mitigate and manage ongoing supplier risk.