Top senators on the Senate Homeland Security Committee warned the Office of Management and Budget Oct. 9 that IT professionals in Congress and the federal judiciary may not be getting all the supply chain risk information they need to secure their computer systems and networks as they make acquisitions.

The senators wrote to OMB Director Mick Mulvaney “urging” the Federal Acquisition Security Council (FASC) to develop a strategic plan for sharing supply chain security information with Congress and the judiciary. The letter is signed by Chairman Ron Johnson, R-Wisc.; Ranking Member Gary Peters, D-Mich.; Sen. Tom Cotton, R-Ark.; and Sen. Ron Wyden, D-Ore.

The FASC is responsible for increasing information sharing within the federal government regarding supply chain risk and creating guidelines and practices for risk management. The FASC distributes the intelligence community’s supply chain risk management (SCRM) threat analysis to federal civilian agencies making acquisition decisions. But the senators said that the information from FASC is not reaching the other two branches of government, and that supply chain solutions that work for executive agencies don’t necessarily work for the “whole of government.”

“Neither Congress nor the Judiciary has the resources, expertise or mission to replicate the IC SCRM’s work, meaning that the comprehensive ‘whole of government’ approach the FASC was intended to achieve will likely only benefit one branch of the federal government,” the senators wrote. “This leaves Congress and the court at risk of introducing insecure [information and communications technology] that is vulnerable to the national security threats assessed by IC and the FASC.”

The senators noted several reports of adversaries targeting the court and congressional networks. Microsoft recently disclosed that several email accounts of government officials were targeted by Iranian-backed hackers.

“The threat is not hypothetical,” they wrote. “Americans may accept the principle of separation of branches of government, but our adversaries don’t abide by that principle.”

Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.
