If the Intelligence Authorization Act for Fiscal Year 2013 is any indication, the US government's intelligence agencies are taking IT supply chain security very seriously.
The pending legislation -- sponsored by Senator Dianne Feinstein (D-Calif) and submitted to the president last week -- specifically calls out the CIOs of all intelligence agencies, commanding them to collect and report information about any software or other IT equipment in use in their respective operations.
Recent history has shown examples of PCs being infected with malware before they even reach store shelves. So the supply chain security measures contained in the act are laudable goals. And, the act will keep agencies on a tight schedule. Within 90 days of enactment, the director of national intelligence will have to submit a report to the Congressional intelligence committees that:
(1) Identifies foreign suppliers of information technology (including equipment, software, and services) that are linked directly or indirectly to a foreign government, including:
(a) by ties to the military forces of a foreign government;
(b) by ties to the intelligence services of a foreign government;
(c) by being the beneficiaries of significant low-interest or no-interest loans, loan forgiveness, or other support by a foreign government; and
(2) Assesses the vulnerability to malicious activity, including cyber crime or espionage, of the telecommunications networks of the United States due to the presence of technology produced by suppliers identified under paragraph (1).
So, when intelligence agencies and telecom companies are buying new gear, it isn't enough anymore to simply check the name on the label. Even if a device is stamped "made in America," it doesn't necessarily mean that all the components inside it were made in America. CIOs in intelligence agencies will now need to know how to answer the question "just how much of this was made in America?"
IT vendors are going to have to be forthcoming about what kinds of companies are in their supply chains, and this could impact purchasing decisions. The vendors that remain tight-lipped, or don't come back with the right answers, may lose government business.
Related to this, the law would also mandate that the CIOs of each intelligence agency conduct inventories of all their software licenses -- for software in use and software not in use -- and report those inventories to the CIO of the intelligence community.
Now, I don't read every law, of course, but I've read many, and I've never seen the term "CIO" in any of them. The fact that the text of the legislation actually uses this term shows that CIOs are getting some of the respect they deserve... and states in no uncertain terms just who's responsible for making this inventory happen.
The act will also demand that intelligence agencies develop a plan to achieve compliance with the Improper Payments Elimination and Recovery Act, which we covered last week.
Neither Senator Feinstein's office, nor the Senate Select Committee on Intelligence, responded to our requests for comment.
If this pending legislation is signed into law by the president, it could be a boon to IT supply chain security efforts. However, a number of questions remain to be answered:
- Is it even possible to improve IT supply chain security?
- If it's possible, how difficult will it be?
- And, if the intelligence agencies' CIOs find out that all IT gear is "linked directly or indirectly" to a foreign government, what do they do next?
- How many IT products and services could be eliminated?