Joyce Corell, assistant director for the supply chain directorate at the Office of the Director of National Intelligence’s (ODNI) National Counterintelligence and Security Center, predicts that regulation or other means to manage IT supply chain security risk is inevitable, given increased emphasis on the topic across government.
Speaking at an Information Security and Privacy Advisory Board meeting Friday, Corell said rumblings across the Federal space concerning supply chain risk will soon likely lead to even more formal steps.
“Something’s coming down the road,” Corell said. “There’s so much interest on the Hill, there’s so much interest in the White House, in the senior leadership across the administration in taking some action that we are going to see more conversations related to regulations or other types of tools to manage risk.”
Corell said the White House has taken supply chain issues as a priority but noted that agencies like the Department of Homeland Security – which has several law enforcement agencies under its umbrella – are unwilling or unable to enforce proper risk management practice, unless it is accompanied by an actual law.
She also noted numerous congressional actions, which have been both specific – like those in the National Defense Authorization Act targeting Chinese telecom firm ZTE – and broad – such as proposed draft legislation in the Senate to create a Federal Acquisition Security Council – as further evidence of the growing government imperative.
She also spoke about her organization’s role to advocate proper supply chain risk management. ODNI’s National Counterintelligence and Security Center’s authorities, Corell noted, are governmentwide and established by Congress. “We’re expanding our footprint, expanding our skills,” she said, and ODNI is working with agencies to establish better threat information sharing across their various supply chains.
Some of the difficulty in creating appropriate standards for managing risk, she said, comes down to the challenge of wrangling all of the relevant parties.
“You need to bring together your acquisition folks, your physical security folks, your information security folks, your network security folks. It has to be a team approach,” Corell said. “Looking across government at the different government agencies, this does not happen organically. These lines of business do not come together organically.”
This difficulty in bringing together stakeholders is why the type of change needed can’t be done from the bottom up, she said, and why big changes from the top might be on the way.
“The risk has ratcheted up, and there’s more attention on the issues,” she said.