The intelligence community’s questions on supply chain security

The Office of the Director of National Intelligence is not immune to the struggle that all corners of the federal government face on securing its supply chain.

ODNI general counsel Jason Klitenic, speaking Feb. 5 at the American Bar Association, outlined several supply chain security questions that the office wants addressed, but is finding hard to answer.

How much information can ODNI lawfully share?

ODNI wants to be able to share actionable threat intelligence with unwitting companies that are making acquisition decisions. The central challenge for the office in this situation is protecting sources and methods, the perennial issue in the intelligence community’s information sharing relationships.

“If we pick up intel or information that there’s a product out there that may have a vulnerability but we’re aware of it, but the company may not be aware of it, how can we possibly make sure that the company ... is aware of it?” Klitenic said.

To solve this problem, ODNI is trying to work out how to get information declassified or how to do a one-time read-in for specific members of the company.

To what extent can federal agencies influence the conduct of our suppliers?

Klitenic said that ODNI wants to know whether it can influence security compliance through security requirements embedded within contracts.

“How far can we go in terms of including contractual terms that impose security obligations and enforcing compliance with those obligations?” Klitenic asked.

ODNI might want to look for guidance to the Department of Defense, which recently tightened the cybersecurity requirements in its contracts, a move that is likely to have widespread implications for prime contractors and subcontractors. Those new standards will be put in contracts later this year.

Klitenic mentioned two other questions facing ODNI, though he didn’t elaborate on them:

What actions on supply chain risk management can the government take on both federal and non-federal IT systems?

Is there an obligation for the IC to engage with industry to propose mitigation measures?