Published by The Lawfare Institute
Until recently, software from the Russian company Kaspersky Lab was used widely within the U.S. government. But in 2017, the Department of Homeland Security concluded that products from Kaspersky posed security threats to government networks, warning of the company’s problematic ties to Russian government agencies and its obligations to the Kremlin under Russian law. Given how many Kaspersky products were installed on government networks, immediate action to remove them from these systems became paramount.
But there was just one problem: No government committee or council had the jurisdiction to address these concerns. Homeland Security was forced to use its authorities under the Federal Information Security Modernization Act (FISMA) to issue a binding operational directive instructing federal agencies to remove Kaspersky products from their networks. But the directive’s authority was not designed to address specific products or companies. To make the authority work, Homeland Security had to create new processes not provided for in FISMA and customize the directive to awkwardly address the risks posed by this single company. Even then, the authority was only broad enough to cover use of the software by certain agencies, requiring Congress to step in to address the use of Kaspersky products within the Pentagon.
Enter the Federal Acquisition Security Council (FASC). Following the Kaspersky decision, Congress created the FASC to provide a smoother process by which the government could address the threats posed by products such as Kaspersky’s.
On Sept. 1, the FASC, chaired by the Office of Management and Budget, published its Interim Final Rule setting out the processes, procedures and criteria the FASC will use to implement its authority to recommend that certain products be excluded or removed from government networks. With the publication of the rule, the FASC has become the newest, and potentially most significant, player in the executive branch’s efforts to curtail the influence and impact of products from rival nation-states.
What Is the FASC?
In 2018 Congress passed the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act. One of the most important provisions of the new law was Title II, the Federal Acquisition Supply Chain Security Act of 2018, which amended Title 41 of the U.S. Code and created the FASC. The council is designed to provide an interagency process through which the government can address potential security threats posed by “covered articles”: information technologies; telecommunications equipment and services; and related hardware, software, systems and devices.
The FASC includes representatives from seven executive branch agencies: the Department of Homeland Security, the Department of Defense, the Office of Management and Budget, the General Services Administration, the Office of the Director of National Intelligence (ODNI), the Department of Justice and the Department of Commerce. The federal chief information security officer serves as the chairperson for the FASC.
The council has several important functions, including recommending supply-chain risk management standards and establishing criteria for sharing information on supply-chain risks between executive agencies and other entities. But most significantly, the council has the authority to issue recommendations to executive agencies that certain products that pose supply-chain threats be excluded from agency procurement or be removed from agency networks. These recommendations must include, among other things, a summary of the risk assessment supporting the recommendation, information on the scope of the recommended exclusion or removal, discussion of the steps needed to implement the recommendation, and any mitigation measures that could be taken by the company that produced the product to lessen the supply-chain risk.
Once the council has issued a recommendation, it must notify the company whose product is at issue. This notice must provide such information as the criteria supporting the recommendation, a discussion of the basis for the recommendation including any “less intrusive measures that were considered and why such measures were not reasonably available,” and a description of mitigation steps the company could take. The company then has 30 days to submit information to the council opposing the recommendation.
Finally, the council’s recommendation and any information that the company submitted in response to it are sent to the secretaries of homeland security and defense, along with the director of national intelligence. These three officials will then review the information and decide whether to issue exclusion or removal orders for the information systems under their authority—federal civilian networks, in the case of Homeland Security; military networks, in the case of Defense; and networks serving the intelligence community, in the case of the ODNI. After an order has been issued, the company has 60 days to file a petition for judicial review in the U.S. Court of Appeals for the D.C. Circuit.
Launching the FASC
On Sept. 1, the FASC published an interim final rule—to be codified at 41 C.F.R. 201—which fleshes out the statutory requirements discussed above. Comments on the rule will be accepted until Nov. 2, but the mere publication of the rule enables the FASC to begin taking actions concerning products and services that may pose risks.
The rule contains three parts. Subpart A covers the administration of the council, including its membership. Importantly, it clarifies that “non-federal entities” are not required to take the actions laid out in an exclusion or removal order, unless the order specifically applies to government contractors and subcontractors. For example, when concerns about Kaspersky’s products were being publicly discussed in 2017, private companies and foreign governments began taking actions to remove these products from their stores and networks. Subpart A reiterates that companies and other entities are not required to take the same steps as the federal government and may make their own risk assessments of products included in the council’s recommendations.
Subpart B establishes the “information sharing agency,” the home agency for managing the day-to-day work of the council. Homeland Security, acting through the Cybersecurity and Infrastructure Security Agency, will fill this role. It includes further provisions discussing the notice provided to the company and its opportunity to respond, as well as how an administrative record is prepared so that courts can effectively review the decisions.
Finally, and most significantly, Subpart C lays out the procedures the FASC will follow when issuing recommendations that products be excluded or removed from government systems. The council may begin evaluating alleged security threats posed by a company or product by referral from a member of the council or any other executive branch agency, as well as any other entity it deems “credible.” The statute does not define what a “credible” entity would be, but this might include state or local governments, foreign governments or international organizations, or trade associations.
The rule sets out 10 factors that the FASC will consider when evaluating the security of a product, including the functionality of the product; the “security, authenticity, and integrity” of the product and any “embedded, integrated, and bundled software”; whether the product or company that produces it is owned or controlled by a “foreign government or parties owned or controlled by a foreign government”; and whether the product transmits data outside of the United States. In the case of Kaspersky, for example, several factors would have supported the council issuing a recommendation—specifically, U.S. concerns about the control the Russian government had over Kaspersky and the ability of Kaspersky products to transfer data back to the company’s servers in Russia. This list of factors will guide the FASC but will also help companies attempting to sell products to the federal government to make important decisions such as what software or hardware to include in their products or what countries and governments they associate with.
A fully operational council could have a significant impact on how the executive branch addresses alleged national security threats posed by foreign-owned supply-chain products. The council fills in the gaps left by other executive branch committees and councils. Other bodies, such as the Committee on Foreign Investment in the United States or Team Telecom, have jurisdiction to address national security threats only when they fall into discrete categories: mergers and acquisitions of U.S. companies involving foreign investors, or applications for Federal Communications Commission licenses. While these forms of jurisdiction are wide-ranging, they do not cover many situations that the government confronts daily. The council was created to help address these gaps.
Additionally, the FASC presents a whole-of-government approach to supply-chain security threats. In the Kaspersky case, while Homeland Security was able to issue a binding operational directive addressing the security threats posed by the company’s products, the directive did not apply to information networks operated by the military or the intelligence community. This gap left many of the U.S. government’s most sensitive networks outside the reach of the removal mandate, forcing Congress to take further steps by banning all Kaspersky products from all Defense Department networks. The council creates a process involving the military, intelligence community and civilian agencies at every stage.
However, the council also allows for precision in how the government acts to protect its networks. As noted, the council will forward recommendations to Homeland Security, Defense, and the ODNI, which have the discretion to decide whether to issue exclusion and removal orders within their sectors. Thus, broad government-wide bans of foreign products will be replaced by targeted exclusion and removal from the networks most at risk from these products. In addition, the Interim Final Rule’s statement that exclusion and removal orders do not apply to private-sector entities helps protect against overly broad actions by the government and allows U.S. companies to make their own risk assessments. The requirement that the council provide affected companies notification of recommendations—along with potential mitigation steps those companies may take to address the alleged security issues—allows for greater transparency and interaction between the government and the private sector on supply-chain threats. Ideally, it will also provide avenues to address national security concerns short of formal removal and exclusion orders.