[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]

         PUBLIC-PRIVATE INITIATIVES TO SECURE THE SUPPLY CHAIN

=======================================================================

                                HEARING

                               before the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 16, 2019

                               __________

                           Serial No. 116-41

                               __________

       Printed for the use of the Committee on Homeland Security
       
        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                 U.S. GOVERNMENT PUBLISHING OFFICE 
 40-457 PDF               WASHINGTON : 2020                               

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            Mike Rogers, Alabama
James R. Langevin, Rhode Island      Peter T. King, New York
Cedric L. Richmond, Louisiana        Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     John Katko, New York
Kathleen M. Rice, New York           Mark Walker, North Carolina
J. Luis Correa, California           Clay Higgins, Louisiana
Xochitl Torres Small, New Mexico     Debbie Lesko, Arizona
Max Rose, New York                   Mark Green, Tennessee
Lauren Underwood, Illinois           Van Taylor, Texas
Elissa Slotkin, Michigan             John Joyce, Pennsylvania
Emanuel Cleaver, Missouri            Dan Crenshaw, Texas
Al Green, Texas                      Michael Guest, Mississippi
Yvette D. Clarke, New York           Dan Bishop, North Carolina
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida
                       Hope Goins, Staff Director
                 Chris Vieson, Minority Staff Director
                 
                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Oral Statement
  Prepared Statement
The Honorable Mike Rogers, a Representative in Congress From the 
  State of Alabama, and Ranking Member, Committee on Homeland 
  Security:
  Oral Statement
  Prepared Statement

                               Witnesses

Mr. Robert Kolasky, Assistant Director, National Risk Management 
  Center, Cybersecurity and Infrastructure Security Agency, 
  Department of Homeland Security:
  Oral Statement
  Prepared Statement
Mr. Robert Mayer, Senior Vice President, Cybersecurity, 
  USTelecom:
  Oral Statement
  Prepared Statement
Mr. John S. Miller, Vice President of Policy and Senior Counsel, 
  Information Technology Industry Council:
  Oral Statement
  Prepared Statement

                                Appendix

Questions From Chairman Bennie G. Thompson for Robert Kolasky
Questions From Honorable James Langevin for Robert Kolasky
Questions From Honorable Dina Titus for Robert Kolasky
Questions From Chairman Bennie G. Thompson for Robert Mayer
Questions From Chairman Bennie G. Thompson for John Miller


         PUBLIC-PRIVATE INITIATIVES TO SECURE THE SUPPLY CHAIN

                              ----------                              


                      Wednesday, October 16, 2019

                     U.S. House of Representatives,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:03 a.m. in 
Room 310, Cannon House Office Building, Hon. Bennie G. Thompson 
[Chairman of the committee] presiding.
    Present: Representatives Thompson, Langevin, Correa, 
Underwood, Slotkin, Barragan, Demings; Rogers, Katko, Lesko, 
Taylor, Joyce, and Crenshaw.
    Chairman Thompson. The Committee on Homeland Security will 
come to order.
    The committee is meeting today to receive testimony on 
public-private initiatives to secure the supply chain.
    Without objection, the Chair is authorized to declare the 
committee in recess at any point.
    Good morning. I want to thank the witnesses for being here 
today to discuss an issue critical to our National security: 
The information and communications technology supply chain.
    Concerns about the original components embedded in our ICT 
devices such as cell phones, computers, and satellites are 
nothing new. We have known that such technology produced by our 
adversaries could be exploited for espionage or cyber attacks 
for a long time.
    In 2012 the Senate Intelligence Committee released a 
damning report about the threats products from Chinese telecom 
companies ZTE and Huawei pose to U.S. National security 
interests. Government officials had acknowledged concerns about 
the use of Kaspersky anti-virus software for years before the 
Department of Homeland Security finally directed all Federal 
agencies to remove it from their systems in 2018.
    But the rapid evolution of the global economy, coupled with 
our increasing reliance on technology and anticipation of a new 
5G cell network, has resulted in much-needed momentum to 
address risk in our ICT supply chain.
    Developing sound supply chain risk management policy is not 
just a whole-of-Government effort; it is an all-hands-on-deck 
effort. That is why I am pleased that CISA is spearheading a 
critical public-private initiative to provide recommendations 
for assessing and managing ICT supply chain risk.
    Last month the task force issued its interim report, and I 
congratulate the task force co-chairs on that accomplishment. 
The interim report identified practices and policies related to 
supply chain threat information sharing, white-listing, and 
threat evaluation, along with associated challenges. I am eager 
to discuss those issues today.
    More importantly, I want to know how Congress can help 
advance the recommendations of the task force. I am also 
interested to learn how the work of the task force is being 
leveraged by the Federal Acquisition Security Council, and by 
the Department of Commerce as it executes its authorities under 
Executive Order 13873, which was seemingly targeted at China.
    On that note, I want to commend the administration for 
finally taking a concrete step to mitigate the threat Chinese 
firms pose to the supply chain. The Chinese Government has 
spent years strategically investing in and promoting Chinese 
information and communications technology to advance its 
national agenda at our expense.
    So I was disturbed last year when the President directed 
the Department of Commerce to lift the ban on ZTE buying U.S. 
parts, apparently to advance his trade agenda. Our National 
security is not a bargaining chip, and the President cannot 
negotiate away policies that will secure our supply chain. 
Toward that end I will continue to monitor the implementation 
of the Executive Order closely.
    I look forward to the hearing and your testimony today.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                            October 16, 2019
    Concerns about the origin components embedded in our ICT devices, 
such as cell phones, computers, and satellites, are nothing new. We 
have known that such technology produced by our adversaries could be 
exploited for espionage or cyber attacks for a long time. In 2012, the 
Senate Intelligence Committee released a damning report about the 
threats products from Chinese telecom companies ZTE and Huawei pose to 
U.S. National security interests. Government officials had acknowledged 
concerns about the use of Kaspersky anti-virus software for years 
before the Department of Homeland Security finally directed all Federal 
agencies to remove it from their systems in 2018. But the rapid 
evolution of the global economy coupled with our increasing reliance on 
technology and anticipation of a new 5G cell network has resulted in 
much-needed momentum to address risks to our ICT supply chain.
    Developing sound supply chain risk management policy is not just a 
whole-of-Government effort--it's an all-hands-on-deck effort. That is 
why I am pleased that CISA is spearheading a critical public-private 
initiative to provide recommendations for assessing and managing ICT 
supply chain risks. Last month, the task force issued its Interim 
Report, and I congratulate the task force co-chairs on that 
accomplishment. The Interim Report identified practices and policies 
related to supply chain threat information sharing, whitelisting, and 
threat evaluation, along with associated challenges. I am eager to 
discuss those issues today. More importantly, I want to know how 
Congress can help advance the recommendations of the task force.
    I am also interested to learn about how the work of the task force 
is being leveraged by the Federal Acquisition Security Council and by 
the Department of Commerce as it executes its authorities under 
Executive Order 13873, which was seemingly targeted at China. On that 
note, I want to commend the administration for finally taking a concrete 
step to mitigate the threat Chinese firms pose to the supply chain. The 
Chinese government has spent years strategically investing in and 
promoting Chinese information and communications technology to advance 
its National agenda--at our expense. So I was disturbed last year when 
the President directed the Department of Commerce to lift the ban on 
ZTE buying U.S. parts, apparently to advance his trade agenda.
    Our National security is not a bargaining chip, and the President 
cannot negotiate away policies that will secure our supply chain. 
Toward that end, I will continue to monitor the implementation of the 
Executive Order closely.

    Chairman Thompson. The Chair now recognizes the Ranking 
Member of the full committee, the gentleman from Alabama, Mr. 
Rogers, for an opening statement.
    Mr. Rogers. Thank you, Mr. Chairman.
    The U.S. economy is the envy of many around the world. Our 
innovative spirit and technological advances have led the world 
for more than 150 years. For almost the same period of time, 
our adversaries and criminal actors around the world have 
attempted to steal our innovations, to enrich themselves, and 
undermine our way of life. They have sought every advantage to 
copy and extract information and intelligence about the U.S. 
Government, our industry, and our citizens.
    The latest front in this battle is the supply chain. Our 
adversaries are actively exploiting vulnerabilities in our 
supply chain to undermine our economy and our National 
security. These vulnerabilities have led to intellectual 
property theft, data breaches, and the leaks of Classified 
information. In recent years, that threat has intensified as 
our intelligence community has been able to link certain 
foreign companies with strong presence in our commercial and 
Government supply chain to foreign intelligence agencies.
    Protecting our supply chain from companies like Kaspersky 
Labs and Huawei that serve as intelligence fronts for Russia 
and China is a complex challenge. We need to do a better job of 
identifying and prohibiting companies like these from 
infiltrating our supply chain.
    But even if we are able to fully secure technologies in the 
United States, our citizens' companies still operate throughout 
the globe in countries that make different choices about their 
supply chains. For this reason we must have a holistic approach 
to securing the supply chain.
    I applaud the Information and Communications Technology 
Supply Chain Risk Management Task Force for taking such an 
approach. The ICT Task Force is a great example of public and 
private collaboration working to identify and understand the 
problem. Together they are working systematically to equip the 
Government and industry to mitigate risks. While the task force 
is focused on information and communications technology 
ecosystem, I hope their work will inform other areas of the 
supply chain risk.
    Our transportation systems, manufacturing, health care, and 
other critical industries are increasingly vulnerable to supply 
chain disruption. I think the 
Department of Homeland Security has the expertise to assist 
these industries, our Government, and other Government agencies 
if we fight this emerging threat. I expect the Department to 
continue to play a central role in the effort.
    I appreciate our witnesses for being here today to discuss 
this important work. I look forward to their recommendations on 
how to best equip the Government, industry, and our citizens to 
secure our supply chain.
    [The statement of Ranking Member Rogers follows:]
                Statement of Ranking Member Mike Rogers
                            October 16, 2019
    The U.S. economy is the envy of many around the world. Our 
innovative spirit and technological advances have led the world for 
more than 150 years.
    And, for almost the same period of time, our global adversaries and 
criminal actors have attempted to steal our innovations to enrich 
themselves and undermine our way of life.
    They have sought every advantage to copy and extract information 
and intelligence about the U.S. Government, our industry, and our 
citizens.
    The latest front in this battle is the supply chain. Our 
adversaries are actively exploiting vulnerabilities in our supply chain 
to undermine our economy and our National security.
    These vulnerabilities have led to intellectual property theft, data 
breaches, and leaks of Classified information.
    In recent years, the threat has intensified as our intelligence 
community has been able to link certain foreign companies with a strong 
presence in our commercial and Government supply chain to foreign 
intelligence agencies.
    Protecting our supply chain from companies like Kaspersky Labs and 
Huawei that serve as intelligence fronts for Russia and China is a 
complex challenge.
    We need to do a better job of identifying and prohibiting companies 
like these from infiltrating our supply chain.
    But even if we were able to fully secure technologies in the United 
States, our citizens and companies still operate throughout the globe, 
in countries that make different choices about their supply chains.
    For this reason, we must have a holistic approach to securing the 
supply chain. I applaud the Information and Communications Technology 
Supply Chain Risk Management Task Force for taking such an approach.
    The ICT Task Force is a great example of the public and private 
collaboration, working to identify and understand the problem and work 
systematically to equip the Government and industry to mitigate risks.
    While the task force is focused on the information and 
communications technology ecosystem, I hope their work will inform 
other areas of supply chain risk. Our transportation systems, 
manufacturing, health care, and other critical industries are 
increasingly vulnerable to supply chain disruption.
    I think the Department of Homeland Security has the expertise to 
assist these industries and other Government agencies as we fight this 
emerging threat. I expect the Department to continue to play a central 
role in this effort.
    I appreciate our witnesses for being here today to discuss their 
important work. I look forward to their recommendations on how best to 
equip Government, industry, and our citizens to secure our supply 
chain.

    Mr. Rogers. With that, Mr. Chairman, I yield back.
    Chairman Thompson. Thank you very much. Other Members of 
the committee are reminded that, under the committee rules, 
opening statements may be submitted for the record.
    I welcome our panel of witnesses today.
    Our first witness, Mr. Bob Kolasky, leads the Cybersecurity 
and Infrastructure Security Agency's National Risk Management 
Center at the Department of Homeland Security. As assistant 
director he oversees the Center's efforts to facilitate a 
strategic, cross-sector risk management approach to cyber and 
physical threats to critical infrastructure.
    Mr. Robert Mayer is senior vice president of cybersecurity 
at USTelecom. He currently serves as co-lead of DHS' 
Information and Communications Technology Supply Chain Risk 
Management Task Force. That is a tremendous title.
    We welcome you here, Mr. Mayer.
    Mr. John Miller is vice president of policy, and senior 
policy counsel at the IT Industry Council. He serves as co-lead 
of DHS' ICT Supply Chain Risk Management Task Force, 
representing information technology companies and the task 
force's work. Without objection, the witnesses' full statements 
will be inserted in the record.
    I now ask each witness to summarize his statement for 5 
minutes, beginning with Mr. Kolasky.

STATEMENT OF ROBERT KOLASKY, ASSISTANT DIRECTOR, NATIONAL RISK 
 MANAGEMENT CENTER, CYBERSECURITY AND INFRASTRUCTURE SECURITY 
            AGENCY, DEPARTMENT OF HOMELAND SECURITY

    Mr. Kolasky. Thank you, Chairman Thompson. Thank you, 
Ranking Member Rogers. Thank you, Members of the committee, for 
today's opportunity to testify regarding CISA's on-going 
efforts to secure the supply chain of information and 
communications technology. I will talk today a little bit about 
the work of the ICT task force, as well as other efforts that we 
are taking across DHS and the Federal Government.
    As CISA's assistant director in charge of running the 
National Risk Management Center, I have the privilege of 
leading an organization with a vitally important mission. The 
National Risk Management Center is a planning, analysis, and 
collaboration center, working with public and private partners 
to better understand and manage the most strategic risks to the 
Nation's critical infrastructure.
    We are doing this principally through two main 
buckets of activity: No. 1, building lasting analytic 
capability for critical infrastructure risk; and No. 2, leading 
and catalyzing initiative planning and execution for managing 
risk to priority areas identified.
    Since our inception at the end of last year we have 
steadily matured a capacity in both of these categories, 
particularly around risks to the Nation's supply chains.
    This hearing is timely and important for the reasons that 
you laid out in your opening statement, as well. Many or most 
discussions around cybersecurity threats include 
some risk calculation around supply chain, third-party, or 
vendor assurance risk. In line with that reality, CISA has 
identified supply chain risk management to include 5G security 
resilience as a Top-5 priority for our agency in our recently-
released strategic intent document, which we released at the 
end of August of this year.
    Supply chain risk can broadly be understood as efforts by 
our adversaries to exploit ICT technologies and their related 
supply chains for purposes of espionage, sabotage, and foreign 
interference activities. Vulnerabilities in supply chains, 
either developed intentionally for malicious intent, or 
unintentionally through poor security practices, can enable 
data and intellectual property theft, loss of confidence in the 
integrity of the system, or exploitation to cause system and 
network failure.
    Increasingly, our adversaries are looking at these 
vulnerabilities as a principal attack vector, and we are 
increasingly concerned with aggressive actions by potential 
foreign adversaries to include Russia, China, North Korea, and 
Iran.
    In the critical infrastructure community we frequently talk 
about the merits of deeper integration partnership across the 
Government and with private-sector partners to address high-
priority risks. Supply chain risks are such a priority, and a 
risk that can't be addressed without public-private 
partnerships. I think it is significant that I sit here with 
Robert and John, testifying on the same panel, because I can 
say confidently that the partnership between the ICT 
stakeholder community and CISA is stronger than ever before.
    Through our work at the ICT Supply Chain Risk Management 
Task Force, we have taken on a lot of the issues that are most 
important in understanding and dealing with the risks to the 
Nation's supply chain. As a high-level snapshot of where things 
stand, the task force has successfully brought together 40 
industry stakeholders across the IT and communications sector, launched 4 
working groups of key areas of priority risk management focus 
in supply chain, and published an interim report detailing key 
recommendations and next steps. John and Robert are going to 
talk a little bit more about those recommendations in their 
testimony.
    This is an important reinforcement of bringing the right 
people to the table. We can't do this work without the 
partnership with industry and across the interagency. The task 
force can be a model for a range of public-private partnership 
activities in this space and beyond.
    Outside of the work of the task force CISA is engaged in a 
wide range of supply chain risk management activity, and will 
be for the foreseeable future. As mentioned, our work in 
support of the President's Executive Order 13873--in 
particular, DHS has focused on assessing and identifying 
entities, hardware, software, and services that present 
vulnerabilities in the United States that pose the greatest 
potential consequence for our National security.
    As part of us doing the assessment, we relied on the work 
of the task force, and particularly our engagement and 
partnership with the firms who participate in the task force to 
help us better understand the critical nodes of our supply 
chain.
    CISA will soon release the methodology we used in the 
assessment in support of this Executive Order, and we have 
provided the whole report to the 
Secretary of Commerce. The methodology we used included a 
deconstruction of the ICT supply chain into 61 elements, the 
hardware, software, and service building blocks that 
collectively make up the ICT ecosystem.
    Among the elements that CISA designated as critical for 
focusing supply chain risk reduction efforts were home 
subscriber services, mobile switching centers, and sensitive 
system software, to include software-defined networking. 
Untrustworthy equipment in those supply chains could create an 
unacceptable amount of risk to the National security of the 
United States.
    Many of these critical elements will be part of the fifth 
generation communications network, 5G. 5G is the single biggest 
critical infrastructure build that the globe has seen in the 
last 25 years. Coupled with the growth of cloud computing, 
automation, and the future of artificial intelligence, 5G 
demands focused attention today to secure tomorrow.
    CISA and our interagency partners recognize the importance of 
5G security and resilience in our efforts. To demonstrate the 
reasons for that, the National Risk Management Center worked with 
the IT and communications sector to produce 
a publicly-available 5G risk characterization as a baseline-
level-setting document to understand the complexities, risks, 
and opportunities presented by 5G deployment.
    If untrusted components and suppliers take a foothold in 
our 5G infrastructure, there is potential for not just data 
integrity and privacy loss, but also public health and safety 
concerns due to many of the envisioned use cases of 5G 
connectivity. We must take these risks seriously, and I can 
tell you with confidence that CISA, with our partners, is doing 
that, both here in the United States and working with our 
allies globally.
    In summary, a holistic understanding of critical 
infrastructure risk must take into account the supply chain 
risks stemming from an interconnected society that relies 
heavily on ICT technology. As CISA continues to mature its 
engagement in supply chain risk management and 5G security and 
resilience lines of efforts, the agency is also working on 
developing a lasting technological architecture and framework 
to allow for better structured supply chain risk analysis. We 
believe investing in this capability will be critical to fully 
achieving CISA's critical infrastructure mission in the years 
to come.
    Thank you again for holding this hearing, and I look 
forward to your questions.
    [The prepared statement of Mr. Kolasky follows:]
                  Prepared Statement of Robert Kolasky
                            October 16, 2019
    Chairman Thompson, Ranking Member Rogers, and Members of the 
committee, thank you for today's opportunity to testify regarding the 
U.S. Department of Homeland Security's (DHS) Cybersecurity and 
Infrastructure Security Agency's (CISA) on-going efforts to secure the 
supply chain of information and communications technology (ICT). Thanks 
to Congress's leadership and passage of the Cybersecurity and 
Infrastructure Security Agency Act of 2018 (Pub. L. 115-278) nearly 1 
year ago today, CISA is now even better poised to achieve our important 
critical infrastructure security and resilience mission.
                        understanding the threat
    Cyber threats remain one of the most significant strategic risks 
for the United States, threatening our National security, economic 
prosperity, and public health and safety. We have seen advanced 
persistent threat actors, including hackers, cyber criminals, and 
nation-states, increase the frequency and sophistication of their 
attacks. In a 2018 report, Foreign Economic Espionage in Cyberspace, 
the United States' National Counterintelligence and Security Center 
stated, ``We anticipate that China, Russia, and Iran will remain 
aggressive and capable collectors of sensitive U.S. economic 
information and technologies, particularly in cyber space.'' Our 
adversaries have been developing and using advanced cyber capabilities 
in attempts to undermine critical infrastructure, target our 
livelihoods and innovation, steal our National security secrets, and 
threaten our democratic institutions.
    During his annual World-wide Threat Assessment testimony before 
Congress this January, the director of national intelligence stated, 
``China presents a persistent cyber espionage threat and a growing 
attack threat to our core military and critical infrastructure systems. 
China remains the most active strategic competitor responsible for 
cyber espionage against the U.S. Government, corporations, and 
allies.'' The director further stated, ``We are also concerned about 
the potential for Chinese intelligence and security services to use 
Chinese information technology firms as routine and systemic espionage 
platforms against the United States and allies.'' This assessment is 
consistent with the fact that Chinese laws on National security and 
cybersecurity provide the Chinese government with a legal basis to 
compel technology companies operating in China to cooperate with 
Chinese security services.
    Increasingly, many or most discussions around cybersecurity threats 
include some risk calculation around supply chain, third party, or 
vendor assurance risk. In fact, a 2018 Symantec report detailed that 
the number of observed supply chain attacks was 78 percent higher in 
2018 than it was in 2017, as malicious actors sought to exploit 
vulnerabilities in third-party software, hardware, and services.
    Supply Chain Risk can broadly be understood as efforts by our 
adversaries to exploit ICT technologies and their related supply chains 
for purposes of espionage, sabotage, and foreign interference activity. 
Vulnerabilities in supply chains--either developed intentionally for 
malicious intent or unintentionally through poor security practices--
can enable data and intellectual property theft, loss of confidence in 
the integrity of the system, or exploitation to cause system and 
network failure. Increasingly, our adversaries are looking at these 
vulnerabilities as a principal attack vector, and we are increasingly 
concerned with aggressive actions, by potential foreign adversaries to 
include Russia, China, North Korea, and Iran.
                       roles and responsibilities
    CISA, our Government partners, and the private sector are all 
engaging in a more strategic and unified approach toward improving our 
Nation's overall defensive posture against malicious cyber activity. In 
May 2018, the Department published the DHS Cybersecurity Strategy, 
outlining a strategic framework to execute our cybersecurity 
responsibilities during the next 5 years. The National Cyber Strategy, 
released in September 2018, reiterates the criticality of collaboration 
and strengthens the Government's commitment to work in partnership with 
industry to combat cyber threats and secure our critical 
infrastructure. Together, the National Cyber Strategy and DHS 
Cybersecurity Strategy guide CISA's efforts.
    CISA works across Government and critical infrastructure industry 
partnerships to lead the National effort to safeguard and secure cyber 
space. We share timely and actionable Classified and Unclassified 
information as well as provide training and technical assistance. Our 
work enhances cyber threat information sharing between and among 
governments and businesses across the globe to stop cyber incidents 
before they occur and quickly recover when they do. By bringing 
together the intelligence community, law enforcement, the Department of 
Defense, Sector-Specific Agencies, all levels of government, the 
private sector, international partners, and the public, we are enabling 
collective defense against cybersecurity risks, improving our incident 
response capabilities, enhancing information sharing of best practices 
and cyber threats, strengthening our resilience, and facilitating 
safety.
    In addition to our cross-sector leadership role, CISA is the 
Sector-Specific Agency for numerous sectors, notably the Information 
Technology and Communications Sectors. In this role, we work with a 
range of stakeholders to address both short-term and longer-term 
challenges regarding risks to telecommunications networks, including 
supply chain risk management and 5G security. These stakeholders 
include the Department of Justice, Department of Commerce, Department 
of Defense, Federal Communications Commission, General Services 
Administration, the intelligence community, and the private sector.
    Reducing ICT supply chain risk is a National security imperative 
and one that is a key pillar of CISA's Strategic Intent. While many 
components of CISA play some role in supporting supply chain 
initiatives, the National Risk Management Center (NRMC) leads the 
agency-wide supply chain coordination effort--providing program 
management and analytical support to current lines of effort. These 
include:
    The ICT Supply Chain Risk Management Task Force
    ICT analysis in support of Executive Order 13873: Securing 
         the Information and Communications Technology and Services 
         Supply Chain
    5G mobile communications security and resilience efforts.
    CISA's supply chain risk management efforts are closely integrated 
with the agency's broader critical infrastructure protection mission. 
Supply chain risk cuts across many of the 55 National Critical 
Functions released by CISA in April, and the National Critical 
Functions framework continues to be an effective platform for 
holistically understanding and prioritizing risk to our Nation's 
critical infrastructure.
              ict supply chain risk management task force
    In 2018, CISA established the Information and Communication 
Technology Supply Chain Risk Management Task Force as a public-private 
partnership jointly chaired by CISA and the chairs of the IT and 
Communications Sector Coordinating Councils. The task force is working 
to identify and manage risks to the global ICT supply chain and is 
comprised of 40 industry partners from the IT and Communications 
Sectors and 20 interagency partners from the U.S. Government.
    The first year of the task force focused on 4 priority areas of 
policy concern for supply chain risk management, including: Information 
Sharing, Threat Evaluation, Qualified Bidder Lists and Qualified 
Manufacturer Lists, and Policy Recommendations to Incentivize Purchase of 
ICT from Original Equipment Manufacturers and Authorized Resellers.
    In September of this year, the task force released an Interim 
Report providing a status update on activities and objectives of the 
task force. The report outlines the overall structure of the task force 
as well as the 4 Working Groups, areas of discussion, and relevant key 
findings. The Interim Report serves as an important building block for 
the second year of the task force, including strategic priorities and 
recommendations.
    Among these priorities is enhancing the information sharing about 
supply chain risks with a particular focus on potential bad actors. The 
task force identified current gaps in the ability of Government to 
collect relevant information on bad actors, the ability to use that 
information as part of an overall evaluation of trusted vendors, and 
the ability for that information to be shared with the private sector. 
Crucially, the task force also identified limitations on private-to-
private information sharing on supply chain risks because of lingering 
legal concerns. Going forward, the task force is establishing a Working 
Group of lawyers from industry and government to address these hurdles 
and make recommendations for legal and regulatory changes; in addition, 
the task force is likely to identify the necessary components of an 
enhanced information sharing environment that can take advantage of 
factors that contribute to understanding as to whether vendors can be 
trusted.
    Another effort of the task force will be related to taking the 
output of a list of the Threat Evaluation Working Group--which 
identified 9 types of supply chain threats and related scenarios--and 
making recommendations as to how the identified threats and threat 
scenarios can inform risk management programs for Government agencies, 
and large and small businesses alike. These threats--whether from 
counterfeit parts, insider threats, poor cybersecurity practices, or 
market forces--need to be accounted for in effective supply chain risk 
management programs.
    In addition to its Working Groups, the task force has emerged as a 
key private-sector touch point for the recently-launched Federal 
Acquisition Security Council (FASC). All agencies participating in the 
FASC also have representatives on the task force--a deliberately 
designed synergy. And, we recently completed an agency-wide data call 
for the FASC and the task force that identified supply chain risk 
management programs from across Government for the purpose of 
increasing integration and synchronization of efforts across the 
Executive branch.
                        ict criticality analysis
    On May 15, 2019, the President signed Executive Order (EO) 13873: 
Securing the Information and Communications Technology and Services 
Supply Chain. This EO declares a National emergency with respect to the 
threat posed by foreign adversaries to the Nation's information and 
communications technology supply chain. Specifically, the EO addresses 
concerns that ``foreign adversaries are increasingly creating and 
exploiting vulnerabilities in information and communications technology 
and services, which store and communicate vast amounts of sensitive 
information, facilitate the digital economy, and support critical 
infrastructure and vital emergency services, in order to commit 
malicious cyber-enabled actions, including economic and industrial 
espionage against the United States.''
    DHS, specifically CISA, plays a key role in EO 13873. Section 5(b) 
requires the Secretary of Homeland Security to ``assess and identify 
entities, hardware, software, and services that present vulnerabilities 
in the United States that pose the greatest potential consequences to 
the National security of the United States.'' The Secretary of DHS, in 
coordination with sector-specific agencies and coordinating councils as 
appropriate, was required to submit an assessment within 80 days of 
issuance of the EO and annually thereafter. The assessment was required 
to include an ``evaluation of hardware, software, or services that are 
relied upon by multiple information and communications technology or 
service providers, including the communication services relied upon by 
critical infrastructure entities identified pursuant to section 9 of 
Executive Order 13636.''
    The Secretary of DHS delegated this responsibility to CISA. To 
carry out this responsibility, CISA has engaged with its Federal and 
private-sector partners to provide assessments of ICT hardware, 
software, and services to determine which pose the greatest threats and 
vulnerabilities to U.S. critical infrastructure.
    CISA will soon release the methodology it used in its assessment in 
support of the EO. The methodology includes a deconstruction of the ICT 
supply chain into 61 elements--the hardware, software, and services 
``building blocks''--that collectively make up the ICT ecosystem. CISA 
hopes that this elemental deconstruction will have lasting value for 
supply chain risk management activity beyond this EO.
    Among the elements that CISA designated as critical for focusing 
supply chain risk reduction efforts were Home Subscriber Services, 
Mobile Switching Centers, and Sensitive Systems Software (to include 
software-defined networking). Untrustworthy equipment in those supply 
chains could create an unacceptable amount of risk to the National 
security of the United States. There would likely be significant 
regional or National impacts, including affecting operations and the 
confidentiality, integrity, or availability of data or the system, and 
the ability to effectively mitigate these risks is uncertain or 
unsatisfactory.
                                   5g
    With that finding in mind, DHS--and our interagency partners--
recognize 5G deployment as a significant area for National and economic 
security attention. The Fifth Generation Communications Network (5G) is 
the next generation of wireless technology that represents a complete 
transformation of telecommunication networks. Combining new and legacy 
technology and infrastructure, 5G will build upon previous generations 
in an evolution that will occur over many years, utilizing existing 
infrastructure and technology.
    From my perspective, 5G is the single biggest critical 
infrastructure build that the globe has seen in the last 25 years and, 
coupled with the growth of cloud computing, automation, and future of 
artificial intelligence, demands focused attention today to secure 
tomorrow.
    5G builds upon existing telecommunication infrastructure by 
improving the bandwidth, capacity, and reliability of wireless 
broadband services. The evolution will take years, but the goal is to 
meet increasing data and communication requirements, including capacity 
for tens of billions of connected devices that will make up the 
internet of things (IoT), ultra-low latency required for critical near-
real-time data transmission, and faster speeds to support emerging 
technologies. As of June 2019, 5G networks and technologies are in 
development with a limited rollout in select cities around the world, 
including 20 in the United States.
    DHS, working with its interagency and industry partners, has an 
opportunity to help shape the rollout of this emerging critical 
infrastructure, increasing its security and resilience at the design 
phase and reducing National security risk from an untrustworthy 5G 
network. Our intent in doing so is to promote the development and 
deployment of a secure and resilient 5G infrastructure that enables 
enhanced National security, technological innovation, and economic 
opportunity for the United States and its allied partners.
    Our work in this area will be focused on 6 lines of effort, to 
include:
    Support the design and deployment of 5G networks with 
         security and resilience in mind, to include investing in 
         Research & Development
    Promote 5G use cases that are secure and trustworthy
    Identify and communicate risks--including supply chain 
         risks--to 5G infrastructure
    Promote development and deployment of trusted 5G components
    Advance the United States' global effort to influence 
         direction of allied nations in 5G deployments
    Provide leadership role within USG to coordinate operational 
         5G security and resilience efforts.
    The analogy of the space race is not entirely incorrect for 5G 
deployment, but I view it more as a competition between differing views 
of the world--one in which technology is deployed that protects the 
values of privacy, enables greater confidence amongst citizenry in 
essential services, and creates greater connectivity and economic 
opportunity while not undermining the ability of countries and 
communities to protect themselves; and, one that views technology as an 
enabler of illegitimate behavior.
    The United States' goal needs to be to do whatever we can to lead 
the world to the former vision. Industry will be a partner in all of 
this effort--so, too, will like-minded countries. One particular focus 
needs to be on ensuring that State-influenced entities do not dominate 
a market through unfair business practices and to potentially do the 
work of adversary action. As such, a particular concern that the 
Department of Homeland Security is focusing on regards the growing 
presence of Chinese telecom equipment in the Radio Access Network (RAN) 
portion of the network where there are a limited number of RAN 
equipment suppliers. There are 5 main purveyors of 5G RAN technology 
globally, the largest of which is Chinese-based. If Chinese 
manufacturers continue to gain market share, there will be growing 
concern about the long-term viability of the existing supply chain for 
5G and successor technologies. As such, it is important for the United 
States and its allies to continue to promote market dynamism and 
support existing trusted vendors in the space while investing in 
innovation and research and development that will help the trusted 
community win the quality battle in the RAN, innovate to a future 5G, 
and compete on a level playing field in the market. This is 
particularly necessary to help support deployment across the United 
States, including in rural communities.
                         dhs advisory councils
    CISA is working through the Critical Infrastructure Partnership 
Advisory Council (CIPAC) structure to engage with private-sector 
stakeholders, especially the Communications and Information Technology 
Sector Coordinating Councils and the Enduring Security Framework 
Operations Working Group to collaborate on the risk posed by 5G 
technologies.
    CISA operates the Communications Sector Information Sharing and 
Analysis Center (ISAC), a partnership of 11 Federal agencies and over 
60 private-sector communications and information technology companies. 
Some of these companies maintain a permanent presence in CISA's 
operations center. Through the Communications ISAC, Government and 
industry exchange vulnerability, threat, intrusion, and anomaly 
information. CISA also uses this mechanism to maintain situational 
awareness regarding the evolution of 5G standards and carrier 5G plans.
    The President's National Security Telecommunications Advisory 
Committee (NSTAC), created in 1982, provides industry-based analyses 
and recommendations to the President and the Executive branch regarding 
policy and enhancements to National security and emergency preparedness 
(NS/EP) telecommunications. It is composed of up to 30 Presidentially-
appointed senior executives who represent various elements of the 
telecommunications industry. NSTAC is supported by the Secretary of 
Homeland Security, who is the Executive Agent.
    NSTAC has reviewed 5G security issues, including when it finalized 
its NSTAC Report to the President on Emerging Technologies Strategic 
Vision on July 14, 2017. The report included recommendations on how the 
government can adapt to ``unprecedented growth and transformation in 
the technology ecosystem over the next decade,'' including 5G 
technology, which the NSTAC identified as a near-term transformative 
technology.
    The NSTAC is currently examining technology capabilities that are 
critical to NS/EP functions in the evolving ICT ecosystem. On April 2, 
2019, the NSTAC submitted a letter to the President outlining the first 
phase of its study to identify the technologies within the ICT 
ecosystem that are most critical to the Government's NS/EP functions, 
which include 5G, quantum computing, and artificial intelligence.
    During the second phase of this study, the NSTAC plans to examine 
how certain dependencies, market limitations, and supply chain risks 
began, using the deployment of 5G technologies as a case study. The 
NSTAC will formulate recommendations for the recommended National 
innovation NS/EP ICT strategy. This strategy will ensure that the 
United States is more resilient, has access to trusted technology to 
support its NS/EP mission, and leads in the development and use of ICT 
technology.
                        research and development
    The next age of digital transformation depends on the success of 
the United States' National and global 5G build out. Significant 
research remains to be done in this area as well as hardening of the 5G 
network protocols, which are currently in early development. On April 
22, 2019, DHS's Science and Technology Directorate and CISA announced 
an effort related to the development of new standards to improve the 
security and resilience of critical mobile communications networks. 
This solicitation established a research and development project for 
innovative approaches and technologies to protect legacy, current, and 
5G mobile network communications services and equipment against all 
threats and vulnerabilities.
    The 3d Generation Partnership Project (3GPP) and the United 
Nations' International Telecommunication Union (ITU) lead the global 
5G standards development initiatives. CISA currently works with 
industry, including Nation-wide U.S. wireless carriers, in preparing 
technical standards for the standards development organizations to 
ensure Public Safety and NS/EP personnel will have priority 
communications services on 5G networks.
                               conclusion
    In the face of increasingly sophisticated threats, CISA employees 
stand on the front lines of the Federal Government's efforts to defend 
our Nation's Federal networks and critical infrastructure. The threat 
environment is complex and dynamic with interdependencies that add to 
the challenge. As new risks emerge, we must better integrate cyber and 
physical risk in order to effectively secure the Nation. CISA 
contributes unique expertise and capabilities around cyber-physical 
risk and cross-sector critical infrastructure interdependencies.
    A holistic understanding of critical infrastructure risk must take 
into account the supply chain risk stemming from an interconnected 
society that relies heavily on ICT technology as the supporting 
backbone of many National Critical Functions. As CISA continues to 
mature its engagement on supply chain risk management and 5G security 
and resilience lines of effort, the agency is also working on 
developing a lasting technological architecture and framework to allow 
for better-structured supply chain risk analysis. We believe investing 
in this capability will be critical to fully achieving CISA's critical 
infrastructure mission in the years to come.
    I recognize and appreciate this committee's strong support and 
diligence as it works to understand this emerging risk and identify 
additional authorities and resources needed to address it head on. We 
at CISA are committed to working with Congress to ensure our efforts 
cultivate a safer, more secure, and resilient homeland through our 
efforts to defend today and secure tomorrow.
    Thank you for the opportunity to appear before the committee today, 
and I look forward to your questions.

    Chairman Thompson. Thank you very much. Thank you for your 
testimony.
    We now recognize Mr. Mayer for 5 minutes.

       STATEMENT OF ROBERT MAYER, SENIOR VICE PRESIDENT, 
                    CYBERSECURITY, USTELECOM

    Mr. Mayer. Chairman Thompson, Ranking Member Rogers, and 
other distinguished Members of the committee, thank you for the 
opportunity to testify at today's hearing on public-private 
initiatives to secure the supply chain.
    My name is Robert Mayer, I am senior vice president of 
cybersecurity at USTelecom. I serve as the chair of the 
Communications Sector Coordinating Council, and serve as co-
chair of the Department of Homeland Security Information 
Communication Technology Supply Chain Risk Management Task 
Force, hereafter known as ``the task force,'' which is the 
subject of today's hearing.
    The term ``supply chain management'' only entered the 
business lexicon in 1983, when distributed computing power and 
new software applications were replacing traditional analog 
forms of communications and record keeping. A decade later, the 
invention of the internet and the proliferation of e-Commerce 
changed forever the pace, complexity, and scale of commerce, 
creating a global digital economy that now represents one-fifth 
of the world's total economic value.
    Today we stand at the precipice of an entirely new 
paradigm, where technological advances in distributed 
computing, networking, fifth-generation wireless, big data, 
artificial intelligence, and machine learning promise to 
fundamentally change the nature of business transactions and 
the supply chain that is at its foundation.
    The question we must now ask ourselves: What risks come 
with these transformational technologies, and how best can we 
work together to mitigate them?
    It is hard to overstate the complexity of supply chain 
challenges. For both suppliers and buyers, the potential 
universe of supply chain vulnerabilities touches all aspects of 
information technology: Hardware and sub-components, IoT 
devices, operating systems, software, and applications of all 
varieties, cloud and hosting services, telecommunications 
equipment, and services. Essentially, any physical or logical 
element that can be used to generate, store, manipulate, or 
transport data in digital form.
    That means the billions of new connected objects coming on-
line will expand the risk universe exponentially. To be clear, 
many companies in the ICT ecosystem are incorporating high 
standards of supply chain risk management. Companies with large 
global and National footprints and that have substantial 
dependencies on foreign inputs have dedicated teams of supply 
chain practitioners working tirelessly to ensure that their 
brand is not tarnished and their customers can continue to 
trust the integrity of their products and services. Rigorous 
internal systems and controls are applied, and expectations of 
downstream suppliers are often reinforced by verified 
attestations, audits, and contractual commitments.
    In my written testimony, I described the efforts of the 4 
ICT working groups and some of the Year 2 activities now being 
discussed among task force members.
    I do want to bring to the committee's attention some 
insights from the information-sharing group as legislative 
proposals are likely to emerge. This group has identified one 
of the most serious obstacles to effective supply chain risk 
management. Information about suspect suppliers cannot be 
freely exchanged with other parties operating in the 
same space. Why? Because doing so could subject enterprises to 
a variety of legal actions, including violations of Federal or 
State antitrust laws, anti-competitive behaviors, or deceptive 
trade practices.
    Private causes of action also can result from 
transgressions involving commercial agreements and other 
statutory or common law infractions. The working group is 
recommending that independent legal counsel study the matter 
more deeply, and determine to what extent liability protections 
are needed to facilitate sharing.
    The task force's importance and value is not only reflected 
in the sum of its current and future work, but also because it 
is a model for collectively advancing policies critical to our 
National interest that can be operationalized in ways that have 
a high likelihood of success.
    The task force success did not happen overnight. It is the 
result of more than a decade of an increasingly robust, 
mutually accountable, and trusted public-private partnership. 
The task force governance structure supports the important 
principles of whole-of-Government approach, and has brought an 
extraordinary group of private- and public-sector experts to 
the same table to tackle some of the most challenging supply 
chain issues.
    I know I speak for all the members of the task force when I 
say we appreciate the gravity and urgency of our work, and we 
are committed to delivering strategies that will lead to 
meaningful and sustainable solutions.
    Thank you for the privilege of participating in this 
hearing, and I look forward to answering your questions.
    [The prepared statement of Mr. Mayer follows:]
                   Prepared Statement of Robert Mayer
                            October 16, 2019
    Chairman Thompson, Ranking Member Rogers, and other distinguished 
Members of the committee, thank you for the opportunity to testify at 
today's hearing on Public-Private Initiatives to Secure the Supply 
Chain. My name is Robert Mayer and I am the senior vice-president 
cybersecurity at USTelecom, the Nation's trade association representing 
broadband providers, suppliers, and innovators connecting our families, 
communities, and enterprises to the future. Our diverse membership 
ranges from large publicly-traded global communications providers, 
manufacturers, and technology enterprises, to small companies and 
cooperatives--all providing advanced communications services to 
markets, both urban and rural and everything in between.
    I also serve as the chair of the Communications Sector Coordinating 
Council. I currently serve as co-chair of the Department of Homeland 
Security Information and Communications Technology (ICT) Supply Chain 
Risk Management Task Force which is the subject of today's hearing.
    The term supply chain management only entered the business lexicon 
in 1983--when distributed computing power and new software applications 
were replacing traditional analogue forms of communications and record 
keeping. A decade later, the invention of the internet and the 
proliferation of e-commerce changed forever the pace, complexity, and 
scale of commerce creating a global digital economy that now represents 
one-fifth of the world's total economic value.
    Today we stand at the precipice of an entirely new paradigm where 
technological advances in distributed computing, networking, fifth-
generation wireless, big data, artificial intelligence, and machine 
learning promise to fundamentally change the nature of business 
transactions and the supply chain that is its foundation. The question 
we must now ask ourselves. What risks come with these transformational 
technologies and how best can we work together to mitigate them?
    It's hard to overstate the complexity of supply chain challenges. 
For both suppliers and buyers, the potential universe of supply chain 
vulnerabilities touches all aspects of information technology--hardware 
and sub-components, IoT devices, operating systems, software and 
applications of all varieties, cloud and hosting services, 
telecommunications equipment or services. Essentially, any physical or 
logical element that can be used to generate, store, manipulate, or 
transport data in digital form. That means the billions of new 
connected objects coming on-line will expand the risk universe 
exponentially.
    To be clear, many companies in the ICT ecosystem are incorporating 
high standards of supply chain risk management practices. Companies 
with large global and National footprints and substantial dependencies 
on foreign inputs, have dedicated teams of supply chain practitioners 
working tirelessly to ensure their brand is not tarnished and that 
their customers can continue to trust the integrity of their products 
and services. Rigorous internal systems and controls are applied and 
expectations of downstream suppliers are often reinforced by verified 
attestations, audits, and contractual commitments.
    The task force has addressed a small, but very important slice of 
the supply chain risk management universe. Working Group 1, the 
information-sharing group, has identified one of the most serious 
obstacles to effective risk management. Information about suspect 
suppliers cannot be freely exchanged when enterprises are subject to a 
variety of legal actions, including violations of Federal or State 
anti-trust laws, anti-competitive behaviors, or deceptive trade 
practices. The working group has recommended that independent legal 
counsel study the matter more deeply with possible legislative or 
regulatory recommendations to reduce liability risk.
    Working Group 2 focused on the identification of processes and 
criteria to better understand and evaluate threats to ICT suppliers. 
That working group identified 9 major threat categories comprising 
approximately 200 unique threats. The working group currently is 
framing work that might include examples of how enterprises can 
leverage the task force threat assessment as an information feed into 
their own company-specific risk management program.
    Working Group 3 examined how Qualified Bidder and Manufacturer 
lists might help mitigate supply chain risk. The group examined 5 
programs within the Federal Government that make use of such lists and 
identified several potential follow-up activities that would advance 
current and future use of such qualified lists.
    Finally, Working Group 4 explored concerns related to deployment of 
counterfeit ICT products and recommended adding a new section to the 
Federal Acquisition Regulation (FAR). The section would be titled 
``Procurement of Information and Communications Technology from a 
trusted Original Manufacturer, the Authorized Channels or other 
Approved Source.'' That recommendation has been submitted to the 
Federal Acquisition Security Council for review.
    The task force's importance and value is not only reflected in the 
sum of its current and future work but also because it is a model for 
collectively advancing policies critical to our National interests that 
can be operationalized in ways that have a high likelihood of success. 
The task force's success did not happen overnight; it is the result of 
more than a decade of an increasingly robust, mutually accountable and 
trusted public-private partnership. The task force's governance 
structure supports the important principle of a whole-of-Government 
approach and has brought an extraordinary group of private- and public-
sector experts to the same table to tackle some of the most challenging 
supply chain issues. I know I speak for all of the members of the task 
force when I say we appreciate the gravity and urgency of our work, and 
we are committed to delivering strategies that will lead to meaningful 
and sustainable solutions.
    Thank you for the privilege of participating in this hearing. I 
look forward to answering your questions.

    Chairman Thompson. Thank you for your testimony.
    I now recognize Mr. Miller to summarize his statement for 5 
minutes.

   STATEMENT OF JOHN S. MILLER, VICE PRESIDENT OF POLICY AND 
     SENIOR COUNSEL, INFORMATION TECHNOLOGY INDUSTRY COUNCIL

    Mr. Miller. Chairman Thompson, Ranking Member Rogers, and 
distinguished Members of the committee, on behalf of the 
Information Technology Industry Council, or ITI, thank you for 
the opportunity to testify today.
    As the current chair of the Information Technology Sector 
Coordinating Council and co-chair of the task force, I welcome 
the committee's interest on the importance of public-private 
initiatives to secure the supply chain.
    ITI is a global policy and advocacy organization 
representing nearly 70 of the world's leading ICT companies. 
The global ICT industry respects and takes seriously the U.S. 
Government's obligation to address risks to global supply 
chains and its responsibility to protect National security more 
broadly.
    Public-private partnerships are an essential mechanism for 
addressing our shared security challenges. Working together to 
leverage the public-private partnership structures that were 
pioneered in the United States, industry and Government can 
seize this moment and lead on developing supply chain security 
policy solutions that also support innovation and economic 
growth.
    Two key factors are making supply chain security a growing 
challenge.
    First, while managing risk to global supply chains has 
always been complex, our increasingly connected global ICT 
infrastructure is powering every segment of the economy as we 
move toward surpassing 20 billion connected devices in 2020, 
illustrating the vast scope of the challenge. Nation-state 
threats, too, are now a greater part of the conversation, 
implicating not only National security, but also economic 
security and U.S. competitiveness.
    Second, the rise of the 5G networks and the data-centric 
world they will power has magnified supply chain security 
challenges and anticipated risks, driving governments to more 
intensely focus on the issue. Specifically, the increased speed 
and volume of data that will soon flow through networks raises 
significant questions regarding data access that implicate not 
only National security, but individual privacy, technological 
leadership, and economic competitiveness.
    The Supply Chain Task Force was established to address 
these evolving threats, and brings together stakeholders from 
across the communications and IT sectors and multiple Federal 
agencies to enable targeted resource investment, share 
technical and policy expertise, and identify actionable policy 
solutions.
    DHS's Cybersecurity and Infrastructure Security Agency 
recently published an interim report detailing the task force's 
progress to date.
    Two key takeaways from the report that I would like to 
highlight are, No. 1, information sharing remains a top 
priority. The task force determined that the highest-value 
supply chain threat information relates to suspected, known, or 
proven bad actors in the supplier context, but that legal and 
policy issues often prevent the sharing of such information. 
This insight suggests the need for further legal analysis and 
foreshadows the potential need for future legislative action.
    No. 2, the supply chain threat landscape is vast and 
diverse. The task force evaluated the global supply chain 
threat landscape, compiling nearly 200 supplier-related 
threats, and categorizing those threats into 9 categories, 
ranging from cybersecurity to economic to legal to external 
threats such as natural disasters. This work illustrates how 
adequately managing supply chain risk requires a fact-based and 
contextual analysis of multiple identifiable threats and 
potential mitigations.
    I would like to conclude by offering 3 concrete 
recommendations.
    First, continue using the task force as a key resource for 
public-private collaboration on supply chain risk management. 
The task force's work to inform the ICT risk assessment 
required by the supply chain Executive Order demonstrates it 
can be deployed as a resource to help inform supply chain 
policy efforts beyond the task force's core work streams.
    A significant opportunity exists to leverage the connective 
tissue established between the task force and the Federal 
Acquisition Security Council to help build out the rules to 
implement last year's Secure Technology Act in a way that 
achieves its security objectives while minimizing unintended 
impacts to continued technology innovation and the 
technological leadership of U.S. companies.
    Second, target future U.S. supply chain measures to 
identified gaps. While we appreciate the focus of policy makers 
globally on the urgency of addressing supply chain risk, the 
sheer volume of policy making activity has, in some instances, 
overwhelmed the ability of private-sector actors to effectively 
keep up.
    The task force realized early on that conducting an 
inventory of public-sector supply chain activities would be 
useful for helping the task force and other stakeholders 
identify what tasks weren't being done, and to prioritize those 
that were most important. Once complete, we should share the 
task force inventory results with key stakeholders, and 
leverage those results to inform supply chain policy making 
across the board.
    Finally, we encourage the U.S. Government to continue to 
deepen engagement with international partners and pursue a 
coordinated approach. Global supply chain security challenges 
ultimately call for globally scalable solutions, and we 
encourage cross-border collaboration to avoid harmful 
fragmentation. The Prague principles on 5G security provide a 
good blueprint for such activity.
    Thank you again for the opportunity to testify today. I 
look forward to your questions.
    [The prepared statement of Mr. Miller follows:]
                  Prepared Statement of John S. Miller
                            October 16, 2019
    Chairman Thompson, Ranking Member Rogers, and distinguished Members 
of the Committee on Homeland Security, thank you for the opportunity to 
testify today. I am John Miller, vice president of policy and senior 
counsel at the Information Technology Industry Council (ITI).\1\ I have 
deep experience working on public-private security initiatives in the 
United States, including serving as the current chair of the 
Information Technology Sector Coordinating Council (ITSCC) \2\ and co-
chair of the Information and Communications Technology Supply Chain 
Risk Management Task Force (task force). I am honored to testify before 
your committee today on the important topic of ``Public-Private 
Initiatives to Secure the Supply Chain.'' The global ICT industry 
respects and takes seriously the U.S. Government's--and other 
governments'--obligation to address risks to global information and 
communications technology (ICT) supply chains, and the responsibility 
of governments to protect National security more broadly. We believe 
government and industry must work together to achieve the trusted, 
secure, and reliable global supply chain that is a necessary priority 
for protecting National security and is also an indispensable building 
block for supporting innovation and economic growth. We welcome the 
committee's interest and engagement on this subject.
---------------------------------------------------------------------------
    \1\ The Information Technology Industry Council (ITI) is the 
premier advocacy and policy organization for the world's leading 
innovation companies. ITI navigates the constantly-changing 
relationships between policy makers, companies, and non-governmental 
organizations to promote creative policy solutions that advance the 
development and deployment of technology and the spread of digitization 
around the world. Visit https://www.itic.org/ to learn more.
    \2\ The Information Technology Sector Coordinating Council (IT SCC) 
serves as the principal entity for coordinating with the Government on 
a wide range of critical infrastructure protection and cybersecurity 
activities and issues. The IT SCC brings together companies, 
associations, and other key IT sector participants, to work 
collaboratively with the Department of Homeland Security, Government 
agencies, and other industry partners. Through this collaboration, the 
IT SCC works to facilitate a secure, resilient, and protected global 
information infrastructure. Visit https://www.it-scc.org to learn more.
---------------------------------------------------------------------------
    ITI represents nearly 70 \3\ of the world's leading ICT companies. 
Robust security is a key pillar of building and maintaining trust in 
the global ICT ecosystem, and is thus essential to our businesses and 
customers. Supply chain security and cybersecurity are rightly priority 
issues for governments and our industry, and we share the common goals 
of improving cybersecurity and supply chain security, protecting the 
privacy of individuals' data, and maintaining strong intellectual 
property protections. Further, our members are global companies and do 
business in countries around the world. Most service the global market 
via complex supply chains in which products are developed, made, and 
assembled in multiple countries, and service customers across all 
levels of government and the full range of global industry sectors, 
such as financial services, health care, and energy. We thus acutely 
understand the importance of securing global ICT supply chains as not 
only a global business imperative for companies and customers alike, 
but as critical to our collective security. As a result, our industry 
has devoted significant resources, including expertise, initiative, and 
investment in cybersecurity and supply chain risk management efforts to 
create a more secure and resilient internet ecosystem.
---------------------------------------------------------------------------
    \3\ See ITI membership list at https://www.itic.org/about/
membership/iti-members.
---------------------------------------------------------------------------
    Our members also understand we cannot tackle current and future 
cybersecurity challenges on our own. We recognize public-private 
partnerships and other multi-stakeholder approaches are essential to 
addressing our shared security challenges and have thus prioritized 
working with governments around the world to help develop cybersecurity 
and supply chain security policy solutions. We believe the emergence of 
supply chain security as a priority issue amongst government policy 
makers globally highlights the urgency with which like-minded nations 
must address this issue. It also represents an important opportunity 
for U.S. policy makers to advance supply chain security policy 
approaches that are not only compatible with, but indeed drive, global 
policy making in this space. Working together to leverage the public-
private partnership structures that were pioneered in the United 
States, as well as sound risk-management based approaches that we have 
long advocated as best cybersecurity practices, industry and Government 
can seize this moment to lead on supply chain security policy together.
    I will focus my written testimony on 4 areas: (1) The evolving 
supply chain threat and the need for public-private action; (2) the 
creation of the task force grounded in principles of risk management 
and public-private partnerships; (3) the progress of the task force to 
date, including the recently-released Interim Report and the task 
force's work to help the Department of Homeland Security (DHS) 
implement the supply chain Executive Order (EO); and (4) 
recommendations on a collaborative path forward, including discussing 
how the Federal Acquisition Security Council (the ``FASC'') and other 
Federal Government stakeholders can synergistically work with the task 
force to help advance our collective supply chain security policy 
interests.
                  1. the evolving supply chain threat
    While supply chain security is not a new topic, particularly for 
large technology companies managing sophisticated global supply chains, 
the heightened policy maker focus on the issue over the past 2 years is 
unprecedented. The increased focus on supply chain security, by 
governments, policy makers, and private-sector actors, is prompted by a 
few key developments.
    A Multifaceted and Growing Threat.--Supply chain risk management 
(SCRM) has always been a multifaceted challenge. On the one hand, SCRM 
is one element of an organization's overall cybersecurity risk 
management program (indeed, the visionary Cybersecurity Framework 
developed in the U.S. integrated SCRM into Version 1.1 in 2018). On the 
other hand, a SCRM program must address much more than just 
cybersecurity threats to IP, systems, and networks; it must also address threats 
that are physical (e.g. building security), personnel-based (e.g. 
insider threats), economic (e.g. cost-volatility), legal (e.g. weak IP 
laws), development or manufacturing-related (e.g. compromises in 
system, hardware, or software development life-cycle processes or 
tools), or external threats such as those related to environmental, 
geopolitical, or workforce-related factors.
    When we consider our increasingly connected global ICT digital 
infrastructure and economy, and acknowledge the reality that ICT 
products, hardware, software, and services are powering every segment 
of the economy as we move toward surpassing 20 billion connected 
devices in 2020,\4\ one can better appreciate the vast scope of risks 
to the global ICT supply chain ``attack surface'' that we need to 
secure. Nation-state threats, too, are a greater part of the 
conversation than before, implicating not only National security but 
also economic security and U.S. competitiveness.
---------------------------------------------------------------------------
    \4\ ``Leading the IoT, Gartner Insights on How to Lead in a 
Connected World'', Mark Hung, 2017, available at: https://
www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf.
---------------------------------------------------------------------------
    Putting both of those pieces together--the large and growing number 
of all-hazards threats and the vast and increasing number of products 
and services generated by the global ICT supply chain--we can better 
appreciate the scope of the risks that must be managed, and the scope 
of the policy challenge.
    The Rise of 5G and Data.--The build-out of 5G networks has 
magnified the spotlight on supply chain security challenges, where the 
focus has largely been on anticipated risks. While securing the 5G 
infrastructure, including both networks and component ICT parts, is of 
course critical, it bears noting that 5G networks and equipment will 
also contain security enhancements that can help make 5G networks more 
secure than previous generations. Rather, it is the increased speed and 
volume of data that will soon flow through 5G networks, helping to 
enable the next generation of data-enabled innovations such as the 
internet of things (IoT) and artificial intelligence (AI), that has 
driven the United States and other governments to more intensely focus 
on global supply chain security threats.
    As the Department of Homeland Security's (DHS) Cybersecurity and 
Infrastructure Security Agency (CISA) documents in its 5G Risk 
Assessment,\5\ 5G networks will enable increased speeds and amounts of 
data that are staggering. The data flowing through 5G networks, or 
throughput, will be multiplied by a factor of up to 200. The speed at 
which data travels, or latency, will be up to 20 times faster than in 
4G networks. The implications of these numbers are significant--not 
only because 5G will power the next wave of data-driven innovations 
such as IoT and AI, but also because the question of who potentially 
has access to or controls that data raises a panoply of questions, 
including implications for individual privacy, National security, 
technological leadership, and economic competitiveness. The centrality 
of data to our present and future lives and to the supply chain debate 
underscores that SCRM must focus on managing potential vulnerabilities 
and other malicious activity targeted at ICT supply chains as well as 
the potential for governments or others perceived as adversaries to 
access that data through their domestic legal regimes.
---------------------------------------------------------------------------
    \5\ ``Overview of Risks Introduced by 5G Adoption in the United 
States'', Cybersecurity and Infrastructure Security Agency (CISA), July 
31, 2019, available at: https://www.dhs.gov/sites/default/files/
publications/19_0731_cisa_5th-generation-mobile-networks-
overview_0.pdf.
---------------------------------------------------------------------------
    While it will be important to continue to focus on ICT SCRM, and 
creating high assurance, trusted ICT products, we must realize that 
managing the full range of data access risks implicated by the current 
SCRM debate moves us into somewhat uncharted territory.
    Increase in Supply Chain Policy Making.--We appreciate the focus of 
governments and policy makers globally on the urgency of addressing 
supply chain risk, for all the reasons stated above. However, the sheer 
volume of policy making activity has, in some instances, overwhelmed 
the ability of private-sector entities, particularly small and medium-
sized businesses (SMBs), to effectively monitor, make sense of, and 
implement important supply chain policy or legal developments. While 
well-intended, some policies may have unintended consequences on 
security, innovation, and competitiveness--which is why public-private 
sector cooperation is imperative. To ensure these measures can be 
properly addressed and implemented, it is critical that this activity is 
coordinated and targeted at identified legal or policy gaps.
    Global government activity regarding supply chain security is 
rising across the European Union, and in countries including Japan, 
Australia, and elsewhere. In the United States there continues to be 
significant and not always visible activity across multiple Federal 
agencies, and the last few years have brought multiple legislative 
efforts from Congress, including numerous stand-alone bills and 
National Defense Authorization Act (NDAA) amendments, as well as 
President Trump's recent supply chain EO, and the launch of the FASC 
following last year's SECURE Technology Act. The task force helps drive 
a more holistic, coordinated approach through a better understanding of 
supply chain policy making activity in the United States and holds the 
promise to help streamline efforts to address potential risks.
  2. the creation of the task force grounded in principles of risk 
               management and public-private partnerships
    While formation of the Supply Chain Task Force was motivated out of 
a heightened concern regarding supply chain threats, its formation, 
structure, and mandate are grounded in cyber and supply chain security 
principles long advocated by the ICT industry. Those principles are 
based on the importance of taking risk-management based approaches to 
complex threats such as global ICT supply chain security threats and 
the promise of public and private stakeholders working together through 
partnerships to forge durable solutions to those threats.
    Approaches to Risk Management: No One Size Fits All.--The ICT 
industry has long maintained that efforts to improve cybersecurity, 
including supply chain security, must be based on effective risk 
management of a dynamic and ever-evolving set of threats.
    Cybersecurity is not an end-state, but rather a continuous process 
of protecting the global digital infrastructure and its users.--No 
sector of the economy is without some inherent risk, whether that is 
the result of a natural disaster, a malicious automated attack, or 
simple human error. As cyber and supply chain attacks become 
increasingly more sophisticated, the adoption of comprehensive risk 
management strategies is critical for organizations of all sizes and 
across all sectors, particularly those managing complex global supply 
chains. By integrating technologies, people, and processes into an 
overall risk management framework, limited resources can be most 
efficiently focused on where the need is greatest.
    Effective risk management allows individuals and entities to 
properly identify, assess, prioritize, and manage threats to their 
data, systems, and operations, including supply chains. There is no 
one-size-fits-all approach. Eliminating one potential threat may 
unintentionally create other vulnerabilities. For example, using the 
same supplier (even a ``trusted'' supplier) throughout a network or 
supply chain could make it easier to exploit a vulnerability; thus, a 
diversity of suppliers is crucial to risk management. The National 
Institute of Standards and Technology (NIST) Cybersecurity Framework, 
informed by a collaborative effort involving public and private-sector 
stakeholders, provides a familiar example of a flexible risk management 
tool that can help a diversity of entities--critical infrastructure 
owners and operators, government agencies, and other stakeholders--
understand how to approach cybersecurity risk management. Notably, 
Version 1.1 of the Framework, published in 2018, incorporates SCRM 
standards, guidelines, and best practices.
    Global ICT companies build risk management into their daily 
operations and long-term planning, including efforts to secure their 
supply chains, through mechanisms like legal and contractual 
agreements, cybersecurity operational controls, adherence to global 
risk management standards, and a host of other practices. As the 
primary owners and operators of critical cyber infrastructure, the 
private sector has devoted significant resources, including expertise, 
initiative, and investment in cybersecurity and risk management efforts 
to create a more secure and resilient internet ecosystem. However, the 
ICT industry understands it cannot tackle current and future 
cybersecurity challenges on its own.
    Public-Private Partnerships Are Essential.--Public-private 
partnerships and other multi-stakeholder approaches are essential to 
addressing supply chain security. Government and industry often have 
access to unique information sets--only when this information is shared 
can all relevant stakeholders see the complete picture. These 
partnerships are essential to: (1) Identify potential threats; (2) 
understand how and whether the risk can be managed; and (3) determine 
what actions should be taken to address risks without yielding 
unintended consequences. The private-sector ICT community has been 
foundational in developing the infrastructure of cyber space and, for 
well over a decade, has provided leadership, innovation, and 
stewardship in all aspects of cybersecurity, including helping to 
develop and participating in numerous public-private partnership 
structures and efforts.
    Sector Coordinating Councils.--Global ICT companies participate in 
sector-coordinating councils (SCCs), which are self-organized, self-
governed councils that allow owners and operators of critical 
infrastructure to engage on a range of sector-specific strategies, 
policies, and activities. SCCs also enable participants to coordinate 
with their sector-specific agencies and related Government Coordinating 
Councils (GCCs) to facilitate Government collaboration on a range of 
critical infrastructure security policy and strategy issues, including 
on supply chain security. I am pleased to chair the ITSCC and to work 
closely with my counterparts in the Communications SCC, as well as DHS 
as our sector-specific agency and other U.S. Government partners, on 
the task force.
    Formation of the Task Force.--The task force embodies these 
critical dual principles of risk management and public-private 
partnership. The task force aims to better secure global ICT supply 
chains, gathering stakeholders from key communities--including from the 
communications and IT sectors, as well as across multiple Federal 
agencies, including Departments of Homeland Security, Commerce, 
Defense, Treasury, Justice, and Energy; Office of the Director of 
National Intelligence (ODNI), National Security Agency (NSA), General 
Services Administration (GSA), Social Security Administration (SSA), 
National Telecommunications and Information Administration (NTIA), 
Federal Communications Commission (FCC), NIST, NASA, and others. These 
entities should work together to enable targeted resource investment, 
share technical and policy expertise, and identify actionable policy 
solutions aimed at helping public and private stakeholders better 
manage ICT supply chain risks.
    From the perspective of the IT sector--both ITI and the ITSCC--
there was no hesitation regarding the merits of task force 
participation. Supply chain security had been identified as the top 
cybersecurity priority of both organizations, and many experts across 
the sector who had been working on this issue for a long time shared 
the view that this was a moment in time where real progress could be 
made.
    There was also widespread agreement that the challenges quite 
clearly are shared by Government and the private sector--and thus 
adequately addressing them requires a collaborative, holistic approach 
involving the IT and Communications sectors working together with U.S. 
Government partners from key Federal agencies.
                 3. progress of the task force to date
    The task force was chartered in late 2018 by DHS and CISA working 
with the IT and Communications SCCs, with the express purpose of 
providing guidance and recommendations to Government and private-sector 
critical infrastructure owners and operators to help them better assess 
and manage risks associated with the global ICT supply chain.
    Comprised of 60 voting members--20 IT companies and associations, 
20 communications-sector stakeholders, and 20 representatives from 
across the U.S. Government--the task force acts as a forum for private-
sector and Government collaboration on methods and practices to 
effectively identify, prioritize, and mitigate ICT supply chain risks, 
with the goal of providing realistic, actionable, timely, economically 
feasible, scalable, and risk-based recommendations for addressing those 
risks. Beyond its voting membership, scores of other entities have 
additionally participated in the task force at the working level.
    Once we were up and running, the task force members surveyed the 
vast supply chain threat and risk management landscape, identifying 4 
initial working groups focused on both longer-term, foundational 
efforts that could have global ICT ecosystem-wide impact and shorter-
term tactical efforts geared toward shoring up the Federal Government's 
supply chain: (1) Development of a common framework for the bi-
directional sharing of supply chain risk information between Government 
and industry; (2) identification of processes and criteria for threat-
based evaluation of ICT suppliers, products, and services; (3) 
identification of market segments and evaluation criteria for Qualified 
Bidder and Qualified Manufacturer lists to address considerations of 
vendor and product inclusion and exclusion; and (4) policy 
recommendations to incentivize purchase of ICT from original equipment 
manufacturers (OEM) and authorized resellers.
    Interim Report.--The Interim Report,\6\ published in September 2019 
at CISA's 2d Annual Cybersecurity Summit, provides a fuller summary of 
the task force's origins, membership, and workstreams, and also details 
progress to date on each of those workstreams. Rather than restating 
all that information in my testimony, I thought the committee would 
find it more helpful if I highlighted a few key takeaways:
---------------------------------------------------------------------------
    \6\ ``Information and Communications Technology Supply Chain Risk 
Management Task Force: Interim Report: Status Update on Activities and 
Objectives of the Task Force,'' CISA, September 2019, available at: 
https://www.cisa.gov/sites/default/files/publications/ICT%20Supply%20Chain%20Risk%20Management%20Task%20Force%20Interim%20Report%20%28FINAL%29_508.pdf.
---------------------------------------------------------------------------
    Information sharing remains a key priority. Working Group One made 
excellent progress exploring the types of information that would be 
most valuable in mitigating supply chain risk; whether that information 
exists in a standardized or easily accessible form or from sources that 
can be easily identified, accessed, and leveraged for risk management 
purposes; and what barriers might exist that are impeding the 
collection and/or dissemination of such information. While Working 
Group One determined that many types of risk information are indeed 
available, the sources were not always easily known and did not 
typically exist in a standardized format (unlike cyber threat 
indicators in the cybersecurity threat information sharing context). 
Additionally, due to the wide array of supply chain threats, such 
information was not easily centralized nor accessible.
    Working Group One significantly determined that the highest-value 
supply chain threat information relates to suspected, known, or proven 
bad actors in the supplier context, but that legal and policy issues 
often prevent the sharing of such information. The Working Group 
concluded that further legal analysis and guidance are thus 
prerequisite to fully developing the envisioned bi-directional supply 
chain information sharing framework. This foundational work will likely 
be carried forward into year 2 of the task force and may well presage 
the need for future legislative action to remove legal barriers to 
effective sharing of SCRM threats.
    The supply chain threat landscape is vast. The efforts of Working 
Group Two help illustrate the vast threat space in play when we 
consider the scope of global ICT supply chain challenges. Working Group Two 
was established to identify processes and criteria for threat-based 
evaluation of ICT suppliers, products, and services. The working group 
concentrated on threat evaluation related to suppliers as an initial 
matter, rather than risk assessment, to ensure it was looking more 
broadly at the breadth of the SCRM ecosystem, rather than at risks 
associated with specific ICT products and services.\7\ The working 
group methodically identified and inventoried the global supply chain 
threat landscape, compiling nearly 200 supplier-related threats and 
categorizing those threats into 9 categories to provide a helpful 
taxonomy. The threat categories included counterfeit parts, 
cybersecurity, internal security operations and controls, compromise of 
system development life cycle and tools, insider threats, inherited 
risks (extended supply chain), economic, legal, and external end-to-end 
threats ranging from natural disasters to workforce and labor issues.
---------------------------------------------------------------------------
    \7\ Working Group 2 determined that ``risk'' is the intersection of 
assets, threats, and vulnerabilities. A vulnerability is a shortcoming 
or hole in the ``security'' of an asset. Risk represents the potential 
for loss, damage, or destruction of an asset as a result of a threat 
exploiting a vulnerability.
---------------------------------------------------------------------------
    The Working Group then developed several threat scenarios, ranging 
from ransomware attacks to natural disasters, and reviewed and 
documented those scenarios to provide additional context regarding the 
threat, its importance and potential impact on the supply chain, as 
well as information related to threat sources, vulnerabilities, and 
potential mitigations. Next steps for the Working Group could include 
creating a similar inventory and taxonomy of threats related to ICT 
products and services (as per the group's mandate) and providing a 
similar assessment of various threat scenarios related to those 
products. In any event, the foundational work around threat evaluation 
has already informed the work of other task force working groups, and 
as the work product matures can prove invaluable for informing future 
Government and private-sector SCRM activities.
    We need to continue to explore the extent to which we can leverage 
public-sector SCRM solutions in the private sector and vice versa. 
Working Groups 3 and 4 tackled tactical issues more immediately 
relevant to Federal Government SCRM and procurement, including 
identification of market segments and evaluation criteria for Qualified 
Bidder (QBL) and Manufacturer (QML) lists (Working Group 3) and policy 
recommendations to incentivize the purchase of ICT from OEMs, 
authorized channels, or other trusted suppliers (Working Group 4). 
Whether and how to use QBLs and QMLs is a topic with different 
implications in the public procurement and private-sector contexts. For 
instance, many global companies currently manage trusted supplier 
programs and there are lessons that could be leveraged in Federal 
procurement. However, the process of qualifying suppliers in the 
public-sector procurement context could have a disproportionate impact 
on SMBs if not managed carefully. These are the types of issues Working 
Group 3 will continue to explore. In the case of Working Group 4, the 
primary tasking of the group was completed with the delivery of its 
policy recommendation, Procurement of ICT from OEMs, their Authorized 
Channels, or other Trusted Suppliers, which is primarily geared toward 
addressing risks associated with the procurement of potentially 
counterfeit products from the gray market or other unauthorized 
channels. The efforts of Working Group 4 illustrate the task force's 
capability to rapidly conclude targeted projects and make 
recommendations that can translate into policy solutions in the short 
term.
    Urgent Supply Chain Inventory Work.--As the Interim Report 
indicates, good progress was made on compiling a private-sector 
inventory of SCRM standards, guidance, and best practices. This 
inventory work product will provide invaluable guidance that companies 
and Federal Government agencies can use to better inform their supply 
chain risk management activities. A parallel effort to compile supply 
chain risk management efforts across the Federal Government is still in 
flight. When completed and shared, the Government inventory will assist 
the task force members as they consider future workstreams and can 
serve as a resource for policy makers in Congress and elsewhere as they 
consider which aspects of the multi-faceted supply chain issue to 
address via legislation. Further, the Government inventory will bring 
clarity to the supply chain risk management landscape for those 
stakeholders who have expressed concern that the volume of supply 
chain risk management activity is difficult to effectively monitor.
    Collaboration with FASC.--The task force is also coordinating 
efforts with the Federal Acquisition Supply Chain (FASC) to help ensure 
the effectiveness of the implementation of the Federal Acquisition 
Supply Chain Security Act (FASCSA) (passed late last year as part of 
the SECURE Technology Act). Having established the connective tissue 
between the task force and the FASC over the past several months, the 
task force is poised to help inform the interim implementing rules for 
FASCSA due at the end of 2019 and the final rules due in 2020, as well 
as to advance a number of other interagency supply chain risk 
management priorities.
    Collaboration on the Supply Chain EO.--In addition to its regular 
workstreams, the task force also stepped in to assist DHS as it 
fulfilled its duties pursuant to Executive Order 13873: Securing the 
Information and Communications Technology and Services Supply Chain 
(Supply Chain EO), which tasked DHS with producing a report assessing 
the criticality of ICT products and systems. Task force members 
provided required private-sector input to CISA's National Risk 
Management Center (NRMC), which was delegated the responsibility of 
conducting the ICT criticality assessment required by the Supply Chain 
EO. This input resulted in a deconstruction of the ICT supply chain 
into 5 roles, 11 sub-roles, and 61 elements (ICT hardware software and 
services). DHS has stated that it hopes this elemental deconstruction 
will provide a helpful and standardized taxonomy for discussing ICT 
criticality within the task force and elsewhere.
    The initial assessment focused on ICT products and services 
comprising the ``connect'' theme of the National Critical Functions 
list (primarily covering the backbone of national connectivity enabling 
cross-country and global core telecommunications networks and 
services), and future assessments will address other themes identified 
by the NRMC in the National Critical Functions (NCFs).\8\ As we 
understand it, the assessment will inform the Commerce Department's 
promulgation of rules to implement the Supply Chain EO, and the 
assessment may help inform any future work taken on by the task force 
to assess threats associated with ICT products and services. The 
deployment of the task force to assist in producing the ICT assessment 
helps illustrate the value of the partnership as a durable resource to 
assist Government policy makers implement SCRM policies.
---------------------------------------------------------------------------
    \8\ ``National Critical Functions Set (NCFs)'', CISA, April 2019, 
available at: https://www.dhs.gov/sites/default/files/publications/
national-critical-functions-overview-508.pdf.
---------------------------------------------------------------------------
           4. recommendations on a collaborative path forward
    My testimony thus far illustrates the substantial amount of 
progress that has been made by the task force, but also recognizes that 
there is much work still to be done. While the task force intends to 
continue to advance the ball on multiple SCRM projects during year 2 of 
its mandate, below are concrete recommendations for U.S. Government 
actions on how to maximize the impact and effectiveness of the task 
force's work to aid in other Federal supply chain efforts, as well as 
recommendations for broader strategic U.S. Government action to address 
global SCRM challenges.
    Build Out the Established Connective Tissue Between the Task Force 
and the FASC.--Structurally, the established connective tissue between 
the task force and the FASC creates real opportunities for the FASC to 
leverage the private-sector expertise assembled in the task force to 
help build out the rules to implement the FASCSA. Involving the task 
force in its efforts with more regularity can help the FASC achieve the 
bill's objectives for better securing the Federal Government's supply 
chain, while minimizing unintended impacts to continued technology 
innovation and the technological leadership of U.S. companies.
    Prioritize Communicating the Task Force Inventory Results to Key 
Stakeholders and Integrate the Inventory Results into SCRM Policy 
Planning.--Soon after the task force's inception, we reached consensus 
that conducting an inventory of public-sector supply chain activities 
would be useful to help bring order to the scores of disconnected on-
going SCRM efforts across the Federal Government. Taking a strategic 
approach, the task force's goal in recommending the Government conduct 
such an inventory was that by taking stock of the various existing and 
on-going supply chain efforts we could prevent duplicative efforts, and 
identify what work needed to be done. After completion and review of 
existing efforts (which will essentially provide a gap analysis), both 
the task force and other stakeholders will be better situated to: (1) 
Identify what tasks aren't being done and prioritize those that are 
most important and needed; (2) identify tasks that are most well-suited 
to be completed by the task force; and (3) identify what tasks are 
important, but should be completed by others (such as by Congress in 
instances where changes to legal authorities are needed to implement 
SCRM improvements).
    Embrace the Task Force as the center of gravity for public-private 
collaboration on SCRM.--The task force could also help increase 
visibility of the on-going efforts and construct a narrative to 
articulate how everything fits together. If we take this type of 
strategic 360-degree approach to the problem, we can essentially 
position the task force as the central hub for all the many on-going 
and disconnected supply chain efforts across the U.S. Government and 
industry more broadly. Other stakeholders, including Congress, will at 
least indirectly benefit from cementing the task force as an SCRM 
resource.
    Further streamline USG supply chain efforts.--To help mitigate 
current and on-going SCRM risks, we recommend that Congress work with 
the administration in streamlining existing and new tools on supply 
chain issues (including the FASC, FASCSA implementation, and Supply 
Chain EO) to better align resources and avoid duplicating efforts and 
support long-term, coordinated solutions to address global supply chain 
challenges. The Government inventory can play a key role here.
    Target Future Supply Chain Measures to Identified Gaps.--The task 
force learned quickly through our initial scoping activities that 
attempting to ``boil the ocean'' to ``solve'' supply chain security 
challenges would be a fruitless task. Instead, we worked to target both 
foundational and tactical workstreams that could tackle discrete 
elements of the issue, while also laying the groundwork for future 
success. Laws, regulations, and other measures to address supply chain 
security risks should take a fact-based, narrowly-tailored approach to 
combat concrete and identifiable risks, rather than apply broadly to 
entire categories of technology or business activity.
    Deepen Engagement with International Partners and Pursue a 
Coordinated Approach.--Global ICT SCRM challenges ultimately call for 
globally scalable solutions, and we encourage cross-border 
collaboration on this issue. The United States and other open economies 
should take common approaches to technology-related National security 
risks--including through promotion of global, consensus-based, 
industry-led standards--to avoid harmful fragmentation of markets. The 
Prague Principles on 5G Security \9\ provide a good blueprint for this 
sort of activity.
---------------------------------------------------------------------------
    \9\ ``The Prague Proposals: The Chairman Statement on Cybersecurity 
of Communication Networks in a Globally Digitalized World.'' May 3, 
2019, available at: https://www.vlada.cz/assets/mediacentrum/aktualne/
PRG_proposals_SP_1.pdf.
---------------------------------------------------------------------------
                               conclusion
    Members of the committee, ITI and our member companies are pleased 
you are examining how public-private partnerships play a key role in 
addressing evolving and increasingly sophisticated supply chain 
threats.
    Historically, the United States has maintained a leadership 
position in cyber space--from the companies who have led the way in 
building the global digital economy and internet-based services that 
have fueled its growth, to visionary cyber policy developments such as 
the Cybersecurity Framework, to pioneering the use of cybersecurity 
public-private partnerships. The U.S. Government should aspire to 
maintain a similar leadership position going forward on SCRM policy, 
and to do so it must work collectively, via public-private 
collaboration and across sectors, both domestically and on the global 
stage.
    ITI stands ready to provide you any additional input and assistance 
in our collaborative efforts to develop policy approaches to supply 
chain security that continue to leverage risk management-based 
solutions and public-private partnerships as the most promising way 
forward for addressing complex and evolving global ICT supply chain 
threats.
    I thank the Chairman, Ranking Member, and Members of the committee 
for inviting me to testify today and for their interest in and 
examination of this important issue. I look forward to your questions.
    Thank you.

    Chairman Thompson. Thank you very much. I remind all 
witnesses for their testimony, and I really appreciate you for 
your sharing that.
    I guess the concern that I heard from all the witnesses is 
you might learn who a bad actor might be, but there might be 
some liabilities in saying who that bad actor might be. Can you 
burrow down a little bit and help the committee with--we have 
identified them, but now, because of liability concerns, we 
can't share who they are. How do we--is it liability 
protections, as somebody talked about?
    But I guess the task force's work is good. But I think at 
this point you have given us additional problems, and not 
enough solutions. I guess I am waiting on the next report.
    So Mr. Mayer, you brought it up, so I will start with you.
    Mr. Mayer. So the Congress has made some progress with--
important progress with information sharing. So the 2015 
Cybersecurity Information Sharing Act created liability 
protections for sharing indicators of compromise.
    So indicators of compromise would be some indication that 
there is a cybersecurity threat, and it is very specific, and 
that can be shared. What we don't have is a situation where an 
organization, for example, has a piece of equipment where they 
discover, you know, some software, malware, or some--or a 
pattern of activities that allow--makes them feel very 
suspicious about a particular company that would be very 
beneficial to share with--it could be upstream providers, it 
could be downstream providers, and it could be anybody else in 
the ecosystem that could benefit from that information.
    The lawyers are going to be very reluctant to allow that 
person, that company, to make those kinds of remarks or 
evidence without liability protections, because there are laws 
in place, and private causes of action that could result in 
litigation. So in the absence of a similar liability protection 
that was created in 2015 for this particular instance, the 
members of the working group said we need to think about how we 
can encourage that type of information sharing.
    Chairman Thompson. Well, Mr. Miller, since you included 
that as one of your recommendations, share some more 
enlightenment, if you would, with the committee.
    Mr. Miller. Thank you, Chairman Thompson. Well, I mean, I 
think Robert covered well what--the way that the task force has 
looked at it. You know, I don't want to prejudge the next phase 
of the task force's work in this regard, because we do believe 
that significant legal analysis is needed to, you know, examine 
these barriers and how they can be adequately removed.
    I mean, I think a couple of things that are important to 
note, you know, again, clearly, as I think all the witnesses 
have already indicated, it is actually a much more complex set 
of threat information that needs to be shared in some ways, or 
at least more diverse than in the cybersecurity threat 
indicator sharing context from the 2015 CISA that was passed by 
Congress.
    Then I think the other thing that is important is that, you 
know, if we look at--I think some of these issues will be 
answered through implementation of some of the current policy 
initiatives that I think you mentioned in your opening 
statement. For instance, the Secure Technology Act does provide 
Federal Government entities with the authorities to remove or 
exclude certain suppliers. You know, that is one of the things 
the FASC is working on now. Importantly, in that piece of 
legislation, there were important due process and other types 
of provisions that were built into that process to kind-of 
guard against some of these potential legal challenges.
    Chairman Thompson. Mr. Kolasky.
    Mr. Kolasky. Sure. On top of the FASC, let me make 2 
points.
    No. 1, you know, we want something in place to encourage 
private-sector firms to share information about things they 
might not have trust in, based on due diligence work they do. I 
think that is an area where, to Robert and John's point, we 
need to expand the ability to do that.
    Within the Federal Government itself, a lot of time we will 
derive this information through intelligence or other analysis 
that we are doing. We will--when we derive it through 
intelligence, we will do--we do a pretty good job when we--
there is intelligence out there to get that information in the 
hands of owners and operators who make a decision. We want to 
expand our ability within the Federal Government to get it in 
the hands of the procurement officials within the Federal 
Government, and that is what we are working on within the FASC, 
to stand up a better information repository so that we know 
about threats that could be in the supply chain.
    Then, to the point John just made, when we are ready to 
take action, we want to make sure there is due process and we 
are respecting fairness in everything. We lived through this 
through the Kaspersky Labs software and the operation directive 
that DHS issued. That withstood a court test. We built the case 
of evidence, and we indicated to the private sector and State 
local governments that we had taken these steps as a Federal 
Government, that we didn't trust this stuff on our systems. We 
couldn't tell them not to buy it in their systems, but I think 
our indicator was very important.
    I think some of the FASC authorities will allow us to do 
that in a more streamlined process, and make sure that that 
information gets out there. If we are making a trust judgment 
for our own systems, we want others to know in case they want 
to make the same trust judgment.
    Chairman Thompson. Thank you very much. I yield to the 
Ranking Member for 5 minutes.
    Mr. Rogers. Thank you, Mr. Chairman.
    Mr. Kolasky, how do you think the supply--your task force's 
efforts are lining up with similar efforts across the rest of 
the Federal Government?
    Mr. Kolasky. Sure. We--as Rob and John mentioned, we have 
an inventory of other activities going on across the Federal 
Government.
    In the critical infrastructure sectors there are 3 sectors 
that are really taking some steps on supply chain risk 
management that we are integrating with: The energy sector, 
particularly the electricity sector; the health and public 
health sector; and the defense industrial base sector that DoD 
is working on.
    I co-chaired the Government coordinating councils with 
other sector-specific agencies, and so it is a good opportunity 
for me to make linkages for other critical infrastructure work. 
A lot of that is less about ICT systems and more about 
component pieces to actually deliver the mechanisms of the 
functioning infrastructure. Call it the operational technology 
for that. But we are coordinating cross efforts and looking for 
synergies there.
    Then, you know, there are other efforts across the Federal 
Government that are important that we are integrating, 
particularly that the Department of Commerce is taking through 
the Executive Order. We are the decision support to help the 
Secretary of Commerce make decisions on potential actions taken 
through IEEPA on that. So, again, the task force is providing 
key input to the Secretary of Commerce that he will then 
ultimately implement through the regulatory process. So that is 
a linkage.
    Then there is some software bill of assurance work that 
Congress is working on that----
    Mr. Rogers. You made reference to the DoD's efforts. The 
DoD is requiring that supply chain risk management 
certification be required for many of its contracts--to 
participate. Would something like that be recommended for the 
DHS?
    Mr. Kolasky. So yes. So what DoD is doing there 
particularly is, you know, the big prime contractor is driving 
down deeper into supply chains, in that--the CMMC tool and some 
of the work they are doing is to drive down deeper into supply 
chains.
    I think it is fair to say that the task force is interested 
in learning more about that effort, and is still at the point 
of evaluating, and, in DHS's opinion, will be informed by some 
of the task force evaluation. We actually have--the team is 
working on CMMC. Katie Arrington and her team are coming to 
brief the task force, and are meeting next week on the 25th, to 
hear more about the CMMC process so that the task force can 
learn more, ask them questions, and ultimately will deliberate 
on, you know, the value, and is there any application in the 
broader civilian ICT space.
    But I do--I don't want to prejudge, you know, task force 
members' evaluation and opinion.
    Mr. Rogers. Mr. Miller, you made reference in your--at the 
end of your remarks about recommendations that we try to 
incentivize other countries to be as vigorous on this subject 
as we are hoping to be. How do we do that? How do we--we can't 
make another country do anything. How would you recommend, or--
do you all plan to explore ways to recommend to us that we 
incentivize other countries to be vigorous in their policing of 
this topic?
    Mr. Miller. Thank you for the question. I don't think it is 
necessarily just about incentivizing other countries. But, you 
know, I made reference to the Prague principles on 5G security, 
for instance.
    I think, you know, Step No. 1 is making sure that 
countries--that the United States is talking with other 
countries, particularly, you know, its other partners in the 
case of the Prague principles, as well as having most of the 
European nations--you know, you had countries like Australia, 
Israel, Japan, other--you know, Canada and other like-minded 
nations.
    You know, and I think, just as is the case, for instance, 
as we were talking about with respect to information sharing 
between private and public-sector actors in the United States, 
countries like the United States and other allies sharing 
information can help inform kind of a coordinated policy-making 
approach.
    I think it is--so I think it is about getting people on the 
same page. You know, that said, there will always be a need for 
contextual fact-based analyses when we are talking about risk 
management. It is possible that other countries don't 
necessarily always see eye to eye with the United States. But, 
you know, we should continue to do what we are doing, which is 
talking, and trying to share our intelligence and insights in 
this matter.
    Mr. Rogers. For any one of you, just give us a very simple 
example of how a bad actor--because all of you made reference 
to 5G. We hear a lot about it, and how it is going to change 
things, how we have to be very careful about it. Give us an 
example of how a bad actor could penetrate and exploit 5G to 
our detriment, commercially or governmentally, either way.
    Mr. Mayer. So when you think about 5G, it is an evolution 
beyond the existing 4G in some very substantial ways. The 
architecture of the networks changes fundamentally. You have 
much more computing power, intelligence at the edge. You have a 
much broader variety of participants in the ecosystem, even 
more than you have right now. Software is going to be a big 
factor, because these are going to be software-defined networks 
that are going to constantly be upgraded.
    So what you have is, essentially, more vectors where 
attacks can take place.
    Now they are--we are building into the architecture 
security by design. This is the first generation of wireless 
where security by design is being embedded from the very 
beginning, and there are bodies working on that. Having said 
that, there are capabilities that will help us defend, but we 
can also expect, I think, more attacks.
    So what makes it very important here is that the nature of 
the 5G environment is going to touch on all critical 
infrastructures. It is going to touch on, you know, key things 
like medical supplies, logistics vehicles, things that we can't 
even imagine yet. You know, a determined and persistent bad 
actor is going to look for every vulnerability.
    If they don't find a vulnerability today, they will look 
for it again tomorrow, and they will use automated technologies 
to do that. You know, just like we use artificial intelligence 
and machine learning into our defensive capabilities, the bad 
guys are going to use the same technology. So we are now in a 
very dynamic kind of battle between those two opposing forces.
    Chairman Thompson. Thank you very much. The Chair 
recognizes the gentleman from Rhode Island, Mr. Langevin, for 5 
minutes.
    Mr. Langevin. Thank you, Mr. Chairman. I want to thank our 
witnesses for being here today, your testimony.
    Director Kolasky, I am glad you mentioned that you are 
following and tracking the work that DoD is doing on supply 
chain vulnerability identification and risk management.
    I serve as the chair of the Subcommittee on Intelligence, 
Emerging Threats, and Capabilities on Armed Services. Of 
course, we track the Department's efforts to address supply 
chain security risks. The forthcoming cybersecurity maturity 
model certification, I believe, is one way that the Pentagon 
hopes to mitigate some of the data security risks that they 
face in the defense industrial base.
    So one of the essential steps, of course, in supply chain 
risk management is actually understanding the dependencies 
underlying a function. My understanding from the CMMC is that a 
good deal of the value will come from helping to illuminate 
supply chain. So what approach is the NRMC taking to illuminate 
supply chains that support the National critical function set?
    Mr. Kolasky. Sure. Thanks, Congressman, I appreciate the 
question.
    So you referenced at the end the National critical function 
set. So one of the things, the first things we did as a 
National risk management center, was identify 55 National 
critical functions that are things that critical infrastructure 
produces that are absolutely essential to National security, 
economic security, and community health and safety. Those 
National critical functions include things like conducting 
elections, and the provision of position and navigation timing 
services, and the provision of wholesale payment services, and 
the communications core network, and communicating wirelessly.
    So that is our overall risk architecture that we were 
designed as part of our assessment that we did per the EO that 
the President signed in May of this year. We looked at the 
critical functions associated most prominently with the 
communications in the connect function, the things that allow 
us to be connected as a country. We started to map out.
    You know, what are the elements and sub-elements of the 
supply chains?
    What enables those critical functions to work?
    What are the elements and sub-elements of the supply 
chains?
    Should any of those sub-elements fail, what is the 
criticality at a National security, National economic security 
perspective?
    So we did that kind-of initial analysis to prioritize areas 
where we think that most likely--most critical in a 
communications supply chain, because they support essential 
functions that we need as a country.
    Mr. Langevin. But you are not just confining your work to 
ICT. You are looking across the broad spectrum of critical 
infrastructure, correct?
    Mr. Kolasky. Across the work we are doing at the National 
Risk Management Center. Yes, there are things--you know, 
operational technology type things, there is work--again, 
position navigation, timing, finance, election security. Those 
are key functions. Ultimately, there could potentially be key 
supply chain vulnerabilities within all of those functions.
    Our analysis structure is going to allow us to build that 
out, understand the sources of criticality. Then, ultimately, 
when you get to the critical elements, that is when you start 
to look at what actually is going into those supply chains. How 
diverse is the market? Who are the key providers? How 
interconnected is the market; how could it----
    Mr. Langevin. Yes----
    Mr. Kolasky. So we are taking that approach, so that we can 
then start to study particular use cases to help make decisions 
of the importance of trust there.
    Mr. Langevin. What about the private companies themselves? 
How are you dealing with them? They may not know their supply 
chains and their supply chain vulnerability risks.
    Mr. Kolasky. I mean, I think that is part of what we are 
trying to do in this general awareness as part of the task 
force. I think John and Robert, for the most part, represent 
companies who recognize the importance of knowing their supply 
chain have to drive toward knowing that. I think--and they can 
talk a little more to how advanced the discipline is getting.
    There will be private companies who haven't done that work. 
You know, a lot of what we are trying to do in CISA is to 
support--develop tools and offer technical assistance to help 
make sure that there are easy ways to understand your supply 
chain----
    Mr. Langevin. All right. So before my time expires, you are 
turning to threat assessment. Can you expound on the cyber 
intrusion techniques that are most worrisome to you?
    You know, the supply chain, cybersecurity vulnerabilities 
take many forms. In the Target breach, for instance, it was 
connections to the HVAC contractor's network. Petya leveraged a 
hijacked software update from a Ukrainian tax company. Some of 
their--of the vulnerabilities we have talked about today are 
rooted in hardware.
    So these vulnerabilities all have different mitigations. So 
what metrics does NRMC use to evaluate vulnerabilities, both 
specific examples or classes of vulnerabilities?
    How do you prioritize mitigation efforts based on these 
metrics, if at all?
    Mr. Kolasky. Sure. So I think the metrics associated in 
vulnerabilities, turning vulnerability metrics into risk 
metrics, which means understanding the consequences of how the 
vulnerability could be exploited. So if you look at the 
question from sort-of a philosophical approach, it is really 
turning vulnerability metrics into risk metrics.
    To your question of which ones concern me the most, you 
know, it is a dynamic environment, so it is hard to answer that 
quickly. But what I would say is the things that people don't 
have any reason to look for. Right? The places where there is 
already trust inherent in the--inherent in what is going on, 
that someone has not thought twice that there might be a 
vulnerability, that it was bought by a company they trust, or 
it has been serviced by an insider.
    If those--if we allow people into supply chains and things 
that are inherently--we think are inherently trustworthy, it is 
going to be harder to find those vulnerabilities. That is what 
we are worried that the adversaries are going--some of this is 
through foreign investment. Some of this is through other sort-
of counter-intelligence means. Those are the ones that keep me 
up at night.
    Mr. Langevin. I know my time has expired, but I know Mr. 
Mayer has something.
    Mr. Mayer. Just real quickly. There were almost 200 threats 
that were identified and put into categories. They ranged from 
everything from interdiction of the supply chain to human 
activity that could be both malicious or non-malicious.
    One of the things that I think is interesting is that you 
have to look at the supply chain in terms of different stages. 
So it goes from design, development, production. Then it gets, 
you know, acquired, it gets distributed, gets deployed, then it 
has to be operated and maintained, and it has to be disposed 
of. So all of these ICT products and services have this life 
cycle to them, and you can have the threat at any particular 
point in that process.
    What we want to do, I believe--and hopefully in Year 2, and 
we are discussing it now--is provide a framework that gives 
some guidance to companies so that they can understand, look, I 
can't deal with 200 threats and track that every day. How do I 
prioritize this? How do I--where do I get the information that 
is going to be valuable here? Who can I coordinate with in 
terms of mitigating the risk?
    Ultimately, where we want the task force to go is to 
provide real, concrete, practical risk mitigation, you know, 
practices and information, so that it can--we can start 
affecting the--buying down risk, basically.
    Mr. Langevin. OK. Thank you, Mr. Chairman.
    Chairman Thompson. Thank you very much. The Chair 
recognizes the gentleman from New York, Mr. Katko, for 5 
minutes.
    Mr. Katko. Thank you, Mr. Chairman. Thank you all, 
gentlemen, for being here today.
    I was a 20-year Federal organized crime prosecutor, and I 
never made a case of any significance without a task force. A 
task force for Federal, State, local, and sometimes private 
components. I recognize the value of it. Sometimes they work 
better together, sometimes they don't. But it is clear to me 
from your testimony that it is working, and I am really glad to 
see that. Public-private partnerships are really a wonderful 
thing to hear. It is good that you are exchanging information.
    I appreciate some of the barriers that you are 
experiencing, but your goal, as part of your task force, I 
hope, is to identify how to get past some of those barriers, 
especially with respect to exchange of information. Because 
exchange of information is everything in a task force, and the 
success of a task force. So I appreciate that.
    That is one of reasons why a bill that was passed out of 
committee recently I hope gets passed out of the House to form 
a CISA advisory committee overall, because I think it is going 
to be very important.
    I want to talk to you about best practices in supply chain 
management. There is clearly an incentive, from a legal 
standpoint, to do it because, as best practices become more 
apparent, there is also liability or exposure for companies who 
don't utilize best practices. But instead of trying to solve a 
problem in a courtroom, I would like to see if we could solve 
the problem by incentivizing companies.
    So I wonder if any of you can talk to me about anything you 
have discussed within the task force about incentives that may 
be--that you might be recommending with respect to supply chain 
management practices.
    We could start with Mr. Mayer, since you are nodding your 
head.
    Mr. Mayer. So I would say that, you know, we have a very 
interesting group of participants. So you have some companies 
who are global leaders in brand management and have very 
sophisticated activities around protecting the value chain. 
They have every incentive based on market activities to make 
sure that their supply chain--the integrity of their supply 
chain.
    One of the conversations that we have had in the task 
force--and in some--it relates in part to what DoD is doing 
with respect to their CMMC and their efforts to create, you 
know, higher levels of assurance in the smaller companies. But 
we have also talked more generally about the group of 
companies. The small and medium business organizations clearly 
do not have the kind of resources that these global 
communications and IT companies have, yet they can be very 
impactful from a supply chain, especially as they provide 
products upstream.
    I think we are going to have to grapple with this--it came 
up in yesterday's meeting of the co-chair leaders--to make sure 
that, as we think about how we move forward with information 
sharing, threat evaluations, the development of qualified 
bidder lists, and things like that, that we keep in mind that 
there are certain companies that are going to be very 
successful in this space and have very sophisticated 
capabilities, and there are other companies that don't have the 
financial resources, the human resources to implement these 
capabilities.
    I think DoD is going to discover some of that as they 
implement the CMMC. That is just a societal problem we have to 
deal with, and we have to think very carefully about the kinds 
of incentives--cybersecurity generally, but supply chain, in 
particular.
    Mr. Katko. Have you come up with any incentives yet that 
you have talked about or bantered about?
    Mr. Mayer. We have bandied about many ideas. I mean, this 
goes back to the Executive Orders in President Obama's 
administration, where he wanted departments to look at 
incentives.
    My view is that nothing ever really came out of that 
effort. I think we have to revisit that. Incentives take--
require money, and there is a great deal of complexity in 
administrating it. Some companies don't want incentives. If you 
give incentives to some company, are you tilting the market 
dynamic in some way? So it is a complicated question.
    I think it is something that industry and Government should 
work closely with Congress on and think through. I think we are 
getting to the point in time where we need to think----
    Mr. Katko. I would ask you to do that. I think it is very 
important. I had a roundtable discussion back in my district, 
and it is clear to me that the smaller businesses just don't 
have the financial capacity, and they make value judgments 
every day and--of where to spend their money, and they are just 
not prioritizing this the way they should. That is a big 
concern to me.
    So, Mr. Kolasky, part of the Secure Technology Act's 
requirement in their strategic plan was that DHS come up with 
some sort of incentives, some ideas of some incentives. Have 
they done that yet?
    Mr. Kolasky. So I would frame it this way, that the way the 
procurements have been done in the Federal Government for a 
while, incentives have been around evaluating contracts from a 
current cost performance schedule incentive. What we need to do 
is re-frame cost, performance schedule, and security have to 
be--and there is a Deliver Uncompromised report that MITRE put 
together that--they have to be the pillars of a procurement 
strategy.
    It is amazing, as you know, once you put that into a 
Federal acquisitions process rule, that you have to evaluate 
security, just like you are validating cost and past 
performance. That very quickly becomes real incentives. You 
start to build tools for procurement officials to know how to 
do that. The companies who are trying to get into the space 
then have to demonstrate it. It sets up an auditing potential, 
you know, free-market auditing regime to evaluate things like 
that, and all that. You see that contract incentives can drive 
a lot of change in performance doing that in a way and, you 
know, talking--as we put that in our own contracts, can we 
share that with other big buyers who are procuring things even 
at the private sector to use similar language?
    I think that is a real--that is going to be a real driver 
in change of behavior down supply chains.
    Mr. Katko. Yes, I appreciate it. Just keep working on that, 
because we are looking forward to hearing from you.
    Mr. Miller, I know I am almost--I am out of time, but 
anything you want to add?
    Mr. Miller. I mean I, first of all, agree with everything 
my fellow panelists said on this. Really, just to highlight the 
point about the small and medium-sized businesses, you know, I 
think both panelists have talked about how that is one of the 
things that I think DoD is trying to get at with their CMMC 
program.
    When we start talking about things--when we say things like 
3 or 4 levels down in the supply chain, we are talking about 
small and medium-sized businesses usually, right?
    I mean, I think just the numbers themselves, just to kind-
of put a fine point on how important this issue is, I am not 
sure what the latest statistic is from the, you know, Small 
Business Association, but it is something like 90 to 95 percent 
of companies in the United States for small and medium-sized 
businesses. I think DoD has something like 90,000 contractors 
and 300,000 subcontractors. Most of those companies are small 
and medium-sized businesses.
    So, as Robert said, one of things we talked about yesterday 
was the importance of kind-of integrating the, you know, this 
notion of incentivizing, you know, SMB practices, or just at 
least trying to consider the SMB dimension of everything we are 
doing, because we have a lot of large companies in the task 
force that are doing really good work. Again, they are not 
perfect, either. But, you know, figuring out how to get down 
deeper into their supply chains, into the Government supply 
chains, is really the key.
    Mr. Katko. Yes, I think it is critically important to 
examine this issue, and I ask that you do that and report back 
to us in a timely manner.
    With that I yield back. Thank you, Mr.----
    Chairman Thompson. Thank you. The Chair recognizes the 
gentleman from California for 5 minutes, Mr. Correa.
    Mr. Correa. Thank you, Chairman Thompson, for holding this 
most important hearing. As we all know, technology is rapidly 
evolving, and that is why cyber threats is a major challenge to 
all of us.
    You know, as I listen to this conversation, this 
discussion, I am reminded of a story I read back a couple of 
decades ago. The Iraq War. I read the story where it talked 
about how the United States made Xerox machines that were being 
used in Iraq. We essentially put chips in those Xerox machines 
that were--at the right time we were able to activate them, and 
they caused all kinds of headaches for the Iraqis and their 
defense system, which helped us have a competitive edge when it 
came to winning that war.
    I guess you look back at that chapter and lessons learned, 
and now we are talking about 5Gs, you know, infinitely more 
complex, a whole lot more players. In your words, the number of 
vector threats growing exponentially. Trying to figure it all 
out.
    I would ask--supply chain trustworthiness.
    You, Mr. Miller, just talked about the small businesses. I 
agree, gentlemen, that we have to go with those that we trust. 
At the same time, we are looking at the lowest-cost producer of 
a chip, lowest-cost producer of something out there.
    So where do we start, or where do we keep going in terms of 
making sure that, you know, first of all, if--try to make sure 
most of those chips, most those products, are made in the 
United States. But even if they are made in the United States, 
God knows, how do we prevent a lot of those chips and a lot of 
those things from being put in our systems that can come back 
to haunt us? Open question to all of you.
    Mr. Miller. Sure. I mean I think--I think that's a really 
good question. You know, I mean 2 things I would say on that.
    You know, No. 1, as we have mentioned a few different 
times, we did have a threat assessment group looking at this 
issue. It was nearly 200 threats. I think 188 different threats 
were cataloged and divided into 9 different categories.
    I think it bears noting that only one of those categories 
was--you know, really involved cybersecurity threats. I mean, 
again, there is a whole bunch of other different types of 
threats, as if it wasn't complex enough that we have to deal 
with--when we are talking about global supply chains.
    Country of origin was also--is also just one of 188 
threats. So I think it highlights the importance of really 
basic risk management principles, and always thinking about, 
you know, how do we conduct a fact-based, context-based 
analysis of these various different multiple threat vectors?
    You know, it includes the entity and the supplier, of 
course. But also, what is the----
    Mr. Correa. Let me flip that around.
    Mr. Miller. How is it used?
    Mr. Correa. Let me flip it around. I am almost out of time 
here. But Mr. Katko talked about incentivizing. How do you keep 
the--continue to work with small businesses that may not have 
the resources to have so many guards up, so to speak, security-
wise, and at the same time we value their entrepreneurship. 
They are incentivizing, coming up with new technologies. How do 
you work with those folks? How do you make sure that they are 
part of this system, they are secure, and they keep us moving 
to 6G?
    Mr. Miller. Well, I mean, really quickly, one way, for 
instance, is that, you know, larger companies can--you know, 
they often have trusted supplier programs or something, and 
they can--or they can flow down requirements, you know, even 
to, for instance, do something as simple as--or maybe not as 
simple, but something like using the cybersecurity framework 
into their contracts as a way of trying to incentivize those 
companies to do that.
    But there is a host of other incentives that could be 
explored, as well.
    Mr. Correa. Gentlemen, any other comments?
    Mr. Mayer. So I know how we are not going to make progress. 
I always think of, like, regulation, technology, and markets. 
This is evolving too quickly. It is too dispersed for----
    Mr. Correa. It is not regulation.
    Mr. Mayer. It is not regulation.
    Mr. Correa. Not legal, but it is--what is it?
    Mr. Mayer. Oh, so it is a combination of one--as 
technologies advance, hopefully they become more functional in 
this respect, and cheaper, as it is more broadly adopted, so 
you have capabilities to address supply chain risk.
    But the most important aspect, I think, are how can we make 
markets drive some of this.
    So for a large company that has a supply chain, a diverse 
supply chain that has to guarantee their brand, they can do 
that through contractual arrangements. They can do that by 
requiring audits, attestations. There are all kinds of 
mechanisms. They have to provide some discipline to the people 
who provide markets there.
    I think that this issue is going to get continued 
visibility in society writ large, and it is going to get to the 
point where there is going to be a standard of care around 
protecting the supply chain. It is just going to emerge 
naturally as part of business. There are going to be players 
who are going to take serious consideration of how to manage 
their supply chain risk. Those that don't, they are going to 
find themselves vulnerable to either reputational harm, or 
potentially other kinds of, you know, legal or regulatory 
considerations.
    So I am hopeful that the markets and technology and the 
work that we are doing in the task force, by thinking about how 
to make it possible for some of these companies to be more 
effective, is the way we can have some success here.
    Mr. Correa. Mr. Kolasky.
    Mr. Kolasky. Sure. The question brings to mind a couple 
things, right? There is processes to subsidize small businesses 
for a lot of reasons, and there is some responsibility, I would 
say, on the vendor side, if they are buying chips and there is 
only a couple of sources of chips, to perhaps use some of the 
resources to make sure that there is security at that level. 
So, you know, I would hope that the market would see some 
incentive to helping small businesses.
    But then there are ways that we have, as a Federal 
Government, have subsidized small enterprises for a lot of 
different reasons, partially because they are a key source of 
innovation here. I do think, you know, if this--you know, 
depending on--if this gets too unbalanced, thinking about ways 
that the Government can subsidize some security practices, we 
certainly are building tools to help small businesses who want 
to take this seriously so that they don't necessarily have to 
go buy those tools from the market to get better at 
cybersecurity. We will help the assistance. But, you know, 
there may be a point where it gets out of alignment and some 
version of subsidization is necessary.
    Mr. Correa. Thank you, Mr. Chairman. I yield.
    Chairman Thompson. Thank you very much. The Chair 
recognizes the gentleman from Texas, Mr. Crenshaw, for 5 
minutes.
    Mr. Crenshaw. Thank you, Mr. Chairman. Thank you, everyone, 
for being here.
    Earlier this year my staff met with Intero Solutions. It is 
a company that uses artificial intelligence to evaluate supply 
chain vulnerabilities. Their program found some interesting 
issues.
    For instance, with--the F-35 at tier 2 and tier 3 
components have 22 percent and 72 percent Chinese-manufactured 
parts, for instance.
    Closer to what you might deal with in DHS they also found 
that, within our voting systems--I think there is only 3 
companies that actually--3 vendors that actually make our 
voting systems here in America, and 19 percent of those 
components in the tiers 1 through 3 had supply chains that came 
from China-based companies.
    Almost 60 percent of companies studied have supply chains 
and locations in China, Russia, or China and Russia. Even 
worse, some of these companies included awards from the NRTA, 
which is China's State-run censorship organization.
    I just want to get a sense from you, Mr. Kolasky, on how 
CISA deals with this.
    Mr. Kolasky. Sure. I can take this question from a number 
of angles. I will try to take them from 3 different ones.
    No. 1, Intero does participate in the task force, and is a 
member of the task force, within that.
    We have looked at Intero's tools. That kind of offering, 
whether from them or someone else, does a good job of scraping 
together publicly available data that is just hard to aggregate 
without taking advantage of machine learning and technology, 
and providing areas that you might want to do a deeper dive.
    I don't think--and I think if Jennifer was here--wouldn't 
tell you that they are absolutely right in those statistics, 
but those statistics start to narrow it down in cause for areas 
of--for deeper exploration. So we look at tools like that as a 
good way to get closer to evaluating risk.
    I am familiar a little bit with the election work, and--
familiar greatly with election work. We are doing a little bit 
of what Intero studies. The three companies you reference--
Dominion, ES&S, and Hart, you know, are all companies we do 
business--we work with as part of our election security 
efforts.
    I can tell you that this has been a subject that we have 
had conversation with in the Election Subsector Security 
Council. I know that the companies are increasingly aware that 
there may be supply chain threats, and are looking deeply at 
their own supply chains to start studying, including some of 
the companies have actually gone out and inspected the 
factories that are providing key components of that to try to 
have a better sense of the provenance of the component pieces 
that they put in.
    I won't say for any certainty, you know, the exactness of 
this, but it is an area where the combination of a technology 
like that to help illuminate a supply chain, and then good 
supply chain risk management, and actually going out looking 
and seeing is there any reason to be concerned, the businesses 
are doing that. We at DHS stand ready to work with them if you 
are finding areas of concern and, you know, maybe push certain 
things out of election supply chains.
    Mr. Crenshaw. Yes. I mean they--well, let's say the 
technology is half right. You know, it is still a pretty big 
concern. Like you said, it points you in the right direction.
    How much are we just relying on those companies to actually 
investigate their own supply chains? What is the relationship 
between them and you all to make sure that they do, and that 
our election machines are safe for the 2020 election?
    Mr. Kolasky. Sure. Again, we have a good information-
sharing relationship. You know, a couple of those companies, at 
least, we tested some of their equipment, the key equipment 
within a supply chain. So we have done some testing at our 
Idaho National Lab.
    So, you know, you are, in theory, worried about supply 
chains. But then, ultimately, it manifests itself--is there 
actually a vulnerability? If you get to sort-of a lab testing, 
you can actually test do any of those vulnerabilities manifest 
itself.
    I don't want to say, you know--we can't be in a position 
where say, oh, you bought something from this country, and 
therefore, inherently, somehow the whole system is going to 
collapse. That is not realistic.
    Mr. Crenshaw. Right.
    Mr. Kolasky. You have to understand where the sources of 
that material influence----
    Mr. Crenshaw. In my limited time--that actually gets to 
another question on the DJI drones. Are you familiar with that 
entire situation? What is DHS's take on DJI, and whether those 
drones are safe to use?
    Mr. Kolasky. We have provided a couple guidance of concerns 
that we have with drones manufactured in China. We put out 2 
public products. We think there is potential, if mitigation has 
not been put in place, that there could be information leakage 
through the drone process. We have some recommendations that we 
think can effectively mitigate the actual information leakage 
from the drone.
    So we are not at a point where we are saying don't use 
drones from----
    Mr. Crenshaw. Does DHS use any of those drones?
    Mr. Kolasky. I don't know, off-hand----
    Mr. Crenshaw. Border security or anything?
    Mr. Kolasky. I don't--yes, we don't--CISA doesn't operate 
drones. So I don't know off-hand. We can get back to you on 
that one.
    Mr. Crenshaw. All right. I yield back my time. Thank you, 
Mr. Chairman.
    Chairman Thompson. Thank you very much. The Chair 
recognizes the gentlelady from Florida, Mrs. Demings, for 5 
minutes.
    Mrs. Demings. Thank you so much, Mr. Chairman. Thank you to 
all of you for being here with us today.
    Mr. Kolasky, once again, the committee is holding a hearing 
against the backdrop of major departures and leadership 
shakeups in DHS. How are you working to make sure that the NRMC 
and this task force, in particular, is staying above the fray?
    Does the NRMC have the support it needs to carry out its 
mission during this very critical time?
    Mr. Kolasky. I would cite a quote Mr. Mayer gave to Inside 
Cybersecurity yesterday about our ability to stay above the 
fray, and I will let him paraphrase the phrase, but it is a 
serious question.
    We have had support consistently through the Secretaries 
and Acting Secretaries that have served this administration, 
including Acting Secretary McAleenan. CISA has been--I think 
this is paraphrasing Robert's quote, to some extent--we have 
had--sorry, we have had really good consistency at the 
political leadership level, starting with Chris Krebs and down 
there.
    So we have been--I can say, as somebody who has been a part 
of, you know, 3--now 3 Presidential administrations in the 
Department, you know, the consistency has allowed us not to 
have to change any direction based on any change of leadership 
at the more senior level, at a strategic level.
    You know, we will see what happens with the successor to 
Acting Secretary McAleenan. But at this point we expect it is 
full speed ahead with the work of the task force.
    Mrs. Demings. So with the consistent support that you talk 
about, that does not necessarily include the more senior level.
    What concerns you the most, though, about the changes in 
leadership, and how it affects your--could affect your 
operation? What are you preparing for as you await the next----
    Mr. Kolasky. Yes, I am--I mean I am human. Any change of 
leadership, you know, you want to be responsive to that.
    I am not expecting that a change of leadership at the DHS 
Secretary level is going to drive a change in how we approach 
supply chain risk management or risk management for critical 
infrastructure. Obviously, we serve our leadership to some 
extent. But, you know, I can say that we have had consistency, 
and we expect consistency going forward. We are not planning to 
adjust our plans based on having a new Acting Secretary.
    Mrs. Demings. Then you don't need one? You know, that is 
not really a serious question.
    Mr. Mayer, since he interjected you into his answer, would 
you like to speak for yourself on----
    Mr. Mayer. Oh, thank you.
    Mrs. Demings [continuing]. Staying above the fray?
    Mr. Mayer. Yes. So I appreciate that. So I think what I 
said was that the system was operating on all cylinders, and 
that the public-private partnership with DHS has never been 
stronger. I really believe that.
    I have had 10 years of working with DHS, and I have seen it 
evolve over these many years to the point where we are now 
having a level of engagement, bringing subject-matter experts 
to the table, DHS is listening. We are listening. We are 
developing products that reflect a great deal of collaboration.
    Most recently, for example, the 80-day criticality 
assessment that had to go into the efforts on the--we are 
having those discussions on 5G, we are having those 
conversations on National critical functions.
    Going back all the way, I think, to Secretary Kelly and 
some of the changes that have existed at the top levels, I have 
not observed anything that suggested that it is either a 
distraction or disruption.
    Mrs. Demings. Perfect. Thank you. To you or to Mr. Miller, 
it appears the task force has focused on the issues of hardware 
to our ICT supply chain. Can you describe the work--either one 
of you or both--that has been done to secure cloud-based 
storage and applications in the process?
    Mr. Miller. Excuse me. Just to clarify the question, are 
you asking about cloud in the context of the task force?
    Mrs. Demings. Yes.
    Mr. Miller. I don't believe that the task force has worked 
on cloud, specifically, other than in the context of the 
broader, you know, threat assessment work.
    But, you know, more broadly speaking, I think it--you know, 
talking about cloud does highlight one of the points that I 
made earlier, and that is about, you know, data access and 
managed service providers and other cloud providers are, you 
know, a really important part of the conversation right now. 
So, you know, it is definitely a focus area, and I think a 
future focus area of our work.
    Mrs. Demings. Mr. Mayer, anything to add?
    Mr. Mayer. The only thing I would add is I don't think how 
you can think of the supply chain in the context of ICT and not 
give a lot of consideration to cloud, because a lot of the 
services are moving there.
    The other point that I would make is there must be--you 
know, I would go through the list of the 40 companies. I would 
imagine a good number of those companies either rely intensely 
on cloud capabilities, or provide those services themselves. So 
I think it is kind of being built into the thinking, as it 
should be, because you cannot talk about this ICT ecosystem 
without thinking about how much of the--how big a role the 
cloud is having.
    I would also say that, from a security perspective, I think 
the cloud has been very instructive in terms of how well we 
have been able to defend it. I think the lessons we learn from 
cloud security are going to be easily applied to the 5G 
environment, which is going to be very helpful.
    Mrs. Demings. OK, thank you.
    Mr. Chairman, I yield back.
    Chairman Thompson. Thank you very much. The Chair 
recognizes Mr. Taylor for 5 minutes.
    Mr. Taylor. Thank you, Mr. Chairman.
    Chairman Thompson. Or less.
    [Laughter.]
    Mr. Taylor. Thank you, Mr. Chairman. I will be brief. Just 
looking forward to the next--to the future of the task force, 
what are some of the primary areas that you think you will 
focus on in the future, Mr. Kolasky?
    Mr. Kolasky. Sure. I mean we will start by continuing the 
work of the working groups, some of the information-sharing 
threat evaluation work that we have talked about, and 
particularly pushing further on guidance around QBL, qualified 
bidder lists, and qualified manufacturer lists.
    So we want to come back with, I think, on information 
sharing, some tangible recommendations, the changes that need 
to be made to facilitate information sharing on threat 
evaluation. We want to come back and work on what I call sort-
of a reference guide on risk mitigation. How do you mitigate 
risk against threats that are of particular concern to your 
supply chains? So that is going to be the principle area that 
we start with.
    We have talked about some other ideas, and we are in the 
deliberating process. I think there is an opportunity to bring 
some of the work going on in other critical infrastructure 
sectors and connect that. There is an opportunity to make 
additional connections across the Federal Government. Part of 
that will then be to influence the implementation of the FASC 
strategic plan, the Federal Acquisition Security Council 
strategic plan.
    So Year 2 we are going to have a tighter linkage, now that 
the Federal Acquisition Security Council has worked through the 
sort-of forming--storming and forming stage, tighter linkage 
around that.
    Mr. Taylor. So nothing I heard there would indicate a need 
for statutory changes or statutory assistance that--you would 
come to the committee and say, ``Hey, we need the law changed 
here, here, and here,'' or did you just not mention it?
    Mr. Kolasky. No, I mean, I think you have heard here 
information sharing and incentives are 2 areas where I think, 
ultimately, we may come back with some recommendations of 
current statutory gaps that allow us to push in those areas.
    We don't think we need codification to operate as a task 
force, or to get people to the table, things like that. The 
critical infrastructure partnership authorities that already 
exist have enabled us to do that.
    So I think we are in a good place, as a standing with the 
task force, but there may be recommendations that--around 
incentives and information sharing.
    Mr. Taylor. Looking forward to those recommendations.
    Mr. Chairman, I yield back.
    Chairman Thompson. Thank you very much. Let me thank the 
witnesses for your absolute expert testimony. Your interest and 
participation in this subject matter is clear.
    We are waiting for the next report to kind-of see how far 
down the road we can get.
    Taken from Mr. Taylor, I think there will be some 
legislative fixes on liability and some other things we will 
have to look at down the road. I am a little concerned that 
there is a reluctance to call out a bad actor for fear of being 
sued, and that might create a vulnerability that should not be. 
So there is no reluctance on the Chairman's part, and I don't 
think any other Member of the committee's part that, if we need 
to do that to secure our systems, that is fine.
    The other thing I would like the next time you gentlemen 
come is to kind-of talk about some of those nation-state bad 
actors, and what they are doing, and what we are doing to 
counter them. We get a lot of companies who come to us and say, 
``Well, we can't really compete in a competitive market, 
because this company that is winning the bids is owned by X 
Government.'' I am trying to figure out if those entities are 
some of the entities who--the bad actors also in this scheme of 
things.
    So I want you to think a little bit about that, because 
some of those small businesses Mr. Correa and some of the other 
people talked about are saying, you know, when companies don't 
have a bottom line, they can just about compete at zero and 
win. But I am not--that is not what we want. So I want you to 
kind-of think about some of that.
    I thank you also for your valuable testimony. The Members 
of the committee may have additional questions for the 
witnesses, and we ask that you respond expeditiously in writing 
to those questions. Without objection, the committee record 
shall be kept open for 10 days.
    Hearing no further business, the committee stands 
adjourned.
    [Whereupon, at 11:17 a.m., the committee was adjourned.]



                            A P P E N D I X

                              ----------                              

     Questions From Chairman Bennie G. Thompson for Robert Kolasky
    Question 1a. The ICT Supply Chain Task Force has taken on very 
complicated issues with respect to supply chain risk management, and 
its work is on-going. What is the future of the task force?
    Question 1b. Does the Cybersecurity and Infrastructure Security 
Agency (CISA) plan to make the task force permanent?
    Answer. The first year of the task force focused on 4 priority 
areas for supply chain risk management, including Information Sharing, 
Threat Evaluation, Qualified Bidder Lists, and Qualified Manufacturer 
Lists, and Policy Recommendations to Incentive Purchase of Information 
and Communications Technology (ICT) from Original Equipment 
Manufacturers and Authorized Resellers. In September 2019, the task 
force released an Interim Report, providing an update on activities and 
objectives. The ICT Supply Chain Risk Management Task Force also serves 
as a private-sector engagement point for the Federal Acquisition 
Security Council.
    For year 2, the task force will continue 3 of the 4 work groups 
with a focus on Information Sharing, Threat Evaluation, Qualified 
Bidder Lists, and Qualified Manufacturer Lists. It is also likely that 
the task force will initiate a new working group related to attestation 
of suppliers and vendor vetting. The task force will continue to allow 
for industry engagement with the Federal Government on a myriad of 
supply chain risk management efforts, including the Federal Acquisition 
Security Council.
    The task force is currently operating under a 2-year charter. While 
no decision has yet been made about future work, there is strong 
interest across the membership in re-chartering its work beyond that 
date.
    Question 2a. This committee has always supported CISA's work, and 
has worked to ensure it has the authorities it needs to carry out its 
mission to defend Federal networks and critical infrastructure. Does 
CISA currently have all the authorities it needs to carry out its 
supply chain risk management efforts? Moving forward, do you anticipate 
that the work of the task force may result in CISA seeking additional 
authorities?
    Answer. We currently have the authorities we need to carry out our 
supply chain risk management initiatives. The task force is helping us 
analyze this question and we will let the committee know if we identify 
additional authorities that are needed.
    Question 3a. In the Interim Report it stated that the task force is 
working closely with OMB and the Federal Supply Chain Acquisition 
Council to compile a Federal version of your ``Inventory of Supply 
Chain-related Standards & Best Practices.'' When do you expect that to 
be complete? How will that information inform the future work of the 
task force?
    Question 3b. Although the work of the task force is targeted at 
Federal information and communications technology, do you expect the 
inventory will benefit the private-sector supply chain risk management 
efforts as well?
    Answer. Information for the initial inventory has been gathered 
from Government sources and is being analyzed for completeness and 
utility. With a complete inventory, this will ensure an understanding 
of the range of Federal efforts and help identify where additional 
Federal work may be needed.
    We believe there is benefit to compiling this information, both to 
help focus the task force on not creating redundant work and also to 
give a more holistic view of applicable Federal Government processes 
and programs to help support private-sector supply chain risk 
management efforts.
    Question 4a. It is imperative we secure the supply chain for 5G 
technology, and I understand there are 5G Network Security and 
Resilience initiatives under way at CISA's National Risk Management 
Center (NRMC). Can you speak to what CISA is doing to help secure the 
5G supply chain?
    Question 4b. How has CISA engaged other agencies, and in particular 
the FCC, in addressing 5G supply chain security concerns?
    Question 4c. What more should we be doing as the country moves 
toward 5G?
    Answer. Cybersecurity and Infrastructure Security Agency's (CISA) 
5G work is grouped into 4 areas of effort:
    1. Encourage the design and deployment of 5G networks with security 
and resilience;
    2. Promote 5G use cases that are secure and trustworthy;
    3. Identify and communicate risks--including supply chain risks--to 
5G infrastructure; and
    4. Promote development and deployment of trusted 5G components.
    As part of those efforts, we have worked with the Information 
Technology and Communications Sectors to conduct a broad review of the 
risks and opportunities posed by 5G technology and have publicly posted 
this risk characterization on our website.
    We are maturing our testing capabilities of 5G infrastructure, 
starting with 5G handset testing with one of our National laboratory 
partners.
    We have partnered with the U.S. Chamber of Commerce and the 
Competitive Carriers Association on a Rural Engagement Initiative to 
support the rollout of 5G networks in rural environments. We also are 
engaging with the U.S. State Department and international partners to 
take a risk-based approach to trusted 5G deployment around the globe.
    Specific to the Federal Communications Commission (FCC), the FCC is 
an active participant in the task force. We have offered review on the 
FCC rulemaking related to use of Universal Service Fund for 5G and we 
stand ready to support the FCC with any analysis that might help with 
their exercise of their authorities. Finally, CISA participates in 
Communications Security, Reliability, and Interoperability Council VII, 
specifically on working groups 2 and 3, which intend to specifically 
address matters related to 5G and 5G security. We are actively working 
to enhance the capability of this group.
    Question 5a. Part of what has enabled foreign ICT components to 
become so ubiquitous throughout the Federal supply chain is the desire 
for less expensive products. Moving forward, how will integrating 
supply chain security requirements into Federal purchasing requirements 
affect cost?
    Question 5b. Should we anticipate spending significantly more on 
products with strong supply chain assurances?
    Answer. There is a growing consensus that security is now the so-
called 4th pillar of Federal acquisition to complement the existing 
pillars of cost, performance, and schedule. CISA's participation in the 
Federal Acquisition Security Council and other Federal procurement 
activities will help streamline and mature the inclusion of security 
requirements in Federal acquisition of ICT. It is true that there may 
be additional upfront costs associated with procuring more secure 
elements of the ICT supply chain, but often much of the up-front costs 
can be offset by the benefits of having more secure systems, thus 
limiting the risk of future costs associated with security incidents.
    Question 6a. There has been more momentum behind supply chain risk 
management efforts over the past 2½ years--from the establishment 
of the Task Force and the Federal Acquisition Security Council to the 
Executive Order. From your perspective, to what degree have the 
activities led by the Federal Government stimulated better supply chain 
risk management practices within the ICT sector?
    Question 6b. What more should the Federal Government be doing?
    Answer. The activities of the Federal Government are making a 
difference. Increasingly, many or most discussions around cybersecurity 
and critical infrastructure protection include some risk calculation 
around supply chain, third-party, or vendor assurance. Vulnerabilities 
in supply chains--either developed intentionally for malicious intent 
or unintentionally through poor security practices--can enable data and 
intellectual property theft, loss of confidence in the integrity of the 
system, or exploitation to cause system and network failure. Managing 
risk to the ICT supply chain is a top priority for CISA.
    We live in a system of systems world where ICT components--these 
foundational building blocks of hardware, software, and services--
underpin a broad range of critical infrastructure and governmental 
functions the American people depend upon. We must have trust in these 
components. They must be secure by design. And their manufacturers 
should operate without risk of subversion or manipulation by 
adversarial regimes.
    Our engagements with ICT stakeholders largely reinforce a growing 
recognition that effective ICT Supply Chain Risk Management (SCRM) is 
not only important for product security, but is also necessary for 
business and organization resilience, as well as economic and National 
security. The participation in our ICT SCRM Task Force by 40 of the 
largest ICT stakeholders is testament to the intentions of those on the 
front end of developing and producing the connected infrastructure 
underpinning our digital world, who are committed to leading in and 
prioritizing security and resilience in their business decisions. The 
combination of this work and the utilization of a range of Federal 
authorities is driving companies to a position of taking less supply 
chain risk.
    Question 7. While it is encouraging to see the membership of the 
task force include the leaders in each of the Communications and 
Information Technology Sectors, I am concerned that the voices of small 
businesses are not part of the task force membership. How are you 
ensuring that small business concerns are taken into consideration 
through the task force and its component Working Groups?
    Answer. The task force and the respective Working Groups recognize 
the unique circumstances and needs of small and medium-sized 
businesses. In fact, CEOs of two small businesses that produce 
cybersecurity tools and services sit on the task force and participate 
actively in the Working Groups. Their perspective has been valuable, 
and their input has been considered.
    The task force is including small business concerns into each of 
the working efforts and some of the recommendations will be designed 
specifically to make available more information and capability for 
small businesses to help them secure their ICT components.
       Questions From Honorable James Langevin for Robert Kolasky
    Question 1. What responsibility does the National Risk Management 
Center have for helping to illuminate private-sector supply chains?
    Answer. While we cannot compel private-sector action by 
illuminating our understanding of risk to the Nation's critical 
infrastructure, we are confident that owners and operators of critical 
infrastructure can make more informed decisions that make 
infrastructure more resilient.
    In particular, the National Risk Management Center (NRMC) is 
looking at improving analytics to help illuminate supply chains around 
three general questions:
    1. How big is the risk exposure of particular supply chain 
elements?
    2. Should we demand a higher level of assurance in supply chains 
given the risk exposure?
    3. Does the proposed solution give us enough assurance that 
critical functions to National security are not at risk?
    Question 2. If a private-sector entity supporting a National 
Critical Function does not have a good understanding of its supply 
chain--or its supply chain risk--are there actions the NRMC can take to 
get a better understanding of that supply chain risk?
    Question 3. What responsibility do sector-specific agencies have to 
illuminate, or help private-sector organizations illuminate, supply 
chain risk within their sectors?
    Question 4. Does the NRMC have any agreements with sector-specific 
agencies specific to supply chain risk and efforts to illuminate it 
within their sectors?
    Answer. The NRMC works in a voluntary manner with the private 
sector to better understand and assess supply chain risk. Our 
partnership with most of the industry that contributes to the delivery 
of National Critical Functions helps us understand their supply chain 
risks, but we are exploring ways to increase information sharing and 
better understand vulnerabilities and risks. This could lead to new 
industry-Government partnerships in the future.
    Sector-Specific Agencies (SSAs) contribute to this effort. CISA is 
the SSA for 8 of the 16 sectors and responsible for coordinating the 
security of critical infrastructure across all sectors. We are driving 
this imperative across all sectors. We have partnered with the U.S. 
Departments of Energy, Defense, and Health and Human Services on 
targeted sector-specific supply chain efforts. The cross-sector 
collaboration on supply chain risk management remains a priority in 
2020.
    Question 5. Does the NRMC have any plans to scan, request 
information of, or otherwise directly illuminate supply chains of 
entities supporting National Critical Functions, whether using NRMC 
resources, other intra-governmental resources, or contracts with non-
Government entities?
    Answer. From an ICT supply chain perspective, we did this as part 
of our responsibilities under Executive Order 13873. The NRMC utilized 
a repeatable, qualitative approach, developed in collaboration with the 
National Laboratories, Government, and private-sector entities, to 
decompose 7 NCFs into their respective ICT elements (hardware, 
software, and services). These ICT element classes can then be analyzed 
for criticality. The NRMC continues to refine its analytical process 
for supply chain risk management to help build a lasting analytical 
engine.
    In Year 2 of the assessment, the NRMC plans to conduct both deeper 
and broader analysis across ICT supply chains to better illuminate any 
risks of concern.
    Question 6. How does the NRMC model supply chain risk across the 
National Critical Function Set? Is the risk modeling quantitative or 
qualitative?
    Question 7. Does the modeling capability support the dynamic 
introduction of new intelligence? For instance, if a new zero-day 
vulnerability is disclosed and is actively being exploited in the wild, 
can risk metrics rapidly be recalculated across National Critical 
Functions?
    Answer. The NRMC uses a repeatable, qualitative approach, developed 
in collaboration with the National Laboratories, Government, and 
private-sector entities, to decompose each of the NCFs into their 
respective ICT elements. These ICT element classes are then analyzed in 
terms of National security or regional-level impacts, based on assumed 
compromise of the element. For National-level analysis, the risk 
assessment accounts for likely compromises, so the overall strategic 
level assessment wouldn't necessarily need adjustment regarding a zero-
day vulnerability. It's the tactical-level operational protocols that 
would likely need adjustments.
    As new intelligence is introduced into the model, our assessment of 
criticality and threat can change which could cause different risk 
judgments and priorities in terms of mitigation.
    Question 8. What steps are the NRMC and DHS more broadly taking to 
``promote market dynamism and support existing trusted-vendors in the 
space while investing in innovation and research and development that 
will help the trusted community win the quality battle in the RAN, 
innovate to a future 5G, and compete on a level playing field in the 
market?'' How is CISA working with the interagency to achieve these 
ends?
    Answer. During the current early stage of 5G, CISA is focused on 
cross-collaboration and awareness until more mature use cases emerge in 
real-world deployments. We are coordinating with the DHS Office of 
Science and Technology and other areas of research and development 
across the inter-agency to ensure technology that will support 5G 
deployment has proper incubation and innovation stimulated around it. 
We work with partners to support a consortium of industry vendors to 
promote interoperability between vendors supporting 5G infrastructure. 
We also participate in international standards bodies like 3GPP to 
support a level playing field for American innovation.
    Further, we are in close collaboration with the U.S. Department of 
Defense, as well as several of the National Laboratories, to ensure we 
are coordinated in the area of research and development. Finally, we 
are persistently engaged with our European partners through forums such 
as the Prague 5G Security Conference.
    Question 9. What other technologies, besides 5G, are of particular 
concern to the NRMC?
    Answer. Most technologies present strategic opportunities, as well 
as risk management challenges. For instance, artificial intelligence 
(AI) enables adversaries to be more automated in their attacks; 
however, it also empowers network defenders like CISA to be more 
strategic in the way we defend against cyber threats.
    The NRMC also has dedicated resources to the topic of space and 
terrestrial-based Position, Navigation and Timing (PNT), and the 
associated technologies that ensure those capabilities. As we assess 
the National Critical Functions and work to determine the elements in 
those functions, technologies such as PNT and 5G stand out as areas we 
want to get ahead of.
    Other technologies of interest are quantum computing, smart cities, 
and associated automation, and advances in the bio-economy.
    Question 10. What barriers does NRMC believe exist to effective 
threat information sharing with the private sector? How do these 
barriers fall outside protections enacted in the Cybersecurity Act of 
2015?
    Answer. Potential barriers to effective information sharing with 
the private sector include those that are legal, process or 
operational, financial, and reputational. Through the ICT SCRM Task 
Force, we plan to convene key Government agency and private-sector 
representatives with specific subject-matter expertise on the legal 
issues relating to supply chain information sharing barriers and 
discuss throughout this year. Many of the key issues are related to 
having more assurance that suppliers can be trusted to deliver secure 
hardware and software.
         Questions From Honorable Dina Titus for Robert Kolasky
    Question 1. If, as you say in your testimony, a particular focus 
for CISA `` . . . needs to be on ensuring that State-influenced 
entities do not dominate a market . . . to potentially do the work of 
adversary action,'' how should the United States convince other 
countries of the risks and vulnerability of adopting Chinese 
technology? How should the United States work with countries that have 
already adopted Chinese networks out of economic necessity?
    Answer. In our efforts, we are also encouraging all countries to 
adopt a risk-based security framework for the rollout of 5G networks. 
We urge nations to conduct a careful evaluation of potential hardware 
and software equipment, vendors, and the supply chain. It is imperative 
that the international community renews its efforts to incentivize 
security in the marketplace and ensure it is a primary consideration, 
alongside cost, in product development, manufacture, acquisition, and 
procurement. Earlier this year, the global community made great strides 
at the Prague 5G Security Conference where officials from nearly 40 
countries met to discuss a set of principles on how best to design, 
construct, and administer secure 5G infrastructure, known as the Prague 
Proposal. Additionally, the European Commission and member states 
released their coordinated E.U. risk assessment of 5G security. The 
assessment clearly identified the vulnerability of 5G vendors or 
suppliers that could be subject to pressure or control by a third 
country, especially countries without legislative or democratic checks 
and balances. The assessment also highlighted the corporate ownership 
structure of 5G suppliers as a potential risk factor, which aligns with 
the U.S. assessment and the Prague Proposals' call for transparency. 
Establishing international cybersecurity norms, like we did in Prague, 
must continue with our international partners; we must continue to 
encourage responsible behavior and oppose those who would seek to 
disrupt networks and systems.
    Question 2. How can non-Chinese companies compete with Huawei given 
that its telecom networks typically cost 20 to 30 percent less than 
competing products?
    Question 3. Huawei is trying to build 5G networks around the world. 
Why doesn't the United States have any competitors with similar 5G 
infrastructure?
    Answer. American companies can continue to compete in the 
development of emerging technologies by participating in 
interoperability efforts, which will allow American companies to more 
easily incorporate new technologies within existing networks. The 
Federal Government can continue to support American companies, by 
limiting the adoption of Chinese 5G equipment that may contain 
vulnerabilities. Section 889 of the 2019 National Defense Authorization 
Act prohibits Federal agencies from procuring or obtaining, or 
extending or renewing a contract to procure certain Huawei and ZTE 
equipment and services, and the recently-enacted Federal Acquisition 
Supply Chain Security Act provides the Government with important new 
authorities to address risks presented by the purchase of technologies 
developed or supplied by entities whose manufacturing and development 
processes, obligations to foreign governments, and other factors raise 
supply chain risks.
    Furthermore, Chinese companies, such as Huawei, appear to have 
benefited from subsidized financing for their equipment sales. 
Countries should adopt the best practices in procurement, investment, 
and contracting, and require that financing be commercially reasonable, 
conducted openly and transparently, and based on free market 
competition, while taking into account trade obligations.
    Within the United States, there are a multitude of companies that 
will be well-positioned to provide aspects of the 5G network, while 
there are trusted international vendors that have ample U.S. presence. 
We believe that a move to a more open 5G architecture will only advance 
the opportunity for U.S. companies in 5G.
    Question 4. How should the United States work with countries that 
have already adopted Chinese networks out of economic necessity?
    Answer. Response was not received at the time of publication.
      Questions From Chairman Bennie G. Thompson for Robert Mayer
    Question 1. The Business Software Alliance, last week, wrote to 
Commerce Secretary Wilbur Ross of their disappointment in a lack of 
public comment before the Interim Public Rule is issued, pursuant to 
the ICT Executive Order.
    How does a lack of input into this Rule impact the Communications 
and IT Sectors?
    Question 2. What is the capacity of the ICT industry to be able to 
implement recommendations without restricting competition and imposing 
burdensome costs?
    Answer. The rules that will be issued pursuant to Executive Order 
13873 will be an extraordinarily significant step in the Government's 
assertion of authority to intervene in the private-sector supply chain. 
Unlike other Government supply chain activities (such as various 
Federal procurement rules and the FCC's proposed restrictions on 
Universal Service Fund support for purchases from certain suspect 
suppliers), this Executive Order asserts broad authority to prohibit 
purely private commercial transactions.
    USTelecom and other stakeholders have engaged on these issues with 
relevant Commerce personnel--namely senior officials and staff from the 
Bureau of Industry (BIS), the National Telecommunications and 
Information Administration (NTIA), the Office of General Counsel (OGC) 
and the Secretary's office--and we are satisfied that the Department 
understands the significance of the step they are taking. It is our 
understanding that the rules will not themselves take substantive 
prohibitive action against specific transactions, but will instead 
establish the procedural, jurisdictional, and definitional framework 
under which such future prohibitions would take place. We expect, per 
multiple public statements from senior Department officials, that there 
will be an opportunity for robust public comment on these rules when 
they are issued.
    For the long-term success of this policy, including to ensure 
positive effects on global competition and to avoid imposition of 
unnecessary burdens and costs, it is important that the Department 
receive additional formal on-the-record input from a wide variety of 
stakeholders in the Communications and IT sectors.
    Question 3. Part of what has enabled foreign ICT components to 
become so ubiquitous throughout the Federal supply chain is the desire 
for less expensive products.
    Moving forward, how will integrating supply chain security 
requirements into Federal purchasing requirements affect cost?
    Question 4. Should we anticipate spending significantly more on 
products with strong supply chain assurances?
    Answer. Integrating supply chain security requirements and 
acquiring products with supply chain assurances may in some cases 
increase the costs of some acquisitions, but the Government should 
endeavor to leverage private-sector expertise in supply chain security 
processes to advance cutting-edge supplier vetting and security risk 
management processes that can ultimately create efficiencies--and cost 
savings--in Federal procurement that may not exist today. While it is 
the case that some foreign-origin ICT components are less expensive 
because they have been subsidized by foreign state actors such as the 
Chinese government to sell at below-market prices, many private-sector 
buyers are aware of the longer-term security and performance costs that 
such purchases entail.
    USTelecom believes that deep engagement with private-sector 
expertise on Federal supply chain risk management activities is the 
primary method for creating efficiencies that will control costs while 
mitigating risks in the supply chain.
    Question 5. There has been more momentum behind supply chain risk 
management efforts over the past 2½ years--from the establishment 
of the task force and the Federal Acquisition Security Council to the 
Executive Order.
    From your perspective, to what degree have the activities led by 
the Federal Government stimulated better supply chain risk management 
practices within the ICT sector?
    Question 6. What more should the Federal Government be doing?
    Answer. Further to my answers to the previous set of questions, we 
commend the Government for its approach to supply chain security risk 
management--namely in partnering with private-sector experts in 
developing solutions. This has been mutually beneficial to the 
Government and to industry. So far as we are aware, the ICT Supply 
Chain Risk Management Task Force is the only formally chartered 
industry-Government partnership whose leadership and membership are 
composed of a 2-1 industry-to-Government ratio. This is how these 
processes should proceed, because while all stakeholders have a strong 
interest in the security of the supply chain, it is the communications 
and IT sectors that have the pertinent real-world expertise regarding 
how to make a secure supply chain a reality.
    To this end, we believe the most important principle the Government 
can follow in this arena is to promote coordination among and between 
the various Government and private-sector activities on these issues in 
various Federal agencies and industry sectors. Additionally, these 
initiatives must recognize that the relevant ICT markets are global, so 
to the extent possible, these efforts should be coordinated among like-
minded governments world-wide so as to increase the size of the market 
for a secure supply chain of trusted vendors.
    Question 7. While it is encouraging to see the membership of the 
task force include the leaders in each of the Communications and 
Information Technology Sectors, I am concerned that the voices of 
smaller businesses are not part of the task force membership.
    How are you ensuring that small businesses' concerns are taken into 
consideration through the task force and its component Working Groups?
    Answer. In addition to large, global companies, USTelecom has many 
members who are small and medium businesses (SMB) themselves, in 
addition to serving the SMB community extensively as their broadband 
service provider. Accordingly, my role at USTelecom has given me a 
significant appreciation of the SMB security concerns, including 
overseeing the USTelecom SMB Cybersecurity subcommittee. Further, I 
serve as chair of the Communications Sector Coordinating Council 
(CSCC), which takes small/medium business concerns very seriously. One 
of the CSCC's formal committees is exclusively concerned with 
addressing the security challenges of small and medium businesses. All 
of this informs my work as co-chair of the ICT Supply Chain Risk 
Management Task Force, with guidance from other members and 
associations who also represent SMB segments. Furthermore, we are now 
in the process of identifying Year 2 projects for the task force and a 
proposal is before the voting members to create a new working group 
that will focus its attention on the unique circumstances of the SMB 
community and possible incentives that may be required to bring their 
capabilities to a higher level of maturity.
    In short, small/medium business concerns are integral to our work 
on the CSCC, and also to our work on the ICT Supply Chain Risk 
Management Task Force. We must develop supply chain security approaches 
that work for all stakeholders in industry, small and large.
    Question 8. It appears that the task force has focused on the 
issues to the hardware in our ICT supply chain, can you describe the 
work that has been done to address software concerns?
    Answer. Members of the ICT Supply Chain Risk Management Task Force 
have been active participants in NTIA's Software Component Transparency 
multi-stakeholder effort. This process has yielded the development of a 
standard software bill of materials and proof of concept that would 
increase supply chain transparency across industry. The task force also 
recently released an Interim Report in September 2019 that provides 
further details on how task force members are addressing software 
supply chain concerns, such as providing an assessment of best 
practices and standards for the software supply chain.
    Question 9. What protections does industry feel the task force 
needs to promote a deeper level of information sharing of supply chain 
risks?
    Answer. One of the working groups on the ICT Supply Chain Risk 
Management Task Force looked into this issue in some depth, through the 
lens of the question of how industry and Government could share and/or 
receive derogatory, supplier-specific information--that is, ``naming 
names'' of specific suspect suppliers.
    Broadly speaking, a private company's formal or informal sharing or 
receipt of information regarding a suspect supplier could create the 
prospect of facing a private cause of action, most likely brought by 
the supplier at issue, involving an alleged violation of a pertinent 
commercial agreement or of applicable Federal or State law (either 
statutory or common law). While certain statutory protections such as 
those under the Cybersecurity Information Sharing Act (CISA) and the 
Protected Critical Infrastructure Information Act (PCII) in some cases 
may be pertinent to these legal risks, these statutes may not fully 
accommodate the risk information sharing that is envisioned under the 
task force's work on this matter.
    The task force continues to work on this legal challenge, and we 
believe there are some models in other areas of procurement and law 
enforcement activities that could provide legal standards and processes 
that would be applicable here. We would welcome the opportunity to 
engage with your staff in greater depth regarding these possibilities.
    Question 10. As the Federal Government seeks to improve its supply 
chain risk management policies, how should it approach requesting 
information from vendors further down the supply chain without being 
burdensome?
    Answer. Similar to my answers to other questions above, we believe 
the best approach to this question is to leverage private-sector 
expertise in supply chain security processes to advance cutting-edge 
supplier vetting and security risk management processes that can 
ultimately create and advance efficiencies in Federal procurement. 
Private-sector companies have been addressing these supply chain 
assurance challenges for years, so deep engagement with private-sector 
expertise on Federal supply chain risk management activities is the 
best method for creating supply chain security advances while avoiding 
unnecessary burdens.
       Questions From Chairman Bennie G. Thompson for John Miller
    Question 1. The Business Software Alliance, last week, wrote to 
Commerce Secretary Wilbur Ross of their disappointment in a lack of 
public comment before the Interim Public Rule is issued, pursuant to 
the ICT Executive Order.
    How does a lack of input into this Rule impact the Communications 
and IT Sectors?
    Answer. We anticipate that we will have the opportunity to provide 
comments on the rules to implement the Executive Order when they are 
released, whether they are published as an Interim Final Rule or as an 
Advanced Notice of Proposed Rulemaking. We have engaged with the U.S. 
Department of Commerce throughout the process to share the perspectives 
of the ICT sector.
    Question 2. What is the capacity of the ICT industry to be able to 
implement recommendations without restricting competition and imposing 
burdensome costs?
    Answer. Without having seen the text of the Interim Final Rule, it 
is difficult to make an accurate determination as to ease of 
implementation or costs. Ultimately any final determination as to these 
and other issues will depend on what the actual rule as issued says and 
the process that is laid out with the rule. A flexible framework in 
which determinations about National security risk associated with 
particular ICT transactions are grounded in a fact-based, context-based 
analysis should allow the ICT sector to implement recommendations 
without incurring significant cost or burden related to a large 
majority of ICT transactions.
    Question 3. Part of what has enabled foreign ICT components to 
become so ubiquitous throughout the Federal supply chain is the desire 
for less expensive products.
    Moving forward, how will integrating supply chain security 
requirements into Federal purchasing requirements affect cost?
    Answer. In the absence of a clear set of requirements, it is 
difficult to make a clear determination. There are a number of factors 
which might increase the cost and that should be taken into 
consideration. These include: The number of different supply chain 
requirements that are introduced across Government, the depth within 
the supply chain that the industry must certify, the amount of supply 
chain information that is shared across procurements, the level of 
customization required for a certain procurement (i.e. bespoke products 
vs. commercial off-the-shelf products), and the willingness of 
Government and industry to adopt a flexible model which recognizes that 
risk is not equal in all procurements. Furthermore, if multiple Federal 
agencies promulgate supply chain requirements that are in conflict, 
divergent, or otherwise misaligned in significant respects, increased 
compliance burdens could no doubt impact overall product costs.
    Question 4. Should we anticipate spending significantly more on 
products with strong supply chain assurances?
    Answer. As noted, there are many possible cost drivers. Absent 
clarity on those factors, and others, it is not possible to provide a 
concrete response.
    Question 5. There has been more momentum behind supply chain risk 
management efforts over the past 2-1/2 years--from the establishment 
of the task force and the Federal Acquisition Security Council to the 
Executive Order.
    From your perspective, to what degree have the activities led by 
the Federal Government stimulated better supply chain risk management 
practices within the ICT sector?
    Answer. The activities led by the Federal Government have helped to 
shed light on the complex challenges that have emerged from an 
increasingly connected global ICT infrastructure and supply chain, 
which has in turn helped to highlight many of the supply chain security 
efforts already in flight across the ICT sector, as well as increasing 
coordination and sharing of best practices amongst IT, communications, 
and Federal Government stakeholders. Many of these positive attributes 
are highlighted by the work of the ICT SCRM Task Force, which recently 
issued an Interim Report detailing progress made to date on 
recommendations across 4 workstreams, plus an effort to inventory 
Federal activities and ICT best practices. The work of the task force 
has thus stimulated better supply chain risk management practices 
within the ICT sector. By bringing together parties from both the 
public and private sector to work on these issues in a coordinated 
manner, the task force has created a nexus of public-private 
collaboration and facilitated increased information sharing regarding 
supply chain threats and best practices, and this progress will be 
furthered once the recommendations offered by the task force are 
implemented.
    Question 6. What more should the Federal Government be doing?
    Answer. The Federal Government should continue to leverage public-
private sector relationships, including the ICT SCRM Task Force, 
ensuring that information continues to flow openly and allowing for 
risk to be mitigated appropriately. The Government should look to the 
ICT SCRM Task Force as a resource that can be used for supply chain 
efforts beyond the task force itself. Please see my oral testimony for 
examples of how to leverage the ICT SCRM Task Force moving forward.
    While the Federal Government's increased attention on supply chain 
security has been largely positive, some new challenges have also 
emerged, including a flurry of policy-making activity that has been 
difficult for the private sector to keep pace with. ITI recommends that 
the Federal Government work to streamline on-going supply chain risk 
management efforts, while striving to avoid duplication of efforts as 
new activities are undertaken. Coordinated approaches to supply chain 
risk management across the Federal Government will yield the best, most 
interoperable results, not only in the United States, but globally. In 
that sense, future supply chain measures and activities should be 
targeted to specific identified gaps, rather than duplicating existing 
efforts or ``reinventing the wheel.''
    Finally, the Federal Government should work to deepen relationships 
with international partners and pursue a coordinated approach to supply 
chain security. Global supply chain challenges call for globally 
scalable solutions and only through continued dialog will we be able to 
develop such solutions and avoid harmful fragmentation.
    Question 7. While it is encouraging to see the membership of the 
task force include the leaders in each of the Communications and 
Information Technology Sectors, I am concerned that the voices of 
smaller businesses are not part of the task force membership.
    How are you ensuring that small businesses' concerns are taken into 
consideration through the task force and its component Working Groups?
    Answer. The IT sector understood from the outset the importance of 
small and medium-sized businesses (SMBs) to the discussion of supply 
chain security, and that is why we made sure that SMBs are amongst 
those representing the IT sector on both the task force executive 
committee and voting membership. For your reference, task force 
participants, including SMB participants, are listed in Table 1 on page 
v of the Interim Report. Additionally, the larger companies 
participating in the task force are acutely aware of the concerns of 
SMBs, who represent the bulk of their suppliers, business partners, and 
customers. As such, the task force aspires to address the concerns of 
SMBs throughout our work--for example, the Task Force Information-
Sharing Working Group identified key challenges for SMBs to access 
supply chain risk information and recommended inclusion of an 
independent counsel to work with the SMBs. It could thus be said that 
the task force considers SMB concerns to be a cross-cutting priority. 
That said, in Year 2 of the task force, as well as considering SMBs as 
a cross-cutting priority, we are considering whether to launch an SMB-
specific workstream.
    Question 8. It appears that the task force has focused on the 
issues to the hardware in our ICT supply chain; can you describe the 
work that has been done to address software concerns?
    Answer. The task force has not focused its work exclusively on 
concerns related to hardware. In fact, much of the work of the task 
force during Year 1 has dealt with foundational topics, such as 
establishing a bidirectional supply chain information sharing 
framework, and conducting an assessment of ICT supplier-related 
threats, that encompass supply chain information and threats related to 
the full spectrum of ICT products, hardware, and services, which in the 
context of many ICT products and services are often implemented in 
integrated systems.
    During Year 2 of the task force, we expect to continue the work of 
the ICT threat assessment group, and anticipate ``phase 2'' of this 
activity to focus specifically on evaluating threats to ICT products 
(including both hardware and software elements) as well as services.
    Question 9. What protections does industry feel the task force 
needs to promote a deeper level of information sharing of supply chain 
risks?
    Answer. The Task Force Bi-Directional Information Sharing Working 
Group has identified ways that the Federal Government and industry can 
share supply chain risk information more effectively. Some high-level 
conclusions offered by that working group include that supply chain 
risk information is often available, but that accessing and utilizing 
the information can often be resource-intensive and must be prioritized 
based on risk, and that the most relevant or actionable information may 
not always be generally available, particularly from non-public sources 
(e.g., audit firms and sensitive/business proprietary information). 
Further, information sensitivity is another factor, as is the form of 
this type of information, which is often decentralized and therefore 
difficult to share readily, securely, and at scale.
    Question 10. As the Federal Government seeks to improve its supply 
chain risk management policies, how should it approach requesting 
information from vendors further down the supply chain without being 
burdensome?
    Answer. Any request for detailed supply chain information adds work 
to the procurement process. In order to limit the impact, these 
requests for information should be made in a clearly-defined manner 
that is based on the risks for a particular procurement, makes clear 
how information being requested will help to mitigate the risk, and 
defines how that information will be evaluated and used during the 
procurement selection.