DHS RFI Tackles ICT Supply Chain Risk, Rogue Functionality


The Department of Homeland Security today released a request for information (RFI) calling on the private sector to provide DHS with information on strategies and tools to augment its cyber supply chain risk management program.

In particular, DHS wants to know if there are solutions that can spot hidden malware or rogue functionality in information and communications technology (ICT) products – driven by fears that companies with nation-state ties could be seeking to undermine U.S. critical infrastructure by hiding malicious code in products used by customers in the United States.

“The government seeks information about capabilities that enable identification and mitigation of ICT products (e.g., hardware, software, devices) that may contain potentially malicious functionality, are counterfeit, are vulnerable due to deficient manufacturing practices within the supply chain, or are otherwise determined to enable or constitute a threat to the United States,” DHS wrote in the RFI.

DHS also asked for information on supply chain risks posed by “ICT-based services,” such as cloud and managed services, and capabilities to combat those risks.

DHS announced an ICT Supply Chain Task Force on July 31, and it appears the agency is quickly seeking to increase industry outreach to combat perceived supply chain threats.

Because of the government’s reliance on vendors who support critical infrastructure, DHS said “the global ICT supply chain is a significant source of risk to the nation.” The government has already moved to ban Chinese firms Huawei and ZTE from doing business with the Federal enterprise due to perceived supply chain threats. Prior to that, Russian-linked Kaspersky Labs was barred from working with the government.

The goal, the RFI says, is to come up with a tool that can help assess cyber risk, presumably across all U.S. critical infrastructure sectors. “DHS intends to use the information received in response to this RFI for planning purposes and to help define requirements for a cyber supply chain risk assessment capability to support stakeholders,” it said.

DHS said it wants a capability that is: affordable, automated, scalable, extensible, consistent, and that enables information-sharing and minimizes duplication of effort.

Interested parties have until October 10 to respond to the RFI, which includes specific criteria on how to describe and price industry capabilities on offer to DHS.