Commercial Products and Services Committee
June 14, 2018
Cochair Jeff Clayton introduced guest speaker Robert (Bob) Metzger on the subject of supply chain security. Bob opened by noting several recent cybersecurity incidents. Then he set forth a risk-based assessment model for cybersecurity systems. “The supply chain threat is present — actual, not conjectural.” Nevertheless, he said, finding solutions is very difficult; it will require leadership from Congress, heads of departments, industry, and the president. Bob particularly noted the importance of regulatory and consumer agencies.
He touched on the use of inadequate cybersecurity as a criterion for an offeror’s nonresponsibility, which could involve the Small Business Administration as well as contracting agencies. This in turn raises the question of whether the agencies have the expertise to make such a determination. In answer to Herman’s question, Bob noted that, at present, there are no generally recognized standards for cybersecurity adequacy (analogous, for example, to those of Underwriters Laboratories (UL)).
In any event, Bob said, there are limits on the present federal approaches. Among other things, voluntary measures may not be adopted, trust-based “compliance” is inadequate, present procurement measures are insufficient, supply chain risk persists throughout the life cycle, connected systems add complications, and adversaries may exploit new standards. In short, “[t]here is an emerging consensus among government leadership (executive branch and Congress) that present security measures are insufficient and that new strategies, policies, and methods are necessary. A ‘whole of government’ approach is needed,” he said, and DoD will lead it.
In conclusion, Bob emphasized that improved cybersecurity is a work in progress.