
Two US senators have proposed a bill this week that aims to address the issues with software and IT services provided to the US government and its agencies.

Named the "Federal Acquisition Supply Chain Security Act" (FASCSA), the bill addresses "supply-chain attacks," a term used to describe cyber-incidents in which an attacker compromises software or services a target relies on in order to gain visibility inside its operations.

The purpose of the new bill is to create a special council (named the Federal Acquisition Security Council) that will be tasked with reviewing software and services together with US intelligence agencies, and with drafting policies and recommendations to prevent the US government from using software from contractors with ties to other governments.

FASCSA is a direct response to the Kaspersky and ZTE bans

The bill is a direct reaction to the recent scandals that have involved Kaspersky Lab and ZTE.

Last year, the US government banned the use of Kaspersky software on computers that are part of the federal network, claiming the Russian antivirus vendor has ties to the Russian intelligence apparatus.

Kaspersky rejected the claims and unsuccessfully tried to have the ban lifted, only to see it spread to other countries such as the UK, the Netherlands, and Lithuania.

This year, the US government banned US companies from selling components to ZTE, a hardware vendor which it believes has close ties to the Chinese government and which has broken US economic sanctions on numerous occasions, only to later see President Trump step in and thwart some of those efforts.

Also this year, citing the same fears that Chinese companies provide data to the Chinese government, US legislators proposed two bills to ban US government agencies from buying, using, or contracting Chinese-made telecommunications equipment or services altogether. The bills specifically name Chinese equipment manufacturers such as Huawei, ZTE, Datang, and Zhongxing.

FASCSA wants to prevent supply-chain issues before they happen

Under the new FASCSA, the Council it plans to set up will be tasked with determining current supply-chain threats and with helping the US government shed some of its suspicious IT suppliers and avoid signing new contracts with them.

The Council will have to work together with the US public and private intelligence and cyber-security communities. According to FASCSA's text, the following will have a seat on the Council:

- The Office of Management and Budget
- The General Services Administration
- The Department of Homeland Security
- The Office of the Director of National Intelligence
- The Federal Bureau of Investigation
- The Department of Defense
- The National Institute of Standards and Technology
- Other executive agencies as determined by the Chairperson of the Council

"We need to have a system in place that will allow us to address risks before it becomes an issue nationwide," said Senator James Lankford (R-OK), who introduced the bill together with Senator Claire McCaskill (D-MO).

"This bipartisan bill will help to clarify each government agency's role and responsibility and protect the federal government from IT security threats through strengthening supply chain risk management," he added.

"Our bill creates a government-wide approach to solving supply chain security issues in federal acquisitions," the Senator added on Twitter.
