On October 20, the House of Representatives passed five bills with overwhelming bipartisan support that aim to promote supply chain and network security.  This post will focus on one bill directed to the Department of Homeland Security (“DHS”), and two bills directed to the Department of Commerce (“DOC”).  While these legislative measures are directed towards U.S. government entities, and thus may not (on their face) appear applicable to corporate supply chains, if enacted, these bills could result in changes to laws, regulations, and policies down the line that impact compliance measures for companies.

DHS Software Supply Chain Risk Management Act of 2021 (H.R. 4611)

The DHS Software Supply Chain Risk Management Act would direct DHS to modernize its information and communication technology or services acquisitions process by requiring the Under Secretary for Management to issue Department-wide guidance to require DHS contractors to submit software bills of materials that identify the origins of each component of the software furnished to DHS.

Background

Increasingly sophisticated cyberattacks have become a larger threat to U.S. national security, especially when they are directed against government agencies.  In many cases, the cyberattack is not directed against government agency systems themselves, but against the contractors that supply software and other information technology (IT) services to federal agencies.  For example, the 2020 SolarWinds cyber-espionage campaign, which compromised numerous government agencies, began when hackers were able to breach the cybersecurity of the company that provided commercial software to the agencies.  By adding spyware to the software on the supplier end, the hackers were able to infiltrate the agencies indirectly, and the complexity of some software supply chains allows for multiple points of infiltration.  In order to identify risks in its own supply chain, DHS needs information from its IT contractors on the software used in their systems.  In addition to securing its own systems, DHS can use this information to increase awareness of vulnerabilities across the government’s supply chain.

Summary

This bill requires DHS to issue guidance for new and existing contracts for the procurement of certain IT and communications products and services for the Department to help ensure they are secure from spyware or other cybersecurity vulnerabilities.  Specifically, the guidance must require the contractor to submit a list of parts and components of the end product or service to the department, along with either a certification that the components are free from known vulnerabilities or defects or a notification of possible vulnerabilities.  For new contracts, the bill of materials and certifications must be submitted with the proposed bid, while for existing contracts, the information must be updated in a timely manner.  The new guidance would take effect within 180 days of enactment, and the Government Accountability Office must report to Congress within one year on implementation of the bill’s provisions along with recommendations for improving the security of the supply chain for IT and communications products.

Next Steps

The House-passed bill has been received in the Senate and referred to the Senate Committee on Homeland Security and Governmental Affairs.  The measure now awaits a mark-up by the committee before consideration by the full Senate.

Information and Communication Technology Strategy Act (H.R. 4028)

The Information and Communication Technology Strategy Act would require the DOC to report on and develop a whole-of-Government strategy with respect to the economic competitiveness of the information and communication technology supply chain.

Background

In recent years there have been major security concerns surrounding foreign-owned companies (particularly from China) offering U.S. companies inexpensive communications equipment for installation on their networks — which could potentially be used as a “back door” into U.S. corporate and military computer systems.  As a result of past heavy investment in equipment development and manufacturing from China, U.S. companies largely retreated from the business.  Few U.S. companies currently sell telecommunications network equipment — the one exception being Cisco, which sells some equipment that resides in the innermost parts of a carrier’s network.  Cisco, however, does not compete in the market for the cell-tower equipment that allows cell sites to connect with smartphones and other mobile devices.  While Sweden’s Ericsson and South Korea’s Samsung have gained some market share in the United States (especially after pressure from the U.S. government for domestic networks and foreign allies to use those companies over Chinese ones), many believe that reinvigorating U.S. telecommunications equipment manufacturers is necessary to ensure the nation’s security.

Summary

This bill requires the DOC to report to Congress on the economic competitiveness of trusted vendors to the U.S. government and to U.S. companies in the information and communication technology supply chain, and to use that report to create a whole-of-government strategy to ensure the competitiveness of trusted vendors in the United States.  Specifically, the report, which is due within one year of enactment, must assess the competitiveness of information and communications technology vendors, assess the dependence of these vendors on foreign actors, and identify what federal resources are needed to reduce the dependence of information and communications vendors on foreign actors.  Within six months of the report’s submission to Congress, the DOC must create a whole-of-government strategy to bolster the economic competitiveness of U.S. information and communications vendors and reduce their reliance on foreign resources.

Next Steps

The House-passed bill has been received in the Senate and referred to the Senate Committee on Commerce, Science, and Transportation.  The measure now awaits a mark-up by the committee before consideration by the full Senate.

Open RAN Outreach Act (H.R. 4032)

The Open RAN Outreach Act would strengthen the diversity of U.S. wireless networks and protect the supply chain from reliance on untrusted technology companies.

Background

A radio access network, such as those that make up a cell phone network, consists of cell sites and their subcomponents such as radios, hardware and software.  Many carriers today use a closed or proprietary network, meaning that they need to use a single vendor or manufacturer end-to-end, which can be more expensive.  This can place a substantial cost burden on smaller carriers, which may try to reduce costs by using cheaper, Chinese-owned alternatives such as Huawei.  Currently, there are only three major non-Chinese companies (Ericsson, Samsung and Nokia) that produce end-to-end network equipment.  An Open Radio Access Network (“Open-RAN”) is an open network infrastructure that allows different components of the network to be produced by different companies — leading to a more diverse and competitive supply chain for carriers.

Summary

This bill requires the National Telecommunications and Information Administration within the DOC to provide outreach and technical assistance to small communications network providers regarding how to use Open-RAN technologies.  Under the measure, the outreach must include the provision of information on the uses, benefits and shortcomings of open networks, and how to participate in the federal Wireless Supply Chain Innovation grant program — which provides funds that can be used to replace Chinese-made equipment in U.S. wireless infrastructure.

Next Steps

The House-passed bill has been received in the Senate and referred to the Senate Committee on Commerce, Science, and Transportation.  The measure now awaits a mark-up by the committee before consideration by the full Senate.

Author

Bruce Linskens is a Senior Analyst for International and Legislative Affairs in Baker McKenzie's Washington office. He assists clients with compliance matters extending into federal legislative, regulatory, and policy issues.