Promoting the Sharing of Supply Chain Security Risk Information Between Government and Communications Providers and Suppliers

Published date: 12 June 2020
Citation: 85 FR 35919
Record Number: 2020-12780
Section: Notices
Agency: National Telecommunications and Information Administration
[Federal Register Volume 85, Number 114 (Friday, June 12, 2020)]
                [Notices]
                [Pages 35919-35922]
                From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
                [FR Doc No: 2020-12780]
                -----------------------------------------------------------------------
                DEPARTMENT OF COMMERCE
                National Telecommunications and Information Administration
                [Docket No. 200609-0154]
                RIN 0660-XC046
                Promoting the Sharing of Supply Chain Security Risk Information
                Between Government and Communications Providers and Suppliers
                AGENCY: National Telecommunications and Information Administration,
                U.S. Department of Commerce.
                ACTION: Notice, request for public comment.
                -----------------------------------------------------------------------
                SUMMARY: Section 8 of the Secure and Trusted Communications Network Act
                of 2019 (Act) directs the National Telecommunications and Information
                Administration (NTIA), in cooperation with other designated federal
                agencies, to establish a program to share supply chain security risk
                information with trusted providers of advanced communications service
                and suppliers of communications equipment or services. Through this
                Notice and in accordance with the Act, NTIA is requesting comment on
                ways to facilitate the sharing of security risk information with such
                trusted providers. These comments will inform the program that NTIA
                establishes under the Act.
                DATES: Comments are due on or before July 13, 2020.
                ADDRESSES: Written comments may be submitted by email to
                [email protected]. Written comments also may be submitted by
                mail to the National Telecommunications and Information Administration,
                U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725,
                Attn: Evelyn L. Remaley, Associate Administrator, Office of Policy
                Analysis and Development, Washington, DC 20230. For more detailed
                instructions about submitting comments, see the ``Instructions for
                Commenters'' section at the end of this Notice.
                FOR FURTHER INFORMATION CONTACT: Megan Doscher, National
                Telecommunications and Information Administration, U.S. Department of
                Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230;
                telephone (202) 482-2503; [email protected]. Please direct media
                inquiries to NTIA's Office of Public Affairs, (202) 482-7002, or at
                [email protected].
                SUPPLEMENTARY INFORMATION: Section 8 of the Secure and Trusted
                Communications Network Act of 2019 (Act) directs NTIA, in cooperation
                with the Office of the Director of National Intelligence, the
                Department of Homeland Security (DHS), the Federal Bureau of
                Investigation, and the Federal Communications Commission (FCC), to
                establish a program to share ``supply chain security risk'' information
                with trusted providers of ``advanced communications service'' and
                suppliers of communications equipment or services.\1\ As part of that
                program, NTIA must ``conduct regular briefings and other events'' to
                share information with trusted providers and suppliers and ``engage''
                with such providers and suppliers, particularly those that are small
                businesses or that primarily serve rural areas.\2\ NTIA must also
                develop, and submit to Congress, a plan for declassifying material,
                when feasible, and expediting and expanding the provision of security
                clearances to facilitate information sharing from the Federal
                government to trusted providers and suppliers.\3\ Therefore, we request
                comments on several key terms in the Act, as well as on steps that
                should be taken to best achieve the purposes of the Act.
                ---------------------------------------------------------------------------
                 \1\ Secure and Trusted Communications Network Act of 2019,
                Public Law 116-124, Sec. 8, 134 Stat. 158, 168 (2020) (codified at 47
                U.S.C. 1607).
                 \2\ See id. Sec. 8(a)(2)(A), (B).
                 \3\ See id. Sec. 8(a)(2)(C).
                ---------------------------------------------------------------------------
                 1. Key Terms:
                 NTIA seeks information to clarify key terms in the Act.
                Supply Chain Security Risk Information
                 The Act defines ``supply chain security risk'' information to
                include ``specific risk and vulnerability information related to
                equipment and software.'' \4\ NTIA's identification of supply chain
                security risk information will be aided by other ongoing U.S.
                Government activities to detect potential security risks to information
                and communications technology (ICT) supply chains. For example, this
                effort will be informed by all relevant activities of the National
                Strategy to Secure 5G, which focuses not only on the identification of
                information security risks, but on broader strategic risks to the U.S.
                economy and national security, including risks to the global 5G market,
                capabilities and infrastructure. Defining ``supply chain security
                risk'' to encompass national security and economic risk will reinforce
                the Act's purpose to safeguard the economy and national critical
                infrastructure against these risks.\5\
                ---------------------------------------------------------------------------
                 \4\ Id. Sec. 8(c)(3).
                 \5\ See Executive Office of the President, National Strategy to
                Secure 5G of the United States of America, March 2020, available at
                https://www.whitehouse.gov/wp-content/uploads/2020/03/National-Strategy-5G-Final.pdf.
                ---------------------------------------------------------------------------
                 NTIA will also be informed by key terms established by the Federal
                Acquisition Supply Chain Security Act of 2018, which established the
                Federal Acquisition Security Council (FASC), which is developing,
                within the Federal government, risk information sharing policies and
                procedures comparable to those that the Act contemplates for
                interactions between the Federal government and the private sector.\6\
                That legislation defines ``supply chain risk'' by reference to 41
                U.S.C. 4713, which in turn defines the term to mean ``the risk that any
                person may sabotage, maliciously introduce unwanted function, extract
                data, or otherwise manipulate the design, integrity, manufacturing,
                production, distribution, installation, operation, maintenance,
                disposition, or retirement of covered articles so as to surveil, deny,
                disrupt, or otherwise manipulate the function, use, or operation of
                covered articles or information stored or transmitted on the covered
                articles.'' \7\
                ---------------------------------------------------------------------------
                 \6\ See Federal Acquisition Supply Chain Security Act of 2018,
                Public Law 115-390, Tit. II, Sec. 202, 132 Stat. 5173, 5180-81
                (2018) (codified at 41 U.S.C. 1323(a)).
                 \7\ 41 U.S.C. 4713(k)(6).
                ---------------------------------------------------------------------------
                 NTIA will also consider key terms defined by other bodies, such as
                the DHS ICT Supply Chain Risk Management Task Force (DHS Task Force),
                which provides a forum for government-private sector collaboration on
                supply chain issues and provides advice and recommendations on ways to
                assess and mitigate risks to the ICT supply chain.\8\ One of the DHS
                Task Force's working groups is identifying and categorizing supply
                chain threats, as well as providing background information on such
                threats, their significance, and potential impact on the ICT supply
                chain.\9\
                ---------------------------------------------------------------------------
                 \8\ See DHS, Cybersecurity and Infrastructure Security Agency,
                Information and Communications Technology Supply Chain Risk
                Management Task Force: Interim Report, at iii (Sept. 2019) (DHS Task
                Force Interim Report), available at https://www.cisa.gov/sites/default/files/publications/ICT%20Supply%20Chain%20Risk%20Management%20Task%20Force%20Interim%20Report%20%28FINAL%29_508.pdf. For a list of Task Force members and
                contributors, see id. at v-vi.
                 \9\ See id. at 17-18.
                ---------------------------------------------------------------------------
                Trusted Providers and Suppliers
                 NTIA seeks comment on clarifying the term ``trusted
                providers and suppliers.'' The Act requires information sharing only
                with ``trusted'' providers and suppliers--entities ``not owned by,
                controlled by, or subject to the influence of a foreign adversary.''
                \10\ In identifying the providers and suppliers that are ineligible
                under the Act, NTIA will rely on the designations set forth in
                Section 2(c)(1)-(4) of the Act. Accordingly, ineligible providers
                and suppliers will be determined by:
                ---------------------------------------------------------------------------
                 \10\ Act, Sec. 8(c)(4).
                ---------------------------------------------------------------------------
                 (1) Any executive branch interagency body with appropriate national
                security expertise, including the Federal Acquisition Security Council;
                 (2) the Department of Commerce pursuant to Executive Order No.
                13873;
                 (3) the equipment or service being covered is telecommunications
                equipment or services, as defined in section 889(f)(3) of the John S.
                McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L.
                115-232; 132 Stat. 1918); or
                 (4) an appropriate national security agency.
                Foreign Adversaries
                 NTIA directs commenters to the Act's definition of ``foreign
                adversary,'' which is identical to that in Executive Order 13873,
                ``Securing the Information and Communications Technology and Services
                Supply Chain'' (E.O. 13873).\11\ E.O. 13873 directs the Secretary of
                Commerce to review, and where necessary, prohibit transactions
                involving entities owned, controlled, or subject to foreign adversaries
                that pose unacceptable risks to the U.S. ICT and services supply
                chain.\12\ NTIA notes that the determination of ``foreign adversary''
                for purposes of implementing E.O. 13873 is a matter of executive branch
                discretion and will be made by the Secretary in consultation with the
                other agencies identified in the E.O. To ensure consistency of action
                across the Federal government, in identifying the providers and
                suppliers that are eligible under the Act to receive supply chain
                security risk information, NTIA will rely on pertinent decisions by the
                Secretary of Commerce under E.O. 13873, as well as other relevant
                federal determinations.
                ---------------------------------------------------------------------------
                 \11\ Executive Order 13873, ``Securing the Information and
                Communications Technology and Services Supply Chain,'' 84 FR 22,689
                (2019).
                 \12\ Compare id. Sec. 8(c)(2) with Executive Order 13873, Sec.
                3(b), 84 FR 22,689, 22,691 (2019).
                ---------------------------------------------------------------------------
                Advanced Communications Service
                 Finally, NTIA seeks comment on the term, ``advanced communications
                service.'' The Act directs NTIA to share risk information only with
                trusted providers of ``advanced communications service,'' which the
                legislation equates with ``advanced telecommunications capability'' as
                defined in section 706 of the Telecommunications Act of 1996.\13\ As
                for mobile services, the FCC has determined that 4G Long Term Evolution
                services offering transmission speeds between 5Mbps/1Mbps and 10Mbps/
                3Mbps are the ``best proxy'' for advanced mobile service.\14\
                ---------------------------------------------------------------------------
                 \13\ See Act, Sec. 9(1). Advanced telecommunications capability
                ``is defined, without regard to any transmission media or
                technology, as high-speed, switched, broadband telecommunications
                capability that enables users to originate and receive high-quality
                voice, data, graphics, and video telecommunications using any
                technology.'' Public Law 104-104, Sec. 706(c)(1), 110 Stat. 56, 153
                (1996) (codified at 47 U.S.C. 1302(d)(1)).
                 \14\ Inquiry Concerning Deployment of Advanced
                Telecommunications Capability to All Americans in a Reasonable and
                Timely Manner, 2019 Broadband Deployment Report, 34 FCC Rcd 3857,
                3863-64, ¶ 16 (2019). Act, Sec. 8(c)(4).
                ---------------------------------------------------------------------------
                 Questions:
                 What sorts of risks and vulnerabilities should be covered
                by the language ``specific risk and vulnerability information related
                to equipment and software''?
                 What information, if any, is unique to ``supply chain risk
                information''? In other words, to avoid the re-creation of existing
                threat and vulnerability information sharing programs, what types of
                specific, enhanced, or aggregated threat and vulnerability information
                would be helpful to the private sector to identify, avoid, or mitigate
                ICT supply chain risks? What information do suppliers and providers
                need to make informed, risk-based security and transactional decisions?
                 Are there supply chain security risks beyond those
                Congress specified that should be included in an information security
                program?
                 To what extent should NTIA's program be aligned with the
                actions of the FASC in determining whether an identified threat is a
                ``security risk''?
                 Section 4 of the Act sets a limit of 2,000,000 customers
                for the Act's ``remove and replace'' reimbursement program. Is this
                also an appropriate measure to determine small business and rural
                service provider participation in the program, as required by
                Section 8(a)(2)(B)? Would that metric cause any key small or rural
                providers or suppliers to be missed?
                 Are there other factors aligned with the Act that should
                be considered in determining ``trusted'' providers and suppliers
                eligible for the program?
                 Should NTIA rely on the FCC's benchmarks for ``advanced''
                communications services to implement its information sharing program
                and, if so, what would be the implications for achieving the purposes
                of the Act?
                 2. Information Sharing Policies and Procedures:
                 As noted, the Act requires NTIA to share security risk information
                with trusted providers and suppliers via ``regular briefings and other
                events.'' It also requires NTIA to ``engage'' with trusted parties,
                particularly small businesses or those serving rural areas. Although
                the Act mentions small and rural providers and suppliers only in the
                context of engagements with the Federal government, NTIA believes those
                entities should be the principal focus of the information sharing
                program. The Act's overarching goal is the establishment of an FCC
                program to reimburse smaller providers for removing from their networks
                and replacing equipment and services that threaten national
                security.\15\ Congress deemed reimbursement for such entities
                appropriate because it believed that smaller providers did not receive
                a sufficient ``heads-up by our government'' about the security risks
                posed by certain equipment and services and thus made procurement
                decisions based on the ``bottom line.'' \16\ The information sharing
                program mandated by Section 8 of the Act was intended to ``fix this
                information gap by ensuring that [small, rural providers] have access
                to the information they need to keep their networks and Americans
                secure.'' \17\ Accordingly, NTIA plans to structure that program
                primarily to promote the flow of risk information from the government
                to small and rural providers and suppliers. We request comment on that
                approach.
                ---------------------------------------------------------------------------
                 \16\ See 165 Cong. Rec. H10286 (daily ed. Dec. 16, 2019)
                (remarks of Rep. Doyle).
                 \17\ Id. (remarks of Rep. Latta).
                ---------------------------------------------------------------------------
                 Because much security risk information is also highly sensitive,
                caution must be exercised in disseminating it. Briefings and events
                involving multiple participants or attendees, for example, risk
                exposing sensitive information or placing it in the wrong hands. NTIA
                seeks to balance the need to safeguard this information with the Act's
                requirement to share it with trusted providers and suppliers. NTIA
                notes that security risk information is available either publicly or
                from non-government sources on various terms.\18\ For example, Congress
                and the Executive Branch raised concerns about the security risks posed
                by certain Chinese equipment suppliers as early as a decade ago.\19\
                ---------------------------------------------------------------------------
                 \18\ See, e.g., DHS Task Force Interim Report at 14-15.
                 \19\ See Protecting Against National Security Threats to the
                Communications Supply Chain Through FCC Programs, Report and Order,
                Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423,
                11425-26, ¶¶ 6-9 (2019).
                ---------------------------------------------------------------------------
                 Questions:
                 What means of sharing information best balances the
                objectives of the Act and the need to safeguard sensitive information?
                More specifically, what are the best ways for the Federal government to
                provide ``regular briefings'' to providers and suppliers? Would
                periodic public updates or notifications be useful or sufficient?
                 Should eligible providers and suppliers have an
                opportunity to request risk and vulnerability information about
                specific equipment, software, and services? Would an information
                sharing system that incorporates both ``push'' and ``pull''
                capabilities be useful, if possible?
                 Are there legal barriers that could impede the ability of
                trusted providers and suppliers to receive or act on security risk
                information from the Federal government?
                 How can publicly available security risk information be
                conveyed more expeditiously to more small and rural providers and
                suppliers?
                 What barriers (e.g., awareness, financial, legal) do small
                and rural providers and suppliers face in accessing security risk
                information from non-government sources? What could or should the
                Federal government do to eliminate or mitigate those barriers?
                 3. Information Declassification and Security Clearances:
                 NTIA's information sharing program must include a plan for
                declassifying materials, where feasible, and expanding and expediting
                the provision of security clearances to facilitate the dissemination of
                security risk information to trusted providers and suppliers. Because
                both actions potentially risk compromising the confidentiality of
                sensitive government information, NTIA is seeking additional
                information.
                 Questions:
                 How specific must security risk information be to enable
                providers and suppliers to make procurement decisions that adequately
                protect their networks, customers, and users? If, for example, the
                Federal government issues a security warning about a particular
                company, how much information do trusted providers or suppliers require
                about the reason for that warning in order to take appropriate action?
                 Is it more helpful for small and rural providers to
                receive unclassified information through typical civilian channels (for
                example, by email) or to receive more detailed classified information
                that would require a staff member to obtain a security clearance and
                could require travel to receive the classified information in person at
                a secure location?
                 What would be the best way of identifying appropriate
                staff points of contact at small and rural providers to ensure that
                they receive security risk information?
                 Have small and rural providers and suppliers encountered
                problems in attempting to obtain security clearances for staff? If so,
                what has been the nature of those difficulties?
                 How many performance-essential security clearances would
                an organization need to ensure that government-shared security risk
                information is fully incorporated into its corporate risk-based
                decision making and response? What challenges would an organization
                have, if any, in converting such information into action?
                 How should NTIA best raise awareness of this program among
                small business and rural providers?
                 Instructions for Commenters: NTIA invites comment on the full range
                of issues that may be presented in this Notice, including issues that
                are not specifically raised in the above questions. Commenters are
                encouraged to address any or all of the above questions. Comments that
                contain references to studies, research, and other empirical data that
                are not widely available should include copies of the referenced
                materials with the submitted comments. Comments submitted by email
                should be machine-readable and should not be copy-protected. Responders
                should include the name of the person or organization filing the
                comment, which will facilitate agency follow up for clarifications as
                necessary, as well as a page number on each page of their submissions.
                All comments received are a part of the public record and will
                generally be posted on the NTIA website, http://www.ntia.gov/, without
                change. All personal identifying information (for example, name,
                address) voluntarily submitted by the commenter may be publicly
                accessible. Do not submit confidential business information or
                otherwise sensitive or protected information.
                 Dated: June 9, 2020.
                Kathy Smith,
                Chief Counsel, National Telecommunications and Information
                Administration.
                [FR Doc. 2020-12780 Filed 6-11-20; 8:45 am]
                BILLING CODE 3510-60-P
                
