S 2201 Introduced - Supply Chain Security Training Act
Last month, Sen Peters (D,MI) introduced S 2201, the Supply Chain Security Training Act of 2021. The bill would require the General Services Administration to develop “a training program for officials with supply chain risk management responsibilities at executive agencies.”
Definitions
Section 4 of the bill provides the definitions of four key terms used in the legislation. One of those terms is key to the discussion here:
Information and Communication Technology – This term is defined by reference to 41 USC 4713(k).
Training Program
GSA would be given 180 to develop the training program that would be “designed to prepare such personnel to perform supply chain risk management activities and identify and mitigate supply chain security threats that arise throughout the acquisition lifecycle, including for the acquisition of information and communications technology.” It would include information on current, specific supply chain security threats.
During the development of this training program, GSA would be required to coordinate with theFederal Acquisition Security Council, the Secretary of Homeland Security, and the Director of the Office of Personnel Management, as well as consult with the Director of the Department of Defense’s Defense Acquisition University and the Director of National Intelligence.
No monies are being authorized for the development of this training program in the bill.
Moving Forward
This bill will be marked-up by the Senate Homeland Security and Governmental Affairs Committee, the committee to which this bill was assigned for consideration, tomorrow. The bill will almost certainly be approved by a strong bipartisan majority.
The bill is unlikely to be brought to the floor of the Senate in its current form. It is just not important enough to take up the time of the Senate for it to be considered under regular order. The increasingly confrontational partisanship in the Senate is decreasing the effective use of the unanimous consent process for the consideration of bipartisan bills like this. I would not be surprised to see this language added to spending or authorization bill as a mode to get it to the President’s desk.
Commentary
While this bill is relatively innocuous, it does suffer from a rather obvious oversight, the lack of definition of the very important term ‘supply chain risk’. While the crafters of this bill almost certainly were concerned with protecting electronic equipment being bought by the federal government from cybersecurity hazards wrought by the physical substitution, modification or adulteration during the movement of that equipment through the supply chain to the governmental end-user, the COVID-19 pandemic has clearly shown us that ‘supply chain security’ is much more complicated than that. Ensuring that the country has access to an adequate supply of surgical masks and precursor chemicals for pharmaceuticals is an important, but completely different supply chain security consideration than the cybersecurity concerns probably targeted here.
To ensure that the cybersecurity related concerns are the focus of the requirements of this bill would require two small modifications. First, a revision of §2(a):
(a) In General.—Not later than 180 days after the date of the enactment of this Act, the Administrator of General Services, through the Federal Acquisition Institute, shall develop a training program for officials with supply chain risk management responsibilities for covered procurement at executive agencies.
Then there would be an addition required in §4 to provide the following definition of ‘covered procurement’:
(5) COVERED PROCUREMENT.—The term ‘covered procurement’ has the meaning given the term in section 4713(k) of title 41, United States Code.