Executive Order 14017 on Securing America's Supply Chains
On February 24, 2021, President Biden signed Executive Order 14017 on America’s Supply Chains to strengthen the resilience of U.S. supply chains. The Executive Order directed the Department of Commerce (DOC) and the Department of Homeland Security (DHS) to, “submit a report on supply chains for critical sectors and subsectors of the information and communications technology (ICT) industrial base (as determined by the Secretary of Commerce and the Secretary of Homeland Security), including the industrial base for the development of ICT software, data, and associated services.”
In response, DOC and DHS developed a one-year report titled, Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry, that:
- Defines the critical sectors and subsectors supporting the ICT industry,
- Evaluates current supply chain conditions,
- Identifies key risks that threaten to disrupt those supply chains, and
- Proposes eight recommendations to mitigate risk and strengthen supply chain resiliency.
For this assessment, the scope of the ICT industrial base consists of communications hardware, computing and data storage hardware, end-user devices, as well as critical software including open-source software and firmware (these products were identified, in part, based on CISA’s National Critical Functions effort).
The ICT industry produces the technologies that individuals, companies, and governments alike rely on to connect and protect our society. The reliance on ICT products across all critical infrastructure sectors of the economy underscores the critical importance of this industry to U.S. economic growth and national security. While U.S. companies continue to lead on design innovation for products including communications equipment, computer and data storage, and end-user devices, manufacturing for these products has largely shifted to Asia, and China in particular.
The risks of ceding much of the ICT manufacturing supply chain to Asia has become apparent during the COVID-19 pandemic, when the U.S. ICT industry experienced supply chain disruptions that reduced the availability and timeliness of critical ICT components and products. The report analyzes the impact of this loss of domestic manufacturing and also evaluates the current supply chain conditions for select hardware and software products, key risks that threaten to disrupt those supply chains, the robustness of the domestic ICT workforce, as well as impacts from climate related issues.
To strengthen supply chain resiliency, DHS and DOC provided the following eight recommendations as part of a comprehensive, long-term strategy.
- Revitalize the U.S. ICT Manufacturing Base: Support domestic investment and production of key ICT products, potentially including printed circuit boards (PCBs) and semiconductors, through appropriate federal procurement incentives and funding of programs like Title III of the Defense Production Act and the Creating Helpful Incentives to Produce Semiconductors for America Act.
- Build Resilience through Secure and Transparent Supply Chains: Promote supply chain risk management practices through procurement and monitoring efforts such as implementing an Assured Supplier Program for PCBs for Federal Government and establishing a Critical Supply Chain Resilience Program at the Department of Commerce.
- Collaborate with International Partners to Improve Supply Chain Security and Resiliency: Improve international engagements through existing fora to advance shared interests in the ICT industry. These interests include bolstering supply chain security and diversity for critical products, strengthening trade enforcement, and enhancing participation in international standards development.
- Invest in Future ICT Technologies: Sustain the research and development (R&D) ecosystem through federal programs and legislation by supporting and expanding programs aimed at bringing nascent technologies to market as well as advancing manufacturing technologies.
- Strengthen the ICT Workforce Pipeline: Support and expand programs that attract, educate, and train the ICT workforce by enhancing computer science curricula and investing in multiple secondary and post-secondary pathways, including through registered apprenticeships, career and technical education programs, and community college programs. Grant investments should be aligned with employer-led sectoral partnerships that ensure training is linked to real-world job opportunities.
- Ensure Sustainability Remains a Cornerstone of ICT Development: Promote adoption of enhanced labor and environmental standards and the adoption of more sustainable ICT production facilities through financial incentives and government programs.
- Engage with Industry Stakeholders on Resiliency Efforts: Strengthen public-private engagements to promote awareness and adoption of risk mitigation techniques and best practices for securing the ICT supply chain.
- Continue to Study the ICT Industrial Base: Conduct further industrial base studies on critical ICT products such as PCBs and related microelectronics to monitor industry developments and guide long-term policy planning.
Actions DHS/CISA Are Taking
Within those eight recommendations, below are the immediate actions DHS/CISA are taking.
Recommendation: Revitalize the U.S. ICT Manufacturing Base
Support the private sector in expanding manufacturing capacity through financial incentives and procurement preference:
Incentivize the U.S. government’s purchase of ICT products, services, and components to be made by domestic producers and service providers, particularly small to mid-size manufacturers. In addition, implement enhanced Buy American Act provisions that incentivize the production of ICT products and services which bring significant revenue to the U.S. economy, including design contribution, and with tolerances for assembly in allied or partner nations.
Recommendation: Build Resilience through Secure and Transparent Supply Chains
Promote supply chain risk management practices through procurement and monitoring efforts:
Continue to support the supply chain transparency and resilience work of CISA’s ICT Supply Chain Risk Management (SCRM) Task Force as it focuses on key issues such as identifying appropriate information for the development of a baseline hardware bill of materials template that organizations can use when procuring or deploying ICT products as well as identifying ways in which small and medium-sized ICT businesses can strengthen their supply chain resilience.
In support of the National Strategy to Secure 5G, CISA will continue to lead 5G risk management efforts so the U.S. can fully benefit from all the advantages 5G connectivity promises to bring. The CISA 5G Strategy establishes five strategic initiatives that stem from the four lines of effort defined in the National Strategy to Secure 5G. Guided by three core competencies: Risk Management, Stakeholder Engagement, and Technical Assistance, these initiatives include associated objectives to ensure there are policy, legal, security, and safety frameworks in place to fully leverage 5G technology while managing its significant risks.
Continue to advance the work of CISA’s Joint Cyber Defense Collaborative (JCDC). Established in August 2021, the JCDC leverages new authorities provided by the National Defense Authorization Act (NDAA) of 2021 to bring partners—including those in federal and state, local, tribal, and territorial governments and the public and private sectors—together to unify defensive actions and drive down risk in advance of cyber incidents occurring. This collaboration is designed to strengthen the nation’s cyber defenses through planning, preparation, and information sharing. As a community, the JCDC deploys innovation, collaboration, and imagination to protect American businesses, government agencies, and the American people against malicious cyber activity.
Advance the work of the Federal Acquisition Security Council (FASC). The FASC is an interagency body tasked with enhancing the security, resiliency, and reliability of federal ICT by developing uniform criteria for programs across federal agencies; improving information sharing on supply chain risk, including government to government, government to industry, and industry to industry; and setting forth procedures for making exclusion and removal determinations for any ICT considered to represent a security risk. Additionally, the FASC has appointed DHS, acting through CISA, as the executive agency for overseeing information sharing guidance that it sets forth.
Recommendation: Collaborate with International Partners to Improve Supply Chain Security and Resilience
Improve international collaboration to advance shared interests:
Enhance federal government participation in global ICT standards development activities and encourage U.S. companies to also increase participation in such activities. This includes promoting awareness and adoption of existing international standards, risk mitigation techniques, and best practices used for securing the ICT supply chain with subject-matter experts and foreign partners.
DHS will continue to participate and advance the work of the Committee on Foreign Investment in the United States (CFIUS). CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the U.S. to determine the effect of such transactions on the national security of the U.S. On February 13, 2020, regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) took effect to expand the jurisdiction of CFIUS. FIRRMA now requires investors to file mandatory declarations for transactions in certain critical technologies, critical infrastructure, or the personal data of U.S. nationals. These businesses are known as TID businesses (technology, infrastructure, and data).
Through the Committee for the Assessment of Foreign Participation in the United States Telecommunications Sector or “Team Telecom,” DHS will continue to assist the Federal Communications Commission (FCC) in its public interest review of national security and law enforcement concerns that may be raised by foreign participation in the U.S. telecommunications sector.
Recommendation: Invest in Future ICT Technologies
Sustain the R&D ecosystem through federal programs and legislation:
- DHS will continue to invest in early-stage R&D projects and products, including those in the ICT space, through several of its programs including the Silicon Valley Innovation Program, the Small Business Innovation Research Program, and the National Urban Security Technology Laboratory.
Recommendation: Engage with Industry Stakeholders on Resiliency Efforts
Strengthen public-private engagements:
Continue to build and leverage existing public-private partnerships such as CISA’s ICT Supply Chain Risk Management (SCRM) Task Force. These partnerships are crucial to developing and incentivizing an information sharing community among industry players that will help to inform industry, the public, and the government about risks facing ICT supply chains. Over the past two years, the Task Force has produced groundbreaking studies and developed resources to assess the trustworthiness of vendors and suppliers, and analyze and mitigate threat scenarios for ICT products and services. The Task Force has also developed recommendations to improve the sharing of supply chain risk information between government and industry, and guidance on how to build more resilient ICT supply chains.