Promoting the Sharing of Supply Chain Security Risk Information Between Government and Communications Providers and Suppliers, 35919-35922 [2020-12780]

[Federal Register Volume 85, Number 114 (Friday, June 12, 2020)]
[Notices]
[Pages 35919-35922]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-12780]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration

[Docket No. 200609-0154]
RIN 0660-XC046


Promoting the Sharing of Supply Chain Security Risk Information 
Between Government and Communications Providers and Suppliers

AGENCY: National Telecommunications and Information Administration, 
U.S. Department of Commerce.

ACTION: Notice, request for public comment.

-----------------------------------------------------------------------

SUMMARY: Section 8 of the Secure and Trusted Communications Network Act 
of 2019 (Act) directs the National Telecommunications and Information 
Administration (NTIA), in cooperation with other designated federal 
agencies, to establish a program to share supply chain security risk 
information with trusted providers of advanced communications service 
and suppliers of communications equipment or services. Through this 
Notice and in accordance with the Act, NTIA is requesting comment on 
ways to facilitate the sharing of security risk information with such 
trusted providers. These comments will inform the program that NTIA 
establishes under the Act.

DATES: Comments are due on or before July 13, 2020.

ADDRESSES: Written comments may be submitted by email to 
supplychaininfo@ntia.gov. Written comments also may be submitted by 
mail to the National Telecommunications and Information Administration, 
U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, 
Attn: Evelyn L. Remaley, Associate Administrator, Office of Policy 
Analysis and Development, Washington, DC 20230. For more detailed 
instructions about submitting comments, see the ``Instructions for 
Commenters'' section at the end of this Notice.

FOR FURTHER INFORMATION CONTACT: Megan Doscher, National 
Telecommunications and Information Administration, U.S. Department of 
Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230; 
telephone (202) 482-2503; mdoscher@ntia.gov. Please direct media 
inquiries to NTIA's Office of Public Affairs, (202) 482-7002, or at 
press@ntia.gov.

SUPPLEMENTARY INFORMATION: Section 8 of the Secure and Trusted 
Communications Network Act of 2019 (Act) directs NTIA, in cooperation 
with the Office of the Director of National Intelligence, the 
Department of Homeland Security (DHS), the Federal Bureau of 
Investigation, and the Federal Communications Commission (FCC), to 
establish a program to share ``supply chain security risk'' information 
with trusted providers of ``advanced communications service'' and 
suppliers of communications equipment or services.\1\ As part of that 
program, NTIA must ``conduct regular briefings and other events'' to 
share information with trusted providers and suppliers and ``engage'' 
with such providers and suppliers, particularly those that are small 
businesses or that primarily serve rural areas.\2\ NTIA must also 
develop, and submit to Congress, a plan for declassifying material, 
when feasible, and expediting and expanding the provision of security 
clearances to facilitate information sharing from the Federal 
government to trusted providers and suppliers.\3\ Therefore, we request 
comments on several key terms in the Act, as well as on steps that 
should be taken to best achieve the purposes of the Act.
---------------------------------------------------------------------------

    \1\ Secure and Trusted Communications Network Act of 2019, 
Public Law 116-124, Sec.  8, 134 Stat. 158, 168 (2020) (codified at 47 
U.S.C. 1607).
    \2\ See id. Sec.  8(a)(2)(A), (B).
    \3\ See id. Sec.  8(a)(2)(C).
---------------------------------------------------------------------------

    1. Key Terms:
    NTIA seeks information to clarify key terms in the Act.

Supply Chain Security Risk Information

    The Act defines ``supply chain security risk'' information to 
include ``specific risk and vulnerability information related to 
equipment and software.'' \4\ NTIA's identification of supply chain 
security risk information will be aided by other ongoing U.S. 
Government activities to detect potential security risks to information 
and communications technology (ICT) supply chains. For example, this 
effort will be informed by all relevant activities of the National 
Strategy to Secure 5G, which focuses not only on the identification of 
information security risks, but on broader strategic risks to the U.S. 
economy and national security, including risks to the global 5G market, 
capabilities and infrastructure. Defining ``supply chain security 
risk'' to encompass national security and economic risk will reinforce 
the Act's purpose to safeguard the economy and national critical 
infrastructure against these risks.\5\
---------------------------------------------------------------------------

    \4\ Id. Sec.  8(c)(3).
    \5\ See Executive Office of the President, National Strategy to 
Secure 5G of the United States of America, March 2020, available at 
https://www.whitehouse.gov/wp-content/uploads/2020/03/National-Strategy-5G-Final.pdf.
---------------------------------------------------------------------------

    NTIA will also be informed by key terms established by the Federal 
Acquisition Supply Chain Security Act of 2018, which established the 
Federal Acquisition Security Council (FASC), which is developing, 
within the Federal government, risk information sharing policies and 
procedures comparable to those that the Act contemplates for 
interactions between the Federal government and the private sector.\6\ 
That legislation defines ``supply chain risk'' by reference to 41 
U.S.C. 4713, which in turn defines the term to mean ``the risk that any 
person may sabotage, maliciously introduce unwanted function, extract 
data, or otherwise manipulate the design, integrity, manufacturing, 
production, distribution, installation, operation, maintenance, 
disposition, or retirement of covered articles so as to surveil, deny, 
disrupt, or otherwise manipulate the function, use, or operation of 
covered articles or information stored or transmitted on the covered 
articles.'' \7\
---------------------------------------------------------------------------

    \6\ See Federal Acquisition Supply Chain Security Act of 2018, 
Public Law 115-390, Tit. II, Sec.  202, 132 Stat. 5173, 5180-81 
(2018) (codified at 41 U.S.C. 1323(a)).
    \7\ 41 U.S.C. 4713(k)(6).
---------------------------------------------------------------------------

    NTIA will also consider key terms defined by other bodies, such as 
the DHS ICT Supply Chain Risk Management Task Force (DHS Task Force), 
which provides a forum for government-private sector collaboration on 
supply chain issues and provides advice and recommendations on ways to 
assess and mitigate risks to the ICT supply chain.\8\ One of the DHS 
Task Force's working groups is identifying and categorizing supply 
chain threats, as well as providing background information on such 
threats, their significance, and potential impact on the ICT supply 
chain.\9\
---------------------------------------------------------------------------

    \8\ See DHS, Cybersecurity and Infrastructure Security Agency, 
Information and Communications Technology Supply Chain Risk 
Management Task Force: Interim Report, at iii (Sept. 2019) (DHS Task 
Force Interim Report), available at https://www.cisa.gov/sites/default/files/publications/ICT%20Supply%20Chain%20Risk%20Management%20Task%20Force%20Interim%20Report%20%28FINAL%29_508.pdf. For a list of Task Force members and 
contributors, see id. at v-vi.
    \9\ See id. at 17-18.
---------------------------------------------------------------------------

Trusted Providers and Suppliers

     NTIA seeks comment on clarifying the term ``trusted 
providers and suppliers.'' The Act requires information sharing only 
with ``trusted'' providers and suppliers--entities ``not owned by, 
controlled by, or subject to the influence of a foreign adversary.'' 
\10\ In identifying the providers and suppliers that are ineligible 
under the Act, NTIA will rely on various designations as set forth in 
Section 2(c)(1-4) of the Act. Accordingly, ineligible providers 
and suppliers will be determined by:
---------------------------------------------------------------------------

    \10\ Act, Sec.  8(c)(4).
---------------------------------------------------------------------------

    (1) Any executive branch interagency body with appropriate national 
security expertise, including the Federal Acquisition Security Council;
    (2) the Department of Commerce pursuant to Executive Order No. 
13873;
    (3) the equipment or service being covered is telecommunications 
equipment or services, as defined in section 889(f)(3) of the John S. 
McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 
115-232; 132 Stat. 1918); or
    (4) an appropriate national security agency.

Foreign Adversaries

    NTIA directs commenters to the Act's definition of ``foreign 
adversary,'' which is identical to that in Executive Order 13873, 
``Securing the Information and Communications Technology and Services 
Supply Chain'' (E.O. 13873).\11\ E.O. 13873 directs the Secretary of 
Commerce to review, and where necessary, prohibit transactions 
involving entities owned, controlled, or subject to foreign adversaries 
that pose unacceptable risks to the U.S. ICT and services supply 
chain.\12\ NTIA notes that the determination of ``foreign adversary'' 
for purposes of implementing E.O. 13873 is a matter of executive branch 
discretion and will be made by the Secretary in consultation with the 
other agencies identified in the E.O. To ensure consistency of action 
across the Federal government, in identifying the providers and 
suppliers that are eligible under the Act to receive supply chain 
security risk information, NTIA will rely on pertinent decisions by the 
Secretary of Commerce under E.O. 13873, as well as other relevant 
federal determinations.
---------------------------------------------------------------------------

    \11\ Executive Order 13873, ``Securing the Information and 
Communications Technology and Services Supply Chain,'' 84 FR 22,689 
(2019).
    \12\ Compare id. Sec.  8(c)(2) with Executive Order 13873, Sec.  
3(b), 84 FR 22,689, 22,691 (2019).
---------------------------------------------------------------------------

Advanced Communications Service

    Finally, NTIA seeks comment on the term, ``advanced communications 
service.'' The Act directs NTIA to share risk information only with 
trusted providers of ``advanced communications service,'' which the 
legislation equates with ``advanced telecommunications capability'' as 
defined in section 706 of the Telecommunications Act of 1996.\13\ As 
for mobile services, the FCC has determined that 4G Long Term Evolution 
services offering transmission speeds between 5Mbps/1Mbps and 10Mbps/
3Mbps are the ``best proxy'' for advanced mobile service.\14\
---------------------------------------------------------------------------

    \13\ See Act, Sec.  9(1). Advanced telecommunications capability 
``is defined, without regard to any transmission media or 
technology, as high-speed, switched, broadband telecommunications 
capability that enables users to originate and receive high-quality 
voice, data, graphics, and video telecommunications using any 
technology.'' Public Law 104-104, Sec.  706(c)(1), 101 Stat. 56, 153 
(1996) (codified at 47 U.S.C. 1302(d)(1)).
    \14\ Inquiry Concerning Deployment of Advanced 
Telecommunications Capability to All Americans in a Reasonable and 
Timely Manner, 2019 Broadband Deployment Report, 34 FCC Rcd 3857, 
3863-64, para. 16 (2019). Act, Sec.  8(c)(4).
---------------------------------------------------------------------------

    Questions:
     What sorts of risks and vulnerabilities should be covered 
by the language ``specific risk and vulnerability information related 
to equipment and software''?
     What information, if any, is unique to ``supply chain risk 
information''? In other words, to avoid the re-creation of existing 
threat and vulnerability information sharing programs, what types of 
specific, enhanced, or aggregated threat and vulnerability information 
would be helpful to the private sector to identify, avoid, or mitigate 
ICT supply chain risks? What information do suppliers and providers 
need to make informed, risk-based security and transactional decisions?
     Are there supply chain security risks beyond those 
Congress specified that should be included in an information security 
program?
     To what extent should NTIA's program be aligned with the 
actions of the FASC in determining whether an identified threat is a 
``security risk''?
     Section 4 of the Act sets a limit of 2,000,000 customers 
for the Act's ``remove and replace'' reimbursement program. Is this 
also an appropriate measure to determine small business and rural 
service provider participation in the program, as required by Section 
8(a)(2)(B)? Would that metric cause any key small or rural 
providers or suppliers to be missed?
     Are there other factors aligned with the Act that should 
be considered in determining ``trusted'' providers and suppliers 
eligible for the program?
     Should NTIA rely on the FCC's benchmarks for ``advanced'' 
communications services to implement its information sharing program 
and, if so, what would be the implications for achieving the purposes 
of the Act?
    2. Information Sharing Policies and Procedures:
    As noted, the Act requires NTIA to share security risk information 
with trusted providers and suppliers via ``regular briefings and other 
events.'' It also requires NTIA to ``engage'' with trusted parties, 
particularly small businesses or those serving rural areas. Although 
the Act mentions small and rural providers and suppliers only in the 
context of engagements with the Federal government, NTIA believes those 
entities should be the principal focus of the information sharing 
program. The Act's overarching goal is the establishment of an FCC 
program to reimburse smaller providers for removing from their networks 
and replacing equipment and services that threaten national 
security.\15\ Congress deemed reimbursement for such entities 
appropriate because it believed that smaller providers did not receive 
a sufficient ``heads-up by our government'' about the security risks 
posed by certain equipment and services and thus made procurement 
decisions based on the ``bottom line.'' \16\ The information sharing 
program mandated by Section 8 of the Act was intended to ``fix this 
information gap by ensuring that [small, rural providers] have access 
to the information they need to keep their networks and Americans 
secure.'' \17\ Accordingly, NTIA plans to structure that program 
primarily to promote the flow of risk information from the government 
to small and rural providers and suppliers. We request comment on that 
approach.
---------------------------------------------------------------------------

    \16\ See 165 Cong. Rec. H10286 (daily ed. Dec. 16, 2019) 
(remarks of Rep. Doyle).
    \17\ Id. (remarks of Rep. Latta).
---------------------------------------------------------------------------

    Because much security risk information is also highly sensitive, 
caution must be exercised in disseminating it. Briefings and events 
involving multiple participants or attendees, for example, risk 
exposing sensitive information or placing it in the wrong hands. NTIA 
seeks to balance the need to safeguard this information with the Act's 
requirement to share it with trusted providers and suppliers. NTIA 
notes that security risk information is available either publicly or 
from non-government sources on various terms.\18\ For example, Congress 
and the Executive Branch raised concerns about the security risks posed 
by certain Chinese equipment suppliers as early as a decade ago.\19\
---------------------------------------------------------------------------

    \18\ See, e.g., DHS Task Force Interim Report at 14-15.
    \19\ See Protecting Against National Security Threats to the 
Communications Supply Chain Through FCC Programs, Report and Order, 
Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423, 
11425-26, paras. 6-9 (2019).
---------------------------------------------------------------------------

    Questions:
     What means of sharing information best balances the 
objectives of the Act and the need to safeguard sensitive information? 
More specifically, what are the best ways for the Federal government to 
provide ``regular briefings'' to providers and suppliers? Would 
periodic public updates or notifications be useful or sufficient?
     Should eligible providers and suppliers have an 
opportunity to request risk and vulnerability information about 
specific equipment, software, and services? Would an information 
sharing system that incorporates both ``push'' and ``pull'' 
capabilities be useful, if possible?
     Are there legal barriers that could impede the ability of 
trusted providers and suppliers to receive or act on security risk 
information from the Federal government?
     How can publicly available security risk information be 
conveyed more expeditiously to more small and rural providers and 
suppliers?
     What barriers (e.g., awareness, financial, legal) do small 
and rural providers and suppliers face in accessing security risk 
information from non-government sources? What could or should the 
Federal government do to eliminate or mitigate those barriers?
    3. Information Declassification and Security Clearances:
    NTIA's information sharing program must include a plan for 
declassifying materials, where feasible, and expanding and expediting 
the provision of security clearances to facilitate the dissemination of 
security risk information to trusted providers and suppliers. Because 
both actions potentially risk compromising the confidentiality of 
sensitive government information, NTIA is seeking additional 
information.
    Questions:
     How specific must security risk information be to enable 
providers and suppliers to make procurement decisions that adequately 
protect their networks, customers, and users? If, for example, the 
Federal government issues a security warning about a particular 
company, how much information do trusted providers or suppliers require 
about the reason for that warning in order to take appropriate action?
     Is it more helpful for small and rural providers to 
receive unclassified information through typical civilian channels (for 
example, by email) or to receive more detailed classified information 
that would require a staff member to obtain a security clearance and 
could require travel to receive the classified information in person at 
a secure location?
     What would be the best way of identifying appropriate 
staff points of contact at small and rural providers to ensure that 
they receive security risk information?
     Have small and rural providers and suppliers encountered 
problems in attempting to obtain security clearances for staff? If so, 
what has been the nature of those difficulties?
     How many performance-essential security clearances would 
an organization need to ensure that government-shared security risk 
information is fully incorporated into its corporate risk-based 
decision making and response? What challenges would an organization 
have, if any, in converting such information into action?
     How should NTIA best raise awareness of this program among 
small business and rural providers?
    Instructions for Commenters: NTIA invites comment on the full range 
of issues that may be presented in this Notice, including issues that 
are not specifically raised in the above questions. Commenters are 
encouraged to address any or all of the above questions. Comments that 
contain references to studies, research, and other empirical data that 
are not widely available should include copies of the referenced 
materials with the submitted comments. Comments submitted by email 
should be machine-readable and should not be copy-protected. Responders 
should include the name of the person or organization filing the 
comment, which will facilitate agency follow up for clarifications as 
necessary, as well as a page number on each page of their submissions. 
All comments received are a part of the public record and will 
generally be posted on the NTIA website, http://www.ntia.gov/, without 
change. All personal identifying information (for example, name, 
address) voluntarily submitted by the commenter may be publicly 
accessible. Do not submit confidential business information or 
otherwise sensitive or protected information.

    Dated: June 9, 2020.
Kathy Smith,
Chief Counsel, National Telecommunications and Information 
Administration.
[FR Doc. 2020-12780 Filed 6-11-20; 8:45 am]