Promoting the Sharing of Supply Chain Security Risk Information Between Government and Communications Providers and Suppliers, 35919-35922 [2020-12780]
Federal Register / Vol. 85, No. 114 / Friday, June 12, 2020 / Notices
DEPARTMENT OF COMMERCE
National Telecommunications and
Information Administration
[Docket No. 200609–0154]
RIN 0660–XC046
Promoting the Sharing of Supply Chain
Security Risk Information Between
Government and Communications
Providers and Suppliers
AGENCY: National Telecommunications
and Information Administration, U.S.
Department of Commerce.
ACTION: Notice, request for public
comment.
SUMMARY: Section 8 of the Secure and
Trusted Communications Network Act
of 2019 (Act) directs the National
Telecommunications and Information
Administration (NTIA), in cooperation
with other designated federal agencies,
to establish a program to share supply
chain security risk information with
trusted providers of advanced
communications service and suppliers
of communications equipment or
services. Through this Notice and in
accordance with the Act, NTIA is
requesting comment on ways to
facilitate the sharing of security risk
information with such trusted
providers. These comments will inform
the program that NTIA establishes
under the Act.
DATES: Comments are due on or before
July 13, 2020.
ADDRESSES: Written comments may be
submitted by email to supplychaininfo@ntia.gov.
Written comments also may be
submitted by mail to the National
Telecommunications and Information
Administration, U.S. Department of
Commerce, 1401 Constitution Avenue
NW, Room 4725, Attn: Evelyn L.
Remaley, Associate Administrator,
Office of Policy Analysis and
Development, Washington, DC 20230.
For more detailed instructions about
submitting comments, see the
‘‘Instructions for Commenters’’ section
at the end of this Notice.
FOR FURTHER INFORMATION CONTACT:
Megan Doscher, National
Telecommunications and Information
Administration, U.S. Department of
Commerce, 1401 Constitution Avenue
NW, Room 4725, Washington, DC
20230; telephone (202) 482–2503;
mdoscher@ntia.gov. Please direct media
inquiries to NTIA’s Office of Public
Affairs, (202) 482–7002, or at
press@ntia.gov.
SUPPLEMENTARY INFORMATION: Section 8
of the Secure and Trusted
Communications Network Act of 2019
(Act) directs NTIA, in cooperation with
the Office of the Director of National
Intelligence, the Department of
Homeland Security (DHS), the Federal
Bureau of Investigation, and the Federal
Communications Commission (FCC), to
establish a program to share ‘‘supply
chain security risk’’ information with
trusted providers of ‘‘advanced
communications service’’ and suppliers
of communications equipment or
services.1 As part of that program, NTIA
must ‘‘conduct regular briefings and
other events’’ to share information with
trusted providers and suppliers and
‘‘engage’’ with such providers and
suppliers, particularly those that are
small businesses or that primarily serve
rural areas.2 NTIA must also develop,
and submit to Congress, a plan for
declassifying material, when feasible,
and expediting and expanding the
provision of security clearances to
facilitate information sharing from the
Federal government to trusted providers
and suppliers.3 Therefore, we request
comments on several key terms in the
Act, as well as on steps that should be
taken to best achieve the purposes of the
Act.
1 Secure and Trusted Communications Network
Act of 2019, Public Law 116–124, 8, 134 Stat. 158,
168 (2020) (codified at 47 U.S.C. 1607).
1. Key Terms:
NTIA seeks information to clarify key
terms in the Act.
Supply Chain Security Risk
Information
The Act defines ‘‘supply chain
security risk’’ information to include
‘‘specific risk and vulnerability
information related to equipment and
software.’’ 4 NTIA’s identification of
supply chain security risk information
will be aided by other ongoing U.S.
Government activities to detect
potential security risks to information
and communications technology (ICT)
supply chains. For example, this effort
will be informed by all relevant
activities of the National Strategy to
Secure 5G, which focuses not only on
the identification of information
security risks, but on broader strategic
risks to the U.S. economy and national
security, including risks to the global 5G
market, capabilities and infrastructure.
Defining ‘‘supply chain security risk’’ to
encompass national security and
economic risk will reinforce the Act’s
purpose to safeguard the economy and
national critical infrastructure against
these risks.5
2 See id. § 8(a)(2)(A), (B).
3 See id. § 8(a)(2)(C).
4 Id. § 8(c)(3).
5 See Executive Office of the President, National
Strategy to Secure 5G of the United States of
America, March 2020, available at
https://www.whitehouse.gov/wp-content/uploads/2020/03/National-Strategy-5G-Final.pdf.
NTIA will also be informed by key
terms established by the Federal
Acquisition Supply Chain Security Act
of 2018, which established the Federal
Acquisition Security Council (FASC),
which is developing, within the Federal
government, risk information sharing
policies and procedures comparable to
those that the Act contemplates for
interactions between the Federal
government and the private sector.6
That legislation defines ‘‘supply chain
risk’’ by reference to 41 U.S.C. 4713,
which in turn defines the term to mean
‘‘the risk that any person may sabotage,
maliciously introduce unwanted
function, extract data, or otherwise
manipulate the design, integrity,
manufacturing, production, distribution,
installation, operation, maintenance,
disposition, or retirement of covered
articles so as to surveil, deny, disrupt,
or otherwise manipulate the function,
use, or operation of covered articles or
information stored or transmitted on the
covered articles.’’ 7
NTIA will also consider key terms
defined by other bodies, such as the
DHS ICT Supply Chain Risk
Management Task Force (DHS Task
Force), which provides a forum for
government-private sector collaboration
on supply chain issues and provides
advice and recommendations on ways
to assess and mitigate risks to the ICT
supply chain.8 One of the DHS Task
Force’s working groups is identifying
and categorizing supply chain threats,
as well as providing background
information on such threats, their
significance, and potential impact on
the ICT supply chain.9
Trusted Providers and Suppliers
• NTIA seeks comment on clarifying
the term ‘‘trusted providers and
suppliers.’’ The Act requires
information sharing only with ‘‘trusted’’
providers and suppliers—entities ‘‘not
owned by, controlled by, or subject to
the influence of a foreign adversary.’’ 10
In identifying the providers and
suppliers that are ineligible under the
Act, NTIA will rely on various
designations as set forth in Section
§ 2(c)(1–4) of the Act. Accordingly,
ineligible providers and suppliers will
be determined by:
(1) Any executive branch interagency
body with appropriate national security
expertise, including the Federal
Acquisition Security Council;
(2) the Department of Commerce
pursuant to Executive Order No. 13873;
(3) the equipment or service being
covered is telecommunications
equipment or services, as defined in
section 889(f)(3) of the John S. McCain
National Defense Authorization Act for
Fiscal Year 2019 (Pub. L. 115–232; 132
Stat. 1918); or
(4) an appropriate national security
agency.
6 See Federal Acquisition Supply Chain Security
Act of 2018, Public Law 115–390, Tit. II, § 202, 132
Stat. 5173, 5180–81 (2018) (codified at 41 U.S.C.
1323(a)).
7 41 U.S.C. 4713(k)(6).
8 See DHS, Cybersecurity and Infrastructure
Security Agency, Information and Communications
Technology Supply Chain Risk Management Task
Force: Interim Report, at iii (Sept. 2019) (DHS Task
Force Interim Report), available at
https://www.cisa.gov/sites/default/files/publications/ICT%20Supply%20Chain%20Risk%20Management%20Task%20Force%20Interim%20Report%20%28FINAL%29_508.pdf.
For a list of Task Force members and contributors,
see id. at v–vi.
9 See id. at 17–18.
10 Act, § 8(c)(4).
Foreign Adversaries
NTIA directs commenters to the Act’s
definition of ‘‘foreign adversary,’’ which
is identical to that in Executive Order
13873, ‘‘Securing the Information and
Communications Technology and
Services Supply Chain’’ (E.O. 13873).11
E.O. 13873 directs the Secretary of
Commerce to review, and where
necessary, prohibit transactions
involving entities owned, controlled, or
subject to foreign adversaries that pose
unacceptable risks to the U.S. ICT and
services supply chain.12 NTIA notes that
the determination of ‘‘foreign
adversary’’ for purposes of
implementing E.O. 13873 is a matter of
executive branch discretion and will be
made by the Secretary in consultation
with the other agencies identified in the
E.O. To ensure consistency of action
across the Federal government, in
identifying the providers and suppliers
that are eligible under the Act to receive
supply chain security risk information,
NTIA will rely on pertinent decisions by
the Secretary of Commerce under E.O.
13873, as well as other relevant federal
determinations.
Advanced Communications Service
Finally, NTIA seeks comment on the
term, ‘‘advanced communications
service.’’ The Act directs NTIA to share
risk information only with trusted
providers of ‘‘advanced
communications service,’’ which the
legislation equates with ‘‘advanced
telecommunications capability’’ as
defined in section 706 of the
Telecommunications Act of 1996.13 As
for mobile services, the FCC has
determined that 4G Long Term
Evolution services offering transmission
speeds between 5Mbps/1Mbps and
10Mbps/3Mbps are the ‘‘best proxy’’ for
advanced mobile service.14
11 Executive Order 13873, ‘‘Securing the
Information and Communications Technology and
Services Supply Chain,’’ 84 FR 22,689 (2019).
12 Compare id. § 8(c)(2) with Executive Order
13873, § 3(b), 84 FR 22,689, 22,691 (2019).
13 See Act, § 9(1). Advanced telecommunications
capability ‘‘is defined, without regard to any
transmission media or technology, as high-speed,
switched, broadband telecommunications
capability that enables users to originate and
receive high-quality voice, data, graphics, and video
telecommunications using any technology.’’ Public
Law 104–104, 706(c)(1), 101 Stat. 56, 153 (1996)
(codified at 47 U.S.C. 1302(d)(1)).
14 Inquiry Concerning Deployment of Advanced
Telecommunications Capability to All Americans in
a Reasonable and Timely Manner, 2019 Broadband
Deployment Report, 34 FCC Rcd 3857, 3863–64,
¶ 16 (2019). Act, § 8(c)(4).
Questions:
• What sorts of risks and
vulnerabilities should be covered by the
language ‘‘specific risk and vulnerability
information related to equipment and
software’’?
• What information, if any, is unique
to ‘‘supply chain risk information’’? In
other words, to avoid the re-creation of
existing threat and vulnerability
information sharing programs, what
types of specific, enhanced, or
aggregated threat and vulnerability
information would be helpful to the
private sector to identify, avoid, or
mitigate ICT supply chain risks? What
information do suppliers and providers
need to make informed, risk-based
security and transactional decisions?
• Are there supply chain security
risks beyond those Congress specified
that should be included in an
information security program?
• To what extent should NTIA’s
program be aligned with the actions of
the FASC in determining whether an
identified threat is a ‘‘security risk’’?
• Section 4 of the Act sets a limit of
2,000,000 customers for the Act’s
‘‘remove and replace’’ reimbursement
program. Is this also an appropriate
measure to determine small business
and rural service provider participation
in the program, as required by Section
§ 8(a)(2)(B)? Would that metric cause
any key small or rural providers or
suppliers to be missed?
• Are there other factors aligned with
the Act that should be considered in
determining ‘‘trusted’’ providers and
suppliers eligible for the program?
• Should NTIA rely on the FCC’s
benchmarks for ‘‘advanced’’
communications services to implement
its information sharing program and, if
so, what would be the implications for
achieving the purposes of the Act?
2. Information Sharing Policies and
Procedures:
As noted, the Act requires NTIA to
share security risk information with
trusted providers and suppliers via
‘‘regular briefings and other events.’’ It
also requires NTIA to ‘‘engage’’ with
trusted parties, particularly small
businesses or those serving rural areas.
Although the Act mentions small and
rural providers and suppliers only in
the context of engagements with the
Federal government, NTIA believes
those entities should be the principal
focus of the information sharing
program. The Act’s overarching goal is
the establishment of an FCC program to
reimburse smaller providers for
removing from their networks and
replacing equipment and services that
threaten national security.15 Congress
deemed reimbursement for such entities
appropriate because it believed that
smaller providers did not receive a
sufficient ‘‘heads-up by our
government’’ about the security risks
posed by certain equipment and
services and thus made procurement
decisions based on the ‘‘bottom line.’’ 16
The information sharing program
mandated by Section 8 of the Act was
intended to ‘‘fix this information gap by
ensuring that [small, rural providers]
have access to the information they
need to keep their networks and
Americans secure.’’ 17 Accordingly,
NTIA plans to structure that program
primarily to promote the flow of risk
information from the government to
small and rural providers and suppliers.
We request comment on that approach.
Because much security risk
information is also highly sensitive,
caution must be exercised in
disseminating it. Briefings and events
involving multiple participants or
attendees, for example, risk exposing
sensitive information or placing it in the
wrong hands. NTIA seeks to balance the
need to safeguard this information with
the Act’s requirement to share it with
trusted providers and suppliers. NTIA
notes that security risk information is
available either publicly or from
non-government sources on various terms.18
For example, Congress and the
Executive Branch raised concerns about
the security risks posed by certain
Chinese equipment suppliers as early as
a decade ago.19
16 See 165 Cong. Rec. H10286 (daily ed. Dec. 16,
2019) (remarks of Rep. Doyle).
17 Id. (remarks of Rep. Latta).
18 See, e.g., DHS Task Force Interim Report at 14–15.
19 See Protecting Against National Security
Threats to the Communications Supply Chain
Through FCC Programs, Report and Order, Further
Notice of Proposed Rulemaking, and Order, 34 FCC
Rcd 11423, 11425–26, ¶¶ 6–9 (2019).
Questions:
• What means of sharing information
best balances the objectives of the Act
and the need to safeguard sensitive
information? More specifically, what are
the best ways for the Federal
government to provide ‘‘regular
briefings’’ to providers and suppliers?
Would periodic public updates or
notifications be useful or sufficient?
• Should eligible providers and
suppliers have an opportunity to request
risk and vulnerability information about
specific equipment, software, and
services? Would an information sharing
system that incorporates both ‘‘push’’
and ‘‘pull’’ capabilities be useful, if
possible?
• Are there legal barriers that could
impede the ability of trusted providers
and suppliers to receive or act on
security risk information from the
Federal government?
• How can publicly available security
risk information be conveyed more
expeditiously to more small and rural
providers and suppliers?
• What barriers (e.g., awareness,
financial, legal) do small and rural
providers and suppliers face in
accessing security risk information from
non-government sources? What could or
should the Federal government do to
eliminate or mitigate those barriers?
3. Information Declassification and
Security Clearances:
NTIA’s information sharing program
must include a plan for declassifying
materials, where feasible, and
expanding and expediting the provision
of security clearances to facilitate the
dissemination of security risk
information to trusted providers and
suppliers. Because both actions
potentially risk compromising the
confidentiality of sensitive government
information, NTIA is seeking additional
information.
Questions:
• How specific must security risk
information be to enable providers and
suppliers to make procurement
decisions that adequately protect their
networks, customers, and users? If, for
example, the Federal government issues
a security warning about a particular
company, how much information do
trusted providers or suppliers require
about the reason for that warning in
order to take appropriate action?
• Is it more helpful for small and
rural providers to receive unclassified
information through typical civilian
channels (for example, by email) or to
receive more detailed classified
information that would require a staff
member to obtain a security clearance
and could require travel to receive the
classified information in person at a
secure location?
• What would be the best way of
identifying appropriate staff points of
contact at small and rural providers to
ensure that they receive security risk
information?
• Have small and rural providers and
suppliers encountered problems in
attempting to obtain security clearances
for staff? If so, what has been the nature
of those difficulties?
• How many performance-essential
security clearances would an
organization need to ensure that
government-shared security risk
information is fully incorporated into its
corporate risk-based decision making
and response? What challenges would
an organization have, if any, in
converting such information into
action?
• How should NTIA best raise
awareness of this program among small
business and rural providers?
Instructions for Commenters: NTIA
invites comment on the full range of
issues that may be presented in this
Notice, including issues that are not
specifically raised in the above
questions. Commenters are encouraged
to address any or all of the above
questions. Comments that contain
references to studies, research, and
other empirical data that are not widely
available should include copies of the
referenced materials with the submitted
comments. Comments submitted by
email should be machine-readable and
should not be copy-protected.
Responders should include the name of
the person or organization filing the
comment, which will facilitate agency
follow up for clarifications as necessary,
as well as a page number on each page
of their submissions. All comments
received are a part of the public record
and will generally be posted on the
NTIA website, https://www.ntia.gov/,
without change. All personal identifying
information (for example, name,
address) voluntarily submitted by the
commenter may be publicly accessible.
Do not submit confidential business
information or otherwise sensitive or
protected information.
Dated: June 9, 2020.
Kathy Smith,
Chief Counsel, National Telecommunications
and Information Administration.
[FR Doc. 2020–12780 Filed 6–11–20; 8:45 am]
BILLING CODE 3510–60–P
[Federal Register Volume 85, Number 114 (Friday, June 12, 2020)]
[Notices]
[Pages 35919-35922]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-12780]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
[Docket No. 200609-0154]
RIN 0660-XC046
Promoting the Sharing of Supply Chain Security Risk Information
Between Government and Communications Providers and Suppliers
AGENCY: National Telecommunications and Information Administration,
U.S. Department of Commerce.
[[Page 35920]]
ACTION: Notice, request for public comment.
-----------------------------------------------------------------------
SUMMARY: Section 8 of the Secure and Trusted Communications Network Act
of 2019 (Act) directs the National Telecommunications and Information
Administration (NTIA), in cooperation with other designated federal
agencies, to establish a program to share supply chain security risk
information with trusted providers of advanced communications service
and suppliers of communications equipment or services. Through this
Notice and in accordance with the Act, NTIA is requesting comment on
ways to facilitate the sharing of security risk information with such
trusted providers. These comments will inform the program that NTIA
establishes under the Act.
DATES: Comments are due on or before July 13, 2020.
ADDRESSES: Written comments may be submitted by email to
[email protected]. Written comments also may be submitted by
mail to the National Telecommunications and Information Administration,
U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725,
Attn: Evelyn L. Remaley, Associate Administrator, Office of Policy
Analysis and Development, Washington, DC 20230. For more detailed
instructions about submitting comments, see the ``Instructions for
Commenters'' section at the end of this Notice.
FOR FURTHER INFORMATION CONTACT: Megan Doscher, National
Telecommunications and Information Administration, U.S. Department of
Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230;
telephone (202) 482-2503; [email protected]. Please direct media
inquiries to NTIA's Office of Public Affairs, (202) 482-7002, or at
[email protected].
SUPPLEMENTARY INFORMATION: Section 8 of the Secure and Trusted
Communications Network Act of 2019 (Act) directs NTIA, in cooperation
with the Office of the Director of National Intelligence, the
Department of Homeland Security (DHS), the Federal Bureau of
Investigation, and the Federal Communications Commission (FCC), to
establish a program to share ``supply chain security risk'' information
with trusted providers of ``advanced communications service'' and
suppliers of communications equipment or services.\1\ As part of that
program, NTIA must ``conduct regular briefings and other events'' to
share information with trusted providers and suppliers and ``engage''
with such providers and suppliers, particularly those that are small
businesses or that primarily serve rural areas.\2\ NTIA must also
develop, and submit to Congress, a plan for declassifying material,
when feasible, and expediting and expanding the provision of security
clearances to facilitate information sharing from the Federal
government to trusted providers and suppliers.\3\ Therefore, we request
comments on several key terms in the Act, as well as on steps that
should be taken to best achieve the purposes of the Act.
---------------------------------------------------------------------------
\1\ Secure and Trusted Communications Network Act of 2019,
Public Law 116-124, Sec. 8, 134 Stat. 158, 168 (2020) (codified at 47
U.S.C. 1607).
\2\ See id. Sec. 8(a)(2)(A), (B).
\3\ See id. Sec. 8(a)(2)(C).
---------------------------------------------------------------------------
1. Key Terms:
NTIA seeks information to clarify key terms in the Act.
Supply Chain Security Risk Information
The Act defines ``supply chain security risk'' information to
include ``specific risk and vulnerability information related to
equipment and software.'' \4\ NTIA's identification of supply chain
security risk information will be aided by other ongoing U.S.
Government activities to detect potential security risks to information
and communications technology (ICT) supply chains. For example, this
effort will be informed by all relevant activities of the National
Strategy to Secure 5G, which focuses not only on the identification of
information security risks, but on broader strategic risks to the U.S.
economy and national security, including risks to the global 5G market,
capabilities and infrastructure. Defining ``supply chain security
risk'' to encompass national security and economic risk will reinforce
the Act's purpose to safeguard the economy and national critical
infrastructure against these risks.\5\
---------------------------------------------------------------------------
\4\ Id. Sec. 8(c)(3).
\5\ See Executive Office of the President, National Strategy to
Secure 5G of the United States of America, March 2020, available at
https://www.whitehouse.gov/wp-content/uploads/2020/03/National-Strategy-5G-Final.pdf.
---------------------------------------------------------------------------
NTIA will also be informed by key terms established by the Federal
Acquisition Supply Chain Security Act of 2018, which established the
Federal Acquisition Security Council (FASC), which is developing,
within the Federal government, risk information sharing policies and
procedures comparable to those that the Act contemplates for
interactions between the Federal government and the private sector.\6\
That legislation defines ``supply chain risk'' by reference to 41
U.S.C. 4713, which in turn defines the term to mean ``the risk that any
person may sabotage, maliciously introduce unwanted function, extract
data, or otherwise manipulate the design, integrity, manufacturing,
production, distribution, installation, operation, maintenance,
disposition, or retirement of covered articles so as to surveil, deny,
disrupt, or otherwise manipulate the function, use, or operation of
covered articles or information stored or transmitted on the covered
articles.'' \7\
---------------------------------------------------------------------------
\6\ See Federal Acquisition Supply Chain Security Act of 2018,
Public Law 115-390, Tit. II, Sec. 202, 132 Stat. 5173, 5180-81
(2018) (codified at 41 U.S.C. 1323(a)).
\7\ 41 U.S.C. 4713(k)(6).
---------------------------------------------------------------------------
NTIA will also consider key terms defined by other bodies, such as
the DHS ICT Supply Chain Risk Management Task Force (DHS Task Force),
which provides a forum for government-private sector collaboration on
supply chain issues and provides advice and recommendations on ways to
assess and mitigate risks to the ICT supply chain.\8\ One of the DHS
Task Force's working groups is identifying and categorizing supply
chain threats, as well as providing background information on such
threats, their significance, and potential impact on the ICT supply
chain.\9\
---------------------------------------------------------------------------
\8\ See DHS, Cybersecurity and Infrastructure Security Agency,
Information and Communications Technology Supply Chain Risk
Management Task Force: Interim Report, at iii (Sept. 2019) (DHS Task
Force Interim Report), available at https://www.cisa.gov/sites/default/files/publications/ICT%20Supply%20Chain%20Risk%20Management%20Task%20Force%20Interim%20Report%20%28FINAL%29_508.pdf. For a list of Task Force members and
contributors, see id. at v-vi.
\9\ See id. at 17-18.
---------------------------------------------------------------------------
Trusted Providers and Suppliers
NTIA seeks comment on clarifying the term ``trusted
providers and suppliers.'' The Act requires information sharing only
with ``trusted'' providers and suppliers--entities ``not owned by,
controlled by, or subject to the influence of a foreign adversary.''
\10\ In identifying the providers and suppliers that are ineligible
under the Act, NTIA will rely on various designations as set forth in
Section 2(c)(1-4) of the Act. Accordingly, ineligible providers
and suppliers will be determined by:
---------------------------------------------------------------------------
\10\ Act, Sec. 8(c)(4).
---------------------------------------------------------------------------
(1) Any executive branch interagency body with appropriate national
security expertise, including the Federal Acquisition Security Council;
(2) the Department of Commerce pursuant to Executive Order No.
13873;
(3) the equipment or service being covered is telecommunications
equipment or services, as defined in section 889(f)(3) of the John S.
McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L.
115-232; 132 Stat. 1918); or
(4) an appropriate national security agency.
Foreign Adversaries
NTIA directs commenters to the Act's definition of ``foreign
adversary,'' which is identical to that in Executive Order 13873,
``Securing the Information and Communications Technology and Services
Supply Chain'' (E.O. 13873).\11\ E.O. 13873 directs the Secretary of
Commerce to review, and where necessary, prohibit transactions
involving entities owned, controlled, or subject to foreign adversaries
that pose unacceptable risks to the U.S. ICT and services supply
chain.\12\ NTIA notes that the determination of ``foreign adversary''
for purposes of implementing E.O. 13873 is a matter of executive branch
discretion and will be made by the Secretary in consultation with the
other agencies identified in the E.O. To ensure consistency of action
across the Federal government, in identifying the providers and
suppliers that are eligible under the Act to receive supply chain
security risk information, NTIA will rely on pertinent decisions by the
Secretary of Commerce under E.O. 13873, as well as other relevant
federal determinations.
---------------------------------------------------------------------------
\11\ Executive Order 13873, ``Securing the Information and
Communications Technology and Services Supply Chain,'' 84 FR 22,689
(2019).
\12\ Compare id. Sec. 8(c)(2) with Executive Order 13873, Sec.
3(b), 84 FR 22,689, 22,691 (2019).
---------------------------------------------------------------------------
Advanced Communications Service
Finally, NTIA seeks comment on the term, ``advanced communications
service.'' The Act directs NTIA to share risk information only with
trusted providers of ``advanced communications service,'' which the
legislation equates with ``advanced telecommunications capability'' as
defined in section 706 of the Telecommunications Act of 1996.\13\ As
for mobile services, the FCC has determined that 4G Long Term Evolution
services offering transmission speeds between 5Mbps/1Mbps and 10Mbps/
3Mbps are the ``best proxy'' for advanced mobile service.\14\
---------------------------------------------------------------------------
\13\ See Act, Sec. 9(1). Advanced telecommunications capability
``is defined, without regard to any transmission media or
technology, as high-speed, switched, broadband telecommunications
capability that enables users to originate and receive high-quality
voice, data, graphics, and video telecommunications using any
technology.'' Public Law 104-104, Sec. 706(c)(1), 101 Stat. 56, 153
(1996) (codified at 47 U.S.C. 1302(d)(1)).
\14\ Inquiry Concerning Deployment of Advanced
Telecommunications Capability to All Americans in a Reasonable and
Timely Manner, 2019 Broadband Deployment Report, 34 FCC Rcd 3857,
3863-64, para. 16 (2019). Act, Sec. 8(c)(4).
---------------------------------------------------------------------------
Questions:
- What sorts of risks and vulnerabilities should be covered
  by the language ``specific risk and vulnerability information related
  to equipment and software''?
- What information, if any, is unique to ``supply chain risk
  information''? In other words, to avoid the re-creation of existing
  threat and vulnerability information sharing programs, what types of
  specific, enhanced, or aggregated threat and vulnerability information
  would be helpful to the private sector to identify, avoid, or mitigate
  ICT supply chain risks? What information do suppliers and providers
  need to make informed, risk-based security and transactional decisions?
- Are there supply chain security risks beyond those
  Congress specified that should be included in an information security
  program?
- To what extent should NTIA's program be aligned with the
  actions of the FASC in determining whether an identified threat is a
  ``security risk''?
- Section 4 of the Act sets a limit of 2,000,000 customers
  for the Act's ``remove and replace'' reimbursement program. Is this
  also an appropriate measure to determine small business and rural
  service provider participation in the program, as required by Section
  8(a)(2)(B)? Would that metric cause any key small or rural
  providers or suppliers to be missed?
- Are there other factors aligned with the Act that should
  be considered in determining ``trusted'' providers and suppliers
  eligible for the program?
- Should NTIA rely on the FCC's benchmarks for ``advanced''
  communications services to implement its information sharing program
  and, if so, what would be the implications for achieving the purposes
  of the Act?
2. Information Sharing Policies and Procedures:
As noted, the Act requires NTIA to share security risk information
with trusted providers and suppliers via ``regular briefings and other
events.'' It also requires NTIA to ``engage'' with trusted parties,
particularly small businesses or those serving rural areas. Although
the Act mentions small and rural providers and suppliers only in the
context of engagements with the Federal government, NTIA believes those
entities should be the principal focus of the information sharing
program. The Act's overarching goal is the establishment of an FCC
program to reimburse smaller providers for removing from their networks
and replacing equipment and services that threaten national
security.\15\ Congress deemed reimbursement for such entities
appropriate because it believed that smaller providers did not receive
a sufficient ``heads-up by our government'' about the security risks
posed by certain equipment and services and thus made procurement
decisions based on the ``bottom line.'' \16\ The information sharing
program mandated by Section 8 of the Act was intended to ``fix this
information gap by ensuring that [small, rural providers] have access
to the information they need to keep their networks and Americans
secure.'' \17\ Accordingly, NTIA plans to structure that program
primarily to promote the flow of risk information from the government
to small and rural providers and suppliers. We request comment on that
approach.
---------------------------------------------------------------------------
\16\ See 165 Cong. Rec. H10286 (daily ed. Dec. 16, 2019)
(remarks of Rep. Doyle).
\17\ Id. (remarks of Rep. Latta).
---------------------------------------------------------------------------
Because much security risk information is also highly sensitive,
caution must be exercised in disseminating it. Briefings and events
involving multiple participants or attendees, for example, risk
exposing sensitive information or placing it in the wrong hands. NTIA
seeks to balance the need to safeguard this information with the Act's
requirement to share it with trusted providers and suppliers. NTIA
notes that security risk information is available either publicly or
from non-government sources on various terms.\18\ For example, Congress
and the Executive Branch raised concerns about the security risks posed
by certain Chinese equipment suppliers as early as a decade ago.\19\
---------------------------------------------------------------------------
\18\ See, e.g., DHS Task Force Interim Report at 14-15.
\19\ See Protecting Against National Security Threats to the
Communications Supply Chain Through FCC Programs, Report and Order,
Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423,
11425-26, paras. 6-9 (2019).
---------------------------------------------------------------------------
Questions:
- What means of sharing information best balances the
  objectives of the Act and the need to safeguard sensitive information?
  More specifically, what are the best ways for the Federal government to
  provide ``regular briefings'' to providers and suppliers? Would
  periodic public updates or notifications be useful or sufficient?
- Should eligible providers and suppliers have an
  opportunity to request risk and vulnerability information about
  specific equipment, software, and services? Would an information
  sharing system that incorporates both ``push'' and ``pull''
  capabilities be useful, if possible?
- Are there legal barriers that could impede the ability of
  trusted providers and suppliers to receive or act on security risk
  information from the Federal government?
- How can publicly available security risk information be
  conveyed more expeditiously to more small and rural providers and
  suppliers?
- What barriers (e.g., awareness, financial, legal) do small
  and rural providers and suppliers face in accessing security risk
  information from non-government sources? What could or should the
  Federal government do to eliminate or mitigate those barriers?
3. Information Declassification and Security Clearances:
NTIA's information sharing program must include a plan for
declassifying materials, where feasible, and expanding and expediting
the provision of security clearances to facilitate the dissemination of
security risk information to trusted providers and suppliers. Because
both actions potentially risk compromising the confidentiality of
sensitive government information, NTIA is seeking additional
information.
Questions:
- How specific must security risk information be to enable
  providers and suppliers to make procurement decisions that adequately
  protect their networks, customers, and users? If, for example, the
  Federal government issues a security warning about a particular
  company, how much information do trusted providers or suppliers require
  about the reason for that warning in order to take appropriate action?
- Is it more helpful for small and rural providers to
  receive unclassified information through typical civilian channels (for
  example, by email) or to receive more detailed classified information
  that would require a staff member to obtain a security clearance and
  could require travel to receive the classified information in person at
  a secure location?
- What would be the best way of identifying appropriate
  staff points of contact at small and rural providers to ensure that
  they receive security risk information?
- Have small and rural providers and suppliers encountered
  problems in attempting to obtain security clearances for staff? If so,
  what has been the nature of those difficulties?
- How many performance-essential security clearances would
  an organization need to ensure that government-shared security risk
  information is fully incorporated into its corporate risk-based
  decision making and response? What challenges would an organization
  have, if any, in converting such information into action?
- How should NTIA best raise awareness of this program among
  small business and rural providers?
Instructions for Commenters: NTIA invites comment on the full range
of issues that may be presented in this Notice, including issues that
are not specifically raised in the above questions. Commenters are
encouraged to address any or all of the above questions. Comments that
contain references to studies, research, and other empirical data that
are not widely available should include copies of the referenced
materials with the submitted comments. Comments submitted by email
should be machine-readable and should not be copy-protected. Responders
should include the name of the person or organization filing the
comment, which will facilitate agency follow up for clarifications as
necessary, as well as a page number on each page of their submissions.
All comments received are a part of the public record and will
generally be posted on the NTIA website, https://www.ntia.gov/, without
change. All personal identifying information (for example, name,
address) voluntarily submitted by the commenter may be publicly
accessible. Do not submit confidential business information or
otherwise sensitive or protected information.
Dated: June 9, 2020.
Kathy Smith,
Chief Counsel, National Telecommunications and Information
Administration.
[FR Doc. 2020-12780 Filed 6-11-20; 8:45 am]