The Department of Homeland Security plans to implement a new requirement intended to give federal agencies information about the commercial cybersecurity products and services they purchase, Federal News Radio reported Wednesday.
Kevin Cox, manager of the Continuous Diagnostics and Mitigation (CDM) program at DHS, told the station the updated supply chain risk management plan for CDM offerings would require vendors to complete a questionnaire about the products they intend to have included in the CDM approved products list.
“The questionnaire addresses some background relating to the manufacturer in just getting some information in regards to having some visibility in terms of how the product was manufactured, what kind of visibility there was in tracking the supply chain of the product and in many cases the original equipment manufacturer,” Cox said.
“The goal is to really mature the visibility that the government has in terms of the products it’s offering out to the agencies, states, locals, tribes and territories, and the vendors have done their assessment of the product and can stand by what they are submitting,” he added.
DHS unveiled the SCRM plan in line with the Aug. 3 launch of a special item number for cyber platforms under the General Services Administration’s Schedule 70.
Cox noted that DHS and GSA will exempt approximately 70,000 cyber hardware, software and services that are already covered by the CDM program from complying with the new SCRM requirement, the report added.