Classified data key to new acquisition approach, Federal CISO says

The new regime contrasts with previous “Whac-A-Mole” approaches that were confined to the unclassified space, Grant Schneider said.
Grant Schneider speaks April 25, 2019, at the Security Through Innovation Summit presented by McAfee and produced by CyberScoop and FedScoop. (CyberScoop)

The strength of a new federal acquisition council on supply-chain security lies in its ability to directly involve classified information in agencies’ decisions to buy products and services, according to a senior White House official.

The new regime contrasts with previous “Whac-A-Mole” approaches that were confined to the unclassified space, Federal Chief Information Officer Grant Schneider said Thursday at the 2019 Security Through Innovation Summit, presented by McAfee. He chairs the nascent interagency Federal Acquisition Security Council, which was established by a law signed by President Donald Trump in December. The law allows classified information to be used to support risk assessments while assuring the intelligence community that data is protected, Schneider added.

“The Binding Operational Directive on Kaspersky was completely through open-source [information],” Schneider said, referring to a 2017 federal order that, due to security concerns, banned civilian agencies from using products made by Moscow-based Kaspersky Lab. “If we had written a Binding Operational Directive on Kaspersky using classified information, we might have done it several years ago.”

U.S. officials have long argued that Russian authorities could leverage local laws to access Kaspersky Lab data for intelligence operations – a charge that the antivirus maker denies.


But federal officials’ supply chain concerns run far deeper than one particular country or product. They worry about maintaining visibility into the vast ecosystem of gear bought by agencies and companies in the face of offshoring and ever-greater network connectivity.

Those concerns have spawned multiple policy initiatives in the last year, including the acquisition council and a separate Department of Homeland Security-run task force that trades threat information with industry.

Examples of sophisticated breaches of global tech vendors have only added urgency to those policy efforts.

Schneider, a former CIO of the Defense Intelligence Agency, made clear how high the supply chain is on his list of security concerns.

“My bigger concern that keeps me up at night is ‘is there going to be a trusted supply chain in the future?’” he said.


One important task for the new acquisition council is developing criteria for making recommendations on equipment, products and services that “we shouldn’t allow to do business with the federal government,” Schneider added. The body will have its first meeting at the end of the month, he said.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
