DataBank Assesses Impact of the U.S. Executive Order on Securing IT Services Supply Chain
On May 15, 2019, the President issued an Executive Order (EO) directing that communications technology or services be more tightly controlled within the United States, both federal and commercial spaces. The specific order can be read here: https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/
As part of an ongoing effort to keep our customers and partners appraised of significant security developments, we wanted to share our impressions of the EO and its likely impact on our, and possibly your operations.
The intent of the EO is to prevent “sabotage”, “subversion”, or other “catastrophic effects” of infrastructure and technology or technology services such as code, designs, manufacturing, or general supply. The EO was in response to and vaguely directed at Huawei and accusations that they are an arm of the Chinese government,. However, the EO was broad enough to encompass any similarly accused providers including those of future, actual, or perceived adversaries. It should be noted that China, and Huawei deny these accusations.
While there is no immediate action to be taken, we do anticipate the following impacts and changes to operations in months ahead:
This EO will impact how DataBank acquires systems and our overall acquisition process.
Our CISO, Mark Houpt, will begin working with our internal acquisitions teams when more information is provided. Specifically, we’ll be looking to the U.S. Federal Government for a list of defined “adversaries” or a program similar to the ITAR/EAR programs operated through the State Department and Department of Commerce. This list will likely include country, company, and individual person sources that we will have further evaluate. We will then need to develop policies and processes to ensure that we acquire technology and services in accordance with any new standards and we will need to follow those strictly. It should be noted that we already acquire technology and services in accordance with U.S. Federal Standards as defined by Supply Chain controls for FedRAMP. We anticipate these new policies or standards to be more strict.
We should be prepared for more stringent regulation and testing – aka auditing – of our acquisition process and supply chain as it relates to SSAE18, HIPAA, FedRAMP and FISMA.
Our network, server and storage devices, and even our environmental systems such as UPS, generators and transfer switches, will have to be verified and certified in some way as not being impacted by “adversaries” as defined by the U.S. Federal Government. Our CISO expects that in the coming weeks and months additional guidance regarding this will be coming from the FedRAMP PMO or other applicable agencies and it will be provided as soon as it is available.
We’ll continue to closely monitor developments and appraise our customers and partners of operational changes as they become clear.