President Biden took action today to extend a national emergency declared by President Trump in 2019 aimed at preventing U.S. adversaries from exploiting vulnerabilities in the information and communications technology (ICT) services supply chain.
President Trump declared the emergency in May 2019 to protect the ICT supply chain, and to “protect the vast amount of sensitive information being stored in and communicated through ICT products and services,” according to information provided by the Cybersecurity and Infrastructure Security Agency (CISA).
The emergency declaration – put in place by Executive Order 13873 – sets out procedures to be used by the Department of Commerce “to prohibit the use or transaction of ‘information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,’ and that pose risk of sabotage or subversion; 2) catastrophic effects on the Nation’s critical infrastructure or digital economy; or 3) adverse consequences to national security and public safety,” CISA said.
The declaration had been due to expire on May 15 of this year.
The White House said today that “the national emergency declared in Executive Order 13873 of May 15, 2019, with respect to securing the information and communications technology and services supply chain, is to continue in effect beyond May 15, 2023.”
“The unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of these foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, with potentially catastrophic effects,” the White House said today.
“This threat continues to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States,” the White House said.
The 2019 order directed CISA “to assess and identify entities, hardware, software, and services that present vulnerabilities in the United States and that pose the greatest potential consequences to the national security of the United States” as decision support to the Department of Commerce.
Since then, CISA said that the agency and the ICT Supply Chain Risk Management (SCRM) Task Force worked with industry and government partners to:
- Develop a standardized taxonomy of ICT elements (e.g., hardware, software, and services);
- Perform criticality assessments on these ICT elements with appropriate stakeholder input; and
- Assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communications.
CISA has since released publicly available resources about its actions to protect the ICT supply chain, but noted that they are presented for “informational purposes only.” The agency said, “this methodology can be used as an input to a risk assessment, but by itself is not sufficient for a comprehensive review of risk.”