After House passage, supply chain security training and federal cybersecurity workforce bills set to become law

The U.S. House of Representatives passed two key pieces of legislation this week that will help bolster the cybersecurity posture of public and private entities. One bill creates a supply chain security training program for federal officials, while the other strengthens the federal cybersecurity workforce. Both bills have already passed the U.S. Senate and will now head to the desk of President Joe Biden to be signed into law.

The bipartisan ‘Supply Chain Security Training Act’ would create a standardized training program to help federal employees responsible for purchasing services and equipment identify whether those products could compromise the federal government’s information security. In addition, the legislation works toward protecting against cybersecurity threats and other technological supply chain security vulnerabilities that arise when the federal government purchases services, equipment, or products. The bill has already passed the Senate and now heads to President Biden’s desk to be signed into law. 

The bipartisan Supply Chain Security Training Act was introduced by U.S. Senators Gary Peters, a Democrat from Michigan and chairman of the Senate Homeland Security and Governmental Affairs Committee, and Ron Johnson, a Republican from Wisconsin. It directs the General Services Administration (GSA), in coordination with the Department of Homeland Security (DHS), Department of Defense (DOD), and the Office of Management and Budget (OMB), to create a supply chain security training program for federal officials with supply chain risk management responsibilities.

The bill would also require the OMB to develop guidance for federal agencies to adopt and use the training program and how to select officials to participate in the training, according to the provisions of the Act. The legislation also builds on an executive order from President Biden that made it easier for federal agencies to share threat information, modernize their cybersecurity infrastructure and enhance federal software supply chain security in the wake of recent serious breaches.

Training and preparing federal acquisition employees to recognize and mitigate these growing threats is essential in preventing hostile actors from compromising America’s national security. Additionally, breaches of federal information systems in the past exploited vulnerabilities in the SolarWinds and Microsoft Exchange networks, highlighting the need for robust technological supply chain security. It also emphasizes the importance of ensuring agency personnel responsible for managing these resources are well versed and up-to-date on cybersecurity threats and other attempts to steal sensitive or valuable information.

“Federal employees who are responsible for buying software and equipment for the government must be able to recognize potential cybersecurity threats in these products,” Senator Peters said in a media statement. “This bipartisan legislation will help federal employees deter foreign adversaries and criminal hackers from taking advantage of vulnerabilities in newly purchased technology to breach federal systems and disrupt our supply chains. I applaud my colleagues in the House for passing this bill and look forward to seeing President Biden sign it into law,” he added.

“Counterintelligence training for federal workers who buy and sell goods and services for the government is critical, especially at a time when our adversaries are aggressively and persistently attempting to breach our systems and steal information,” according to Senator Johnson. “This is essential training that will help close a potential gap in our cyber and physical security defenses.”

Earlier this week, researchers from Cequence Security found additional unpatched servers with the Log4j vulnerability hidden within their digital supply chain, labeled LoNg4j. Detecting this type of LoNg4j exploit requires an extensive test infrastructure that most organizations have not allocated, indicating that the Log4j vulnerability is more widespread than initially thought and spread across the digital software supply chain.

The federal cybersecurity workforce bill also secured House passage, which will help recruit, develop and retain highly skilled cybersecurity professionals in the federal workforce. Agencies across the federal government face growing cyber threats but struggle to hire and retain qualified cybersecurity employees. Like the Supply Chain Security Training legislation, this bill has already passed the U.S. Senate and now heads to President Biden’s desk to be signed into law.

The bill was introduced by Senators Peters, John Hoeven, a Republican from North Dakota, and Jacky Rosen, a Democrat from Nevada. The legislation will help attract and retain cybersecurity experts in the federal government by offering civilian employees opportunities to enhance their careers, broaden their professional experience, and foster collaborative networks by experiencing and contributing to the cyber mission beyond their home agencies.

Government agencies often cannot compete with the salaries and other benefits offered by tech giants in Silicon Valley, but they provide valuable opportunities to serve the country and defend our cyber front lines. For example, the Federal Rotational Cyber Workforce Program Act creates a civilian personnel rotation program for cybersecurity professionals at federal agencies. The program would enable employees to spend time working at different government agencies, gaining experience beyond their primary assignment and expanding their professional networks. 

“As we have seen, cyber-attacks pose a significant threat to our national and economic security and will only continue to grow more sophisticated. That is why we need a highly skilled federal cybersecurity workforce that will enhance our nation’s ability to fight back against online threats from foreign adversaries and criminal hackers for years to come,” Senator Peters said in another media statement. “Now that this commonsense legislation has passed the House, I urge the President to sign it into law as soon as possible so we can provide federal cybersecurity professionals with additional opportunities to learn how to defend networks from complicated and evolving threats.”

“Our legislation will help the federal government to meet the growing demand for cybersecurity professionals by developing a rotational cyber workforce program that enables federal employees to serve across multiple government agencies and expand their skills,” Senator Hoeven said. “This is vital to our national security and ensuring that the federal government has the capable professionals needed to meet our nation’s cybersecurity challenges. We look forward to our legislation being signed into law.”

“The shortage of U.S. cybersecurity professionals leaves our nation vulnerable to debilitating cyberattacks,” said Senator Rosen. “As a former computer programmer, I know that in order to successfully protect our nation against a myriad of cyber threats, we must expand and strengthen our federal cyber workforce,” she added.

In February, the U.S. Committee on Oversight and Reform approved the Supply Chain Security Training Act, which works toward improving federal government operations and hiring practices. It also passed the Federal Information Security Modernization Act of 2022, which bolsters cybersecurity for federal agencies.
