Yesterday the Senate took up S 2201, the Supply Chain
Security Training Act of 2021. The reported version of the bill was withdrawn
and the Senate considered an amendment (SA
4899) in the form of a substitute. The amendment and the bill were adopted
by unanimous consent without debate.
The substitute language in SA 4899 was nearly identical to
the substitute language that was
reported by the Senate Homeland Security and Governmental Affairs Committee.
The only difference in the new language was the addition of the phrase “and
the Director of the National Institute of Standards and Technology” at the
end of §2(c)(2).
The bill now goes to the House for consideration. If/when
the bill makes it to the floor for consideration it will likely be taken up under
the suspension of the rules process. This would mean limited debate and the
bill would require a supermajority to pass. Based upon the action in the
Senate, I would suspect to see the bill receive substantial bipartisan support.
It is interesting to see that there is no definition of ‘supply
chain security’ included in this bill. With both CISA and NIST referred to as
coordination targets, I would suspect that the crafters were at least partially
considering protecting hardware and software against unauthorized manipulation
in transit between the manufacturer and the Federal user. It could also mean
ensuring that there were backup suppliers vetted and approved in the event the
primary provider is unable to keep supplies moving due to conditions (like
Covid for example) beyond their immediate control.