IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

New Hampshire Pushes Pause on Creating Supply Chain Authority

New Hampshire lawmakers are waiting to see how the federal government navigates recent hacks before moving ahead with a piece of legislation aimed at tightening security around vendors and the supply chain.

To reduce cybersecurity risks, a New Hampshire lawmaker has proposed legislation to create an Information Technology Supply Chain Risk Authority to oversee all purchases and acquisitions of software, hardware and telecommunication services used within state agencies.

House Bill 487 is inspired by the 2017 ban of Kaspersky Lab software from being used within the federal government, which came after the Department of Homeland Security raised concerns about the Moscow-based company sharing information with Russian intelligence agencies. The ban also prompted Gov. Christopher Sununu’s to sign a bill prohibiting state agencies from using software developed by the company.

Now HB 487 has set its sights on preventing companies from accessing information that would present a security risk to the state's information technology infrastructure.

“We are concerned about the various kinds of tech out there, primarily from China and other suppliers that pose a potential cybersecurity threat,” state Rep. Peter Somssich, D-133, said. “I spoke with CIO [Denis] Goulet about this issue and how purchasing for the state works in regard to cybersecurity.”

This conversation, he said, led to the creation of the bill. However, due to unforeseen circumstances related to last year’s SolarWinds cyber attack, it was placed on hold.

“Goulet asked us to hold off on the bill until an amended version that includes recommendations from the federal government about the SolarWinds incident can be proposed,” he said.

CIO Denis Goulet expanded on the issue, saying, “SolarWinds changed the game for us. At this point, we couldn’t pull the bill back, but we could wait a year to see what the feds enact regarding SolarWinds.”

“We don’t want to get ahead of ourselves and the federal government,” he added. “They may enact something related to the acceptance of federal funds in states to address cybersecurity needs. We need to wait and see.”

As a result, the bill will most likely be reintroduced next session to give state lawmakers the chance to amend the bill, Goulet said.

“I think one lesson we can take away from this is being aware of what type of security your computer system has against cyber threats,” Somssich said. “Check the protection of your personal computer. Check and see if the companies you are working with to handle your cybersecurity have a good track record.”

“If someone else’s government has access to your information just because they can,” Somssich said, “that is not a company you want to work with to manage your cybersecurity.”
Katya Diaz is a staff writer for Government Technology. She has a bachelor’s degree in journalism and a master’s degree in global strategic communications from Florida International University.