The Defense Department is taking a harder look at supply chain risks posed by government contractors who provide IT products and services, so compliance officers at those businesses should prepare to review how their supply chain risks might affect eligibility to bid on future contracts.
Last month the department issued a final rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) and implement Section 806 of the National Defense Authorization Act. The final rule generally retains the same controversial provisions contained in an interim rule issued in 2013, including a clause that allows the DoD to bar contractors from providing IT for a “national security system” if the contractor or its subcontractors present “a supply chain risk.”
The final rule generally defines a national security system as an information system used for intelligence or military operations. A supply chain risk is “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.”
Although the rule itself is limited in scope, it is only the latest measure in a broader government-wide effort to protect supply chain integrity in government procurement. “This fits into the government’s larger focus on the supply chain risk generally,” says Peter Eyre, a partner in Crowell & Moring’s government contracts group. The fear: that sophisticated operators could infiltrate or sabotage national security systems by inserting counterfeit parts or malware into products the government buys.
The final rule gives the DoD far-reaching authority to exclude IT contractors without any hearing or explanation, which is a sore point for government industry groups. “There is no due process, and there is no appeal,” says Alan Chvotkin, executive vice president and counsel of the Professional Services Council, the national trade association of the government professional and technical services industry. “That’s a pretty broad set of authorities.”
Under the final rule, however, the following preliminary measures must be taken before DoD may exercise its authority:
The Under Secretary of Defense for Acquisition, Technology, and Logistics and the Chief Information Officer of the Defense Department must first make a joint recommendation that “there is a significant supply chain risk to a covered system;”
The DoD must make a determination in writing, with the concurrence of the Under Secretary of Defense for Acquisition, Technology, and Logistics, that Section 806 authority is “necessary to protect national security by reducing supply chain risk,” and that “less intrusive measures are not reasonably available to reduce such supply chain risk;” and
Classified or unclassified notice of the determination must be provided to certain congressional committees.
From a practical standpoint, IT contractors need to protect themselves as best they can in case DoD invokes its exclusion authority. For example, contractors should have a range of alternative suppliers in case procurement officers decide that one poses a supply chain risk, says Michael Mutek, former general counsel of Raytheon’s Intelligence, Information and Services business, a $6 billion business unit of Raytheon.
Although the Defense Department has power to exclude IT contractors at will, “I don’t expect this to be widely invoked,” Chvotkin says. It will be a “rare occasion” when the DoD uses its Section 806 authority, he predicts.
Nonetheless, the final rule puts further pressure on compliance officers of IT contractors to vet, monitor, and audit the entire supply chain. “You really need to do all you can to try to determine if you have an issue in your supply chain,” says Mutek, now senior counsel at law firm Steptoe.
Furthermore, because the final rule does not identify specific standards or controls for IT contractors to mitigate supply chain risks, compliance will prove to be a particularly complex task. “There is no one-size-fits-all standard of risk assessment and risk mitigation,” Chvotkin says.
‘Not a Bright Line Rule’
The DoD explained in the final rule that standards or controls would depend on the risks and risk tolerance that would apply to each procurement. “It is not a bright line rule,” Eyre says. Both the NDAA and the implementing regulation leave IT contractors with a great deal of discretion. “It is difficult to know exactly what controls will be satisfactory to the government.”
The Defense Department explained this lack of clarity in the final rule itself: “Risk levels, risk tolerance, and appropriate risk management measures must be determined at the local level. Evaluation factors are specified at the individual acquisition level and not in the DFARS.”
Nevertheless, Chvotkin says IT contractors need more guidance than what they currently have. “There needs to be some benchmark, some framework for companies to know what they should be doing and how they’ll know they’re on the right path to get there,” he says. “That is absent from this rule.”
DEFENSE DEPARTMENT’S FINAL RULE
The following is an excerpt from the Defense Department’s final rule, “Requirements Relating to Supply Chain Risk.”
Significant Changes from the Interim Rule
1. Language is added to the rule to clarify that section 806 authority is only applicable when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, including clarification of the prescriptions for DFARS provision 252.239–7017, Notice of Supply Chain Risk, and DFARS clause 252.239–7018, Supply Chain Risk.
2. Guidance on the use of an evaluation factor regarding supply chain risk is modified to require the inclusion of the evaluation factor when acquiring information technology, whether as a service or as a supply that is a covered system, is a part of a covered system, or is in support of a covered system. Additional text regarding an evaluation factor has been added at DFARS 212.301, 213.106–1, 214.201–5, and 214.503–1.
3. DFARS clause 252.239–7018, Supply Chain Risk, is changed as follows—
a. Paragraph (b), is modified to state that the contractor shall mitigate supply chain risk in the provision of supplies and services to the Government; and
b. Paragraph (c) is removed as the clause will no longer contain a requirement to flow down the clause to sub-contractors.
Source: Department of Defense.
That being said, nothing in the rule precludes contractors from engaging in discussions with the government to determine whether particular subcontractors or suppliers pose any risks or concerns, Eyre says.
Chvotkin agrees that some conversations still need to be had while the DoD continues to develop the application of the rule. “Companies ought to ask those questions, and I would hope DoD would be forthcoming in answering some of those questions on a case-by-case-basis,” he says.
The final rule does depart from the interim rule in several important ways. First, the scope of the rule has been narrowed. Whereas the interim rule applied to “the development or delivery of any information technology, whether acquired as a service or as a supply,” the final rule applies only if the IT is a covered system, is “part of” a covered system, or is “in support of” a covered system, where a covered system is a national security system.
Rather than applying to virtually every IT component in all systems used by the Defense Department, the rule expressly omits routine administrative and business applications, “including payroll, finance, logistics, and personnel management applications,” according to the final rule.
Another difference from the interim rule: where the original would have pushed the responsibility to identify and mitigate supply chain risk down to subcontractors, the final rule imposes that requirement only on prime contractors. “Nevertheless, the Defense Department reserves the right to exclude a subcontractor from performance of a contract, if DoD in their subjective judgment determines that a subcontractor poses a risk in performance,” Chvotkin warns.
Translation: even though the DoD has eliminated the flow down clause for its own purposes, prime contractors should still flow down some responsibility and authority to their subcontractors, “particularly because the government can deny access to a sub-contractor,” Chvotkin says. “The prime contractor must protect itself.”
You have to know who you’re doing business with not just among your first-tier sub-contractors, “but all the way through the supply chain,” Chvotkin says. “Having visibility into the supply chain is very important, particularly for these critical national security systems.”
As cyber-incidents grow more common (and more severe), government agencies are only going to grow more cautious when deciding who wins future contracts. For national security systems in particular, agencies likely will assess both the past and current performance of an IT contractor’s security controls in its supply chain.
That means compliance officers at IT contractors face greater responsibility, as well. Historically, supply management was an administrative function that rested with the purchasing department, “ensuring that you got the right part at the right time to the right place at the right price,” Mutek says.
Well, “supply management has evolved,” he says. “It’s no longer just a purchasing function. Supply management is a compliance function, with responsibility for policing a global network of suppliers and ensuring compliance with laws and regulations, government contracting rules, and company policies.”