Contractors have until Jan. 17 to comment on an interim rule published by the U.S. Department of Defense (DOD) that addresses supply chain security in bids, orders, and services for national security systems.
The rule, issued on Nov. 18, is an amendment to the Defense Federal Acquisition Regulation Supplement. It seeks to assure the integrity of information technology products in key applications, such as intelligence and cryptology, military command-and-control systems, and integral weapons components (e.g., guidance systems).
The rule took effect on publication, so supply chain professionals at contractors must now determine how it affects their products for these areas and, more important, the steps they must take to assure that the components they source -- many from overseas -- pose no security hazards.
In an analysis on the Lexology website on Nov. 26, attorneys Peter McLaughlin, Bradley Wine, and Rick Vacura of Morrison & Foerster LLP, a San Francisco-based law firm, wrote that the rule is part of a program to minimize supply chain risks under section 806 of the National Defense Authorization Act of 2011. The Pentagon's concern is that an adversary - whether a foreign government, criminal organization, or hacker - could use compromised IT components to subvert critical systems and degrade their functions.
"[T]he challenge for DOD ... and the contracting community is to determine an appropriate mechanism for identifying and handling supply chain risk that meets legitimate security concerns, while providing the contractors with sufficient compliance guidance and a means to understand and ... challenge the DOD's determination of a contractor falling short of its commitment," the authors noted.
One problem is that the rule lacks information about what DOD wants from contractors beyond their current supply chain security. Nor does the rule advise what particular safeguards contractors should have.
A contractor can be excluded from bids for national security systems if the DOD does not believe it has sufficient supply chain security, or it can be barred from using a subcontractor that also fails to meet the agency's security criteria.
Moreover, the attorneys wrote, a rejected bidder might not be told that its supply chain is deficient - at least in the government's assessment. "The lack of such information could prevent contractors from understanding or remedying inadequacies in their integrity program or responding to erroneous information relied upon by DOD," they stated.
The DOD can also withhold the information it uses to determine that a contractor's supply chain security is deficient. This means the "decision will not be subject to appeal and cannot be the subject of a bid protest."
There is a procedure for challenging such a decision, but it is complicated.
The attorneys concluded that the rule raises the bar quite a bit for supply chain professionals when it comes to proving the integrity and security of their supply chains. The comments due in January should encourage the DOD to clarify requirements for an "acceptable integrity program rating," the attorneys advised, while urging that a transparent appeals process be in place should a company be disqualified from a bid.