
New Defense Department Acquisition Rule Focuses on Supply Chain Risks

By George W. Thompson

The Department of Defense has adopted a final DFARS (Defense Federal Acquisition Regulation Supplement) rule establishing “supply chain risk” as an evaluation factor in procurement of “national security systems.” The rule, which was effective on October 30, 2015, implements Section 806 of the National Defense Authorization Act for Fiscal Year 2011. It applies to Defense acquisitions of “information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system.”

Covered Systems Covered

In turn, a “covered system” is defined in the existing DFARS as a “national security system” for use by or on behalf of a Federal agency in such activities as intelligence, cryptologic or military command and control or in a weapon or weapon system.

“Supply chain risk” is defined as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system . . . so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.” To forestall such events, “risk levels, risk tolerance, and appropriate risk management measures” will be “specified at the individual acquisition level.”

COTS and Micropurchases Included

These factors will apply to contracts and subcontracts, and to acquisitions below the Simplified Acquisition Threshold, currently $20,000 for contracts or purchases inside the U.S. and $30,000 for those elsewhere.  Procurements of Commercially Available Off-the-Shelf (COTS) items are covered.

Although supply chain risk concerns may lead to a contractor’s exclusion from a contract, the implementing notice emphasized that the Defense Department hopes to “work with its offerors to mitigate supply chain risk using less intrusive measures than exclusion.” It points out that “risk will be evaluated on a case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Contractors are eligible to compete for future solicitations even after application of the section 806 authority has excluded them from a particular source selection.”

Potential Long Reach

Of course, we must await the rule’s application to specific acquisitions to determine its practical effect.  On its face, however, it appears to be quite broad, and has potential application well beyond DFARS acquisitions.  Steps taken to meet the DFARS evaluation factors will almost certainly require changes in supply chain security for all COTS information technology items offered to the Defense Department.

Because COTS items are sold into other markets, including FAR and non-government acquisitions, identical goods destined for non-DFARS purchasers will be swept up by these changes as well. I anticipate there will be a focus on both physical and digital threats, so a contractor will have to take into account not only its own risk profile but those of its suppliers and subcontractors too. Implementation at the local level could result in a plethora of different standards and requirements.

Unless the evaluation factors are toothless or are honored more in the breach, I expect this new rule will prove disruptive, particularly for contractors with foreign-sourced articles and components.
