The definite trend for the past few years has been to increase oversight and management of the supply chain, especially with protection of information technology (IT) and enhanced cybersecurity. Contractors that sell IT hardware or services need to be aware of these requirements to manage the risk associated with the supply chain. Additionally, I predict this trend will impact almost all government contractors because SCRM requirements will extend to many other procurements. Contractors should start assessing changes to their procurement process relating to SCRM.
Section 881 of the 2019 National Defense Authorization Act (NDAA) emphasizes the focus on IT's supply chain risk management (SCRM) by making the DoD's authority to assess SCRM as part of the proposal evaluation process. The requirements are implemented in DFARS 239.73, Requirements for Information Relating to Supply Chain Risk, and the related DFARS provision, 252.239-7017 Notice of Supply Chain Risk, and clause, 252.239-7018 Supply Chain Risk.
The SCRM requirements for IT enable the Department of Defense to exclude companies from a competition for certain covered contracts for IT hardware and services. While this may appear to be a de facto suspension or debarment, the courts have already upheld correctly phrased evaluation factors. See Iron Bow Techs., Inc. v. United States, 136 Fed. Cl. 519 (2018). In Iron Bow, the Social Security Administration rejected an offeror that provided printers whose manufacturer was partly owned by the Chinese government. Because the requirement was phrased as evaluation criteria, the Court upheld the rejection.
It used to be that contractors only had to worry about the sourcing of materiel and components under the Buy American Act, Trade Agreements Act or Berry Amendment. SCRM is now becoming more complicated and critical. Contractors at all tiers - prime and subcontractors - should assess their supply chains for potential risks, including foreign ownership, cybersecurity protections, ability to manage quality of products and services, and ability to detect and prevent counterfeit parts. Growing concern that the procurement of IT hardware, software and services could weaken the defenses around government information is resulting in more SCRM oversight and requirements.
As such, prime contractors will need to perform sufficient due diligence on the entire supply chain, and subcontractors will need to have systems in place to be competitive. The SCRM processes should ensure prime contractors (i) know the ownership of each subcontractor in the chain and the source of all material and parts, (ii) have a process to oversee a company's ability to protect unclassified information, and (iii) ensure compliance with the criteria in DFARS 239.73. Prime contractors should also require subcontractors to notify them of changes during performance of the contract.
SCRM will most probably create a burden for all contractors but especially for small businesses. While some companies may elect not to enter or to exit the federal marketplace, those who wish to remain will need to embrace SCRM - the Information Technology or IT thing.