DoD enacts rule on excluding contractors based on supply chain risk
The Defense Department may now officially exclude contractors or subcontractors from receiving information technology contracts based on the risk their supply chain poses to national security systems.
The authority comes from earlier national defense authorization bills and it expires in September 2018. In an interim rule published Nov. 18 in the Federal Register, DoD says the authority applies to the acquisition of any IT product or service, including commercial items, so long as the contractor in question operates a supply chain that poses a significant risk to a particular national security system.
Although the clause permitting the DoD to exclude contractors will now be a part of all defense IT contracts, the interim rule notes that it can apply only to national security systems, and then only to items "the loss of integrity of which could result in a supply chain risk to the entire system."
The bar for excluding a company from a contract is set rather high. The exclusion process must begin with an official at least at the level of a service acquisition executive asking permission from a committee made up of the undersecretary for acquisition, technology and logistics and the DoD chief information officer, who in turn must have a risk assessment from the undersecretary for intelligence.
If the application is approved, the official seeking it must make a written determination that less intrusive measures aren't reasonably available. Before the exclusion can take effect, Congress must be notified.
Once actually carried out, however, the decision is more or less irrevocable. The excluded company need not be notified of its exclusion, and a secret decision to exclude can't be litigated in a federal court or taken before the Government Accountability Office as a bid protest.
Supply chain risk has gained increasing visibility as a cybersecurity issue in recent years, although many cybersecurity experts downplay the current risk of supply chain attacks, noting that Internet-delivered malicious software attacks are easier and less costly to undertake.
- read the interim rule in the Federal Register