Now, more than ever before, contractors need to employ good contracting and subcontracting practices to secure their supply chains. Government contractors are required to deliver what they promise in their proposals and, ultimately, under their contracts. As a prime contractor, or higher tier subcontractor, you are responsible for the integrity and compliance of your supply chain. Recent developments may make that supply chain a potential trap for the unwary unless you are taking adequate steps to vet your suppliers:
- Supply Chain Risk clauses: Department of Defense (DoD) is including several clauses in acquisitions and contracts that warrant your increased attention. DFARS 252.239-7018 Supply Chain Risk clause is being included in DoD information technology procurements. This clause allows DoD to decide not to award a contract, or to cancel one that has been awarded, if DoD considers the prime contractor or its supply chain to pose “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system… so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.” DFARS 252.246-7007 Contractor Counterfeit Electronic Part Detection and Avoidance System and DFARS 252.246-7008 Sources of Electronic Parts require contractors to protect against counterfeit electronic parts in all tiers of their supply chain. Contractors and subcontractors must employ trusted sources, maintain traceability, and report on actual or suspect counterfeit parts. FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, as well as DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, require contractors and their subcontractors to comply with specific cyber security controls and cyber incident reporting requirements.
- DHS Binding Operational Directive (BOD) Ban on Products: The Department of Homeland Security (DHS) has authority to ban the use of certain products that pose risks to the national security. In Fall 2017, DHS issued its first BOD 17-01, requiring government agencies to take steps to scan, identify and remove/replace Kaspersky products in their systems.
- Other Legal Bans on Products: In December 2017, Congress passed the National Defense Authorization Act for FY 2018, prohibiting the use of any software platform developed in whole, or in part, by Kaspersky Lab. Effective July 16, 2018, FAR 52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities will be included in procurements and resultant contracts; the clause also may be added to existing contracts through a bilateral amendment.
- Tariffs and Other Actions: President Trump’s National Security Strategy issued in December 2017 identified national security risks posed by certain economic activities of foreign countries. Tariffs and other actions are being taken to address these concerns.
- Private Lawsuits and Government Investigations: Counterfeit parts continue to infiltrate the market. Counterfeit parts may involve the theft of a company’s intellectual property, and result in the loss of sales and good will for the company’s brand. In addition, counterfeit parts that do not work as intended pose significant safety and security risks to the United States, other countries, and our citizens. Private companies as well as the Government are seeking to address this problem. For example, in 2018, CISCO Systems filed a lawsuit against two Florida companies for importing and selling counterfeit electronic parts. One of these companies is a government contractor and is now under investigation by the Defense Logistics Agency.
Key Takeaways –
- Failing to adequately protect the integrity of your supply chain has untold costs. Take steps to protect your supply chain by vetting your suppliers and their products throughout the procurement lifecycle.
- Track notices of product and supplier risks and bans to reduce your supply chain risks.
- Negotiate and include appropriate clauses in your contracts to assure supply chain integrity and to identify appropriate processes and remedies for reporting, correcting and obtaining recourse in the event of a problem.
- Identify your incident response team members and develop a plan so you can take the necessary steps to prepare for and address any detected quality or performance problem, actual or suspected counterfeit part or cyber incident.
A safe and secure supply chain is in everyone’s interest. If you are a government contractor or subcontractor and have questions about your supply chain responsibilities, or the impact of these supply chain risk rules and requirements, contact Susan Warshaw Ebner, or your FortneyScott contact, for assistance.