Contractors' supply chains continue to be a focus of Department of Defense (DoD) regulatory interest. On October 30, 2015, DoD adopted as final, with certain key changes, an interim rule released in 2013 that amends the Defense Federal Acquisition Regulation Supplement (DFARS) and implements mandates found in the National Defense Authorization Acts (NDAA) for Fiscal Year (FY) 2011 and FY 2013. This final rule, called Requirements Relating to Supply Chain Risk, should be given careful attention by defense contractors because it requires that DoD agencies use supply chain risk as an evaluation factor and allows DoD to exclude contractors due to such risk in procurements related to National Security Systems (NSS).
The final rule implements section 806 of the FY 2011 NDAA (Pub.L. 111-383) as amended by section 806 of the FY 2013 NDAA (Pub.L. 112-239). This final rule is implemented through DFARS subpart 239.73 “Requirements for Information Relating to Supply Chain Risk” (revised October 30, 2015). In addition to addressing the section 806 mandates, this DFARS subpart also addresses elements of DoD Instruction 5200.44, “Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN).”
Contractors should note that this final rule is a further manifestation of the continuing strong focus on risk in the supply chain, and it is an example of the lead position that DoD has taken in addressing such risk. (For more information, see related discussion in our Supply Chain Toolkit.)
The objective of the October 30, 2015, final rule on supply chain risk is to implement “protection against risks to the supply chain affecting National Security Systems (NSS).” Congress in Pub. L. 111-383 defined supply chain risk as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.” As a result, this final rule requires contractors providing DoD with information technology that is a covered system, whether acquired as a service or as a supply, to mitigate supply chain risk related to those services or supplies. Importantly, this final rule:
- Requires the use of supply chain risk as an evaluation factor for covered contracts
- Enables DoD to exclude sources identified as possessing supply chain risk from consideration for the award of a covered contract
What is a “Covered Contract?”
DFARS 239.7301 states that:
“Covered system” means a national security system, as that term is defined at 44 U.S.C. 3542(b) (see section 806(e)(5) of Pub. L. 111-383). It is any information system, including any telecommunications system, used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—
(1) The function, operation, or use of which—
(i) Involves intelligence activities;
(ii) Involves cryptologic activities related to national security;
(iii) Involves command and control of military forces;
(iv) Involves equipment that is an integral part of a weapon or weapons system; or
(v) Is critical to the direct fulfillment of military or intelligence missions, but this does not include a system that is to be used for routine administrative and business applications, including payroll, finance, logistics, and personnel management applications; or
(2) Is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
The scope of the interim rule was broad and the solicitation provision and contract clause were to be included in all solicitations and contracts involving the development or delivery of any information technology, whether acquired as a service or a supply. The final rule, however, limits use of the solicitation provision and contract clause to solicitations and contracts for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined above.
Key Points for Defense Contractors
Key points on this final rule include:
- Focus on DoD National Security Systems. The rule is specific to DoD and focuses on the systems that often have a lower risk tolerance due to the criticality of missions utilizing such systems.
- Evaluation Factor. Supply chain risk is a required evaluation factor for information technology when supplies or services are being procured for a covered system, a part of a covered system, or in support of a covered system.
- Exclusion as a Source of Supply or Services. Sources identified by DoD as possessing supply chain risk can be excluded from consideration for award in order to minimize risk. The final rule does not expressly provide for a dispute resolution process in the case of such exclusion. DoD's response to two comments submitted on the interim rule is informative in this regard. DoD notes that exclusions “will be based generally on classified intelligence information.” As a result “a dispute resolution mechanism is not appropriate under those circumstances.”
- Limited Notification. DoD’s notification of exclusion to affected parties will be limited and the DFARS states that such notice will be “only to the extent necessary to effectuate action.” There is also a requirement to notify other DoD components or other Federal agencies responsible for procurements that may be subject to the same or similar supply chain risk, and to ensure the confidentiality of any such notifications.
- Rule is Applicable to Acquisitions Below the Simplified Acquisition Threshold (SAT) and to Commercial Items, Including Commercially Available Off-the-Shelf (COTS) Items. This rule is applicable to a broad range of information technology supplies and services because of the determination that it would not be in the best interests of the United States to exempt acquisitions not greater than the SAT and commercial items including COTS.
- Not a Flow Down Clause. The final rule modifies the interim rule and the clause is no longer required to be flowed down to subcontractors.
- More to Come. The “Analysis of Public Comments” provides an alert to contractors. DoD notes that this rule’s “sole purpose” is implementing the section 806 mandate. DoD goes on to say that it “has provided, and will continue to provide, additional guidance for the management and mitigation of supply chain risk.”
A Similar Requirement Exists in the Intelligence Community
This final DFARS rule is specific to DoD and, as noted above, focuses on the systems that have a lower risk tolerance due to the criticality of missions utilizing such systems. Since December 7, 2013, contractors that support the Intelligence Community (IC) have been working under a Directive that is similar to the DFARS rule. Intelligence Community Directive 731, called “Supply Chain Risk Management,” outlines duties and responsibilities to protect the supply chain. This Directive applies to the procurement of mission-critical products, materials, and services in all stages of the IC supply chain. Notably, the IC rule also provides for the exclusion of contractors, subcontractors, or vendors from procurements of information technology based on supply chain risk factors that may be identified during a risk assessment. In addition, the disclosure of information relating to that exclusion may be limited to protect national security.
Contractors that provide covered-system supplies and services should consider careful vetting of suppliers, review of quality assurance systems, and specific subcontract clauses to protect them from a subcontractor’s claim if DoD determines to exclude that subcontractor. Remember that this rule covers acquisitions below the SAT and commercial items, including COTS, and that commercial companies may have limited knowledge of unique DoD requirements.
- The rule includes a rigorous determination process that is to be followed by DoD prior to exclusion of a source. That prescribed process includes a limited list of individuals authorized to exercise section 806 authority and the requirement to make the determination in writing, with the concurrence of the Under Secretary of Defense for Acquisition, Technology, and Logistics, that use of section 806 authority is necessary to protect national security by reducing supply chain risk.
- The rule also requires a determination that less intrusive measures are not reasonably available to reduce such supply chain risk. Less intrusive measures are not described, but could include the substitution of an alternative source or a “make” instead of a “buy.” The “less intrusive measures” review appears to provide an avenue for the contractor to present its position.
- Pay attention to further supply chain risk rules. This rule makes clear that it is focused narrowly on section 806. In response to five comments that requested that DoD harmonize the requirements of this rule with industry- and government-led supply chain risk management regimes and initiatives in order to avoid inconsistencies, DoD responded that it “is involved in a myriad of efforts to address supply chain risks, specifically, as well as cybersecurity broadly” and noted that it will continue to provide further “guidance for the management and mitigation of supply chain risk.”