On Sept. 19, 2018, the U.S. Department of Defense (DoD) issued a corrected Class Deviation 2018-O0020, to remove the sunset provision in DFARS 239.73, "Requirements for Information Relating to Supply Chain Risk," that was due to expire on Sept. 30, 2018. The deviation is effective immediately. This new deviation implements Section 881 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019. Section 881 made the requirements for supply chain risk management under DFARS 239.73 permanent by placing its authority under a statute (10 U.S.C. § 2239a). This reauthorization reflects the continual efforts by Congress and the DoD to increase oversight on contractors supply chain and use risk management as a metric for contract performance.

DFARS Subpart 239.73, along with its contract clauses DFARS 252.239-7017 and DFARS 252.239-7018, places a significant onus on contractors to investigate its own supply chain to minimize and mitigate any perceived security risks. Failure to meet the requirements of the regulations creates significant risk to a contractor. First, there is an explicit requirement in DFARS 252.239-7018 requiring contractors to actively mitigate supply chain risk during performance of the contract. However, the clause provides no additional information or standard to what is considered adequate mitigation. Second, there is an implicit incentive for contractors to ensure that their supply chain is risk-free because the contractor is not the only entity to investigate risks in its supply chain. DFARS 252.239-7018 provides the government with an incredible oversight capability by permitting it to consult both public and non-public information, including all-source intelligence, to determine whether a contractor's supply chain creates a risk. This enhanced authority gives the government additional information regarding the contractor's supply chain that may exceed the contractor's capability to obtain. As such, if the contractor does not evaluate its own supply chain adequately, the government may obtain relevant information which it can use to evaluate the contractor's performance, which may be restricted from disclosure at the government's discretion. This is particularly concerning because DFARS 252.239-7018 prohibits the contractor from remedies in federal court or at General Accountability Office (GAO) to object to the government's decision to restrict this information.

While the new class deviation does not substantively change the current requirements under DFARS 239.73, it does ensure that these requirements are permanent contract performance requirements that must be applied to covered defense contracts. It further indicates DoD is increasing its efforts to evaluate supply chain risk management as a metric upon which it may assess a contractor's past performance evaluation and/or assert a contract action. A failure to adequately mitigate a supply chain risk could be viewed by the government as support for a negative past performance evaluation or even a termination for default. Additionally, a negative past performance evaluation could have a lingering effect on the contractor's ability to obtain future contracts.

Given the significant consequences for failure to ensure adequate supply chain management, it is important for contractors to carefully review both solicitations and modifications to determine whether DFARS Class Deviation 2018-O0020 is present. Should this new class deviation apply, contractors should be prepared to implement a supply chain risk management program. Holland & Knight's Government Contracts team is ready to assist you in navigating these regulations and increased government oversight.