Identifying threats and improving network and supply chain security has been an ongoing effort by Congress and the Department of Defense (DoD) for the past several years. Congress has included multiple provisions in the annual National Defense Authorization Acts to spur action by the DoD to address weaknesses in contractor supply chains for electronic parts and vulnerabilities to cyber threats in contractor information technology systems. In turn, the DoD has amended the Defense Federal Acquisition Regulation Supplement (DFARS) to impose new performance requirements on contractors and subcontractors in DoD procurement contracts. This cascading effort of turning policy into contract performance has been steady but slow and of questionable efficacy.
A new initiative under consideration by the DoD could change that. In June testimony to Congress, the DoD said it has started a new initiative known as “Deliver Uncompromised” to “elevate the private sector’s focus on security.” The DoD’s goal is to establish security as a “fourth pillar” in acquisition, “on par with cost, schedule and performance.” The hope is to create incentives for industry to “embrace security, not as a ‘cost center,’ but as a key differentiator” in competitions for procurement contracts.
In August 2018, the nonprofit group Mitre Corporation (Mitre) released a report called “Deliver Uncompromised,” which describes how the DoD and the intelligence community face daily strategic attacks from foreign adversaries in the supply chain domain (e.g., software, hardware, and services) and cyber domain (e.g., information technology and cyber-physical systems such as weapons systems). Mitre’s report calls for a unified focus of resources from both the DoD and government contractors to prioritize risk mitigation through enhanced infrastructure and better coordination. While the DoD cannot require private companies to invest in specific security measures, the Mitre report recommends that the DoD use its purchasing power and regulatory authority to influence and shape the conduct of DoD suppliers. For example, the DoD may begin defining procurement requirements with new security measures, or rewarding contractor proposals with superior security measures by elevating security as a primary metric for evaluation during the source selection process. The DoD could also include terms and conditions in its contracts that impose security requirements, and then use those contractual terms post-award to monitor contractor compliance.
Mitre’s recommendations are still under consideration at the Pentagon. It remains to be seen how the DoD will proceed with its goal to increase supply chain security through its acquisition strategy. In the meantime, questions come to mind for contractors in the defense industry space that will purportedly be competing under this new competitive source selection methodology. For example:
- How will a contractor’s security plan be assessed? Will the DoD use a more subjective, descriptive evaluation metric, similar to an agency’s evaluation of past performance? Or will contractors’ security be assessed on a pass/fail basis?
- How will a contractor’s security be validated for assessment purposes? Will the DoD conduct security audits against offerors’ security systems to “pressure” test security adequacy?
- Similarly, as an awardee, how would a contractor prove adequacy of its security systems and defend potential protest allegations of inadequacy?
- Alternatively, as a protester, how would a disappointed offeror challenge the adequacy of an awardee’s security system, or the reasonableness of an agency’s evaluation of an offeror’s security?
- Given the complexity of security risks and assessments, how will the DoD’s evaluation team be trained—especially if the security assessment is beyond a checklist, pass/fail evaluation?
The above are just a few of the questions resulting from the DoD’s “Deliver Uncompromised” initiative and its potential impact on acquisition strategy. Contractors should be aware of these potential changes and continue to monitor DoD’s actions as it implements changes.