In 2011, Congress recognized a need to protect national security systems (NSS) from various attacks on information technology (IT) systems and networks. In particular, the 2013 Federal Register notice pointed to the risk of allowing the malicious insertion of software code or an unwanted function that could degrade the operation of such systems. (This need was recognized by the National Defense Authorization Act (NDAA) of 2011, and affirmed in the 2013 NDAA.)
In a more general sense, a supply-chain risk is defined as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.” A national security system is IT that—
- Involves intelligence or cryptologic activities.
- Is used for command and control of military forces.
- Is an integral part of a weapon system.
- Is critical to the direct fulfillment of military or intelligence missions. (This does not include routine administrative or business applications related to payroll, finance, logistics, and personnel management.)
If equipment is damaged and repair parts or services aren’t quickly and easily available, the expense of repairing such systems—or putting in place other mitigation measures—is very high. Hence, Congress and DoD reasoned that the risk of interruption of the supply chain should be a consideration in contracting for IT systems and networks.
So now, all IT bids involving NSS must be evaluated on the basis of the bidder’s ability to reduce supply-chain risk.
The rules allow the government to exercise “Section 806” authority to exclude—
- A source that doesn’t have the ability to reduce supply-chain risk.
- A source that doesn’t achieve an acceptable rating for reducing supply-chain risk.
In addition, the government can withhold consent for a contractor to subcontract to such sources.
This rule applies even to acquisitions of items normally subject to the simplified acquisition threshold (SAT), commercial items, and commercially available off-the-shelf (COTS) items. Normally, if an item falls below a certain amount (the SAT), it will be exempt from this type of restriction, but the director of defense procurement and acquisition policy (DPAP) determined that the normal exemption would not be in the best interest of the government.
Likewise, this type of restriction is typically not applied to the acquisition of commercial items or COTS items. But again, the government has found that exempting such items is not in the best interest of the government. In short, the government believes some commercial and COTS items may be in the supply chain for a covered NSS.
Bottom Line for Contractors
Supply-chain risk is now a consideration in IT procurements involving NSS. Check what needs to be done to reduce this risk. In general, this direction will come from the procuring agency. (There is no national standard for evaluating this requirement.)
Items on this web page are general in nature. They cannot—and should not—replace consultation with a competent legal professional. Nothing on this web page should be considered rendering legal advice.