Defense Increases Scrutiny of Supply Chain

By Susan Cassidy and Alex Hastings

The Defense Department has offered some clarification on how it plans to deal with suppliers that pose potential security risks.

The department issued a final rule amending the Defense Federal Acquisition Regulation Supplement and clarifying the scope of the government’s ability to evaluate and exclude contractors that represent “supply chain risks” in solicitations and contracts — specifically those that involve the development or delivery of information technology products and services in national security systems. In general, these are systems used by an agency or a government contractor for intelligence missions, command and control of military forces, or cryptologic.

The final rule presents some positive developments for contractors, as it clarifies that the Defense Department’s exclusion authority is limited to procurement of national security systems, and establishes that exclusion decisions apply on a procurement-by-procurement basis. The final rule, however, leaves contractors without any significant protections to ensure they are not improperly precluded from doing business with the department.

The amendments implement Section 806 of the 2011 National Defense Authorization Act and give DoD the authority to take action to exclude IT contractors or withhold consent to subcontract if the department determines that a contractor or subcontractor presents a supply chain risk. 

A “supply chain risk” could be a U.S. adversary being able to sabotage or subvert the design, integrity, manufacturing, production, distribution, installation, operation or maintenance of a national security system.

Based on the sensitive nature of these systems, the government’s desire to protect the defense supply chain is understandable. Of concern to contractors is the lack of procedural protections that would give them a seat at the table when exclusion decisions are being made. DoD may take Section 806 actions without providing pre- or post-exclusion notice to or engaging in dialogue with contractors. 

DoD declined to implement these potential contractor protections in the final rule, implicitly suggesting that such protections were unnecessary — because Section 806 exclusions would be made on a case-by-case basis — or impossible, because national security considerations limit the department’s ability to communicate with the contractor. 

The final rule affirms that Section 806 actions are not reviewable in a bid protest before the Government Accountability Office or in any federal court. The lack of procedural protections led commentators on the interim rule to suggest that contractors could be effectively excluded from DoD procurements without advance notice or an opportunity to object.

Defense officials attempted to address this de facto debarment concern by clarifying that each Section 806 decision to exclude is done on a procurement-by-procurement basis. Nevertheless, multiple exclusions without an opportunity to object or address the government’s concerns could effectively result in a blanket exclusion.

A Section 806 action may only be approved by high-ranking officials such as the secretaries of the military departments or the most senior procurement officials within those departments. The authorized official must provide written notice to congressional defense and intelligence committees and to other agencies responsible for procurement that may carry the same or similar supply chain risks.

Notably, the DoD authority under Section 806 expires Sept. 30, 2018, and the department is required to issue a report by Jan. 1, 2017, that addresses the effectiveness of the Section 806 actions and the frequency with which the department exercises this authority.  Although this reporting obligation provides some limited oversight of DoD’s determinations, the final rule leaves contractors without any recourse against exclusions from procurements due to perceived supply chain risk.

The final rule adds an “evaluation factor” to assess supply chain risk when making procurement decisions for IT products and services related to national security systems. The rule itself contains no further clarifications as to how it will be implemented, but DoD indicated that DFARS procedures, guidance and information are forthcoming. Until this guidance is provided, it remains unclear how supply chain risk will be assessed and scored in a contractor’s proposal.

Finally, the rule imposes on contractors an ongoing obligation to “mitigate supply chain risk” and encourages contracting officers to consider imposing a “government consent” requirement for all subcontracts. DoD did not offer guidance on the means of mitigating supply chain risk, but instead explained that it is working with industry to promulgate best practices.

In the meantime, contractors should seek to document their processes for vetting subcontractors, especially those operating in regions or industries prone to presenting a supply chain risk. Contractors should consider including subcontractors in their initial proposal so that any increased use of the subcontractor consent clause will not impact their ability to use their preferred teammates.

The implications of the final rule could be significant. Contractors subject to a Section 806 action could be excluded from a procurement without notice or an opportunity to be heard, an impartial review of the decision, or an opportunity to take corrective action. Given the lack of procedural protections, contractors should seek an open dialogue with the relevant contracting authorities. Although such communications will not necessarily increase the procedural protections afforded to contractors, they could help to preemptively address the department’s supply chain concerns. 

Contractors must address a new supply chain risk evaluation factor and satisfy an ongoing obligation to “mitigate supply chain risk” without guidance on how such measures should be realized.  

Susan Cassidy is a partner in the government contracts group, Roger Zakheim is counsel in the public policy and government affairs group and Alex Hastings is an associate in the government contracts group at the law firm of Covington & Burling LLP.
