Concerns raised by the top ICT advocacy organization, the Information Technology Industry Council (ITI), over additions to the Defense Federal Acquisition Regulation interim rule, “Requirements Relating to Supply Chain Risk,” bring Department of Defense (DoD) acquisition policy into question. The interim ruling, published in the 18 November 2013 Federal Register, mandates that commercial vendors be excluded from federal procurements for assessed Supply Chain Risk Management (SCRM) vulnerabilities (Section 806 of the NDAA for FY 2013, Pub. L. 112–239).
On 21 January, ITI submitted a letter to the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics (OUSD (AT&L)) stating that the interim ruling lacks specific SCRM requirements and standards for vendors to deploy. Furthermore, ITI stated that this would result in the exclusion of vendors and a downturn of the Defense Industrial Base (DIB).
The DFAR interim rule does indeed lack specific tactics, techniques and procedures for vendors to follow.
Government regulations and standards, however, are not the be-all and end-all SCRM solution. Industry will have to take the lead on securing its suppliers (see our February 6 entry on the O-TTPS!). We will need to continue to have an open dialogue with all parties at the table – Government and Industry – to show how innovation and competition drive the solution.
It should also be noted that, under the same DFAR rule, for the Government to exercise this exclusion power it must:
- Apply the power to procurements for a National Security System (NSS);
- Have the determination signed by the head of the agency, i.e. the Secretary of Defense and the Secretaries of the military departments, with delegation limited to officials at or above the level of the service acquisition executive for the agency; AND
- Obtain a joint recommendation from the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)) and the Chief Information Officer of the Department of Defense (DoD CIO), based on a risk assessment from the Under Secretary of Defense for Intelligence (USD(I)) that there is significant supply chain risk to a particular NSS.
This is not an easy task!
Suppliers have to recognize that supply chain risk is a clear and present danger – especially as they go deeper into the tiers of the supply chain, where visibility gets muddier. At the same time, Government needs to realize that until it understands where its vulnerabilities lie, it will be difficult to get any supplier to commit to a 100% ‘warranty’ against any impact. The requirement is too loosely defined and the supplier’s risk of exposure is too great.
In the case of Section 806, the dangers to NSS are serious and high-impact, so both Government power and industry innovation are necessary components of security.
Suppliers must take the lead in developing risk mitigation strategies that demonstrate a deep understanding of the problem and a solution to provide a secure supply chain for systems and components that support National Security.