Recent Legislative Proposals Seek to Address Supply Chain Risks in Information Technology Procurements
The White House and Congress recently proposed legislation addressing supply chain risks in information technology (IT) procurement. Two legislative proposals, the Federal Acquisition Supply Chain Security Act of 2018 (FASCA) and the Federal Information Technology Supply Chain Risk Management Improvement Act, are discussed below. These legislative initiatives are in addition to the policy developments discussed in the report by the MITRE Corporation, which is covered separately in this Newsletter.
The Federal Acquisition Supply Chain Security Act
On June 19, 2018, Senators James Lankford, R-OK, and Claire McCaskill, D-MO, introduced FASCA. The bill would, among other things, create a Federal Acquisition Security Council comprised of seven agencies, with the authority to exclude sources from federal acquisitions for IT and supply chain security purposes. The Council would have a number of different functions, including: developing criteria and processes for assessing supply chain threats and vulnerabilities posed by the acquisition of IT to national security and the public interest; issuing guidance to executive agencies for incorporating information relating to supply chain risks into procurement decisions for the protection of national security and the public interest; and determining whether the exclusion of a source by one executive agency for IT security purposes should apply to all executive agencies.
FASCA would also extend to civilian agencies the authority to take procurement actions based on IT and supply chain security risks, similar to the authority previously granted to DOD in Section 806 of the FY 2011 NDAA, which is implemented in DFARS Subpart 239.73 and was recently reauthorized in the FY 2019 NDAA. This extension would authorize all executive agencies to (1) exclude a source that fails to meet certain qualification requirements intended to reduce supply chain risk in the acquisition of IT; (2) exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order; and (3) withhold consent for a contractor to subcontract with a particular source or direct a contractor to exclude a particular source from consideration for a subcontract under the prime contract. The executive agency would also be able to limit, in whole or in part, the disclosure of information relating to the basis for carrying out one of the aforementioned procurement actions. Importantly, if an executive agency has exercised its authority to limit disclosure of information, “no procurement action undertaken by the head of the agency under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal Court.”
FASCA was read twice and referred to the Senate Committee on Homeland Security and Governmental Affairs on June 19, 2018. No further action has been taken.
Federal Information Technology Supply Chain Risk Management Improvement Act of 2018
On July 10, 2018, the Trump administration sent a legislative proposal for the Federal Information Technology Supply Chain Risk Management Improvement Act of 2018 to Congress. The proposal is similar to FASCA. In a press release, Senator McCaskill’s office stated that “[b]oth McCaskill’s bill [FASCA] and the Administration’s language use similar methods to require greater accountability and increase transparency in the information technology acquisition process.”
Like FASCA, the Federal Information Technology Supply Chain Risk Management Improvement Act proposes to establish a Federal Information Technology Acquisition Security Council as well as a Critical Information Technology Supply Chain Risk Evaluation Board, with many of the same member agencies as those identified in FASCA. The responsibilities of the Council would include, among other things, identifying and recommending supply chain risk management standards for use by executive branch agencies and identifying criteria for sharing information with respect to supply chain risk. The responsibilities of the Board would include establishing criteria for recommending the exclusion of sources from executive agency procurements.
The Federal Information Technology Supply Chain Risk Management Improvement Act would also authorize executive agencies to take certain procurement actions to keep supply chain risks at bay. In addition to those procurement actions authorized by FASCA (i.e., excluding sources that fail to meet certain qualifications or ratings and withholding consent for subcontractors), the Federal Information Technology Supply Chain Risk Management Improvement Act would authorize executive agencies to determine that a contractor is not responsible based on supply chain risk considerations.
Recommendations for Contractors
Considering the similarities between the two legislative proposals, the trend is clear: the White House and Congress are interested in mitigating IT and supply chain risks through inter-agency councils and increased civilian agency authority to make procurement decisions (including source exclusions) based on supply chain risk. Although neither legislative proposal poses imminent change, contractors should anticipate these changes, shore up their IT and supply chain posture, and ensure that key supply chain partners will withstand additional scrutiny. Contractors should also seek opportunities to engage in shaping how these proposals are implemented. For example, one of the functions of the proposed Federal Acquisition Security Council would be to consult, as appropriate, with the private sector and other nongovernmental stakeholders on issues relating to the management of supply chain risks posed by the acquisition of IT.