The federal government’s focus on security—some would say obsessive or intrusive focus—exploded last year with the now-famous revelations by Edward Snowden. An interesting post on Industry Market Trends addresses a new Department of Defense rule that directly impacts supply chain professionals of manufacturers selling to the government, a rule driven by that focus on security:
The rule, issued on Nov. 18, is an amendment to the Defense Federal Acquisition Regulation Supplement. It seeks to assure the integrity of information technology products in key applications, such as intelligence and cryptology, military command-and-control systems, and integral weapons components (e.g., guidance systems). The rule took effect on publication, so supply chain professionals at contractors must now determine how it affects their products for these areas and, more important, the steps they must take to assure that the components they source—many from overseas—pose no security hazards.
Rising Concerns regarding the National Defense Authorization Act
Elsewhere, on Lexology, three attorneys from Morrison & Foerster LLP, a San Francisco-based law firm, wrote that the rule is part of a program to minimize supply chain risks under section 806 of the National Defense Authorization Act. The Pentagon’s principal concern is that an adversary (e.g., foreign government, criminal organization, or hacker) could use compromised IT components to subvert critical systems and degrade their functions. According to the authors:
The challenge for DOD … and the contracting community is to determine an appropriate mechanism for identifying and handling supply chain risk that meets legitimate security concerns, while providing the contractors with sufficient compliance guidance and a means to understand and … challenge the DOD’s determination of a contractor falling short of its commitment.
But here’s the rub: the rule lacks information about what the DOD wants from contractors beyond their current supply chain security. It also fails to indicate what particular safeguards contractors should have. Contractors can be excluded from bids if the DOD does not believe they have adequate supply chain security, and further, they can be barred from using subcontractors who fail to meet the DOD’s security criteria.
Information Withholding Could Affect Supply Chain Integrity
Here’s where the Kafkaesque turn comes: rejected bidders might not be told that their supply chains are deficient, and the DOD can withhold information used to determine if a contractor’s security is deficient. As the authors note:
The lack of such information could prevent contractors from understanding or remedying inadequacies in their integrity program or responding to erroneous information relied upon by DOD.
As the world cries out for transparency, the government establishes murky rules. Doesn’t seem right.