Final DFARS Rule Heightens Importance of Supply Chain Risk Management for Contractors
The Department of Defense (DoD) published its final rule requiring it to consider the impact of supply chain risk as a factor in certain procurements related to national security systems on October 30, 2015.[1] Although some elements of the interim rule were modified, many of the most disconcerting parts for some government contractors remain unchanged. Most significantly, DoD retains the ability to exclude a contractor from certain procurements, without a hearing and potentially without an explanation, should DoD find a risk to the contractor's supply chain. While use of this exclusion authority requires senior official approval within DoD and has been relatively rare to date, it creates the potential that some contractors may be excluded without any process to dispute the government's determination. This lack of process may be even more unsettling for subcontractors than prime contractors because a subcontractor may not even know that they have been excluded if DoD directs the prime contractor not to use a particular subcontractor. For example, the prime contractor may learn of the fact that DoD has exercised its supply chain risk authority, but may not know the basis for DoD's determination, whereas a subcontractor may not even be made aware of the fact that they have been excluded. In light of the final rule, contractors should ensure that they are investing adequate resources in supply chain risk management.
In November 2013, DoD issued an interim rule on supply chain risk, pursuant to authority granted in the National Defense Authorization Act (NDAA) for Fiscal Year 2011.[2] The rule resulted in a great deal of comment, both because it was not issued as part of a formal rulemaking and because of its breadth, as discussed below.[3] On October 30, 2015, DoD published the final rule, solidifying the importance of supply chain risk management for those interested in bidding on certain federal contracts.
Supply chain risk is defined as "the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system… so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system."[4] As discussed in greater detail below, a national security system is one that is used for intelligence operations, cryptologic activities, equipment integral to weapon systems, control of military operations, or is critical to the direct fulfillment of military or intelligence missions.
The final rule establishes the importance of supply chain risk in future procurements in two different ways: it gives DoD significant power to exclude a potential contractor from a national security system procurement should that contractor fail to attain what DoD determines to be an acceptable level of supply chain risk management, and it requires that supply chain risk be included as an evaluation factor in national security system solicitations.
The section 806 exclusion power
DoD codified its power to exclude a potential contractor from national security systems procurements in this final rule. This power is referred to as the "section 806 power," after the relevant section of the authorizing legislation. Specifically, under section 806 of the NDAA for FY 2011, the Secretaries of Defense, the Army, the Navy, the Air Force, and their delegates may take one of three actions:
- "Exclude a source that fails to meet qualification standards established in accordance with the requirements of 10 U.S.C. § 2319, for the purpose of reducing supply chain risk in the acquisition of covered systems;
- Exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order;
- Withhold consent for a contractor to subcontract with a particular source or direct a contractor for a covered system to exclude a particular source from consideration for a subcontract under the contract."[5]
This means that should DoD determine that a contractor's supply chain risk management systems are inadequate, that contractor will be barred from competing for a certain contract, without a hearing and oftentimes without explanation.
If DoD decides to exercise the section 806 power, it need not disclose the reasons for its determination. DoD is authorized to limit, "in whole or in part, the disclosure of information relating to the basis for carrying out any of the actions authorized by" section 806. Furthermore, the use of the section 806 power to exclude is not subject to review in a bid protest before the Government Accountability Office or in federal court. Also, notice of a contractor's disqualification for supply chain risk reasons will only be provided to "appropriate parties," not to the general public, so it is possible that contractors will not even know whether their subcontractors have ever been disqualified because of supply chain risk.[6]
There are a few, limited protections in place that must be satisfied before DoD may exercise the authority given under section 806.[7] First, the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Chief Information Officer of the Department of Defense must make a joint recommendation that "there is a significant supply chain risk to a covered system." Second, there must be a finding that exercise of the section 806 power is "necessary to protect national security by reducing supply chain risk" and that "less intrusive measures are not reasonably available to reduce such supply chain risk." Finally, notice must be given to certain congressional committees. These safeguards will provide little comfort to a contractor disqualified for unspecified reasons and without a forum in which to protest.
While the rule provides sweeping authority to disqualify a contractor from a given contract, without public reason or hearing, this power to exclude is limited to the procurement at issue. DoD cannot issue a "blanket exclusion" under this rule; contractors are eligible to compete for future solicitations after DoD has utilized the section 806 authority to exclude them from a particular procurement. This may provide little reassurance to a contractor who fears the same issue that resulted in disqualification from one contract will lead to exclusion in a future solicitation, but has not been informed of what the problem was that led to disqualification in the first place.
Risk management as an evaluation factor
The rule also requires that supply chain risk be included as an evaluation factor in procurements of national security systems. A notice will be included in future solicitations, containing the definition of supply chain risk, a notification that the government may use the powers granted by section 806 to disqualify a contractor, and an explanation that should a contractor be disqualified, there is no potential for review of that action at the GAO or in federal court.[8]
Changes from the Interim Rule
The final rule changes the interim rule, originally published on November 18, 2013, in three relatively small ways.
First, the scope of the rule is narrowed. Whereas the preliminary rule applied to "the development or delivery of any information technology, whether acquired as a service or as a supply,"[9] the final rule only applies if the information technology "is part of a covered system, or is in support of a covered system."[10] A "covered system" is defined as a "national security system," meaning:
"Any information system, including any telecommunications system, used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency-
(1) The function, operation, or use of which-
- Involves intelligence activities;
- Involves cryptologic activities related to national security;
- Involves command and control of military forces;
- Involves equipment that is an integral part of a weapon or weapons system; or
- Is critical to the direct fulfillment of military or intelligence missions but this does not include a system that is to be used for routine administrative and business applications, including payroll, finance, logistics, and personnel management applications; or
(2) Is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy."[11]
Thus, rather than the rule applying to virtually every information technology component in all systems used by DoD, it is now more limited in application and expressly does not cover routine administrative and business applications.
Second, whereas the preliminary rule required that the notice regarding supply chain risk be flowed down to subcontractors, the final rule only requires it be included in prime solicitations. This change was made in response to concerns that the loss of a supplier at a lower tier could have "ripple effects" on higher-tier contractors, creating large potential costs and disruption to the procurement process.[12]
Third, the supply chain risk language in national security systems solicitations was changed from requiring contractors to "maintain controls in the provision of supplies and services to the Government to minimize supply chain risk" to requiring them to "mitigate supply chain risk."[13] Respondents noted that the "maintain controls" wording implied that certain controls were necessary for contractors to implement, and the interim rule failed to specify which standards DoD preferred. The final rule clarifies that DoD does not have a preference for a specific supply chain risk strategy; it just requires that contractors have one.
Commonalities: What Hasn't Changed
Contractors may be most troubled by what has not changed in the rule. Namely, the rule still gives DoD the power to exclude, absolutely, proposed contractors who fail to meet unspecified standards on supply chain risk management. Responses to the interim rule suggesting that this power be tempered in any way, including by being subject to a dispute resolution mechanism, were disregarded as contrary to the intent of the authorizing legislation.
Furthermore, no guidance is given as to what supply chain risk management systems DoD desires. DoD justified this lack of direction by responding that "risk levels, risk tolerance, and appropriate risk management measures must be determined at the local level," explaining that "evaluation factors are specified at the individual acquisition level and not in the DFARS."[14] This could leave contractors unsure of how to proceed in light of DoD's section 806 authority.
Finally, the secrecy provisions of the interim rule remain in place. The final rule does not provide for any additional information sharing about threats DoD identifies to contractors' supply chains or disclosure of reasons why a particular contractor was disqualified. The reason given for this nondisclosure is that exclusions under section 806 will be based on classified intelligence information, and open discussion of such procurements is inappropriate.
In light of this final rule, government contractors should take a number of actions.
First, contractors should proactively conduct supply chain audits to ensure the integrity of their sourcing systems. As contracts can now be lost on the basis of supply chain risk, it pays to expose and remedy potential liabilities before they could result in the loss of valuable business opportunities.
Likewise, to the extent practicable, contractors should have a range of possible suppliers should one be found to pose a supply chain risk.
Finally, contractors should stay tuned, as DoD may give guidance as to its preferred supply chain risk management techniques. DoD plans to issue DFARS Procedures, Guidance, and Information on developing and using supply chain risk evaluation factors designed for use by contractors. It also intends to work with industry to identify best practices in risk management. By following established practices, contractors may be able to minimize the risk that they are excluded from a solicitation.
In conclusion, the final rule on supply chain risk maintains the interim rule's drastic exclusion remedy without providing much guidance on how it will be applied. DoD has stated that it will utilize less intrusive measures than the section 806 authority wherever possible and that it anticipates such mitigations will normally sufficiently manage any supply chain risk it identifies. That said, when DoD exercises its section 806 authority, the contractor is excluded without a hearing and without being informed of the specific risks DoD identified.
DoD likewise says that it does not anticipate this rule will result in significant costs to the industry, because contractors have an existing interest in having a reliable supply chain and the rule does not require any specific risk protections. Given the seriousness of the potential penalty and the lack of process, though, it is likely that many contractors will expend extra resources to ensure supply chain integrity.
See Ronald D. Lee, Nicholas L. Townsend, and Lauren J. Schlanger, "New DoD Requirements for Defense Contractor Cyber Incident Reporting, Safeguarding Technical Information, and Supply Chain Risk," Arnold & Porter Advisory (December 2013).
The Intelligence Community has a similar, but separate, exclusion power. See Section 309 of the Intelligence Authorization Act for FY 2012 (Pub. L. 112-87), entitled "Enhanced Procurement Authority to Manage Supply Chain Risk" and codified at 50 U.S.C. § 3329, note.