The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for supply chain security

By

GSA introduces vendor risk assessment program in draft solicitation

The General Services Administration could soon start requiring on-site assessments of certain federal contractors under a new program to scrutinize risks to the supply chain. 

Tucked into the draft of a new governmentwide acquisition vehicle for information technology services called Polaris is language describing a tool to “identify, assess and monitor supply chain risks of critical vendors.”  It would use classified and unclassified sources.

GSA said once the tool it’s developing—referred to as the Vendor Risk Assessment Program — is complete, “the contractor agrees the government may, at its own discretion, perform audits of supply chain risk processes or events,” adding, “on site assessments may be required.”

The Vendor Risk Assessment Program first appeared online in a Sept. 2017 blogpost by GSA’s Shon Lyublanovits describing plans to address risks to the supply chain of the government’s information and communications technology. Around that time, agencies would have been busy working to remove Kaspersky software from their systems.  And GSA was engaged in a series of pilots toward a service that would be shared across the government to uncover businesses’ due diligence, including for cybersecurity concerns.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/gsa-introduces-vendor-risk-assessment-program-draft-solicitation/171289/

By

Number of foreign companies within Defense supply chain grew over past decade

Reliance on foreign suppliers in the defense industrial base rose — notably in packaged software and IT services — even as calls for reshoring increase, according to a new report.

Reshoring the defense supply chain may reduce national security risks, but a new report detailing a heavy dependency on goods and services from foreign countries like China shows reshoring may be easier said than done.

Researchers at Govini, a decision science company supporting the defense industry, analyzed data from over 1,000 Defense Department vendors across 100 industries to show how supply chain reliance on products from foreign countries has increased over the past decade. According to the survey, the number of Chinese suppliers in DOD’s base increased by a total of 420% since 2010.

For cyber and information technology, two statistics stick out.  The share of companies based in foreign nations in the supply chain grew the most in the packaged software and IT services between 2010 and 2019. Companies based in foreign countries made up 3% of the packaged software supplier base in 2010.  That number rose to 7% in 2019. The numbers are similar for IT services: Companies based in foreign countries made up 3% of the IT services supplier base in 2010 and 7% in 2019.

Keep reading this article at: https://www.defenseone.com/threats/2020/08/number-foreign-companies-within-defense-supply-chain-grew-over-past-decade-report-says/167767/

By

Cutting Chinese suppliers from government supply chains will cost billions every year

Prospective contractors are invited to comment on how much it might cost them.
Click on image above to see Federal Register notice.

Implementation of a rule barring federal agencies from entering into contracts with entities that use equipment from a selection of Chinese telecommunications and surveillance companies is expected to cost the government $11 billion in year one, and just over $2 billion each subsequent year, according to an action published in the Federal Register on July 14th.

The Federal Register action details an interim rule from the Department of Defense, the General Services Administration and NASA to implement the second part of section 889 of the John S. McCain National Defense Authorization Act of 2019.

Starting Aug. 13., Contracting Officers will include provisions in their solicitations that prohibit contractors from using the covered equipment and require bidders to state whether they do.  Agency leaders can issue waivers in the case of emergencies, or other conditions, under the interim rule.

Covered equipment and services refer to those provided by Huawei, ZTE, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company or Dahua Technology Company, or any subsidiary or affiliate of those entities.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/07/cutting-chinese-suppliers-government-supply-chains-will-cost-billions-every-year/166846/

By

Defense contractor certification body says maintenance of companies’ cybersecurity posture is within its role

The accreditation body overseeing the Defense Department’s cybersecurity certification for prospective contractors is also authorized to provide certified companies with cybersecurity services, according to members of the group’s board of directors. 

“A continuous monitoring capability could provide benefits to organizations in the defense supply chain by increasing their awareness of changes to their current cybersecurity posture,” Mark Berman, chairman of the board’s communications committee told Nextgov. “This initiative is a potential avenue where we can provide value add to enhance and maintain the security posture.”

Berman was responding to comments from observers who say an April 22 request for proposal the accreditation board issued for a “continuous monitoring solution” marks a departure from the training and certification functions the group is expected to perform.

The Pentagon’s Cybersecurity Maturity Model Certification program is scheduled to take effect this fall following a change to defense federal acquisition regulations. Companies will have to attain third-party certification of their cybersecurity practices if they want to do business with the department. Defense contractors currently state whether they adhere to standards such as those outlined by the National Institute of Standards and Technology without any outside entity verifying their claims.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/05/defense-contractor-certification-body-says-maintenance-companies-cybersecurity-posture-within-its-role/165131/

By

DoD sees CMMC as new way to monitor supply chain, spot shell companies

The Defense Department wants to implement its much-discussed Cybersecurity Maturity Model Certification program mainly to ensure every single one of its vendors is undertaking minimum levels of commonly-understood cybersecurity practices so it can protect its supply chain.

But Defense officials increasingly see CMMC as a way to monitor aspects of that supply chain that aren’t strictly about cybersecurity.

DoD expects tens of thousands of its contractors to earn a CMMC certification over the next five years. But to get one — even at the most rudimentary Level One of CMMC — each company will need an in-person visit from a third-party assessor. Those visits are primarily so that auditors can verify companies have actually implemented the security practices required for their level of certification, since no self-attestations will be allowed.

But there’s another reason DoD also wants a set of human eyes on each CMMC applicant: the department wants to make sure each firm that’s certified is actually a real company with real employees.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/04/dod-sees-cmmc-as-new-way-to-monitor-supply-chain-spot-shell-companies/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter