On September 19, 2018, the DoD issued Class Deviation 2018-O0020. This action removed the sunset date applicable to DFARS 239.7300(b) and made the provision permanent. The DFARS provision at issue confers expansive powers on the government to evaluate a contractor’s supply chain risk and places obligations on contractors to identify and mitigate such risks. The provision has been operative for the past few years, but by removing the sunset date, the DoD made it permanent. The day the Class Deviation was issued, Deputy Defense Secretary Patrick Shanahan—while speaking at the Air Force Association’s annual Air, Space & Cyber Conference—stated that cybersecurity likely would to join quality, cost and schedule as the fourth key factor in acquisition decisions made by DoD.
The requirements itemized in DFARS 239.7300 are implemented into solicitations and contracts through DFARS clauses 252.239-7017 and DFARS 252.239-7018. The former clause applies to solicitations, giving the government a right to consider supply chain cybersecurity risk as an evaluation factor. This clause allows the government to exclude an offeror on the basis of undue risk in the supply chain. The latter clause requires contractors to investigate their supply chain throughout prime contract performance and mitigate security risks during their provision of supplies and services to the government. See DFARS 252.239-7018(b). The clause, however, includes no standard by which adequate mitigation is judged.
The clauses apply when a contractor will employ a “covered system” in contract performance. A “covered system” is defined as “any information system, including any telecommunications system” that is “used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency” that involves “intelligence activities,” “cryptologic activities related to national security,” “command and control of military forces,” or “equipment that is an integral part of a weapon or weapons system” or that is “critical to the direct fulfillment of military or intelligence missions.” See DFARS 239-7301.
A supply chain risk is defined as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.” See DFARS 239-7301.
Contractors are incentivized to investigate their own supply chain risk, because if they do not, the government might. The government can use both public and non-public information, including “all-source intelligence,” to determine whether a contractor’s supply chain creates undue risk. DFARS 252.239-7017(b); DFARS 252.239-7018(c). Its use of non-public information about a contractor’s supply chain might mean that the government can evaluate a contractor’s supply chain risks on the basis of information outside the four corners of a proposal—including information that might not be available to the proposing contractor. Further, the government can restrict its non-public information from disclosure to the contractor, and the provisions prohibit a contractor from challenging in a bid protest the government’s decision to so restrict the information. DFARS 252.239-7017(c); DFARS 252.239-7018(d). Failure to adequately mitigate a supply chain risk during contract performance could be used by the government to support a negative past performance evaluation or a termination for default—both of which would negatively affect the contractor’s ability to obtain future contracts.
DFARS 239.7300 joins the recently finalized DFARS Cybersecurity clause, DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, in the DoD trend toward making cybersecurity part of the contracting process. Assistant Secretary of Defense for Acquisition Kevin Fahey, speaking at the Farnborough Air Show in July, stated, “The only way you make [cybersecurity] serious to industry is you make it part of the competition.” For these reasons, contractors must carefully review solicitations and contract modifications to see whether these clauses are present. If so, contractors should immediately develop adequate supply chain risk identification and mitigation practices.
In related news, the Government Accountability Office yesterday issued a report on cybersecurity vulnerabilities in United States major weapons systems. Pillsbury’s Government Contracts team is reviewing that report and expects to issue an advisory about it in the very near future.