DOD Rules on “Blacklist” Option – Supply Chain Risk Evaluation Added to IT Procurement Process

by Steve Charles, Co-founder and Executive Vice President

The Department of Defense is exerting more control over its IT supply chain with a new rule effective November 18 requiring additional contract clauses when purchasing Information Technology.

DFARS Case 2012-D050 implements §806 of the FY11 National Defense Authorization Act as amended in the FY13 NDAA. Section 806 defines supply chain risk as ‘‘the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise  degrade the function, use, or operation of such system.’’

The Defense Federal Acquisition Regulation Supplement (DFARS) is now updated in several places requiring that supply chain risk considerations for IT purchases be considered before buying via any government contracting method or contract vehicle including GSA Schedule contracts. The processes, procedures and clauses are described and prescribed at DFARS 239.73 Requirements of Information Relating to Supply Chain Risk. The two new contract clauses required in all DOD IT contract actions are 252.239-7017 and 252.239-7018.

The burden now falls on contractors to maintain supply chain integrity by demonstrating how they are excluding questionable and potentially risky sources. Further, it exempts the government from bid protest review should it use Section 806 authority to sideline a contractor, subcontractor or supplier perceived as a supply chain risk. Critics of the law contend that it gives the government unilateral “blacklist” authority with no opportunity for due process, however, such authority only exists relative to National Security Systems and even then, requires quite a bit of justification and Secretary-level sign-off.

Industry has responded with various types of programs to assure that items delivered are genuine and have only been handled by trusted parties. For example, the immixGroup Trusted Supplier Program guarantees and warrants the authenticity of any product delivered at no additional cost to government customers, systems integrators, or immixGroup channel partners.

Comments to the interim rule submitted prior to January 17, 2014 will be considered in the formulation of the final rule. Statutory authority for this rule will expire September 30, 2018 unless Congress amends the current law.