Enhanced due diligence procedures and business technology are changing supply chain risk management in GovCon, experts say

The global supply chain has come under increased scrutiny and concern in recent years, largely due to the disruptions caused by COVID-19. As U.S. leaders focus on building and maintaining a secure and resilient supply chain, federal agencies are taking a closer look at the vendors they partner with in national security missions.

Due diligence has become a top priority for public sector leaders as the defense industrial base expands and supply chain threats increase. But historically, the practice of holistically understanding the vendors an organization partners with has taken a back seat in government contracts.

Carrie Wibben, president of Government Solutions Demand, said in previous years, due diligence — or “just knowing, at the surface level, who we are doing business with” — was not happening as part of the federal procurement process.

“Contracts were awarded based on cost, schedule and performance. In fact, being diligent to understand upfront, prior to an award, whether there was undue foreign influence, control, ownership, or anything like that in the companies we choose to do business with, really wasn’t even a consideration,” Wibben said during a panel discussion at the Potomac Officers Club Defense Technology Summit.

The round table — moderated by Jennifer Santos, Senior Director of National Security and Space Strategic Initiatives at Draper Lab — invited participants to explore the theme of creating a robust, resilient, secure and innovative defense manufacturing base.

Dr. Imes Chiu, Tara Murphy Dougherty, Michele Iversen, Carrie Wibben and moderator Jennifer Santos participate in a panel discussion during the POC Defense Technology Summit. Photo by Alex Mangione.

Although Wibben admits that progress has been made in this area since she has been in government, more needs to be done to thoroughly vet suppliers.

During her tenure as Deputy Director of the Defense Counterintelligence and Security Agency, Wibben worked with Congress to expand the concept of FOCI—foreign ownership, control, and influence—in National Defense Authorization Act 847. This effort established that the Department of Defense must conduct a FOCI Assessment on every company with which it has a relationship of $5 million or more.

“We should have done this from day one,” Wibben said of the increased focus on FOCI assessments. “But I can tell you that we haven’t, and we still aren’t. We are in the process of extending this. We did this for the 12,000 companies that perform classified work for the federal government — which is DCSA’s job to oversee those companies — but not for the defense industrial base as a whole.”

Over the past year, the DIB has grown significantly, further emphasizing the need to know exactly who these vendors are.

“There has been an absolute massive proliferation of DOD activities focused on bringing new companies into the defense ecosystem,” revealed Tara Murphy Dougherty, CEO of Govini. “In fiscal year 2021, the data shows that the number of new entrants is finally on the rise.”

This growth in the defense contractor base has prompted federal officials to think about how they would deal with an adversary who is already part of our supply chain.

Michele Iversen, DOD’s director of risk assessment and operational integration, said a vendor “could be a US company, but they have subsidiaries in countries of concern where laws require them to work with their foreign intelligence service.”

“If the adversary writes your code, they don’t need to hack you to get in,” Iversen warned. “We have to make sure the adversary is not our supply chain.”

Software bills of materials, often referred to as SBOMs, help federal agencies better understand where their software and other digital tools come from, Iversen commented.

As the government works to more thoroughly assess its trading partners, federal leaders are also able to take on this work themselves using a combination of government guidance and industry technology.

“Now we’re looking at how CIOs and CISOs are starting to look at supply chain risk management on their own using commercially available tools to do their own due diligence,” Iversen said.

According to Iversen, the National Institute of Standards and Technology has published a rubric that organizations can use to ask more specific FOCI questions, accurately identify a vendor’s cyber posture, assess financial condition, and better understand the process of development. This kind of information helps “our IT and technology staff start doing a bit of their own due diligence,” Iversen explained.

Small businesses, which are increasingly making up the DIB, are also benefiting from more accessible supply chain risk management tools, Murphy Dougherty said.

“What technology can and has done, I would argue, is it has made the advanced capabilities that provide the data, the tools to perform analysis and, I think most importantly, the risk indicators in your supply chain, available in a way that is completely tolerable even for a small business,” said Murphy Dougherty.

Despite the damage inflicted on the supply chain by COVID-19, Dr. Imes Chiu, Supply Chain Management and Sustainability Program Manager for the Defense Logistics Agency, highlighted some bright spots and lessons we can learn from the shortcomings revealed by the pandemic.

“The pandemic has really had a positive impact on the attitude of the defense industrial base towards supply chain risk management. Why? ‘a box you check off when you do pre-contract checks. But this is persistent monitoring even post-contract, and there’s a move towards more integration of maintenance and risk management of supply chain early in the product life cycle to reduce or lessen your risk,” she commented.

Dr. Chiu also said a number of factors – including greater management focus on supply chain risk management issues and increased investment in technology that can track and trace raw materials needed for production – kick off an “exciting time” in GovCon, as federal leaders step out of their comfort zones and build relationships with “innovative, dual-use, and alternative vendors.”

Learn more about how public and private sector leaders are changing procurement in the digital age at GovCon Wire’s 3rd Annual Defense Digital Acquisition and Innovation Forum on November 2. Lt. Gen. David Bassett, director of the Defense Contract Management Agency, is due to deliver a keynote address. Register now for this virtual event not to be missed!
