House of Representatives Approves Bill in Effort to Ensure Supply Chain Safety

On September 4, 2018, Congress passed a bill titled “Securing the Homeland Security Supply Chain Act of 2018 (H.R. 6430)” following a bipartisan introduction led by Rep. Pete King (R-N.Y.) of the House Homeland Security Subcommittee on Counterterrorism and Intelligence. Some have noted that the bill appears to come in response largely to a growing concern over commercially-successful companies who have been contracted by the U.S. government, particularly in the IT industry, that later demonstrated to pose significant supply chain risks that are a threat to national security. While these reports generally entail foreign-based cyber firms, the bill seeks to address risky vendors both internationally and domestically.

What does the bill authorize Homeland Security to do?

As an amendment to the Homeland Security Act of 2002, this bill would give warrant for the DHS to restrict procurement of products and services in the ever-advancing information-technology industry. Covered articles include: “cloud computing, telecommunications equipment and services, information processing on a federal or nonfederal system, and devices or services that included embedded IT.”[1]

In essence, the bill allows the Department of Homeland Security to exclude vendors and subcontractors from various contracts or task/delivery orders that have not demonstrated adequate measures taken against supply chain risk. Additionally, if the case requires, the DHS may ban vendors from procurement outright and has the right to withhold information regarding the decision. While the DHS would have to provide an opportunity for a vendor to challenge within 30 days, their decisions would not be subject to bid protests in federal court.[2]

What is supply chain risk?

According to a bill summary on congress.gov, a “supply chain risk” is recognized as any risk that an actor may “…sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article.”[3]

What should you do, as a government contractor?

1. 1. Be vigilant in establishing your firm’s supply chain principles. In today’s day and age, it is not enough to believe that a breach or unwanted exposure will not happen to you. Accept that threats and risk are inevitable, and use this mindset to shape the way in which you approach your supply chain safety.
2. 2. Protect yourself first by creating a culture that values best practices in physical and cybersecurity. Even outside of the federal market, your supply chain safety should always be a priority.
3. 3. Educate yourself on current government standards for supply chain risk management. Presently, there are government agencies in place already using different metrics for evaluating cybersecurity for both government agencies and their contractors. One place to find helpful information is the National Institute of Standards and Technology (NIST). NIST is an agency housed in the Department of Commerce that is often tasked with providing metrics and regulations for cybersecurity and other technological disciplines.
4. 4. Get professional help. If you want to ensure supply chain safety for your IT or cyber firm, reach out to someone who has expert knowledge in assisting government contractors with cybersecurity regulations.

Contact Winvale to learn about Federal supply chain security requirements for government contractors.

[1] https://www.congress.gov/bill/115th-congress/house-bill/6430/text

[2] https://www.bgov.com/core/legislation/federal/bills/#!/6579870750586175535

[3] https://www.congress.gov/bill/115th-congress/house-bill/6430