On May 11, 2017, the U.S.-China Economic and Security Review Commission (“Commission”) issued a Request for Proposal “to provide a one-time unclassified report on supply chain vulnerabilities from China in U.S. federal information technology (IT) procurement.”

Congress established the Commission in 2000 to monitor and report to Congress on the national security implications of China’s economic relationship with the United States.  See Commission website here.  The Commission is composed of 12 members serving two-year terms, three of whom are selected by each of the Majority and Minority Leaders of the Senate, and the Speaker and the Minority Leader of the House.

The report being sought via the RFP will serve as a “reference guide for policymakers on how the U.S. government manages risks associated with Chinese-made products and services and the participation of Chinese companies in its information technology (IT) supply chains.”  It is envisioned that the report would be briefed to the Commission and interested members of Congress, among others.  The winning contractor must produce a report that addresses at least the following:

  • Summary of the laws, regulations, and other requirements since the passage of the Federal Information Technology Acquisition Reform Act in 2015.  See our discussion of final OMB guidance on implementing FITARA here.  Among the requirements is a comparison of the risk management process for non-national security and national-security-related IT procurements.
  • Evaluation of how Chinese firms and Chinese-made IT products and services enter U.S. government IT supply chains.  In particular, an evaluation of how reliant U.S. government and U.S. government IT contractors are on Chinese firms and Chinese-made IT products and services.
  • Assessment of points of vulnerability in the procurement system, particularly for IT products and services designated as high risk by the U.S. government’s Chief Information Officers (CIO).  Evaluation of whether the CIOs are adequately assessing risk in their ratings of IT products and services.
  • Assessment of why the vulnerability points identified above exist, and an explanation of the factors contributing to the challenge of supply chain insecurity.  Explanation of how vulnerabilities are expected to shift in the next 5–10 years, particularly as Chinese firms move up the value-added chain.
  • Assessment of whether the U.S. government’s management of the risks associated with Chinese firms and Chinese-made products and services to its IT procurement supply chains is sufficient.  Provide a comprehensive description of cases in which the Chinese government, Chinese companies, or Chinese products have been implicated in connection with U.S. supply chain vulnerabilities or exploitation.

This focus on supply chain vulnerabilities is consistent with DoD’s emphasis in the past few years on protecting its supply chain, including rules that address the exclusion of contractors that DoD perceives as presenting a supply chain risk in national security systems, as well as the Department’s rules requiring contractors to provide more oversight of their supply chains to help prevent counterfeit electronic parts.

Proposals are due on June 14 with a report due 90 days from contract execution.

Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

  • advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
  • leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
  • advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
  • Federal Acquisition Security Council (FASC) regulations and product exclusions.

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Public Contract Law Procurement Division Co-Chair, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.