The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management Task Force (the “Task Force”) recently released an interim public report.  The report describes the Task Force’s efforts over the last year to develop recommendations for securing the Government’s supply chain, and outlines the potential focus areas of each of its working groups over the coming year.

The report is particularly relevant to contractors that either sell ICT related products or services to the Government, or that sell ICT related components to higher tier contractors, because it offers some insight into potential supply chain risk management (“SCRM”) best practices, as well as requirements that the Government may seek to impose on contractors in the future.

Overview of the Task Force and the Interim Report

The Task Force was established in 2018 to provide a means to allow for “the collaboration of private sector owners and operators of ICT critical infrastructure” and to “provide advice and recommendations to DHS on means for assessing and managing risks associated with the ICT supply chain.”  It is chaired by CISA, the US Telecom Communications Sector Coordinating Council, and the Information Technology Sector Coordinating Council.  Its members include 60 representatives from 17 different defense and civilian agencies that have been focused on identifying and mitigating security vulnerabilities in their supply chains, including the Department of Defense, the Federal Bureau of Investigation, the Department of Justice, the Office of the Director of National Intelligence, and the National Security Agency.  The Task Force also includes industry representatives across the information technology and communications sectors.

Collective actions of the Task Force have involved assisting with ongoing Government supply chain efforts, including by coordinating with the Federal Acquisition Security Council and by providing input to the ICT criticality assessment contemplated by EO 13873 (which we discussed here).

The Task Force is divided into four working groups, each of which focuses on one of the following issue areas: (1) Information Sharing, (2) Threat Evaluation, (3) Qualified Bidder Lists (“QBLs”) and Qualified Manufacturer Lists (“QMLs”), and (4) Policy Recommendations to Incentivize Purchase of ICT from Original Equipment Manufacturers (OEM) & Authorized Resellers.

The efforts and status of the Task Force’s working groups are generally summarized below:

  • Information Sharing Working Group: This working group is tasked with “developing a common framework for the bi-directional sharing of actionable supply chain risk information across the community.”  To achieve this goal, the group focused on identifying the supply chain information that would be most valuable in mitigating risk, and assessing the barriers that might exist to accessing this information.  The group identified inherent challenges with sharing potentially “derogatory” information, and has concluded that further legal guidance is needed to fully evaluate the risks of information sharing and how such risks can be mitigated.
  • Threat Evaluation Working Group: This group has principally focused on developing an inventory of threats and cataloging the threats’ sources and event descriptions.  These threats have been divided into the same “threat group” categories discussed below.  The working group also created illustrative “threat scenarios” for ICT suppliers, intended to provide supporting guidance under various situations.  The group noted that in the coming year, it will continue to build these scenarios, and may expand more broadly to cover ICT products and services.
  • QBL & QML Working Group: The group has focused on the appropriate use of Qualified Bidder Lists and Qualified Manufacturer Lists, working to identify how QBLs and QMLs already are used in Government procurement, developing factors to help organizations determine when they should create their own QBLs or QMLs, and identifying use cases where QBLs and QMLs appropriately leverage SCRM criteria.  The group has created an initial list of factors for when these types of QBLs and QMLs can be used.  These factors include whether a product is commoditized, the relative importance of a product to an organization’s mission, the relative level of control the organization can exercise over its sources for products, and the existence of standards applicable to the article (e.g., ISO or NIST).  Over the coming year, the group plans to finalize the factors for when these types of lists are appropriate.
  • Policy Recommendations for Purchase of ICT from Original Equipment Manufacturers (OEMs) or Authorized Resellers Working Group: To achieve the working group’s goal of developing recommendations, it has, among other things, looked at extending certain policy requirements of the DFARS 252.246-7007 (Contractor Counterfeit Electronic Part Detection and Avoidance System) clause to apply to civilian agencies.  The group also developed a policy recommendation that ICT be purchased only from OEMs or from authorized resellers, and has made recommendations for defining the term “authorized reseller” to the Federal Acquisition Security Council.  The group will shift its focus over the coming year to try to identify SCRM educational opportunities and develop standardized templates for vendors to describe or attest to their SCRM practices.

In the coming year, the Task Force as a whole will continue to identify new topic areas for the working groups, and will look for further opportunities to coordinate with the Federal Acquisition Security Council.

Impact to Contractors

Although the efforts of the Task Force to date have not yet resulted in immediate changes to official Government procurement regulations or requirements, the efforts of the Task Force are informative to contractors, in part, for the following reasons:

  • Clear Commitment to Supply Chain Risk Mitigation Efforts.  The scope and scale of the questions being addressed by the Task Force confirm the Government’s concerns with managing and securing its ICT supply chain.  The activities of the Task Force, in combination with recent Government measures such as the issuance of EO 13873 and the passage of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act”) (discussed here), demonstrate that the Government is focused on ensuring the security of its supply chain and that additional requirements for contractors are forthcoming in this space.
  • Involvement of Civilian Agencies.  The widespread representation from agencies in the Task Force, in addition to involvement from the National Security Council and the Office of Management and Budget, indicates that Government attention in this space is not limited to the defense market.  Indeed, one of the working groups has considered whether aspects of the DFARS counterfeit parts clause should apply more broadly than to just the Department of Defense.  Thus, contractors with a relationship to the ICT industry that primarily do business in the civilian agency market should take note of the Government’s focus.
  • Best Practices.  At this relatively early stage, much of the effort of the various working groups has appeared to focus on compiling best practices, including a lengthy list of various industry and Government standards relating to supply chain risk mitigation in the ICT industry.  This inventory of standards is categorized into nine “Threat Groups,” including Cybersecurity, System Development Life Cycle (“SDLC”) Processes and Tools, and Insider Threats.  These resources could prove helpful to contractors charged with designing their own SCRM programs.
Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer who advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.