This post continues our ongoing coverage of the FY 2024 NDAA. 

The FY 2024 NDAA includes numerous supply chain and stockpile management provisions aimed at addressing a host of perceived vulnerabilities and weaknesses in Department of Defense (“DoD”) supply chain networks used to secure goods and services for our national defense.  Of particular note, this year’s NDAA seeks to address China’s and Russia’s continued dominance in the global supply chain for many critical materials and rare earth elements.  Supply chain- and stockpile-related measures in the NDAA could present significant opportunities for contractors poised to support the U.S. Government’s efforts to on-shore and friend-shore U.S. and DoD sourcing and manufacturing, but Congress’s focus on increasing supply chain visibility could also herald new rounds of compliance and reporting requirements attached to federal procurements.


On February 4, 2022, the National Institute for Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling of Consumer Software (“Software Labeling Criteria”).  NIST also published guidance to federal agencies regarding practices for enhancing software supply chain security when they acquire software (“Supply Chain Security Guidance”).  Both the Software Labeling Criteria and the Supply Chain Security Guidance were issued by NIST pursuant to Section 4 of Executive Order 14028, “Improving the Nation’s Cybersecurity” (the “Cyber EO”), which was issued by President Biden on May 12, 2021.  The Cyber EO and its implementation are the subject of several previous Covington blogs that are available here.

These documents are relevant to U.S. government contractors and technology companies alike.  The Software Labeling Criteria may serve as a model for labeling requirements on software products purchased by consumers, and therefore should be reviewed closely by all software developers and resellers.  The Supply Chain Security Guidance will likely have more immediate impacts, as the Cyber EO requires (1) that the Office of Management and Budget (“OMB”) take “appropriate steps” to require that agencies comply with the Guidance with respect to software purchased after the date of the EO, and (2) that the FAR be amended to require all agencies to procure software (defined to include firmware, operating systems, applications, and cloud-based services) in accordance with the Guidance.


Last month, the Biden administration released its report on the results of its 100-day review of U.S. supply chains for critical products:  “Building Resilient Supply Chains, Revitalizing American Manufacturing, and Fostering Broad-Based Growth” (the “Report”).  Alongside the Report’s slate of policy recommendations, the Biden administration also announced immediate actions to strengthen supply chains and stimulate domestic competitiveness.

The Report is the result of President Biden’s February 24 “Executive Order on America’s Supply Chains” (the “Order”), which directed federal departments and agencies to conduct a review of supply chain risks in four critical product areas,[1] including pharmaceuticals and active pharmaceutical ingredients (“APIs”).  The Report and its recommendations further the Biden administration’s broader goal of rebuilding the U.S. industrial base, reducing reliance on foreign competitors, and bolstering national and economic security.

The U.S. Department of Health and Human Services (“HHS”) led the review of the supply chain for pharmaceuticals and APIs, which focused primarily on drugs, in particular small-molecule drugs and therapeutic biological products.  The Report makes a number of recommendations discussed herein that have the potential to impact pharmaceutical companies’ business plans and generate significant opportunities, though many such recommendations are long-term and will require dedicated funding so the actual impact of the Report’s suggestions remains to be seen.

On February 24, 2021, President Biden signed an Executive Order entitled “Executive Order on America’s Supply Chains” (the “Order”). Among other things, the Order is an initial step toward accomplishing the Biden Administration’s goal of building more resilient American supply chains that avoid shortages of critical products, facilitate investments to maintain America’s competitive edge, and strengthen the country’s national security posture. The Order imposes no new regulatory obligations on industry, but rather outlines a process for federal departments and agencies to assess risks to U.S. supply chains. The first set of reviews focusing on four critical product areas will take place over a 100-day period, while the second set of reviews targeting a broader set of key sectors will be completed over a one-year period. The Order raises a number of key questions that may impact future business plans for companies operating in the industries or sectors to be reviewed.

 

Additional details on the Order and its impact are available in a client alert that we published on March 2, available here.

In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government (“USG”).  Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services (“ICTS”) to the USG.  As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.


On May 5, 2020 the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management (“SCRM”) Task Force (the “Task Force”) released a six-step guide for organizations to start implementing organizational SCRM practices to improve their overall security resilience.  The Task Force also released a revised fact sheet to further raise awareness about ICT supply chain risk.

As we discussed in a prior blog post on the Task Force’s efforts, the Task Force was established in 2018 with representatives from 17 different defense and civilian agencies, as well as industry representatives across the information technology and communications sectors.  The Task Force has been focused on assessing and protecting security vulnerabilities in government supply chains.  Since its founding, the Task Force has inventoried existing SCRM efforts across the government and industry, including some of the practices reflected in the guide.

On November 27, 2019, the Department of Commerce issued a proposed rule to implement the May 15, 2019 Executive Order entitled “Securing the Information and Communications Technology and Services Supply Chain.”  Once finalized and effective, the regulations will govern the process and procedures that the Secretary of Commerce will use to determine whether certain transactions involving information and communications technology or services (“ICTS”) should be prohibited or otherwise restricted.  As currently drafted, the proposed rule goes further than many other legal authorities, in that it allows the government to prohibit or otherwise restrict a broad range of wholly commercial transactions that the Secretary determines present national security risks.

Details on key aspects of the proposed rule are in a Client Alert that we published on November 27, available here.  The public comment period remains open until December 27.  Given the breadth of the proposed rule and the significant number of open questions, thoughtful comments will be critically important in scoping a final rule.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management Task Force (the “Task Force”) recently released an interim public report.  The report describes the Task Force’s efforts over the last year to develop recommendations for securing the Government’s supply chain, and outlines the potential focus areas of each of its working groups over the coming year.

The report is particularly relevant to contractors that either sell ICT related products or services to the Government, or that sell ICT related components to higher tier contractors, because it offers some insight into potential supply chain risk management (“SCRM”) best practices, as well as requirements that the Government may seek to impose on contractors in the future.

On the eve of the recent government shutdown over border security, Congress and the President were in agreement on a different issue of national security:  mitigating supply chain risk.  On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act”) (P.L. 115-390).  The Act includes a trio of bills that were designed to strengthen the cyber defenses of the Department of Homeland Security (“DHS”) and mitigate supply chain risks in the procurement of information technology.  The last of these three bills, the Federal Acquisition Supply Chain Security Act, should be of particular interest to contractors that procure information technology-related items related to the performance of a U.S. government contract.  Among other things, the bill establishes a Federal Acquisition Security Council, which is charged with several functions, including assessing supply chain risk.  The bill also gives the Secretary of DHS, the Secretary of the Department of Defense (“DoD”) and the Director of National Intelligence authority to issue exclusion and removal orders as to sources and/or covered articles based on the Council’s recommendation.  Finally, the bill allows federal agencies to exclude sources and/or covered articles deemed to pose a supply chain risk from certain procurements.


This post first appeared on Covington’s Global Policy Watch blog on September 7, 2018

Generating and sustaining the United States’ global economic and military superiority over more than the last half century has depended on a dominant U.S. global economic position and perpetual technological innovation. The United States has increasingly relied on a global industrial supply chain and a relatively open environment for foreign investment in early stage technology development to sustain this dominant position, but in so doing has built risk into the foundation of its competitive advantage. The U.S. Government has growing concerns that these past practices meant to extend the U.S. economic and military advantage are contributing to its erosion. As a result, the Department of Defense (DoD), other Executive agencies, and Congress are taking steps to mitigate risks across the defense industrial and innovation supply chains that provide hardware, software, and services to the U.S. Government.

The U.S. Government has been focused on supply chain issues for more than a decade.  As the threats have increased, so has the Government’s scrutiny of its contractors and their suppliers.  Underlying these efforts is the concern that a foreign government will be able to expropriate valuable technologies, engage in espionage with regard to sensitive government information, and/or exploit vulnerabilities in products or services. Many senior policymakers across the Executive Agencies and the Congress believe these threats are increasing, and they are focused on taking further steps to make security a business differentiator for those seeking to compete for U.S. Government contracts. Contractors need to understand these security obligations and implement compliance processes, or they may find themselves at a competitive disadvantage or even precluded from competition.

Companies seeking to sustain and grow business with the U.S. federal government must ask: how well do you actually know your supply chain—from the materials you acquire to the software you include in your products or services?  If you have not answered this question recently, you should consider adding it to your “to do” list.  Not only does the United States Government want to know, the Government is seeking to integrate national security considerations into the acquisition process and expects contractors to be the first line of defense.

A cross-functional team from Covington’s Government Contracts, Public Policy, and National Security practices has studied the major initiatives the Government has launched to protect its supply chain.  In a recent article (available here), we analyze new provisions in the recently enacted Fiscal Year 2019 John S. McCain National Defense Authorization Act, including restrictions on the procurement and use of certain telecommunications equipment, software, and services from manufacturers connected to the Chinese government, and stringent disclosure obligations related to foreign review of software code. Finally, we discuss how the Deliver Uncompromised initiative is likely to influence DoD going forward, and what impact this could have on defense contractors and suppliers.

Contractors and the U.S. Government share the strategic objectives of protecting the United States’ competitive edge and sustaining overmatch on the battlefield.  Our recent article highlights some of the friction points in pursuing those goals.  With planning, forethought, and experienced counsel, contractors can minimize disruption and continue to accomplish their business goals while furthering U.S. national security interests.