Rule Lets Pentagon Weigh IT Supply Chain Risk in National Security Procurement

The U.S. Department of Defense has issued an interim rule allowing the department to consider supply chain risk in certain procurements related to national security systems, citing an “urgent need” to protect such programs from sabotage.

Under the rule, suppliers that fall short of risk-reduction qualification standards can be excluded from certain information-technology contracts related to national security systems.

“It is necessary to reduce the supply chain risk in the acquisition of sensitive information-technology systems” used for intelligence or cryptologic activities, for command and control of military forces, or that form integral weapons-systems parts, the DoD’s Defense Acquisition Regulations System says in a Nov. 18 Federal Register notice.

The rule addresses the risk, as defined by Congress, “that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system,” the notice says.

This blog recently reported on a paper from a Brookings Institution senior fellow who warned that the defense supply chain is vulnerable to potential malicious tampering of electronic chips used in key military systems.

The rule implements certain supply-chain risk-management approaches, including the exclusion of a source that fails to meet risk-reduction qualification standards established under federal law for covered systems. The decision to exclude a contractor can be made only by certain high-level military officials.

“The objective of this rule is to protect DoD against risks arising out of the supply chain,” the register notice says.

No specific reporting or compliance measures are required under the rule. The rule does, however, recognize the need for IT contractors to implement appropriate safeguards and countermeasures to minimize supply chain risk.

“This rule, by itself, does not require contractors to deploy additional supply chain risk protections, but leaves it up to the individual contractors to take the steps they think are necessary to maintain existing or otherwise required safeguards and counter-measures as necessary for their own particular industrial methods to protect their supply chain,” the DoD says.

The department considered having all contractors report their manufacturing supply-chain risk mitigation efforts for all contracts, but found such a requirement would be “unduly burdensome for both contractors and the government,” the notice says.

The DoD invites public comments on the rule’s potential effects on small businesses. The department says it determined that “urgent and compelling reasons exist” to issue the interim rule without prior public comment. “This action is necessary because of the urgent need to protect the national security systems and the integrity of the supply chain to NSS.”

The globalization of IT “has increased the vulnerability of DoD to attacks on its systems and networks. Failure to implement this rule may cause harm to the government and to individuals relying on the integrity of NSS, for example, the risk of allowing the malicious insertion of software code or an unwanted function designed to degrade DoD’s sensitive systems,” the department says.

Comments must be submitted in writing by Jan. 17, 2014, to be considered in crafting the final rule.