The global supply chain has come under heightened scrutiny and concern in the past few years, largely due to disruptions caused by COVID-19. As U.S. leaders turn their focus toward building and maintaining a secure, resilient supply chain, federal agencies are taking a closer look at the vendors they partner with in national security missions.
Due diligence has become a top priority for leaders in the public sector as the defense industrial base widens and supply chain threats increase. But historically, the practice of holistically understanding the vendors an organization is partnering with has taken a back seat in government contracting.
Carrie Wibben, president of Exiger Government Solutions, said in previous years, due diligence — or “just knowing, surface-level, who we’re doing business with” — was not happening within the federal acquisition process.
“Contracts were awarded based on cost, schedule and performance. Actually doing diligence to understand up front, in advance of an award, if there was undue foreign influence, control, ownership or anything like that in the companies we were choosing to do business with, was really not even a consideration,” Wibben shared during a panel discussion at the Potomac Officers Club’s Defense Technology Summit.
The panel conversation — moderated by Jennifer Santos, principal director for strategic initiatives in national security and space at Draper Laboratory — invited participants to explore the topic of creating a robust, resilient, secure and innovative defense manufacturing base.
Though Wibben admits progress has been made in this area since her time in government, there is still much left to accomplish in comprehensively vetting vendors.
During her tenure as deputy director of the Defense Counterintelligence and Security Agency, Wibben worked with Congress to expand the concept of FOCI — foreign ownership, control and influence — in National Defense Authorization Act 847. This effort established that the Department of Defense must conduct a FOCI assessment on each company with which it has a relationship of $5 million or more.
“We should have been doing that from day one,” Wibben said of the increased focus on FOCI assessments. “But I can tell you we did not, and we still are not. We’re in the process now of expanding that. We did it for the 12,000 companies that do classified work for the federal government — which is DCSA’s mission to oversee those companies — but not for the defense industrial base at large.”
In the last year, the defense industrial base (DIB) has significantly expanded, further underscoring the need to know exactly who these vendors are.
“There has been an absolute massive proliferation of DOD activities focused on bringing new companies into the defense ecosystem,” revealed Tara Murphy Dougherty, CEO of Govini. “In fiscal year 2021, the data shows that the number of new entrants is finally on the rise.”
This growth in the defense contractor base has prompted federal officials to consider how they would address an adversary who is already in our supply chain.
Michele Iversen, the DOD’s director of risk assessment and operational integration, said a vendor “might be a U.S. company, but they own subsidiaries in countries of concern where the laws require them to work with their foreign intelligence service.”
“If the adversary is writing your code, he doesn’t have to hack you to get in,” Iversen warned. “We have to make sure that the adversary isn’t our supply chain.”
Software bills of materials, often referred to as SBOMs, are helping federal agencies better understand where their software and other digital tools come from, Iversen commented.
While the government works to assess its commercial partners more comprehensively, federal leaders are also being equipped to take on this work themselves, using a combination of government guidance and industry technology.
“Now, we’re looking at how do the CIOs and CISOs start to look at supply chain risk management themselves using commercially provided tools to do their own due diligence,” stated Iversen.
According to Iversen, the National Institute of Standards and Technology has published a rubric that organizations can use to ask more specific FOCI questions, accurately identify a vendor’s cyber posture, assess financial standings and better understand the development process. This kind of information is helping “our IT and technology personnel start to do a little bit of their own due diligence,” Iversen explained.
Small businesses, which make up a growing share of the DIB, are also benefiting from more accessible supply chain risk management tools, Murphy Dougherty mentioned.
“What technology can do and has done, I’d argue, is it has made advanced capabilities that provide the data, the tools for conducting analysis and I think most importantly, the indicators about risk in your supply chain, available in a way that is completely tolerable to even a small business,” said Murphy Dougherty.
Despite the damage inflicted upon the supply chain by COVID-19, Dr. Imes Chiu, supply chain management and sustainability program manager for the Defense Logistics Agency, pointed to a few silver linings and lessons we can learn from the gaps that the pandemic revealed.
“The pandemic has truly impacted in a positive way the attitude of the defense industrial base towards supply chain risk management. Why? Because it’s no longer just a box that you check when you do due diligence pre-contract. But it’s persistent monitoring even post-contract, and there’s a movement towards greater integration of sustainment and supply chain risk management early on in the product’s lifecycle to buy down or reduce your risk,” she commented.
Dr. Chiu also said a number of factors (including a greater focus from executive leadership on supply chain risk management issues, and increased investments in technology that can track and trace raw materials required in production) are initiating a particularly “exciting time” in GovCon, as federal leaders move out of their comfort zones and forge relationships with “innovative, dual-use, alternative suppliers.”