Over the past decade, Congress has relied increasingly on National Defense Authorization Acts [1] (NDAAs) as an important tool in managing and mitigating risks presented by the Defense Industrial Base (DIB) and its suppliers. The FY22 NDAA continues that trend, with a significant focus on building supply chain resiliency and strengthening supply chain risk management (SCRM) policies within the Department of Defense (DoD). Historically, many of the provisions found in NDAAs also end up impacting civilian agencies’ behavior – and that expectation holds true for FY22.
A major reason the U.S. is focusing on protecting its supply chain is the damage and disruption that supply-chain-related attacks can cause. In late 2020, the U.S. had an eye-opening moment when it fell victim to the SolarWinds compromise that wreaked havoc on federal agency networks (see Baker Tilly webinar for more details). As attacks like these become more prevalent, it is important for the government to improve its supply chain security posture. Provided below are details on the sections of the FY22 NDAA that are focused on securing the supply chain.
Section 841: Modernizing Acquisition Processes to Ensure Integrity of the Industrial Base
Possibly the most important of the highlighted sections, Section 841 aims to modernize acquisition processes by developing capabilities to “illuminate” supply chains and map third-party ecosystems. Specifically, DoD is required to “develop capabilities to map supply chains and to assess risks to the supply chain for major end items by business sector, vendor, program, part, and other metrics.” This requires an assessment of tools, technologies and approaches to “modernize the systems of record, data sources and collection methods, and data exposure mechanisms” with an end goal of a unified approach to collecting data and assessing and mitigating risks. This should require the deployment of “data analytics and business intelligence tools”, and the “continuous development and delivery of secure software to implement the activities.” By enhancing risk intelligence associated with the DIB, Congress believes DoD will be better able to proactively address risks.
Section 847: Plan to Reduce Reliance on Services, Supplies, or Materials from Certain Countries
Section 847 requires the DoD and the Department of State to implement a plan that will reduce the nation’s reliance on services, supplies or materials obtained from sources located in geographic areas that are controlled by China, Russia, North Korea and Iran. The ultimate goal here is to mitigate the risks to national security and to the defense supply chain that arise from our nation’s reliance on such sources for services, supplies or materials.



