Supply chain risks: responding to new federal demands after “SolarWinds”

The “SolarWinds” event made public in Dec. 2020 has drawn intense scrutiny of how commercial enterprises as well as government agencies are exposed to threats that can be delivered through the supply chain. The result will be many government initiatives, and new contract requirements, obligating companies to improve and disclose measures taken to assess and minimize supply change risks.  

Even before “SolarWinds,” the federal government had increased a regulatory focus on strengthening and securing the federal supply chain. New rules have emerged, including cybersecurity compliance frameworks (like CMMC), tighter restrictions on foreign investment, limitations on foreign source technology and new authority to remove suspect equipment or exclude high risk sources. The many initiatives serve common objectives but at a practical level companies are challenged to understand new demands and undertake measures of governance and compliance.

In the Biden administration, even stronger supply chain measures are expected. Federal procurements have increasingly included requirements for offerors to describe supply chain risk management (SCRM) practices and provide detailed plans-of-action to protect hardware, software and embedded components from compromise (otherwise known as a “SCRM plan”). Several procurements have gone so far as to state outright that supply chain risk processes and/or events may be subject to audit, at the Government’s discretion. The CMMC assessment regime could well be extended to SCRM practices.

Given the anxiety over secure sources of supply and the damage done by “SolarWinds,” organizations serving federal customers should map the present and expected landscape of SCRM requirements and carefully consider strategy, tools, techniques and implementation to produce strong “SCRM plans,” which meet or exceed acquisition demands.