Government Contractor Supply Chain Risk Management
Government contractors have been subject to a growing regulatory focus in recent years on strengthening and securing the federal supply chain. These new rules are wide ranging – from domestic preference regimes, to foreign investment oversight, to technology bans and restrictions – imposing significant new supplier governance requirements on federal prime contractors. As contractors navigate these unique challenges, Baker Tilly stands ready to offer industry insights and tailored approaches to establishing an effective third-party risk management practice to meet the government’s emerging needs.
A full spectrum of capabilities
Contact usGiven the globally-distributed and interconnected nature of modern supply chains, there is no one-size-fits-all solution for a government contractor seeking to establish an effective supply chain risk management (SCRM) practice, and not understanding the potential dangers lurking in your supply chain can be costly. As the regulatory environment continues to shift and federal acquisitions continue to require detailed plans-of-action around SCRM, contractors should carefully consider how they screen, select, and oversee subcontractors and suppliers. The optimal SCRM structure depends on a variety of factors including current resources and infrastructure, short and long-term business strategy, contract portfolio and risk profile, and the “trust protocols” that secure the supply chain. By leveraging its understanding of industry best practices and leading SCRM frameworks, Baker Tilly can develop a tailored supply chain risk management plan for your organization that strikes the right balance between government requirement and business need.
To help government contractors with supplier risk management and federal contractor risk management requirements, Baker Tilly offers:
SCRM program development
- Assessment of current supplier governance processes against leading practices in supply chain management related frameworks and requirements (both cyber supply chain, or C-SCRM, and supply chain resiliency)
- Identification of potential supply chain risks that may arise out of any subcontractor or supplier agreements that allow contractor to understand vulnerabilities
- Direction on how the current structure can be leveraged to meet future business needs and recommendations for remediating identified gaps
- Future state design, implementation road map, and change management guidance
- Foster collaboration between critical organizational stakeholders (information security, physical security, enterprise risk management, acquisition, and procurement)
SCRM plan development
- Support the development of a SCRM plan that articulates current practices and adherence to governing frameworks and regulatory requirements (as required by a specific targeted acquisition)
- Support annualized refreshes (as required by contract specific requirements)
SCRM plan audit support
- Support contractor response to government audit of supply chain risk processes or events
Supplier due diligence
- Support the formulation and execution of due diligence checks including:
– Foreign ownership, control or influence (FOCI)
– Financial
– Corporate social responsibility
– Geopolitical
– Data security
– Regulatory
– Operational
– Business continuity
– Fraud - Support the deployment and implementation of “all-source intelligence” technological platforms to bolster risk assessment activities, provenance, and institute continuous risk monitoring of Nth tier suppliers
Health checks
- Support periodic health checks on SCRM practices and high risk/critical suppliers and/or subcontractors
- Support new vendor onboarding
Mitigating measures as required by the Committee on Foreign Investment in the United States (CFIUS) and Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) rules
- Support adoption and implementation of SCRM programs as required by mitigation agreement
Deep understanding of the latest regulations and guidance including but not limited to:
- Intelligence Community Directive (ICD) 731: Supply Chain Risk Management
– Intelligence Community Standard (ICS) 731-01: Supply Chain Criticality Assessments
– Intelligence Community Standard (ICS) 731-02: Supply Chain Threat Assessment
– Intelligence Community Standard (ICS) 731-03: Supply Chain Information Sharing - National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161, Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations
- Federal Acquisition Security Council (FASC) exclusion and removal determinations for any information and communications technology and services (ICTS) considered to represent a security risk (41 CFR Part 201)
- Section 889 (Part A and B) of the John S. McCain National Defense Authorization Act for the Fiscal Year 2019
- Cybersecurity and Infrastructure Security Agency’s (CISA) SCRM Essentials
- Software Bill of Materials (SBOM) as required per implementation of Section 4 of Executive Order 14028, titled "Enhancing Software Supply Chain Security"
For more information on how our government contractor supply chain risk management team can help you contact our team:
Our services
Baker Tilly also offers a comprehensive set of services relating to supply chains and cybersecurity.