On the eve of the recent government shutdown over border security, Congress and the President were in agreement on a different issue of national security: mitigating supply chain risk. On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act”) (P.L. 115-390). The Act includes a trio of bills that were designed to strengthen the Department of Homeland Security’s (“DHS”) cyber defenses and mitigate supply chain risks in the procurement of information technology. The last of these three bills, the Federal Acquisition Supply Chain Security Act, should be of particular interest to contractors that procure information technology-related items related to the performance of a U.S. government contract. Among other things, the bill establishes a Federal Acquisition Security Council, which is charged with several functions, including assessing supply chain risk. One function of the Council is to identify, as appropriate, executive agencies to provide common contract solutions to support supply chain risk management activities, such as subscription services or machine-learning-enhanced analysis applications to support informed decision making. The bill also gives the Secretary of DHS, the Secretary of the Department of Defense (“DoD”) and the Director of National Intelligence authority to issue exclusion and removal orders as to sources and/or covered articles based on the Council’s recommendation. Finally, the bill allows federal agencies to exclude sources and/or covered articles deemed to pose a supply chain risk from certain procurements.

Federal Acquisition Security Council

The bill creates the Federal Acquisition Security Council, which is comprised of civilian, DoD, and Intelligence Community agencies.[1] The Council is tasked with developing a government-wide strategy for addressing supply chain risks from information and communications technology purchases, facilitating information sharing within the government and with the private sector, and serving as the central, government-wide authority for supply chain risk mitigation activities.[2]

The Council’s other primary function is to establish procedures for and facilitate the exclusion of sources or covered articles[3] broadly from agency procurements and the removal of covered articles from agency information systems when it determines that those sources or articles present a supply chain risk. Although the Council is tasked with recommending exclusion or removal orders, the heads of DHS, DoD, and ODNI (or their delegates) have the authority to issue (and rescind) exclusion or removal orders for the civilian, defense, or intelligence agencies, respectively. Before providing its recommendation to the heads of DHS, DoD, or ODNI, the Council must provide the named source with notice of the recommendation and a thirty-day opportunity to respond to the recommendation. Based on the Council’s recommendation and the source’s response, the DHS, DoD, and ODNI officials may issue exclusion or removal orders for a source or covered article. Once an authorized official has issued an order, the corresponding agencies and systems that official is responsible for are required to abide by the order. In the event all three agencies issue the same exclusion orders — resulting in a government-wide exclusion — officials at GSA and other agencies are required to effectuate the order government-wide.

If an exclusion order is issued, the issuing official must notify the excluded source, Congress, and the agency designated as responsible for collecting and sharing supply chain risk information. It is unclear whether the government will maintain a public list of these orders or otherwise affirmatively share this information with industry in some way.

Other than the opportunity to respond to the Council’s recommendation, a source may only challenge an order by seeking relief directly in the U.S. Court of Appeals for the District of Columbia Circuit (“D.C. Circuit”) through what is equivalent to Administrative Procedure Act review.[4] And this challenge must be filed within 60 days of being notified of a covered procurement action. Otherwise, the Council is required to review exclusion and removal orders annually and provide an annual report to Congress.

This authority under the statute terminates in five years.

Agency Authority Over Covered Procurement Actions

The bill also allows a federal agency to exclude a source from a single procurement or a class of procurements[5] where it determines that the source poses a significant supply chain risk — something referred to as a “covered procurement action.” Specifically, covered procurement actions include:

  1. excluding a source that fails to meet a qualification requirement (see 41 U.S.C. § 3311) for the purpose of reducing supply chain risk in the acquisition or use of covered articles.
  2. excluding a source deemed unacceptable during the consideration of supply chain risk as an evaluation factor for the award of a contract, task order, or delivery order.
  3. excluding a source upon determining that the source is not responsible (see 41 U.S.C. § 113) based on considerations of supply chain risk.
  4. withholding consent to subcontract with a particular source or excluding a particular source from consideration for a subcontract.

Covered procurement actions can only take place in the context of contract actions where there are specifications, evaluation factors, or clauses relating to supply chain risks, where supply chain risk considerations are included in the agency’s determination of whether a source is responsible, or for any procurements otherwise determined appropriate by the FAR Council.

The head of an agency (or certain delegates) can take a covered procurement action only upon a determination that exclusion is necessary to protect national security and that less intrusive measures are not reasonably available. To take this action, the agency must first (i) receive a joint recommendation from the agency’s chief acquisition officer and chief information officer (or their functional equivalents), (ii) provide notice of the joint recommendation to the source proposed for exclusion, with a thirty-day opportunity for the source to respond before a final determination can be made, and (iii) provide notice to the appropriate congressional committees. However, if the head of the agency determines that an urgent national security interest requires an immediate exclusion, the notice to the source and to Congress may be temporarily delayed.

Apart from the opportunity to respond to the agency’s joint recommendation, exclusions are not subject to protest before the agency, the Government Accountability Office, or the Court of Federal Claims. Indeed, as with the exclusion and removal orders discussed above, a source may only challenge an agency exclusion in the D.C. Circuit and challenges by the source must be filed within 60 days of being notified of exclusion.

This authority under the statute also terminates in five years.

Considerations for Contractors

The Federal Acquisition Supply Chain Security Act is another step in the government’s continuing efforts to secure its information technology supply chain. Most recently, contractors have seen exclusions of specific manufacturers such as Kaspersky Labs and ZTE. But for the past decade, the government’s focus on supply chain issues has been on an agency by agency basis. See our analysis here. Although this new law operates government-wide, many of the details for how this process will unfold have yet to be developed. However, given the significant consequences, contactors should be attuned to these requirements. Indeed, the potential government-wide exclusion and removal authority is akin to suspension/debarment with arguably less due process. In particular, there is no informal or administrative resolution procedure beyond the 30-day notice, and challenges in the D.C. Circuit are very public and need to be undertaken quickly given the 60-day limit.

Adding to the potential for confusion is the need for clarity for some key terms in the new law. For example, “covered articles” include “hardware, systems, devices, software, or services that include . . . incidental information technology.” It is unclear what is meant by “incidental” in this context. Similarly, agencies can issue exclusion and removal orders as to a “class of procurements,” which also remains undefined.   Presumably these types of issues will be clarified in subsequent regulations.

How much of this process will be public also remains unclear. Exclusion and removal recommendations and notices are “confidential” until an order is issued and the source has been notified, and covered procurement action notices are confidential until a covered procurement action has been made. But there is no clear mechanism yet for publishing that information or determining who will have access to that information. For the time being, contractors should consider modifying agreements with suppliers and teammates to require notice if the supplier or teammate receives information that it or its products may be subject to an exclusion or removal order.

The information upon which agencies can rely for these decisions also remains unclear. The new law states that the Council shall use the criteria it develops, the information made available by the agency designated as responsible for collecting and sharing supply chain risk information, and “any other information the Council determines appropriate to issue recommendations.” This last category could include almost anything. Although the government has promoted information sharing with and required disclosures from some success in the cybersecurity and counterfeit parts context, it is unclear how such disclosures could be used by an agency in making an exclusion decision. The Council is only required to provide the source with the information that forms the basis for its exclusion/removal recommendation “to the extent consistent with national security and law enforcement interests.” This could create concerns by contractors about how much to share with the government, depending on how that information may be shared within the government.

Overall, this new law has the potential to significantly impact procurements in the information technology area and contractors should continue to follow the regulatory process as the Council is formed and the statutes are implemented

[1] The Council includes representatives from the Office of Management and Budget (which also chairs the Council), the General Services Administration (“GSA”), DHS, the Office of the Director of National Intelligence (“ODNI”), the Department of Justice, DoD, and the Department of Commerce.

[2] “Supply chain risk” includes risks to covered articles or information stored or transmitted on the covered articles.

[3] “Covered articles” include information technology (see 40 U.S.C. § 11101), including cloud computing technology; telecommunications equipment or services (see 47 U.S.C. § 153); “the processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information Program”; or “hardware, systems, devices, software, or services that include embedded or incidental information technology.”

[4] A source may also seek remedies under the Contract Disputes Act (see 41 U.S.C. §§ 7101 et seq.) to the extent they are available, but the bill specifies that the D.C. Circuit “shall have exclusive jurisdiction” over claims against the United States arising from the use of the newly created exclusion authorities.

[5] The term “class of procurements” is not defined.