The Federal Acquisition Security Council (FASC), compelled by the SECURE Technology Act, is a recently established interagency body tasked with developing “uniform criteria for supply chain risk management (SCRM) programs” across federal agencies, improving information sharing on supply chain risk, and setting forth procedures for making exclusion and removal determinations for any information and communications technology (ICT) considered to represent a security risk. Just recently, the FASC’s strategic plan and charter was submitted to Congress. 

In light of the recent SolarWinds supply chain infiltration into federal networks, Baker Tilly has summarized several important takeaways from the strategic plan as the FASC will be a critical actor in the nation’s strategic activities to secure the federal supply chain. In a post-SolarWinds world, federal contractors would be wise to remain mindful of the broad discretion of the FASC – particularly in the council’s ability to issue exclusion and removal notices which would result in an automatic referral for potential suspension and debarment. 

Introduction

On Sept. 1, 2020, the Office of Management and Budget (OMB) issued an interim rule implementing the Federal Acquisition Supply Chain Security Act of 2018, which established the FASC and empowered it to oversee an “overarching effort to establish standardized SCRM practices across the federal ICT enterprise.” Recently, the Office of the Federal CIO released the FASC’s strategic plan outlining its core mission and objectives. As put succinctly in the plan:

“ICT SCRM is the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains. Because each federal agency’s supply chain is as unique as each agency’s mission, no single SCRM program can be universally applied across the federal government. But now, all federal agencies will be able to look to the FASC for guidance, including for:

• addressing supply chain risks in the procurement and use of ICT;
• updates on supply chain risk management standards and guidelines based on NIST standards;
• federal SCRM expertise to support government-wide coordination; and,
• sharing of applicable risk information to inform agency SCRM programs and ICT acquisition decisions.”

Three central pillars are identified to enhance security, reliability and resiliency of federal ICT. These are described in further detail below. 

Pillar one: Standards, guidelines and practices for federal SCRM programs

In order to meet the statutory mandates from the SECURE Technology Act, the FASC outlines several core activities it expects to undertake:

• Strengthen agencies’ SCRM capabilities: The SECURE Technology Act compels federal agencies to assess supply chain risk in accordance with standards and practices set forth by the FASC. In order to help agencies determine their SCRM maturity level and implement improvements, the FASC will identify “common initiatives, standards, guidelines, processes and proven practices implementable by all organizations”. As a member of the council, the National Institute of Standards and Technology (NIST) will be instrumental in developing guidance to achieve synchronization in government-wide SCRM governance. NIST SP 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” issued in April 2015 and slated for revision over the coming months, will likely factor in each agency’s review of its information system assets (among other SCRM frameworks). 
• Identify existing authorities for addressing risks: In addition to providing a path to strengthening agency-specific SCRM practices, the FASC will establish a knowledge management repository to increase awareness of agency authority under the SECURE Technology Act, avoid duplication and increase adoption of SCRM strategies and implementation plans. 
• Identify best practices and procedures: The FASC intends to research past, present and future agency efforts related to implementation of SCRM programs. To accomplish this, the FASC will be conducting “data calls” to collect details on “SCRM policies, initiatives, practices, and processes and associated resources.” The information collected will be reviewed to understand and identify those SCRM activities that should be propagated across the executive branch.
• Address cross-agency SCRM services: The FASC will work to identify shared services (e.g., supply chain risk assessments) and common contract solutions (e.g., acquisition methods) that can be leveraged to address supply chain threats. 
• Develop exclusion and removal criteria: Informed by applicable NIST standards and guidance, the FASC will establish the criteria and procedures necessary to recommend exclusion or removal orders of risky ICT products or services. 
• Evaluate the effect of implementing new policies or procedures on existing contracts: Understanding that the goals associated with changes to SCRM practices may not be fully realized under existing ICT contractual commitments, the FASC will evaluate the impact of practice changes and determine whether contract modifications may be necessary to fully mitigate supply chain risks. 
•  Measuring outcomes: Understanding that annual FISMA reporting will act as a mechanism for measuring SCRM capabilities, the FASC will “develop and recommend to OMB appropriate measurable programmatic metrics.” In addition, the FASC will produce an annual report to describe its ongoing efforts to evolve SCRM-related practices throughout the federal government. 

Pillar two: Information sharing

 A key statutory mandate for the FASC is to develop criteria and improve information sharing related to supply chain risk (government to government, government to industry, and industry to industry). Understanding that agencies each have their own policies and procedures that may constrain information sharing, the FASC will “develop criteria to delineate the specific categories (mandatory and voluntary) of information to be shared to ensure the security of federal ICT (including sharing with non-executive branch federal entities) while ensuring the information sharing process complies with applicable legal and policy requirements.” Additionally, within the strategic plan, the FASC has appointed the Department of Homeland Security (DHS), acting through the Cybersecurity and Infrastructure Security Agency (CISA), as the executive agency for overseeing information sharing guidance set forth by the FASC.

Pillar three: Stakeholder engagement

 Recognizing the importance of engagement with non-federal entities (private sector, private-public partnerships, federally funded research development centers and academic institutions) on this complex issue, the FASC plans to prepare a “stakeholder management plan” to identify relevant stakeholders and develop a means of communication to “ensure that the FASC’s activities are informed by all relevant information as well as meet the needs of a diverse ecosystem of stakeholders.”

Conclusion

As cybersecurity and surveillance threats become ever more present, federal contractors should expect to see increasingly strict efforts to secure and strengthen the federal supply chain. This particular strategic plan makes clear that the FASC will be a critical voice in our nation’s growing measures to reduce ICT risk – with impacts that are likely to make their way to companies that do business with the federal government. These organizations should remain vigilant in addressing supply chain risks, as they look to partner with federal customers. As the recent SolarWinds event makes clear, the risks to our national security are much too great. In addition to assessing their supply chains, federal contractors should look to develop an effective SCRM program that puts the systems, policies and processes in place that will allow them to effectively mitigate and manage ongoing supplier risks. 

For more information on this and SCRM, or to learn how Baker Tilly specialists can help – please contact us:

• Jeff Clayton
• Matt Gilbert
• Leo Alvarez