Over the past decade, Congress has relied increasingly on National Defense Authorization Acts (NDAAs) as an important tool in managing and mitigating risks presented by the Defense Industrial Base (DIB) and its suppliers. The FY22 NDAA continues that trend, with a significant focus on building supply chain resiliency and strengthening supply chain risk management (SCRM) policies within the Department of Defense (DoD). Historically, many of the provisions found in NDAAs also end up impacting civilian agencies’ behavior – and that expectation holds true for FY22.
A major reason why the U.S. is focusing on protecting its supply chain is the damage and disruption that supply-chain-related attacks can cause. In late 2020, the U.S. had an eye-opening moment when it fell victim to the SolarWinds compromise that wreaked havoc on federal agency networks (see the Baker Tilly webinar for more details). As attacks like these become more prevalent, it is important for the government to improve its supply chain security posture. Provided below are details on the sections of the FY22 NDAA that are focused on securing the supply chain.
Possibly the most important of the highlighted sections, Section 841 aims to modernize acquisition processes by developing capabilities to “illuminate” supply chains and map third-party ecosystems. Specifically, DoD is required to “develop capabilities to map supply chains and to assess risks to the supply chain for major end items by business sector, vendor, program, part, and other metrics.” This requires an assessment of tools, technologies and approaches to “modernize the systems of record, data sources and collection methods, and data exposure mechanisms” with an end goal of a unified approach to collecting data and assessing and mitigating risks. This should require the deployment of “data analytics and business intelligence tools”, and the “continuous development and delivery of secure software to implement the activities.” By enhancing risk intelligence associated with the DIB, Congress believes DoD will be better able to proactively address risks.
Section 847 requires the DoD and the Department of State to implement a plan that will reduce the nation’s reliance on services, supplies or materials obtained from sources located in geographic areas that are controlled by China, Russia, North Korea and Iran. The ultimate goal here is to mitigate the risks to national security and to the defense supply chain that arise from our nation’s reliance on such sources for services, supplies or materials.
Section 851 amends section 2533d of title 10, United States Code and section 841 of the FY21 NDAA, which ban the sourcing of covered printed circuit boards from China, Russia, North Korea, and Iran for use in mission-critical systems, and which modified the definition of covered printed circuit boards to focus on products and services other than commercial products and services. It modifies the code and Section 841 from FY21 to delay the originally contemplated implementation date from Jan. 1, 2023 to Jan. 1, 2027. Delaying implementation of this requirement has likely become important due to a shortage of available circuit boards from non-covered countries and a shortage of U.S. manufacturing capabilities in this area.
Section 855 requires that for each of fiscal years 2023 and 2024, companies performing under “covered” contracts and subcontracts have to report to the government when they submit a bid or proposal for such contracts, if they have employees who will perform work in the People’s Republic of China on said covered contract. Failure to disclose this information will have a negative impact on contractors, as the DoD will be prohibited from awarding or renewing contracts unless the contractor has submitted each disclosure it is required to submit. “Covered” contracts are defined as contracts and subcontracts over $5 million that are not for commercial products or services, and this requirement goes into effect on July 1, 2022.
These provisions in the FY22 NDAA make it clear that supply chain security continues to be a national security concern. Federal contractors should consider the following when thinking about how they manage and understand their third-party ecosystems and extended supply chains.
In Section 841, Congress has directed DoD to develop capabilities to map supply chains and to assess risks to the supply chain for major end items by business sector, vendor, program, part and other metrics. As DoD and potentially other federal agencies make this a priority, federal contractors should be thinking about how these initiatives could impact customer expectations. Will federal contractors be expected to follow suit and be able to map their own supply chains? Could a federal agency’s review of a contractor’s supply chain lead to a contract being awarded (or withheld) due to a specific contractor’s supply chain and its risk profile? These are important questions that federal contractors supporting sensitive federal programs should consider.
In recent years, federal procurements have increasingly included requirements for offerors to describe SCRM practices and cyber SCRM practices, with detailed plans-of-action to protect hardware, software and embedded components from compromise (otherwise known as a SCRM plan). These plans explore and detail the policies, processes and systems that an organization has established to manage its third-party risk. To be considered sufficient and effective, it is often the case that these plans and the individuals designing and operating them have an in-depth understanding of governmental standards. As such, it is important that federal contractors look ahead and examine those processes currently in place and decide whether improvements are needed. Organizations in certain industries, who do business with DoD and the intelligence community, may also want to consider developing and documenting their SCRM program/plan, so that they are ready to provide it to the government when required.
As with previous NDAAs and rulemaking, the FY22 NDAA puts an emphasis on limiting the amount of materials sourced from adversarial countries such as China, Russia, North Korea and Iran, while placing an emphasis on purchasing materials from American companies or companies from allied nations. This further signals a need for federal contractors to have a strong understanding of their supply chains, and a capacity to proactively manage their supply chains. Whether this requires a formal SCRM program/plan as described above, or something different, this will be an important consideration for federal contractors who want to ensure that they are well-positioned to meet customer expectations.
As seen in Section 855, the government is requiring that contractors disclose information about employees who are working in China. This section requires that if DoD is not made aware of employees performing on a covered contract who are working in China, it will not be allowed to award or renew any contracts with the company that fails to report this information. The result of an error or omission here is essentially a suspension of the contractor, making it ineligible for new contract awards, and making this requirement one that is critical to get right.
Baker Tilly is here to assist with solidifying your SCRM practices, starting by performing a gap assessment or utilizing other evaluation procedures to assess your risk. We also can help you understand aspects of these updated requirements that are applicable to your organization, while helping you best allocate time and resources to understand what is “fit for purpose” for your SCRM program.
Additionally, your organization may require a SCRM plan, either now or in the future. These plans explore the processes you currently have in place to manage your third-party risk and oftentimes require an in-depth understanding of governmental standards. We regularly assist organizations with preparing SCRM plans in order to avoid complications that may arise with federal review and evaluation of these plans.
As the pandemic and recent supply chain “shocks” made clear, risk management procedures and business continuity plans can be tested at any time. Federal contractors should look to develop an effective SCRM program that puts the systems, policies and processes in place that will allow them to effectively mitigate and manage ongoing supplier risks. Baker Tilly stands ready to support your organization.
For more information or to learn how our specialists can help, reach out to your Baker Tilly professional or contact our team.
NDAAs authorize defense spending and set the policy by which funds will be spent.