
The “SolarWinds” event made public in Dec. 2020 has drawn intense scrutiny of how commercial enterprises as well as government agencies are exposed to threats that can be delivered through the supply chain. The result will be many government initiatives, and new contract requirements, obligating companies to improve and disclose measures taken to assess and minimize supply chain risks.

Even before “SolarWinds,” the federal government had increased its regulatory focus on strengthening and securing the federal supply chain. New rules have emerged, including cybersecurity compliance frameworks (like CMMC), tighter restrictions on foreign investment, limitations on foreign-sourced technology, and new authority to remove suspect equipment or exclude high-risk sources. The many initiatives serve common objectives, but at a practical level companies are challenged to understand the new demands and to undertake the governance and compliance measures they require.

In the Biden administration, even stronger supply chain measures are expected. Federal procurements have increasingly included requirements for offerors to describe supply chain risk management (SCRM) practices and provide detailed plans-of-action to protect hardware, software and embedded components from compromise (otherwise known as a “SCRM plan”). Several procurements have gone so far as to state outright that supply chain risk processes and/or events may be subject to audit, at the Government’s discretion. The CMMC assessment regime could well be extended to SCRM practices.

Given the anxiety over secure sources of supply and the damage done by “SolarWinds,” organizations serving federal customers should map the present and expected landscape of SCRM requirements and carefully consider strategy, tools, techniques and implementation to produce strong “SCRM plans,” which meet or exceed acquisition demands.

In a recent webinar, Baker Tilly’s Jeff Clayton, Matt Gilbert and Leo Alvarez joined Rogers Joseph O'Donnell’s Robert S. Metzger and Eleanor Ross for a discussion on SCRM and what its use in recent solicitations means for federal contractors.

Watch the webinar to gain insight into the following topics:

  • The state of measures taken by federal agencies to protect against supply chain risks.
  • Lessons learned from “SolarWinds” and actionable recommendations to industry.
  • New and emerging requirements impacting how federal contractors manage their supply chains.
  • How “CMMC 2.0” may operate at the nexus between SCRM and information security.
  • NIST and other practices and standards useful to the acquisition community and federal suppliers.
  • How “Supply Chain Illumination” fits into federal and enterprise supply chain risk management.
  • Sources of insight and intel into emerging supply chain vectors, threats and attacks.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
