Slide 1
Protecting the Supply Chain
Geospatial & Remote Sensing Law Workshop, December 5, 2017
Susan Warshaw Ebner, Fortney & Scott, LLC
Michael Garson, Ankura Consulting
Michael W. Mutek, Steptoe & Johnson LLP
Slide 2
Protecting the Supply Chain
Susan Warshaw Ebner, Shareholder, Fortney & Scott, (202) 689-1200, sebner@fortneyscott.com
Michael Garson, Senior Managing Director, Ankura Consulting, (202) 449-7957, michael.garson@ankura.com
Michael W. Mutek, Senior Counsel, Steptoe & Johnson LLP, (202) 429-1376, mmutek@steptoe.com
Slide 3
Protecting the Supply Chain
Outline of Presentation
1. Supply Chain Management Today
2. Cyber Risks and the Supply Chain
3. Counterfeit Parts
4. Summary
Slide 4
Protecting the Supply Chain
1. Supply Chain Management Today
Government contracting supply chain:
- Contractors must understand the importance of supply chain risk management
- Rules/systems/oversight/flow downs
- Government concerns with supply chain risk
- Privity issue/address concerns through prime due diligence/flow downs
- Primes/higher tier subs have oversight and policing responsibilities
- Evolving – and important – rules include cyber and counterfeit parts
Slide 5
Supply Chain Management Today
Supply Chain Risk is:
“The risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of an item of supply or a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of a system.”
The Ike Skelton National Defense Authorization Act for Fiscal Year 2011 (Section 806).
Slide 6
Supply Chain Management Today
Historical context:
- “Purchasing” — the corporate function charged with obtaining the right part, at the right time, at the right price — has evolved into a more complex “supply chain” function
- Today, a contractor’s supply chain function must manage the risk associated with a globally dispersed network of suppliers
- And, address compliance with a broad range of laws and regulations
- Evolution from a purchasing focus to a risk management and compliance focus demonstrates the importance of supply chain
- Whether a prime or subcontractor, a CO, or a legal adviser to a company or an agency, you are likely to see supply chain issues
Slide 7
Supply Chain Management Today
Why?
- Supply chains are vital & subject to a variety of laws, supply chain regulations, and individual contract obligations
- For government contractors, supply chain management addresses (among other things) the requirements found in the FAR and agency FAR Supplements
- Many provisions must be flowed down to suppliers
- The rules address a variety of issues & concerns. For example: counterfeit parts; human trafficking; supplier business ethics; cyber threats; and restrictions relating to international trade; as well as socio-economic & other policies
Slide 8
Supply Chain Management Today
Government oversight:
- FAR has a framework for government examination of a contractor’s purchasing system
- Contractor Purchasing System Review (CPSR) evaluates supply chain risk
  - Assesses contractor’s effectiveness & efficiency in spending government funds
  - Compliance with government policy
  - Updated guidance: http://www.dcma.mil/Portals/31/Documents/CPSR/CPSR_Guidebook_100217.pdf
- Recently, the DCMA developed a new tool called “Prime Control of Subcontractors Assessment” or “PCSA”
  - PCSA designed to help determine whether the prime contractor has processes to effectively administer its supply chain.
  - PCSA is an assessment; CPSR is a full audit.
Slide 9
Supply Chain Management Today
Government oversight – responsibility determinations:
The FAR requires that:
“[p]urchases shall be made from, and contracts shall be awarded to, responsible prospective contractors only”
Slide 10
Supply Chain Management Today
Government oversight – responsibility determinations:
The FAR makes it very clear that prime contractors should consider equivalent standards in evaluating and selecting subcontractors:
“Generally, prospective prime contractors are responsible for determining the responsibility of their prospective subcontractors…. Determinations of prospective subcontractor responsibility may affect the government’s determination of the prospective prime contractor’s responsibility.”
Slide 11
Supply Chain Management Today
Government oversight – responsibility determinations:
Subcontractor responsibility: “When it is in the Government’s interest to do so, the contracting officer may directly determine a prospective subcontractor’s responsibility ... In this case, the same standards used to determine a prime contractor’s responsibility shall be used by the Government to determine subcontractor responsibility.”
Slide 12
Supply Chain Management Today
Government oversight:
- GAO recently confirmed the Government’s ability to directly address subcontractor responsibility in the face of a contractor challenge
  - Leidos Innovations Corporation, B-414289.2, June 6, 2017, 2017 CPD ¶ 200
- Requirements Relating to Supply Chain Risk rule (DFARS 252.239-7017)
  - Implemented mandates found in the 2011 and 2013 National Defense Authorization Acts (NDAA)
  - Requires DoD agencies to use supply chain risk as an evaluation factor & allows the DoD to exclude contractors due to risk related to National Security Systems (NSS)
- Intelligence Community has a similar rule: ICD 713
Slide 13
Supply Chain Management Today
GAO Backs Army Rejection Of Subcontractor
Law360, Washington (July 7, 2017, 6:57 PM EDT) -- The U.S. Army reasonably determined that Leidos’ bid on a $272 million logistics support deal wasn’t responsive to requirements because its proposed subcontractor was ineligible for access to bases where the work would be carried out, the U.S. Government Accountability Office said in a decision made public Thursday.
Leidos Innovations Corp. had not shown that the Army’s decision to exclude it from consideration from the deal, despite being the highest-rated offeror, was unreasonable, given the base access restrictions on its proposed subcontractor, which was expected to carry out a significant portion of the contracted work, the GAO said in its June 6 decision….
Leidos was initially in line for the contract award, with both the highest technical rating and lowest evaluated cost. But the CO issued an adverse responsibility determination, finding Leidos ineligible for the task order based on its proposed use of a subcontractor who would carry out a substantial amount of work under the deal.
Slide 14
Supply Chain Management Today
Notable Developments – Executive Orders: Reducing Regulation
- Regulatory reform is a goal of the new administration – this objective is reflected in the president’s January 30, 2017, Executive Order on Reducing Regulation and Controlling Regulatory Costs
- This EO, which was immediately effective, requires executive agencies to repeal at least two existing regulations before issuing a new regulation, which is the reason why this EO is referred to as “one in and two out”
- Furthermore, during fiscal year (FY) 2017, executive agencies must achieve a “net zero” increase in costs of new regulations
- Then, in FY 2018 and later FYs, the executive agencies will have a “cost budget” for regulatory changes
Slide 15
Supply Chain Management Today
Notable Developments – Executive Orders: Buy American Executive Order Means Greater Attention to Contractor Supply Chains
- The “Buy American – Hire American” Executive Order (EO) was signed on Tuesday, April 18, 2017, and requires that “[e]very agency shall scrupulously monitor, enforce, and comply with Buy American laws, to the extent they apply, and minimize the use of waivers, consistent with applicable law”
- The EO is consistent with the Administration’s stated desires to increase support for American goods
- The immediate impact of this EO is to require federal agencies to undertake an assessment of the monitoring, enforcement, implementation, and compliance with Buy American laws
- Assessments mandated by the EO may result in new requirements and regulations
Slide 16
Supply Chain Management Today
Notable Developments – Executive Orders: Defense Industrial Base and Supply Chain Resiliency
- Noting that a strong industrial base and resilient supply chains are critical to the economic strength and national security of the United States, the President on July 21 signed an Executive Order (EO) on Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States
- The EO notes that supply chains today “are often long and the ability of the United States to manufacture or obtain goods critical to national security could be hampered by an inability to obtain various essential components”
- As a result, “the United States must maintain a manufacturing and defense industrial base and supply chains capable of manufacturing or supplying [essential] items”
Slide 17
Supply Chain Management Today
Notable Developments – Section 809 Panel:
- The Department of Defense spends nearly $300 billion annually acquiring systems, goods, and services in support of the nation’s defense.
- Section 809 of the National Defense Authorization Act for Fiscal Year 2016 (Public Law 114–92), as amended by Section 863(d) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328), established an independent Advisory Panel on Streamlining and Codifying Acquisition
- Latest in a line of streamlining efforts this industry has seen
- Historical observation: Defense acquisition reform can impact all agencies – Defense acquisition reform can be adopted by other agencies
Slide 18
Supply Chain Management Today
Notable Developments – Section 809 Panel:
By statute, the panel’s mission is to:
- Review the acquisition regulations with a view toward streamlining and improving the efficiency and effectiveness of the acquisition process and maintain technological advantage
- Make recommendations for the amendment or repeal of such regulations that the panel considers necessary
Supply chain issues are being examined
Slide 19
Supply Chain Management Today
Notable Developments – Section 809 Panel:
Sample supply chain recommendations:
- Employ existing supply-chain audit and review tools
- Balance the oversight required for the implementation of the rule against the amount and type of risk that prompted the rule in the first place
- Consider making supply-chain management experience an evaluation factor when appropriate
- Consider and address the applicability of flow down requirements outside of the United States when such clauses conflict with country and other local laws applicable to prime and subcontractors in global supply chains
- Draft policies to increase diversity of the industrial pool, especially at the level of prime contractors
Slide 20
Supply Chain Management Today
Best Practices Dialogue
- Supply chain management deserves appropriate senior management attention
- Supply chain issues can affect the company in many ways, including its legal exposure, past performance ratings, contract award, and reputation
- The supply chain function should be viewed as a compliance function and it should be staffed and managed accordingly
- This function does more than issue purchase orders. It must vet suppliers, negotiate tailored terms and conditions, engage in adequate oversight of suppliers, appropriate reporting, mitigation, and remediation
- Training of supply chain personnel is essential because this is a rapidly changing area
- Vital that the supply chain function stay on top of new initiatives and rules
- Some rules expressly require training of suppliers and third parties
Slide 21
Protecting the Supply Chain
2. Cyber Risks and the Supply Chain
- Cyber Security Concerns for the Federal Government and its Contractors
- Evolving, Complicated, and Unsettled Legal Framework at the Prime Level
- Cyber Security within the Supply Chain
- Cyber Security within Third Party Support Functions
- Prime Contractor Responsibilities and Liabilities
- Subcontractor Responsibilities and Liabilities
- Practical Issues in Cyber Security in the Supply Chain
Slide 22
Cyber Risks and the Supply Chain
Cyber Security Concerns for the Federal Government and Its Contractors
- OPM Data Breach – 2014:
  - 4.2 million personnel files
  - 21.5 million security clearance background investigation records
- OMB FY16 FISMA Report:
  - Over 30,899 cyber incidents that led to the compromise of information or system functionality
- GAO Sept. 2017 Report:
  - Continued weaknesses due to ineffective implementation of information security.
Slide 23
Cyber Risks and the Supply Chain
Cyber Security Concerns for the Federal Government and Its Contractors (continued)
“Cleared industry must continue to advance cyber defenses and reduce cyber vulnerabilities since cyber actors will almost certainly continue to adjust existing exploitation techniques and develop new ones.”
Defense Security Service, September 2017
“Our adversaries are becoming more adept at using cyberspace to threaten our interests and advance their own, and despite improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years.”
Daniel Coats, ODNI, May 2017
Slide 24
Cyber Risks and the Supply Chain
Cyber Security Concerns for the Federal Government and Its Contractors (continued)
It’s not just a supply chain issue in the United States
- Revealed in summer 2017 that Swedish classified and sensitive government and citizenship information was likely disclosed to uncleared Romanian, Czech, and Serbian subcontractors of IBM Sweden, who had partnered with the Swedish Transportation Agency to manage its IT systems.
Slide 25
Cyber Risks and the Supply Chain
Evolving, Complicated, and Unsettled Legal Framework at the Prime Contractor Level in the United States
- Federal Information Security Management Act (FISMA)
- FedRAMP
- NIST Special Publication Series (800-53, 800-171)
- NIST Cybersecurity Framework
- FAR/DFARS/Other Agency Supplement Clauses on Cyber Security
- Proposed FAR Rules on Cyber Security
- OMB Memos on Information Security
- Individual Agency Memos and Guidance
- NARA Final Rule on CUI Protection
- CUI Registry
- (And Don’t Forget Data Privacy/Transfers, Export Control, and Other Applicable Laws Related to Cyber Security)
Slide 26
Cyber Risks and the Supply Chain
Cyber Security within the Supply Chain
FLOWDOWN
- Mandatory Flow down Examples
  - FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
  - DFARS 252.204-7000 Disclosure of Information
  - DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
  - DFARS 252.204-7012 Cloud Computing Services
- Discretionary Flow downs/Requirements
- Implementation
  - Prime Contractor Certificates
  - Prime Contractor Questionnaires
  - Prime Contractor Audit Requirements
Slide 27
Cyber Risks and the Supply Chain
Cyber Security within Third Party Support Functions
Not Necessarily a Matter of Flow downs
- Boundary and Scope of Contractor and Subcontractor Networks
- Third Party Hosted Applications
- Cloud Providers (SaaS, IaaS, PaaS)
- Mobile Device Management
- Remote Access Services
- Third Party Independent Contractors
- Third Party Contract Terms and Conditions
- Third Party Cyber Security Reviews and Audits
Slide 28
Cyber Risks and the Supply Chain
Prime Contractor Responsibilities and Liabilities
Responsibilities:
- Ensure Flow down of Applicable Requirements
- Review of Subcontractor Certifications, Statements, Policies
- Conduct Cyber Security Reviews of Key/Important Subcontractors
- Education of Purchasing/Subcontracting Department Personnel
- IT Department Mindfulness of Third Party Support Security Requirements
- Mandatory Disclosures and Coordination with Subcontractors
Potential Liabilities:
- Breach of contract
- Third party liabilities for information breach/disclosure
- Non-responsibility determinations
- Loss of certain contracting privileges/determinations of non-compliance
- FCA (implied certification theory); False Statements liability
Slide 29
Cyber Risks and the Supply Chain
Subcontractor Responsibilities and Liabilities
Responsibilities:
- Ensure Acceptance of Only Applicable Requirements (can be hard to do!)
- Develop/Update Applicable Policies and Processes
- Conduct Internal Cyber Security Reviews
- Educate Contracts Managers/Negotiators
- Ensure IT Department Mindfulness of Requirements and Third Party Support Security Issues
- “Flowup” – Coordinate Mandatory Disclosures with Prime Contractors
Potential Liabilities:
- Breach of contract
- Third party liabilities for information breach/disclosure
- Subcontractor non-responsibility determinations
- FCA (implied certification theory); False Statements liability
Slide 30
Cyber Risks and the Supply Chain
Practical Issues in Cyber Security in the Supply Chain
Application of FAR/DFARS Rules
- When/To Whom Is a Flow down Required?
- What Elements of the Flow down Need To Be Implemented?
- What Types of Information Need to Be Protected?
- What Constitutes “Adequate Security”? How Much Security Is Required?
- How Best to Respond to Cybersecurity Questionnaires and Certifications?
Slide 31
Cyber Risks and the Supply Chain
Best Practices Dialogue
For Prime Contractors
- Be deliberate and knowledgeable about flow down requirements
- Don’t require more than is reasonably necessary
- Work collaboratively with your key and important subcontractors
- Be mindful of risk appropriate practices at the subcontractor level
For Subcontractors
- Be deliberate and knowledgeable about flow down requirements
- Be prepared to demonstrate cyber security compliance
- Have concrete plans to implement security requirements
- Consider a holistic view of data management and security
- Make sure to prioritize and address key cyber security risk areas first
Slide 32
Protecting the Supply Chain
3. Counterfeit Parts and the Supply Chain
- Congressional Investigations
- Congressional Actions
- Executive Actions
  - Policy
  - Regulations
  - Actions
Slide 33
Counterfeit Parts and the Supply Chain
“The failure of a single electronic part can leave a soldier, sailor, airman, or Marine vulnerable at the worst possible time. Unfortunately, a flood of counterfeit electronic parts has made it a lot harder to prevent that from happening.”
Senate Armed Services Committee, May 2012
“DoD agencies and contractors submitted 526 suspect counterfeit parts reports in the Government-Industry Data Exchange Program (GIDEP) from fiscal years 2011 through 2015, submitted primarily by contractors.”
GAO, February 2016
Slide 34
Counterfeit Parts and the Supply Chain
Congressional Investigations
- SASC
- HASC
- GAO
- Multiplication of risks poses clear and present danger to public safety and national security
- Aim is to address risks and get what government needs
Slide 35
Counterfeit Parts and the Supply Chain
Congressional Actions
- NDAAs, FY ’11, ’12, ’13, ’14, ’15, ’16, ’17
- FY ’11, Sec. 818, as amended, Detection and Avoidance of Counterfeit Electronic Parts
  - Implement Item Unique Identification (IUID)
  - Address Threats to National Security Technology and Defense Industrial Base
  - Identify and Replace Obsolete Parts
  - Identify and Track Sourcing
Slide 36
Counterfeit Parts and the Supply Chain
Executive Branch Actions
- Public Meetings
- Notice and Comment Rulemakings
- Initial DPAP Plan for Triumvirate of Rules
  - DFARS Case 2012-D055 Detection/Avoidance of Counterfeit Electronic Parts
  - FAR Case 2013-002 Expanded Reporting of Non-Conforming Items
  - FAR Case 2012-032 Modify Higher-Level Contract Quality Requirements
Slide 37
Counterfeit Parts and the Supply Chain
Expanding beyond the triumvirate with many provisions in play, including:
- 252.246-7007 Contractor Counterfeit Electronic Part Detection and Avoidance System
- 252.246-7008 Sources of Electronic Parts
- 252.239-7018 Supply Chain Risk
- 252.246-7003 Notification of Potential Safety Issues
- 252.246-7004 Safety of Facilities, Infrastructure, and Equipment for Military Operations
- 252.246-7005 Notice of Warranty Tracking of Serialized Items
Slide 38
Counterfeit Parts and the Supply Chain
- FAR Provisions, e.g., 46.202-4 and 52.246-11 Higher-Level Contract Quality
- FAR Case 2013-002 Expanded Reporting of Non-Conforming Items – Still pending
- DoD Instructions and Other Guidance, e.g.,
  - DoDI 4140.67 DoD Counterfeit Prevention Policy
  - DoDI 5000.02 Operation of the Defense Acquisition System
  - DoDI 5200.44 Protection of Mission Critical Functions to Achieve Trusted Systems and Networks
Slide 39
Counterfeit Parts and the Supply Chain
252.246-7007 Contractor Counterfeit Electronic Part Detection and Avoidance System
- Sourcing of electronic parts
- Contractor counterfeit electronic part detection and avoidance system
- Reporting, Remediation and Mitigation
252.246-7008 Sources of Electronic Parts
Slide 40
Counterfeit Parts and the Supply Chain
252.246-7007 Contractor Counterfeit Electronic Part Detection and Avoidance System
Applies to the procurement of:
- Electronic parts
- End items, components, parts, or assemblies containing electronic parts
- Services where contractor will supply electronic parts or components, parts, or assemblies containing electronic parts
Does not apply to small business set asides
But does apply to CAS-covered primes and their subcontractors at all tiers
Slide 41
Counterfeit Parts and the Supply Chain
252.246-7007 Contractor Counterfeit Electronic Part Detection and Avoidance System
Requires contractor to establish and maintain an acceptable counterfeit electronic part detection and avoidance system
Failure to maintain may result in:
- Disapproval of purchasing system
- Withholding of payments
- Nonallowability of costs of counterfeit or suspect counterfeit electronic parts and rework or corrective action to remedy use or inclusion of such parts
Slide 42
Counterfeit Parts and the Supply Chain
What is an acceptable counterfeit electronic part detection and avoidance system?
Risk-based
Includes 12 elements:
- Training
- Inspection and testing per Gov’t/Industry techniques
- Suppliers
- Methods to identify suspect part and determine if counterfeit
- Processes to abolish counterfeit parts proliferation
- Reporting
- Tracking of electronic parts
- Design, operate, maintain detection and avoidance systems
- Process to keep continually informed
- Flow down
- Process for screening GIDEP and other credible sources
- Control of obsolete electronic parts through life cycle
Slide 43
Counterfeit Parts and the Supply Chain
Flow down
- Subcontracts at all tiers
- Includes commercial items
- Includes electronic parts or assemblies containing electronic parts
Safe Harbor
- Changes in clause
- Can and will a contractor have any safe harbor?
Slide 44
Counterfeit Parts and the Supply Chain
252.246-7008 Sources of Electronic Parts
Selection of Suppliers Requires Selection of:
- Original Manufacturer (OM)
- Authorized Aftermarket Manufacturer (AAM)
- Authorized Supplier – Supplier that obtains parts exclusively from OM or AAM
If not available, contractor:
- Must use established counterfeit prevention industry standards and processes such as DOD-adopted standards
- Assumes responsibility for parts’ authenticity
- Is subject to review and audit by CO
Slide 45
Counterfeit Parts and the Supply Chain
252.246-7008 Sources of Electronic Parts
Selection of Suppliers (continued)
- Must notify the CO in writing promptly if:
  - Part does not come from OM, AAM, or authorized supplier
  - Cannot confirm the part is new or previously unused and has not been comingled in supplier stock with used, refurbished, reclaimed or returned parts
- Must inspect, test, authenticate per industry standards
- Traceability through risk-based processes per industry standards
- Maintain documentation of traceability and inspection and testing and make available to Gov’t upon request
Slide 46
Counterfeit Parts and the Supply Chain
Government Plays Many Roles, Including:
- Government as Source to provide GFP/GFI re electronic parts
- Government Industry Data Exchange Program (GIDEP)
- DCMA Instruction 1205 Counterfeit Mitigation
- DCMA Checklist
- DCMA Contract Integrity Center
- IPR Center Operation Chain Reaction
- Past Performance evaluations (CPARS)
- Present Responsibility, Evaluation, and Award Criteria
Slide 47
Counterfeit Parts and the Supply Chain
Research and Development
- Plant DNA
- Optical Scanning Technologies
- DARPA SHIELD
Slide 48
Counterfeit Parts and the Supply Chain
Best Practices Dialogue
- Counterfeit parts activities must not be viewed as isolated compliance activities, but as part of the supply chain continuum
- Supply chain security is really a responsibility issue
- Do you have the necessary business systems and controls, facilities, supplies, personnel/expertise to make sound risk-based decisions, properly vet your suppliers, test your supplies, and timely assess, report and address suspected problems?
- Do your subcontractors?
- These activities require partnerships, training, and constant vigilance to ferret out and address the weakest links
Slide 49
Protecting the Supply Chain
4. Summary
The goal of this presentation was to provide you with:
- An understanding of supply chain management’s importance today
- Issues facing government customers and contractors in this area
- The focus on cyber and counterfeit parts risks in the supply chain
We should anticipate that new laws and implementing regulations will continue to affect supply chain compliance
- Note: the reports and reviews mandated by the EOs (stay tuned!)
- This highlights the need for government customers and government contractors to keep abreast of new legal and regulatory developments
Slide 50
Protecting the Supply Chain
Questions?