Helping Agencies Manage Supply Chain Risks Is a New SEWP Focus

As a supplier of IT to all federal agencies, including the Defense Department and intelligence organizations, the SEWP program office has made it part of its refocused mission to also help its customers with some of the broader implications involved in procurements. Supply chain risk is one that’s come to the fore in recent years.

With the global spread of IT manufacturing, many of the components that go into the products used by the government are made outside of the U.S. and in places with unknown quality control. Some, such as China, have to be assumed to be potentially hostile and capable of slipping in systems that could help with such things as electronic espionage in the U.S.

Joanne Woytek, SEWP program manager, made it a goal for the SEWP program office to develop a way to help its users assess the risks involved with the products and solutions they buy through the contract. She worked with the DOD and other agencies, as well as through participation in international standards organizations such as the Open Group’s Trusted Technology Forum, to come up with the right contract language.

The approach so far is to query SEWP contract holders on their authorized reseller relationship with various manufacturers. When they add a new company or a product from a manufacturer to their list, they have to notify the SEWP program office about what their relationship is with that company or manufacturer. The program office then checks to see if they are in fact working with the vendor.

“We don’t just rubber stamp things,” Woytek said. “We actually have a verification process via email between the contract holder, our office and the manufacturer to ensure that, when they say they are an authorized reseller, that’s also what the manufacturer means by authorized reseller.”

The goal is that when someone comes to SEWP to get a quote, the program office can provide an assessment of the risk for the customer about where the item they are buying came from, if it has any security issues, and whether it could be counterfeit or not. They won’t be given a yes or no about whether they should buy it, but they’ll at least have a decent understanding of the risk involved with using it if they do. That might not matter so much if the product is a cable, but it could if it’s a router or a computer.

Other government IT suppliers are also jumping on the supply chain risk wagon. The GSA issued a request for information at the end of 2014 looking for ways to do due diligence for IT procurements that “will be used by the federal acquisition, grant, and oversight communities to support government risk assessments.”

The whole process of developing this supply chain risk assessment “has been an interesting learning experience,” Woytek said. Things could change in the future depending on what customers tell the SEWP program office, but she thinks from the evidence so far that the process that was originally envisioned and is in place now is pretty much the right way to do it. It’s starting to provide the office with a “really good database of information,” she said.

The reaction so far from SEWP contract holders also reinforces that perception. In the first month of SEWP V operation, Woytek said holders had already logged into the SEWP system between 3,000 and 4,000 times to provide authorized reseller information.