IT Product Protection

Global Supply Chains Are Only as Strong as their Weakest Links.

Global IT supply chains have many benefits, including cost control, but the complexity of those supply chains makes them vulnerable to tampering, malware and counterfeit products. A governmentwide acquisition contract run by NASA uses policies that can help government customers avoid those pitfalls in their purchasing.

To minimize the potential for problems in the supply chain, the Solutions for Enterprisewide Procurement (SEWP) contract program office implemented the Established Authorized Reseller Program, or EARP, in July 2017. A key differentiator from other contract vehicles, EARP ensures that a relationship exists between resellers and original equipment manufacturers (OEMs), or as SEWP calls them, providers. That’s important because government buyers need to ensure product reliability in their effort to track and reduce risk in the supply chain.

To comply with EARP, SEWP’s Quote Request Tool shows quotes only from verified authorized resellers. If agencies want to see all quotes, they may click a button to change the default setting.

EARP evolved from a desire by the SEWP program management office to make it easier for government customers to track the supply chain. The office confirms with OEMs the bona fides of contractors claiming to be authorized resellers. “If the manufacturer says, ‘We haven’t heard of them,’ we take them out of our system,” said Theresa Kinney, SEWP’s deputy program manager. “When the federal government is going out there and they’re looking for an authorized reseller or an approved reseller of something, that work has already been done.”

Following the Rules

OEMs must follow four rules to become part of EARP. First, the provider must assign specific companies as authorized resellers. Second, the company must have a documented process to prove the relationship. Third, OEMs need to provide a point of contact who can verify the relationship. Last, SEWP makes clear that there is the potential for risks or negative consequences should an agency go without an established authorized reseller. In addition to security risks, those include availability of OEM warranty, lack of specialty technical services or post-award complications.

In addition, all vendor quotes include a verification file with information that government customers can review and assess for supply-chain risks before buying a product. An agency looking for a specific router may prefer to buy it from an authorized reseller, but officials may be less concerned about where the power cord comes from. SEWP provides granular product details that allow buyers to assess risk. EARP is especially important for Defense Department purchasers who need to know that the equipment they’re buying has not been compromised or hacked. NASA, via SEWP, and DOD are working to establish an International Organization for Standardization standard that addresses supply-chain risk. The program office is pushing vendors to get certified.

Although there is no way to guarantee complete supply-chain security – the National Institute of Standards and Technology calls it supply-chain risk management – SEWP has one of the most robust implementations of SCRM within the context of an IDIQ contract.

“SEWP is the first GWAC to really institute terms in the contract to address supply chain risk head on,” said Jeff Trent, vice president of federal government sales for Connection, a global IT solutions provider. “Connection takes this seriously and has invested to become Open Trusted Technology Provider-certified through the Open Group, which assures customers that we are actively working to prevent the sale of maliciously tainted and counterfeit products.”