Bill seeks to protect against counterfeit IT

Defense Department officials worry that globalization of the IT industry increases its vulnerability to malicious or counterfeit IT systems.

The Senate Armed Services Committee has proposed giving the Defense Department authority to exclude companies from competing for contracts if the firms threaten IT system development, according to legislation.

The committee’s concern for the supply chain stems from a 2009 DOD report on trusted defense systems. DOD found that the globalization of the IT industry has increased the vulnerability of the department's IT systems. The report found a growing risk that systems and networks critical to DOD could be exploited through counterfeit systems or malicious code and other defects introduced by suppliers.

Under the measure, an agency in DOD would be able to exclude a company from competing for a contract, task or delivery order, or even a subcontract, but officials would not be required to disclose who’s on the list, according to the Senate’s National Defense Authorization Act (S. 3454).


The director of the Defense Intelligence Agency and the assistant secretary of defense for networks and information integration would make the decision “that the exclusion of a particular source is necessary to avoid an unacceptable supply chain risk,” the bill states.

Furthermore, it states that a company “shall not be subject to disclosure.”

“The committee concludes that the secretary should have the authority needed to address this risk,” according to the committee’s report that sheds light on the bill’s provisions.

The current session of the Senate is not likely to act on the bill, but the upper chamber may revisit the legislation after the new Congress begins.

“The new Congress will have to start over, but the delay will not have any significant impact,” said Robert Burton, former deputy administrator in the Office of Federal Procurement Policy and now a partner at the Venable law firm.

Despite the committee’s attempts at protection, the provision has raised concerns in the acquisition community. Experts fear DOD and the government overall could go too far with the authority.

“It is stunning,” Burton said. “Basically, any contractor can be excluded from a competition because of an ‘unacceptable supply chain risk.’ I think the provision is overly broad and could be abused.”

Such a list also could spread to other agencies, even beyond DOD, and lead those agencies to question a company’s reputation, said the American Small Business Association. This could start de facto debarments across the government without due process.

Alan Chvotkin, executive vice president and counsel at the Professional Services Council (PSC), said the government can find better options for keeping a check on supply chain risks.

“Exclusion should be the last approach,” he said.

However, DOD has a legitimate concern about malicious IT systems, he said. The standards for determining a risky system are too broad, and that needs to be worked out. The PSC and other industry groups have met with the Senate committee, and Chvotkin said the committee staff members have been engaged in open, substantive discussions.