The interim regulation sets down rules for excluding vendors from federal procurement if an interagency panel deems them untrustworthy.
The Office of Management and Budget has released an interim regulation outlining the interagency process that will allow agencies to bar companies from federal contracting when they constitute a supply chain security risk.
The rule, authorized by the the Federal Acquisition Supply Chain Security Act of 2018, offers a number of pathways to request excluding a particular vendor from contracting with the federal government. Individual member agencies or the full Federal Acquisition Security Council can make a recommendation, outside agencies or governmental bodies can submit a written request, or the council can consider tips from "any individual or non-federal entity that the FASC determines to be credible."
The council must then conduct "due diligence" to determine if the risks are valid, including "ensuring to the extent possible, that the information is credible or that the level of confidence in the information is appropriately taken into consideration," examining "other relevant publicly available information as necessary and appropriate" and consulting with the National Institute for Standards and Technology to ensure such exclusion is in line with federal guidelines and standards.
After that, the council can make a recommendation to the Director of National Intelligence or Secretaries of Homeland Security or Defense, who will ultimately decide whether to issue an exclusion order barring that company or product from future federal contracts. They must also give notice to the supplier that they are being recommended for exclusion and offer an opportunity to clarify or rebut any credible claims that they their product or relationship with a foreign government poses a supply chain risk.
"This due process procedure is intended to provide the named source(s) with the information needed for the source(s) to respond to the recommendation," the rule states.
Even if the council opts not to recommend exclusion, they may still share the information they received with others under certain circumstances.
The FASC is made up of representatives from across government and was designed to formalize the sort of ad-hoc decision-making that led to the banning of vendors like Kaspersky Labs, Huawei and ZTE from federal procurement channels, on the logic that they are too closely tied to adversarial foreign governments. Such connections, U.S. officials argue, represent an unacceptable risk of espionage through backdoors placed in their products or by the companies routing data to home countries where foreign laws may make it easier to access them. All three companies have vigorously denied charges that they spy or facilitate spying on behalf of foreign governments.
One thing the rule doesn't address is legal liability for private companies who share information about possible supply chain threats. A working group under the Supply Chain Task Force has determined that private companies seeking to pass along tips or suspicious behaviors in the supply chain space could face lawsuits for defamation or interfering with a contract if the information doesn't pan out. While federal officials want to take advantage of such tips, broad liability protections could also create an incentive for false reporting or bad faith accusations about competitors.
The comment period on the rule closes Nov. 2.