For years, United States security agencies have recognized a threat to government information technology systems posed by contractor supply chains. The Government has struggled, however, to balance national security assessments of a contractor’s supply chain (which may include classified or otherwise sensitive information) against policies that favor transparency and competition. In many cases, a potential supplier may be excluded from a procurement for a risk based only on an agency official’s cursory research and with little warning. The excluded bidder may seek relief through a bid protest, but federal agencies receive significant deference in deciding matters of national security, as was displayed in Iron Bow Technologies, LLC v. United States, 136 Fed. Cl. 519 (2018), in which the U.S. Court of Federal Claims upheld the Social Security Administration’s exclusion of desktop printers manufactured by Lexmark based solely on the company’s Chinese ownership and connections to the Chinese government.
The Senate showed continued interest in this topic last year by unanimously passing the Federal Acquisition Supply Chain Security Act of 2018 (S. 3085), a bill that would have stood up a Federal Acquisition Security Council and established procedures for federal agencies to exclude from competitive procurements certain items or offerors that pose a supply chain risk.
The bill would have allowed an agency, for a single procurement or a class of procurements, to exclude a source from competition or deem a source unacceptable or not responsible on the basis of a perceived supply-chain risk upon determining (1) exclusion is necessary to protect national security, and (2) less intrusive measures are not reasonably available. Under the bill, a source could be excluded either based on explicit solicitation criteria (i.e., failing to meet qualification requirements or not achieving an acceptable rating under an evaluation factor) or as part of the source-selection authority’s overall responsibility determination. However, the authority to make an exclusion determination could not be delegated further than one level below the Deputy Secretary or Principal Deputy Director; would require the joint recommendation of the agency’s chief acquisition officer and chief information officer; and would require the agency to provide notice to Congress. The bill does not describe the sources of information on which an agency official may rely in reaching the conclusions underlying exclusion — including, apparently, unsubstantiated internet research. The proposed statute would, however, address some of the transparency and accountability issues that have dogged this area of procurement review, as before exercising this authority, the agency would be required to notify the source of its potential exclusion and allow it 30 days to respond, unless there are “urgent national security interests,” in which case the notice to the excluded source and notice to Congress could be delayed.
Under the bill as written, an excluded source would be limited to seeking judicial relief directly in the U.S. Court of Appeals for the District of Columbia Circuit, which would adopt a standard of review similar to that in the Administrative Procedure Act, with the exception that a contractor may also seek remedies under the Contract Disputes Act (CDA), 41 U.S.C. §§ 7101 et seq., to the extent they are available. This would preclude traditional bid protest remedies and cases like Iron Bow.
The bill also would have established procedures for sources to be excluded more broadly by the Department of Homeland Security, Department of Defense, and the Director of National Intelligence from procurements by civilian, defense, or intelligence agencies, respectively, upon recommendation by the Federal Acquisition Security Council established by the bill. This Council — which would be chaired by a representative from the Office of Management and Budget (OMB) and would also include representatives from the General Services Administration (GSA), Department of Homeland Security (DHS), the Office of the Director of National Intelligence (ODNI), Department of Justice (DOJ), Department of Defense (DOD), and the National Institute of Standards and Technology (NIST) — would be charged with establishing criteria and procedures for such exclusions and exceptions to them.
Additionally, the Council would be responsible for identifying and recommending supply chain risk management standards, guidelines, and practices for executive agencies (which NIST would develop), as well as establishing requirements for non-federal entities to share information about supply chain risk with federal agencies and identifying the best federal agencies to lead and facilitate this sharing.
All in all, this bill, which may or may not be reintroduced in the new Congress, with its procedure for review and challenge prior to exclusion and its requirements for Congressional notifications, is a step in the right direction. But there still is room for improvement, particularly in establishing meaningful administrative oversight and standards for thorough and reliable research to guide agencies, who otherwise may cloak a careless decision under the veil of national security. Federal contractors will want to monitor these initiatives and the ongoing balance of national security with procurement transparency, as well as reviewing companies in their own supply chain for possible concerns.