The SolarWinds hack seems to be breathing new life into the supply chain security effort.
The General Services Administration could soon start requiring on-site assessments of certain federal contractors under a new program to scrutinize risks to the supply chain.
Tucked into the draft of a new governmentwide acquisition vehicle for information technology services called Polaris is language describing a tool to “identify, assess and monitor supply chain risks of critical vendors.” It would use classified and unclassified sources.
GSA said once the tool it’s developing—referred to as the Vendor Risk Assessment Program—is complete, “the contractor agrees the government may, at its own discretion, perform audits of supply chain risk processes or events,” adding, “on site assessments may be required.”
The Vendor Risk Assessment Program first appeared online in a Sept. 2017 blogpost by GSA’s Shon Lyublanovits describing plans to address risks to the supply chain of the government’s information and communications technology. Around that time, agencies would have been busy working to remove Kaspersky software from their systems. And GSA was engaged in a series of pilots toward a service that would be shared across the government to uncover businesses’ due diligence, including for cybersecurity concerns.
Since then, there has also been a focus on removing technology from Chinese suppliers from government systems, but the government’s attempts to more comprehensively review its supply chain for risks outside of a product’s country of origin are just getting off the ground. Now the SolarWinds hack, which leveraged a ubiquitous supplier of IT management technology to gain unauthorized access to government agencies, could be providing more urgency.
“Given the increased focus on supply chain risk management, GSA will be implementing the VRAP to strengthen due diligence processes for ensuring vendor compliance,” a GSA spokesperson told Nextgov. “As stated in [the draft Polaris solicitation], GSA is developing a VRAP tool to assess SCRM related issues. Additional details about the tool will be shared at a later date; however, we are seeking feedback on the initial concept.”
There aren’t a lot of details in the draft solicitation. It says the program is designed to monitor: the risk of foreign ownership, control or influence; cyber risk, and factors that would impact the company’s vulnerability, such as financial performance.
“In the event supply chain risks are identified and corrective action becomes necessary, mutually agreeable corrective actions will be sought based upon specific identified risks. Failure to resolve any identified risk in a timely manner may result in Government action up to and including contract termination,” the draft solicitation adds.
But it does not include any reference to—and GSA did not respond to questions about—whether the government would be conducting audits on its own or whether it has entered into a contract to implement the program, for example.
Supply chain risk management firm Interos worked with GSA on the pilots in 2017 and is currently highlighting threats associated with the SolarWinds incident. The company, which is a woman-owned small business, was awarded a contract to support the Vendor Risk Assessment Program but it’s unclear what its role might be in the program going forward. A current Interos contract with GSA ends in June.
GSA asks that feedback on the program and other aspects of the draft solicitation be submitted to Polaris@gsa.gov using the provided response template by Jan. 29.