Given the globally-distributed and interconnected nature of modern supply chains, there is no one-size-fits-all solution for a government contractor seeking to establish an effective supply chain risk management (SCRM) practice, and not understanding the potential dangers lurking in your supply chain can be costly. As the regulatory environment continues to shift and federal acquisitions continue to require detailed plans-of-action around SCRM, contractors should carefully consider how they screen, select, and oversee subcontractors and suppliers. The optimal SCRM structure depends on a variety of factors including current resources and infrastructure, short and long-term business strategy, contract portfolio and risk profile, and the “trust protocols” that secure the supply chain. By leveraging its understanding of industry best practices and leading SCRM frameworks, Baker Tilly can develop a tailored supply chain risk management plan for your organization that strikes the right balance between government requirement and business need.
To help government contractors with supplier risk management and federal contractor risk management requirements, Baker Tilly offers:
SCRM program development
- Assessment of current supplier governance processes against leading practices in supply chain management related frameworks and requirements (both cyber supply chain, or C-SCRM, and supply chain resiliency)
- Identification of potential supply chain risks that may arise out of any subcontractor or supplier agreements, allowing the contractor to understand its vulnerabilities
- Direction on how the current structure can be leveraged to meet future business needs and recommendations for remediating identified gaps
- Future state design, implementation road map, and change management guidance
- Foster collaboration between critical organizational stakeholders (information security, physical security, enterprise risk management, acquisition, and procurement)
SCRM plan development
- Support the development of an SCRM plan that articulates current practices and adherence to governing frameworks and regulatory requirements (as required by a specific targeted acquisition)
- Support annualized refreshes (as required by contract specific requirements)
SCRM plan audit support
- Support contractor response to government audit of supply chain risk processes or events
Supplier due diligence
- Support the formulation and execution of due diligence checks including:
– Foreign ownership, control or influence (FOCI)
– Financial
– Corporate social responsibility
– Geopolitical
– Data security
– Regulatory
– Operational
– Business continuity
– Fraud
- Support the deployment and implementation of “all-source intelligence” technological platforms to bolster risk assessment activities, provenance, and institute continuous risk monitoring of Nth tier suppliers
Health checks
- Support periodic health checks on SCRM practices and high-risk/critical suppliers and/or subcontractors
- Support new vendor onboarding
Mitigating measures as required by the Committee on Foreign Investment in the United States (CFIUS) and Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) rules
- Support adoption and implementation of SCRM programs as required by mitigation agreement
Deep understanding of the latest regulations and guidance including but not limited to:
- Intelligence Community Directive (ICD) 731: Supply Chain Risk Management
– Intelligence Community Standard (ICS) 731-01: Supply Chain Criticality Assessments
– Intelligence Community Standard (ICS) 731-02: Supply Chain Threat Assessment
– Intelligence Community Standard (ICS) 731-03: Supply Chain Information Sharing
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161, Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations
- Federal Acquisition Security Council (FASC) exclusion and removal determinations for any information and communications technology and services (ICTS) considered to represent a security risk (41 CFR Part 201)
- Section 889 (Part A and B) of the John S. McCain National Defense Authorization Act for the Fiscal Year 2019
- Cybersecurity and Infrastructure Security Agency’s (CISA) SCRM Essentials
- Software Bill of Materials (SBOM) as required per implementation of Section 4 of Executive Order 14028, titled "Enhancing Software Supply Chain Security"