By Matthew Weigelt
December 6, 2010
The Senate Armed Services Committee is considering proposed legislation that would allow the Defense Department to blacklist certain companies that might risk a break in the department’s supply chain.
Under the legislaton, a DOD agency would be able to exclude a company from competing for a contract, task or delivery order, or even a subcontract, if the company seems to pose a risk to the supply chain of IT systems. The agency would not be required to disclose who’s on the list, according to the Senate’s National Defense Authorization Act (S. 3454).
The bill under consideration states that the director of the Defense Intelligence Agency and the assistant secretary of defense for networks and information integration would make the decision “that the exclusion of a particular source is necessary to avoid an unacceptable supply-chain risk."
Furthermore, it states that a company “shall not be subject to disclosure.”
The committee’s concern for the supply chain stems from a 2009 DOD report on trusted defense systems. DOD found that the globalization of the IT industry has increased the department's IT systems vulnerability. The report found a growing risk that systems and networks critical to DOD could be exploited through counterfeit systems or malicious code and other defects introduced by suppliers.
“The committee concludes that the secretary should have the authority needed to address this risk,” according to the committee’s report, which sheds light on the bill’s provisions.
However, the current Senate is unlikely to pass the bill and will have to revisit the legislation when the new Congress convenes in January.
“The new Congress will have to start over, but the delay will not have any significant impact,” said Robert Burton, former deputy administrator in the Office of Federal Procurement Policy and now a partner at the Venable law firm.
Nevertheless, the provision has raised concerns in the acquisition community, which fears DOD could go too far extending its authority.
“It is stunning. Basically, any contractor can be excluded from a competition because of an ‘unacceptable supply-chain risk,’” Burton said. “I think the provision is overly broad and could be abused.”
Companies on such a list also could be included in similar action by other agencies, even beyond the defense community, and might lead to their questioning a company’s reputation, said the American Small Business Association. This could start de facto debarments across the government without due process.
Alan Chvotkin, executive vice president and counsel at the Professional Services Council, said the government can find better options for keeping a check on supply-chain risks.
“Exclusion should be the last approach,” he said.
Chvotkin acknowledged that the DOD has a legitimate concern for malicious IT systems. But the legislation's standards are too broad when determining a risky system, he said, and added that those standards need to be worked out.
PSC and other industry groups have met with the Senate committee, and Chvotkin said the committee staff members have been open, substantive discussions.
Matthew Weigelt is acquisition editor for Federal Computer Week.