GSA MAKING SECURE SUPPLY CHAINS AN IDIQ REQUIREMENT

GSA is moving quickly to insert supply chain risk management (SCRM) language into both existing and new contracts. While contractors can initially self-certify that they meet some requirements, others, like Cybersecurity Maturity Model Certification (CMMC) compliance, will have to be verified by third parties (though check back in a few months to see if the CMMC train wreck has cleared the tracks). The bottom line for contractors is that SCRM is becoming another compliance factor that must be taken seriously. GSA officials have stated clearly that they will monitor and follow up with companies to ensure that their systems meet contractual SCRM requirements. Section 889 compliance (the prohibition on covered telecommunications equipment and services) is one part of SCRM compliance, and a new set of requirements now being devised within the Federal Acquisition Security Council will be another. The council will refine exactly what those requirements are over the next several months before working with GSA to identify the major contracts that meet federal SCRM business needs. Those contracts will include 8(a) STARS III, a signal that the agency will not spare small firms from meeting whatever new IT security requirements the government deems necessary. This is another incremental cost that takes the government further away from buying commercial items according to commercial standards. It is unclear whether anyone in GSA or elsewhere has considered whether existing or developing commercial IT security standards could meet the government's needs as an alternative to creating government-unique standards. For now, contractors should ramp up their SCRM programs and prepare for audits and possible whistleblower cases.