The description of this provision reads: The Secretary of Defense shall streamline and digitize the existing Department of Defense approach for identifying and mitigating risks to the defense industrial base across the acquisition process, creating a continuous model that uses digital tools, technologies, and approaches designed to ensure the accessibility of data to key decision-makers in the Department.
Essentially, the government is directing DoD to adjust its risk mitigation framework so that downstream suppliers are also included.
They are looking specifically at these supply chain risks:
- material sources and fragility;
- counterfeit parts;
- cybersecurity of contractors;
- vendor vetting in contingency or operational environments; and
- other risk areas as determined appropriate.
And these risks posed by contractor behavior:
- ownership structures;
- trafficking in persons;
- workers’ health and safety;
- affiliation with the enemy; and
- other risk areas as deemed appropriate.
Let’s say I am a contractor serving the Department of Defense. I may be supplying an assembly of some kind, a device or a simulator or something. However, I’m just the integrator, not the person actually building the digital pieces.
Now, what happens if some of the parts that I’m using come from a forbidden foreign supplier? Or if my manufacturing plant is in a prohibited foreign country? Or if the country is not forbidden, but it is doing a project (e.g., building a 5G network) using companies that are on the prohibited list?
So you can begin to see that there are tons of implications and risks that track across the entire industrial base, down to whose chips I am using in my digital manufacturing and whose chips I am using to assemble my products. So while this provision seems like a simple update to the risk mitigation framework, it represents an enormous issue across the entire DoD.