On October 30, DoD adopted as final, with changes, an interim DFARS rule that allows DoD to consider the impact of supply chain risk in specified types of procurements related to national security systems. A copy of the rule is available here. This final rule calls for contractors providing information technology to DoD, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, to mitigate supply chain risk to the supplies and services being provided to the Government. It also enables agencies to exclude sources identified as having a supply chain risk from consideration for award of a covered contract, in order to minimize the potential risk for supplies and services purchased by DoD to maliciously degrade the integrity and operation of sensitive information technology systems. The final rule is narrower than the interim rule in that the contract clause specified in the rule no longer is to be included in all government IT procurements, but instead is only applicable to covered national security systems and because the clause no longer contains a subcontractor flowdown.
We anticipate a further posting regarding this rule shortly.