DoD makes federal supply chain risk management a requirement

September 20, 2019
Harris Allgeier

DoD makes supply chain risk management required for contractors

The Department of Defense issued a corrected class deviation 2018-O0020 which immediately “removes the sunset date at DFARS 239.7300(b) and changes the statutory citations in DFARS subpart 239.73 from section 806 Pub. L. 111-383 to 10 U.S.C. 2339a.” The changes mark the increasing importance of managing supply chain risk for DoD contractors who supply “covered item[s] of supply” and “covered systems.”

Ok, what?

Before we get into these incredibly important changes, it’s worth knowing what a “covered item” is per the DFARS. The recently published deviation defines it as “an item of information technology that is purchased for inclusion in a covered system and the loss of integrity of which could result in a supply chain risk for a covered system.”

Ok…so what’s a covered system?

The definition is a bit long, but it includes any system involved in military or intelligence activities beyond administrative and business applications. Basically, any IT or telecommunications system that’s critical to national defense, i.e., the U.S.’s most sensitive technology.

What’s changed about these Government supply systems?

The government is now evaluating the supply chain risk of any contractor or entity working on or interested in working on these systems. That makes this a huge deal to basically everyone in the defense contracting industry.

Supply chain risk sounds kind of vague. 

Sure, but that’s because it’s both incredibly broad and incredibly important. The government has helpfully defined it as “the risk that an adversary may sabotage, maliciously introduce unwarranted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such a system.”

Ok, so what’s changing immediately?

The biggest, most immediate change will be to all solicitations that fall under the governance of the DFARS, which means any work being contracted out by the DoD. The government specifically states that the provision will be included “in all solicitations…for the acquisition of commercial items, for information technology, whether acquired as a service or as a supply, that is a covered system or is in support of a covered system…” The provision also states that “in order to manage supply chain risk…the Government may consider information, public and non-public, including all-source intelligence, relating to an offeror and its supply chain.”

So, the Government is now assessing me on this?

Yes! Supply chain risk and security measures are now, explicitly and mandatorily, part of its evaluation criteria on any bid to work on a covered system. The government is also imbuing itself with the authority to consider any and all information it can find as part of that assessment. That means that if you’re failing to provide information or evidence of your attempt to mitigate supply chain risk, the government will check for you. And any action they take to limit the disclosure of information is explicitly not “subject to review in a bid protest.”

But how do I do that?

There’s only one solution that enables you to fully assess supply chain risk and to provide the government with full evidence of your ability to limit sabotage, maliciously introduced unwanted function, and subversion of the covered system’s design, integrity, manufacturing, production, etc.

Only one solution on the market today illuminates and fully maps the tiers and sub-tiers of your suppliers to fully uncover any unknown companies or countries’ involvement. Only one platform provides continuous monitoring of all these factors with near-real-time alerts, enabling you to know about a supply chain risk as soon as it’s introduced.


Interos, with AI technology, ingests over 85,000 dynamic and changing aggregated data sources and currently monitors the ripple effect of over 225 million events across more than 15 million suppliers for our customers every month. The data is run through our proprietary algorithms to provide up-to-date visualizations of your ecosystem, risk health scores for your suppliers, and insights tailored to each user and company.

Government agencies already use Interos to:

  • Map the tiers and sub-tiers of their suppliers to uncover unknown company and country involvement
  • Assess and monitor the risk of existing suppliers and their supply chains
  • Obtain Health Scores for each business
  • Maintain 24×7 near-real-time continuous global monitoring

The DoD has spoken. Are you listening?
