Supplier Risk Management - acq.osd.mil p2p training...

PROCURE-TO-PAY TRAINING SYMPOSIUM 2018

Supplier Risk Management

Presented by: Ms. LeAntha Sumpter, Ms. Lisa Romney, Mr. Alan Robinson

April 2018



Supply Chain Threat Procedures

DoD is developing processes to proactively address supply chain threats that present counterintelligence risk to our enterprise.

• The Deputy Secretary of Defense published new procedures to manage supply chain risk when procuring and integrating information and communications technology (ICT) into DoD national security systems (NSS) on March 13, 2018.


Supply Chain Threat Procedures

• Enhanced procedures provide for the enterprise use of authorities in Section 806 of the Ike Skelton National Defense Authorization Act for Fiscal Year 2011, and authorities and procedures implemented at DFARS Subpart 239.73, Requirements for Information Related to Supply Chain Risk. The new procedures allow:

• ‘Class Determinations’ to exercise Section 806 authority for a class of procurements vice an individual procurement transaction

• Notification of the acquisition workforce regarding all section 806 Class Determinations

• Notification of each affected entity of each Class Determination


Supply Chain Threat Procedures

• The DoD continues to pursue the following efforts to address gaps in supply chain management and to respond to industry and government needs.

• Improve threat information sharing across the intelligence community (including interagency), and with acquisition and operational users

• Evaluate current threat and vulnerability analysis capabilities


Supply Chain Threat Procedures

• Supply Chain Risk Management practices should include being aware of foreign ownership, control and influence and the risk to the U.S.

• Corporate supply chain risk management activities should be augmented with open source information, and risk mitigation practices that can increase awareness and mitigate Foreign Ownership, Control, or Influence (FOCI) risk.

• Leverage opportunities and be mindful of legal findings from any related lawsuits regarding suppliers of concern.


On the Horizon

• Legislation may address national security risk by
– Excluding sources in statute
– Redefining limited competition
– Redefining scope of responsibility determinations
– Strengthening vendor reviews
– Enhancing vendor reps and certs
– Enhancing data about vendors


Other Supplier-Focused Changes

• Implemented the Supplier Performance Risk System (SPRS)
• Implemented several improvements to the CAGE code assignment process
– Established a 5-year expiration date for CAGE codes if not updated during that timeframe
– Implemented address verification services
– Improved processes for the CAGE status code
• Implemented several improvements to SAM
– Nov 2017 – a number of enhancements to the Exclusions area, providing more clarity regarding listed suspensions and debarments
• Additional automation for SAM and CAGE for look-up / assignment of CAGE codes to excluded firms planned for modernized site
– Jan 2018 – added capability for entity administrators to restrict access for other users to act as admins for other entities in their hierarchy


Other Near-Term CAGE Improvements

• Reviewing all new registrations that come from SAM
• Expanding use of address services
• Expanded watch-list of items related to suspect data
• Expanding the process of expiring CAGE code records after five years without an update
• Establish 5-year expiration date on CAGE codes that did not originate with SAM
• Requires methodical review of process with potential stakeholders
• Note – had already established a 5-year clock on CAGE codes established during SAM registration


New SAM Procedures

• GSA’s SAM program office is supporting an active investigation by the GSA IG and DoD investigative units into alleged, third party fraudulent activity in SAM. At this time, a limited number of entities registered in SAM are suspected of being impacted by this fraudulent activity.

• As of March 22, 2018, SAM now requires an original, signed notarized letter identifying the authorized Entity Administrator for the entity before a new entity registration will be activated.

• Effective April 29, 2018, this process will be applied to entities updating a SAM record (one time application unless Entity Administrator changes)

• Required for all types of registrants other than federal government

• GSA intends to replace the notarized letter process with more automated controls as soon as they can


Notarized Letter Process

• Alert posted on SAM.gov across the website with instructions to entity; email sent to reiterate after CAGE Code assignment

• Requires notarized letter designating entity administrator IAW the posted instructions

• Original letter signed by notary must be mailed to the Federal Service Desk (FSD):

FEDERAL SERVICE DESK
ATTN: SAM.GOV REGISTRATION PROCESSING
100 CAPITOL COMMERCE BLVD STE 309
MONTGOMERY, AL 36117-4260

• No time limit, but will not be activated without it

• FSD can receive FedEx, UPS, etc.


Section 806 – “Do Not Buy” List

• SPRS will allow gov’t users access to entire Do Not Buy list


Section 806 – “Do Not Buy” List

• Risk Analysis will flag items on the Do Not Buy list
