What is going to come out of "the sausage factory"?
The machine that is the U.S. federal government—and, by implication, the Department of Defense (DoD) supply chain—can be difficult to understand, and the law-making process is not always pretty. As the old saying goes, "Laws are like sausages, it's best not to see them being made." Yet we really do need to keep our eye on the sausage making process because what comes out is a significant driver of our supply chains. Our lives in the supply chain are in many ways constrained, and often specifically directed, by what the U.S. Congress decides in Washington, D.C. If a company doesn't pay attention, it can be "blindsided."
The supply chain implications of the blindside hits can be significant. Consider the continuing trade tensions with China. The total value of bilateral trade between the United States and China dropped by nearly 14 percent in the first half of this year versus the same period in 2018, according to data from the U.S. Commerce Department. There are a variety of opinions on whether this is a positive development or a negative one. What is not in dispute is that the trade war has resulted in seismic shifts in some industrial supply chains, not a ripple.
Prepare for impact?
There may be another disruption on the way. On June 27, at the beginning of the summer, the U.S. Senate passed its version of the National Defense Authorization Act (NDAA) for Fiscal Year 2020. The Senate's version of the defense budget for the next year has an obscure feature built in. Section 831 provides for the "modernization of acquisition processes to ensure integrity of industrial base." In plain English, the way the government buys things will change, an attempt to better secure the industrial base data that supports DoD operations.
If the provision in the Senate version of the budget survives the reconciliation process with the House of Representatives, will Section 831 generate a seismic shift across the defense industrial base that cascades through the echelons in the private sector, or will it be just a ripple?
The focus of the bill is, "digitization and modernization." Specifically, "The Secretary of Defense shall streamline and digitize the existing Department of Defense approach for identifying and mitigating risks to the defense industrial base across the acquisition process, creating a continuous model that uses digital tools, technologies, and approaches designed to ensure the accessibility of data to decision makers in the Department."
This requires every organization under the secretary to identifynot only a framework for managing the risk but also the tools, technologies, and approaches for monitoring that risk. That monitoring provides decision makers with theability to identify a level of risk, compare it to a tolerance level, and rapidly identify mitigations to the risk.
Embedded supply chain risk—think Huawei's 5G technology—is influencing the thinking on Capitol Hill and legislation is in play to address it. Huawei is an obvious example of the embedded risk that Congress is trying to address, but the risk is bigger than Huawei. According to CNBC, "U.S. intelligence agencies have been backing away from China-made infrastructure for well over a decade, with companies such as Huawei and ZTE facing bans and skepticism." The U.S. Federal Government buys some of the most sophisticated, complex equipment on earth. From jet fighters to space shuttle components, the world's largest super computers, or leading edge medical devices, the government buys items made up of parts, These parts flow through a supply chains with tiers upon tiers of suppliers, pulling from every corner of the globe to create a capability.
A broadening scope
Section 831 of the 2020 NDAA directs the Under Secretary of Defense for Acquisition and Sustainment to take the lead in resolving this issue. Specifically, the under secretary will characterize and monitor supply chain risks, including the origin and vulnerability of the products, counterfeit products, cybersecurity sophistication of contractors, vendor vetting, and other risk areas as are determined appropriate. This risk characterization and monitoring extends through every tier of the supporting supply chain, beyond internal DoD structures to all supporting tiers in the commercial supply chain.
That is a broad directive.
Some industry experts support the bill. On a publicly accessible MITRE website, Peter Modigliani says, "There are critical risks across the industrial base which include adversaries stealing designs of critical systems to controlling and corrupting key elements of the supply chain. DoD must also develop contract strategies at portfolio and enterprise levels to minimize winner-take-all contracts that create a monopoly for key defense sectors and instead enable vibrant competition from many vendors from the primes down to all tiers of the supply chain. Digital solutions help DoD maintain an enterprise view."
While Modigliani and others may endorse the idea of the federal government being involved "from the primes [prime contractors to the department of defense] down to all tiers of the supply chain," there are contractors supporting the defense industrial base with a different point of view. Suppliers in the private sector often consider that type of information to be competition sensitive proprietary intellectual property; it's a basis of competitive advantage.
The bill directs the Department of Defense to take responsibility for the "characterization and monitoring of the health and activities of the defense industrial base." If this language passes, the Department can pass judgement on a company's profitability, investment, innovation, and technological and manufacturing sophistication, as well as the "culture of performance."
The world's best financial investors and venture capitalists attempt to do this daily, becoming experts in niche areas, trying to predict the outcome of a company's decisions in a specific market. Sometimes they get it right, and sometimes they don't. If the bill passes, Congress is assigning that same responsibility to federal employees who likely have dozens of contracts they are trying to manage, including vendor performance. Even using the same technology that the investors use to identify and rate risk, the magnitude of the challenge is significant.
The bill goes further. Currently individuals—not an office or a department—award federal contracts. There is a specific individual, known as the contracting officer, who generally has absolute final decision authority. Part of that final decision is the "responsibility determination," where contracting officers certify that, in their judgement, the contractor has the means and ability to complete the contract. If that determination is extended to encompass the risk associated with the tiers of the supplier's supply chain, however, the contracting officer might lack the skill, knowledge, and experience to accomplish the task.
The Senate version of the National Defense Authorization Act broadens the scope of the contracting officer's responsibility to include "consideration of the need for special standards of responsibility to address the risks." There is no definition of what is meant by standards of responsibility to address the risk; interpretation is left to the discretion of the contracting officer. A reasonable person could assert that the Senate wording isn't meant to be astandard; it's a catch-all. The "consideration" can be whatever the contracting officer wants it to be.
The issue of reliance on international sources of supply is real. Consider the need to prevent internationally sourced chips with snooper capability from being introduced into government equipment. The challenge lies in the implementation language. The complexity of requiring every commercial supplier to certify all tiers of the supply chain globally is prohibitive. Congress's approach is to use catch-all phrasing and expect the industry to figure it out. There is no consideration of the cost of implementing multitier oversight, certifications, and mechanisms (including insurance) to secure all tiers of the supply chains.
From the "spy chip" to foreign firms that pretend to be a U.S. firm, to the delivery of nonstandard parts, there are any number of nuances to the risk challenge. It is a complex problem. The largest producer of computer chips is China. Steel is also a vital defense commodity, and the United States imports substantial quantities from Russia. Another example is rare earth elements. According to the U.S. Government Accountability Office (GAO), "Rare earths are essential to the production, sustainment, and operation of U.S. military equipment. Reliable access to the necessary material, regardless of the overall level of defense demand, is a bedrock requirement for DoD." What the GAO delicately avoids mentioning is that China is the principal—and for some of the elements, the only—source.
Congress has a challenge. There is merit to both perspectives on Section 831. While we all like sausage, sometimes it's good to help make the sausage. If you have an opinion, share it with a congressional liaison, or pick up the phone and call Capitol Hill directly.
Editor's Note: A previous version of this article incorrectly stated that the MITRE Corp. supported the bill, it was actually Peter Modigliani writing on MITRE's website. His views do not necessarily reflect MITRE's.
