On May 11, 2017, the U.S. China Economic and Security Review Commission (“Commission”) issued a Request for Proposal to “to provide a one-time unclassified report on supply chain vulnerabilities from China in U.S. federal information technology (IT) procurement.”

Congress established the Commission in 2000 to monitor and report to Congress on the national security implications of China’s economic relationship with the United States.  See Commission website here.  The Commission is composed of 12 members serving two year terms, three of whom are selected by each of the Majority and Minority Leaders of the Senate, and the Speaker and the Minority Leader of the House.

The report being sought via the RFP will serve as a “reference guide for policymakers on how the U.S. government manages risks associated with Chinese-made products and services and the participation of Chinese companies in its information technology (IT) supply chains.”  It is envisioned that the report would be briefed to the Commission and interested members of Congress, among others.  The winning contractor must produce a report that addresses at least the following:

• Summary of the laws, regulations, and other requirements since the passage of the Federal Information Technology Acquisition Reform Act in 2015.  See our discussion of final OMB guidance on implementing FITARA here.  Among the requirements is a comparison of the risk management process for non-national security and national-security-related IT procurements.
• Evaluation of how Chinese firms and Chinese-made IT products and services enter U.S. government IT supply chains.  In particular, an evaluation of how reliant U.S. government and U.S. government IT contractors are on Chinese firms and Chinese-made IT products and services.
• Assessment of points of vulnerability in the procurement system, particularly for IT products and services designated as high risk by the U.S. government’s Chief Information Officers (CIO).  Evaluation of whether the CIOs are adequately assessing risk in their ratings of IT products and services.
• Assessment of why the vulnerability points identified above exist, and an explanation of the factors contributing to the challenge of supply chain insecurity.  Explanation of how vulnerabilities are expected to shift in the next 5–10 years, particularly as Chinese firms move up the value-added chain.
• Assessment of whether the U.S. government’s management of the risks associated with Chinese firms and Chinese-made products and services to its IT procurement supply chains is sufficient.  Provide a comprehensive description of cases in which the Chinese government, Chinese companies, or Chinese products have been implicated in connection with U.S. supply chain vulnerabilities or exploitation.

This focus on supply chain vulnerabilities is consistent with DoD’s emphasis in the past few years on protecting its supply chain, including rules that address the exclusion of contractors that DoD perceives as presenting a supply chain risk in national security systems, as well as the Department’s rules requiring contractors to provide more oversight of their supply chains to help prevent counterfeit electronic parts.

Proposals are due on June 14 with a report due 90 days from contract execution.