DoD and GSA Take Aim at Supply Chain Risks

By Adelicia R. Cliffe, Kate M. Growley, CIPP/G, CIPP/US, Evan D. Wolff, Michael G. Gruden, CIPP/G & Christopher Hebdon on January 15, 2021

The Department of Defense (DoD) recently implemented additional procedures for the mitigation of cybersecurity risks in its supply chain. Designed to identify and mitigate cybersecurity and related supply chain risks throughout a program’s lifecycle, DoD Instruction 5000.90, Cybersecurity Acquisition Decision Authorities and Program Managers, requires program managers to:

  • Assess contractors’ cybersecurity posture, including, where applicable, verifying compliance with the DoD’s newly introduced Cybersecurity Maturity Model Certification (CMMC);
  • Consider the extent to which contractors have experienced “significant” incidents resulting in network breaches or data loss;
  • Avoid program requirements that may necessitate the use of contractors or suppliers that are owned or controlled by a foreign adversary government or are subject to the jurisdiction of a foreign adversary government;
  • Manage any supply chain risks associated with foreign ownership, control, or influence (FOCI); and
  • Mitigate supply chain risks using a framework that prescribes escalating risk management actions across four risk tolerance levels.

Alongside the DoD, the General Services Administration (GSA) recently introduced, as part of a draft solicitation for the Polaris small business government-wide IT contract, its own Vendor Risk Assessment Program (VRAP). According to the draft solicitation, the VRAP is designed to identify, assess, and monitor supply chain risks associated with FOCI, cybersecurity, and other factors, such as financial performance.

Adelicia R. Cliffe

Adelicia Cliffe is a partner in the Washington, D.C. office, a member of the Steering Committee for the firm’s Government Contracts Group, and a member of the International Trade Group. Addie is also co-chair of the firm’s National Security practice. Addie has been named as a nationally recognized practitioner in the government contracts field by Chambers USA.

Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley (CIPP/US, CIPP/G) is a partner in the Washington, D.C. office of Crowell & Moring. She is a member of the Steering Committee for the firm’s Privacy & Cybersecurity Group, while working closely with the firm’s Government Contracts and Litigation Groups. Her practice covers a wide range of information security counseling and litigation engagements, including cybersecurity compliance, incident response, regulatory assessments and investigations, and disputes surrounding data breaches and trade secrets.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Michael G. Gruden, CIPP/G

Michael G. Gruden is an associate in Crowell & Moring’s Washington, D.C. office where he is a member of the firm’s Government Contracts and Privacy & Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Christopher Hebdon
  • Posted in:
    Administrative, Corporate Compliance
  • Blog:
    Government Contracts Legal Forum
  • Organization:
    Crowell & Moring LLP