Is there baseline/benchmark established RFP verbiage for this? What would you recommend?
From a literature review and interviews with Supply Chain and Contracting leaders and POCs, I was unable to find an established, widely used, standardized baseline/benchmark for RFP verbiage specifically related to Supply Chain Risk Management (SCRM). The supply chain risks that SCRM is targeted to mitigate are very broad (noted below).
Recommendation: In addition to the DFARS clauses noted below (no doubt the questioner is already aware of these clauses), a potentially helpful update to mandatory RFP verbiage is a requirement for the vendor to include in their response a “Supply Chain Resiliency Plan” targeted to address known, stipulated supply chain risks as well as risks unique to the requirement. This is for the government’s awareness and tracking as well as for the vendor’s compliance if their response is successful.
- The question of what a Supply Chain Resiliency Plan would look like is fodder for further research. But the recommended response (above) does go to the “Question Title” noted above, “How to include supply chain risk management parameters in RFP?” Regarding inclusion of SCRM requirements in RFPs, the Cyber mission set could be further along than other fields. For example, DoDI 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN). Appendix E, pg. E-7, Flowchart E-3, Agency Implementation of Information and Communications Technology (ICT) SCRM Plan, references in the flow chart, “Publish ICT SCRM Plan Requirements in RFP/RFQ.”
- Also include (provided by one of the interviewees noted below):
  - The relatively new DFARS provision 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
  - The relatively new DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, which adds additional cybersecurity measures to those already required under DFARS 252.204-7012 by establishing enforcement methodologies for ensuring contractors have implemented the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology. This is related to contract cybersecurity requirements for DoD contractors. Assessments related to the cybersecurity requirements are posted to the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.dia.mil.
  - DFARS 252.204-7018, Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services (can't buy equipment from Huawei Technologies, ZTE Corporation, etc.)
  - DFARS 252.246-7007, Contractor Counterfeit Electronic Part Detection and Avoidance System
  - DFARS 252.246-7008, Sources of Electronic Parts