PROCURE-TO-PAY TRAINING SYMPOSIUM 2018
Supplier Risk Management
Presented by: Ms. LeAntha Sumpter, Ms. Lisa Romney, Mr. Alan Robinson
April 2018

Supply Chain Threat Procedures
- DoD is developing processes to proactively address supply chain threats that present counterintelligence risk to our enterprise.
- The Deputy Secretary of Defense published new procedures to manage supply chain risk when procuring and integrating information and communications technology (ICT) into DoD national security systems (NSS) on March 13, 2018.

Supply Chain Threat Procedures
- Enhanced procedures provide for the enterprise use of authorities in Section 806 of the Ike Skelton National Defense Authorization Act for Fiscal Year 2011, and authorities and procedures implemented at DFARS Subpart 239.73, Requirements for Information Related to Supply Chain Risk.
- The new procedures allow:
  - Class Determinations to exercise Section 806 authority for a class of procurements vice an individual procurement transaction
  - Notification of the acquisition workforce regarding all Section 806 Class Determinations
  - Notification of each affected entity of each Class Determination

Supply Chain Threat Procedures
The DoD continues to pursue the following efforts to address gaps in supply chain management and to respond to industry and government needs:
- Improve threat information sharing across the intelligence community (including interagency), and with acquisition and operational users
- Evaluating current threat and vulnerability analysis capabilities

Supply Chain Threat Procedures
- Supply Chain Risk Management practices should include being aware of foreign ownership, control and influence and the risk to the U.S.
- Corporate supply chain risk management activities should be augmented with open source information, and risk mitigation practices that can increase awareness and mitigate Foreign Ownership, Control, or Influence (FOCI) risk.
- Leverage opportunities and be mindful of legal findings from any related lawsuits regarding suppliers of concern.

On the Horizon
Legislation may address national security risk by:
- Excluding sources in statute
- Redefining limited competition
- Redefining scope of responsibility determinations
- Strengthening vendor reviews
- Enhancing vendor reps and certs
- Enhancing data about vendors

Other Supplier-Focused Changes
- Implemented the Supplier Performance Risk System (SPRS)
- Implemented several improvements to the CAGE code assignment process
  - Established a 5-year expiration date for CAGE codes if not updated during that timeframe
  - Implemented address verification services
  - Improved processes for the CAGE status code
- Implemented several improvements to SAM
  - Nov 2017: a number of enhancements to the Exclusions area, providing more clarity regarding listed suspensions and debarments
  - Additional automation for SAM and CAGE for look-up / assignment of CAGE codes to excluded firms planned for modernized site
  - Jan 2018: added capability for entity administrators to restrict access for other users to act as admins for other entities in their hierarchy

Other Near-Term CAGE Improvements
- Reviewing all new registrations that come from SAM
- Expanding use of address services
- Expanded watch-list of items related to suspect data
- Expanding the process of expiring CAGE code records after five years without an update
  - Establish 5-year expiration date on CAGE codes that did not originate with SAM
  - Requires methodical review of process with potential stakeholders
  - Note: had already established a 5-year clock on CAGE codes established during SAM registration

New SAM Procedures
- GSA's SAM program office is supporting an active investigation by the GSA IG and DoD investigative units into alleged third-party fraudulent activity in SAM.
- At this time, a limited number of entities registered in SAM are suspected of being impacted by this fraudulent activity.
- As of March 22, 2018, SAM now requires an original, signed notarized letter identifying the authorized Entity Administrator for the entity before a new entity registration will be activated.
- Effective April 29, 2018, this process will be applied to entities updating a SAM record (one-time application unless Entity Administrator changes)
- Required for all types of registrants other than federal government
- GSA intends to replace the notarized letter process with more automated controls as soon as they can

Notarized Letter Process
- Alert posted on SAM.gov across the website with instructions to entity; email sent to reiterate after CAGE Code assignment
- Requires notarized letter designating entity administrator IAW the posted instructions
- Original letter signed by notary must be mailed to the Federal Service Desk (FSD):

  FEDERAL SERVICE DESK
  ATTN: SAM.GOV REGISTRATION PROCESSING
  100 CAPITOL COMMERCE BLVD STE 309
  MONTGOMERY, AL 36117-4260

- No time limit, but will not be activated without it
- FSD can receive FedEx, UPS, etc.

Section 806 Do Not Buy List
- SPRS will allow gov't users access to entire Do Not Buy list

Section 806 Do Not Buy List
- Risk Analysis will flag items on the Do Not Buy list