While Congress dithers about tax rates, a crucial piece of legislation, the National Defense Authorization Act of 2011, is still not resolved. This legislation may allow government officials to secretly blacklist contractors, with no notice, and no public accountability.
We examined some of the potentially alarming implications of Section 815 of this Act last week, and continue our analysis here.
Section 815 of the 2011 NDAA defines a supply chain risk as:
(4) The term ‘supply chain risk’ means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system or a covered item of supply so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of the system or item.
An "adversary" is not defined by this legislation, and there is no reference to an accepted definition in the U.S. Code. An obvious example would be an al Qaida terrorist. No one wants such a person working for a government contractor or subcontractor.
But what about a mischievous person? Someone who slips in a line of code as a joke or calling card? How about a careless programmer? A quick jaunt around StackOverflow.com can yield plenty of examples of funny comments, little "features," and all manner of bugs that made it into programs because programmers were coding for three days straight on only eight hours' sleep and gallons of coffee. If a little joke affects the performance of a "covered system," will the whole company be debarred?
What about a bug? The section mentions "maliciously" introducing unwanted function, but it also says "or otherwise subvert"--meaning that malice may not be a criterion for deciding whether a programmer's actions fall under the definition of subversion. All code has bugs; the open-ended language of this legislation makes it ambiguous whether a given bug is something that gets fixed with a patch or something that bankrupts the contractor.
This bill basically puts the onus on prime contractors to closely monitor the actions of all their employees as well as the employees of their subcontractors. While a terrorist might not have the patience to infiltrate a major prime contractor, build up years of trust, and then quietly place malicious code into crucial systems, contractors will still face devastating outcomes if an employee goes rogue.
No prime contractor is going to have the ability to examine every line of code in every program supplied by a subcontractor for bugs, pranks, or malicious code. The cost of doing so is prohibitive. This doesn't even cover the intellectual property issues that might come into play; subcontractors may have trade secrets in their code that they do not want a larger company to co-opt. Subcontractors may find that the increased scrutiny or intellectual property risks are not worth it, and are, in effect, self-selected out of government contracting. And, of course, the cost of whatever "qualification requirements" are imposed could be prohibitive for smaller businesses, leading to either more self-selection out of contracting or the de facto debarment that the American Small Business League warns about.
It is important to remember that we already have measures in place to debar contractors who deal with foreign terrorists or whose practices might weaken the supply chain. In addition to the measures identified in the Federal Acquisition Regulations and their supplements, the Excluded Parties List provides a means of excluding potentially terrorist-linked firms without the secrecy, and the potential for abuse, that comes with placing that power in the hands of a few agency heads.
Even if Section 815 of this Act does not survive the legislative process to become law, a seed has been planted. The notion of withholding payments from contractors with "inadequate" business systems started in a proposed DFARS rule and subsequently appeared in modified form in Section 841 of the 2011 NDAA. Another version of Section 815 may well crop up in the Federal Acquisition Regulations.
Not only that, but these legislative and regulatory moves point to a larger trend: federal government officials are increasingly seeking to monitor prime contractor and subcontractor work, with potentially crippling consequences if they don't like what they see. Subcontractors are coming under increasing scrutiny; they are taking unnecessary risk if they do not have an effective means to track and comply with the requirements flowed down to them from the Federal Acquisition Regulations. Meanwhile, prime contractors are forced to become increasingly risk-averse and deal only with companies they can trust to follow the regulations, while they themselves grapple with managing the regulations that apply to them.