1. Home
  2. |Insights
  3. |DoD and GSA Take Aim at Supply Chain Risks

DoD and GSA Take Aim at Supply Chain Risks

Client Alert | 1 min read | 01.15.21

The Department of Defense (DoD) recently implemented additional procedures for the mitigation of cybersecurity risks in its supply chain. Designed to identify and mitigate cybersecurity and related supply chain risks throughout a program’s lifecycle, DoD Instruction 5000.90, Cybersecurity Acquisition Decision Authorities and Program Managers, requires program managers to:

  • Assess contractors’ cybersecurity posture, including, where applicable, verifying compliance with the DoD’s newly introduced Cybersecurity Maturity Model Certification (CMMC);
  • Consider the extent to which contractors have experienced “significant” incidents resulting in network breaches or data loss;
  • Avoid program requirements that may necessitate the use of contractors or suppliers that are owned or controlled by a foreign adversary government or are subject to the jurisdiction of a foreign adversary government;
  • Manage any supply chain risks associated with foreign ownership, control, or influence (FOCI); and
  • Mitigate supply chain risks using a framework that prescribes escalating risk management actions across four risk tolerance levels.

Alongside the DoD, the General Services Administration (GSA) recently introduced, as part of a draft solicitation for the Polaris small business government-wide IT contract, its own Vendor Risk Assessment Program (VRAP). According to the draft solicitation, the VRAP is designed to identify, assess, and monitor supply chain risks associated with FOCI, cybersecurity, and other factors, such as financial performance. 

Contacts

Insights

Client Alert | 2 min read | 07.15.26

CMMC Phase II Suspension Requires Reconsideration of Such Requirements in Solicitations

As discussed in more detail here, the U.S. Department of War (DoW) recently issued a memorandum (Memo 26-P-1023, dated July 13, 2026) directing the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements (Level I and II self assessments are still permitted). Significantly, the memo directs that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.” Moreover, the DoW issued a memorandum on implementing these requirements (available here), directing agencies to issue amendments removing CMMC Level 2 and 3 requirements from active solicitations “as soon as practicable.” Contractors should monitor the government’s compliance with this requirement and should be prepared, if needed, to file a bid protest to protect their rights....