GSA introduces supply chain security process under Polaris contract

The General Service Administration is working on a tool to better gauge risks to the supply chain, and it could require on-site assessments for vendors.

The so-called Vendor Risk Assessment Program (VRAP) is described briefly in a draft request for proposals for the Polaris Governmentwide Acquisition Contract, the agency’s new information technology vehicle geared towards small businesses.

The program would use both classified and unclassified information to “identify, assess and monitor supply chain risks of critical vendors,” according to the draft. The government could then audit the supply chain for risky processes or events.

The program’s goal would be to monitor the risk of foreign influence, cyber risk and other factors that could impact a company’s vulnerability.

“In the event supply chain risks are identified and corrective action becomes necessary, mutually agreeable corrective actions will be sought based upon specific identified risks,” the draft adds. “Failure to resolve any identified risk in a timely manner may result in Government action up to and including contract termination.”

The idea of VRAP first appeared in a 2017 blog post about reducing cybersecurity risks in supply chain risk management, suggesting the creation of “a well-defined process and robust capability to evaluate known or potential risks related to suppliers of products and services using open source information.”

The creation of such a program could have increased urgency now, in the wake of the SolarWinds hack that left many federal agencies vulnerable to cyber espionage. In December, the Government Accountability Office found that many agencies do not have accurate supply chain risk management practices in place.

GSA is allowing feedback on the program and the draft solicitation as a whole until Jan. 29.