DoD just cancelled Anthropic, government style. To do so, it used a procurement law directed to the military to designate Anthropic a supply chain risk. [Here is The Defense Salon article discussing this.]
That is not the only law permitting the federal government can cancel a contractor. The Federal Acquisition Supply Chain Security Act (FASCSA) (41 U.S.C. §§ 1321–1328; 41 U.S.C. § 4713) also allows for the federal government to ban businesses that present a “significant supply chain risk” from federal contracts and subcontracts.
This is the law that the government used to ban the Chinese telecom company Huawei from Federal Government contracting. (Click here for The Defense Salon’s post on this ban.) It has been used to bansome other Chinese companies and Kaspersky, a Russian company from government contracting.
While FASCSA was not used to ban Anthropic, make no mistake: the government absolutely can use it to designate a business as a supply chain risk and to exclude it from contracting.
The FASCSA legal requirements in some ways are like the law that DoD used with Anthropic but, it also has significant differences.
Read on for more.
Authority: FASCSA created the Federal Acquisition Security Council (FASC), an interagency committee that coordinates government wide review of supply chain risks and mitigation of identified risks. This Council must develop criteria for determining when a business is a significant supply chain risk.
Identifying Supply Chain Risks: The FASC must develop criteria for determining when a business is a significant supply chain risk and determine when a business should be excluded from government contracting or limited in what it may provide the government.
Definition of a Supply Chain Risk: As in the law DoD used to designate Anthropic a supply chain risk, the definition of supply chain risk is similar and the risk being evaluated is the risk of certain technologies being disruptive. More specifically, a supply chain risk is the risk that a person or business “may sabotage, maliciously introduce unwanted function, extract data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, maintenance, disposition, or retirement of certain technology in such a way that the technology may surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of technology or information stored or transmitted[…].
The covered technologies include, for example:
- cloud computing services
- telecommunications equipment
- telecommunications service,
- processing of information on federal IT systems
- processing of federal information non-federal information systems
- hardware, systems, devices, software
Notice and Opportunity to be Heard: Businesses who have been designated as a significant supply chain risk must be given at least 30 days’ notice of the proposed exclusion, some information on why it is being banned, and the opportunity to respond with evidence on why it should not be banned. This is due process: notice and an opportunity to be heard.
Written Findings: The FASC must draft a written determination, which can be classified or unclassified, explaining:
- The national security risk
- Why the action is necessary
- Why less restrictive measures are insufficient
If there is an urgent national security risk, this process can be temporarily bypassed so a company can be banned, but ultimately the process must be followed.
Result of Being a Supply Chain Risk: Once a company is designated as a supply chain risk the government may exclude it from Federal Government contracting or limit when its technology may be purchased for certain procurements. The supply chain risk designation also supports the determination that a business is not a responsible source. Significantly, like the law DoD used to ban Anthropic, FASCSA applies only to federal procurement, not to private sector commercial business.
Congress & The Courts: Agencies must report to Congress on their decision to designate a company as a supply chain risk, to include explaining the bases of its decision. Designated companies may appeal the decision in Federal court to assure that the government followed the requirements of FASCSA.
Take Aways for Contractors and Subcontractors
- Understand and comply with your obligations in the FAR and DFARS to avoid those businesses that have been banned under FASCSA, like Huawei.
- Your contracts and subcontracts require that you certify you are complying with the bans against Huawei and other companies.
Know where your technology is coming from. That means conducting due diligence on suppliers and business partners that provide technology and on subcontractors that perform on your prime contracts. And document the diligence done.
ARTICLE
