Mitigating Risk 2015 SEWP Acquisition Summit and Training 1 December 8-10, 2015

Mitigating Risk

2015 SEWP Acquisition Summit and Training

1 December 8-10, 2015

Information Flow

As a central Program for decentralized Government Acquisition, SEWP is an information channel between Industry and Government and between Agency decision makers and their Acquisition teams

2

Definitions

• Definitions are important

• Supply Chain

• Supply Chain Risk Management (SCRM)

• Levels of Assurance

• Counterfeit/tainting

• Authorized reseller

• Gray market vs. Black market

3

Standards

• Standards and guidelines under development
  • Over 100 groups
  • Indicates both level of interest and degree of difficulty
• NIST
  • NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
  • Workshops
• Open Trusted Technology Provider Standard: OTTP-S
  • Included in SEWP V RFP
  • Industry led with DoD and NASA SEWP participation
  • http://www.opengroup.org/

4

The Open Group

• Open Trusted Technology Provider™ Standard (O-TTPS)
  • Mitigating Maliciously Tainted and Counterfeit Products
  • The O-TTPS is an open standard containing a set of organizational guidelines, requirements, and recommendations for integrators, providers, and component suppliers to enhance the security of the global supply chain and the integrity of Commercial Off The Shelf (COTS) Information and Communication Technology (ICT)
• The O-TTPS™ Accreditation Program
  • The O-TTPS Accreditation Program enables customers to identify secure and trusted technology providers and their products in the global supply chain
• Now an ISO standard:
  • ISO/IEC International Standard (ISO/IEC 20243:2015)

5

SCRM Issues

• 100% Assurance impossible to achieve
• Risk can be identified and assessed
• There is a cost associated with lowering the risk
• Acquirer needs to do a risk/benefit analysis
• SEWP provides risk based information - product provenance

6

Supply Chain Risk Management

Levels of Provider designation:

• Manufacturer
• Authorized Reseller - All provider items
• Authorized Reseller - Subset of provider items
• Provider does not have an authorized reseller program
• Authorized Partner or Distributor
• Authorized Reseller - One Item / One Time
• Unidentified or unknown source

7

Authorized Reseller

• For some large Manufacturers, “authorized reseller”
  • Is a defined program/process that often requires technical knowledge and/or money
  • Has repercussions if non-authorized reseller is used
    • Manufacturer may not warrant the item
    • Provenance cannot be established
• Some companies allow resellers to officially resell their products without being an official authorized reseller
• Many manufacturers and resellers utilize approved distributors

8

Other Issues

• Many manufacturers do not have Authorized Reseller Programs or do not distinguish between an Authorized Reseller and Distributor
• Resellers can be authorized for specific product lines
  • SEWP handles/verifies partial authorization
  • SEWP also allows for a single instance authorization
• 100% reliance on Authorized Reseller has negative connotations
  • Small business effect
  • Reduced competition
  • Decision making as to which companies succeed or fail is fully in the hands of the manufacturer

9

Verification Process

• Authorization and verification process is not standard
  • In some cases there are certification letters that are rubber stamped with an “Enter Reseller Name here” (we have seen these letters – mistakenly sent in)
  • Who is authorizing – a close friend or an official person in the company?
• SEWP utilizes a verification process with the manufacturer

10

Steps for Assurance Verification

1. Contract Holder indicates relationship

2. Provides POC for company or distributor

3. POC receives email from SEWP to verify relationship

4. Provider relationship is removed if not valid

11

Ways customers can find information:

• Provider Lookup Tool
• Market Research Tool (MRT)
• Verification File

Quote Verification

• Verifies items on contract and properly priced
• Shows discount off contract price
• Supply Chain – Level of Provider Authorization
• Trade Agreements Act (TAA)
• EPEAT/Energy Star compliance

12

Verification File

Small Business

• Most small businesses do not have the personnel and/or money to be authorized for all product lines
  • Typically they use a distributor who is authorized to distribute the Manufacturer’s products
  • SEWP recognizes that use of an authorized distributor can be a risk mitigator
• If all Government resellers were required to be directly authorized resellers for all products, most would have to go out of business – especially the smaller ones
  • Trade-offs in recognition of Government policy encouraging small businesses need to be considered

13

Some Recommendations

• Base decision on risk management:
  • Critical parts of critical systems will need the lowest risk – authorized reseller requirement can reduce risk at this level
  • Basic parts for general systems may be better served by allowing resellers to obtain products through a distributor channel
  • Preferences can be given to provide price, technical, and risk trade-offs
• Know what the information means:
  • For the given manufacturer, what is the meaning and effect of authorized reseller?

14

Order Fulfillment and Contract Adherence

• Regardless of Authorization level:
  • Contract Holder must fulfill order as quoted
  • All items must be authentic
  • All items must be warrantable/maintainable
  • Items must be new unless noted on Quote and allowed on RFQ
  • Quote must match all aspects of customer requirement/specification

15

Post-Award Correspondence

• If a company/non-awardee tells the CO that the awardee cannot fulfill an order; is using counterfeit parts; cannot maintain the products; etc.:
  • Do not assume provided information is correct regardless of source
  • Even the manufacturer may have a stake in a different award
  • Awardee MUST fulfill order as quoted with authentic and maintainable parts
  • Notify SEWP of any legitimate concerns ([email protected])
  • Contact awardee (ccing the SEWP Office) for confirmation

16

Other Important Points about SCRM

• Rely only on SEWP provided information, not industry
• Customer can indicate requirements in RFQ
  • Customer can state “Authorized only”
  • If a quote is returned with non-authorized, ignore and notify [email protected]
• Contract Holder must identify products quoted as used/refurbished
• Customers can require other proof of SCRM mitigation such as OTTP-S certification or other ISO/IEC International Standards
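An added example, not code from the SEWP program or this deck, that scripts the screening rules above: it resolves a Contract Holder's designation per line item using the slide 7 levels, honours the partial and single-instance authorizations from slide 9, and applies the critical-part rule from slide 14, the new-unless-allowed rule from slide 15 and the "Authorized only" RFQ flag from this slide. The class and function names, and the sample holder and items used to exercise it, are assumptions.

```python
from dataclasses import dataclass, field

# Provider designation level names copied from slide 7 of the deck
AUTHORIZED = {"Manufacturer", "Authorized Reseller - All provider items"}
SUBSET = "Authorized Reseller - Subset of provider items"
DISTRIBUTOR = "Authorized Partner or Distributor"
UNKNOWN = "Unidentified or unknown source"

@dataclass
class LineItem:
    manufacturer: str
    product_line: str
    condition: str = "new"   # "new", "used" or "refurbished", as stated on the quote
    critical: bool = False   # critical part of a critical system (slide 14)

@dataclass
class ContractHolder:            # hypothetical model of a SEWP Contract Holder
    designations: dict                            # manufacturer -> level name (slide 7)
    subsets: dict = field(default_factory=dict)   # manufacturer -> covered product lines
    one_time: set = field(default_factory=set)    # (manufacturer, line) single-instance auths

def item_level(holder, item):
    """Resolve the holder's designation for one item: partial (subset) and one-time
    authorizations from slide 9 only count for the product lines they actually cover."""
    level = holder.designations.get(item.manufacturer, UNKNOWN)
    if level in AUTHORIZED:
        return "authorized"
    if level == SUBSET and item.product_line in holder.subsets.get(item.manufacturer, ()):
        return "authorized"
    if (item.manufacturer, item.product_line) in holder.one_time:
        return "authorized"
    if level == DISTRIBUTOR:
        return "distributor"   # accepted risk mitigator for basic parts (slides 13 and 14)
    return "unverified"

def screen_quote(holder, items, authorized_only=False, used_allowed=False):
    """Return (index, finding) pairs; an empty list means no SCRM finding on the quote."""
    findings = []
    for i, item in enumerate(items):
        level = item_level(holder, item)
        if authorized_only and level != "authorized":
            findings.append((i, "RFQ says 'Authorized only': non-authorized quote, notify SEWP"))
        elif item.critical and level != "authorized":
            findings.append((i, "critical item needs an authorized source"))
        elif level == "unverified":
            findings.append((i, "provenance cannot be established"))
        if item.condition != "new" and not used_allowed:
            findings.append((i, "items must be new unless allowed on the RFQ"))
    return findings
```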

17

Future SCRM Plans for SEWP

• Use of assessed list
  • Companies/products that are assessed & cleared by an agency (ex. NASA 516 Rule)
• Adding address of parent company to Market Research Tool
• Flag for compliance with ISO/OTTP-S in QRT and verification file
• Authorized reseller button in QRT for customer to request authorized quotes only
  • Be careful – this may limit competition or not allow for any responses

18

Questions?

19