GSA Introduces Vendor Risk Assessment Program in Draft Solicitation

GSA Introduces Vendor Risk Assessment Program in Draft Solicitation

The General Services Administration could soon start requiring on-site assessments of certain federal contractors under a new program to scrutinize risks to the supply chain. 


Tucked into the draft of a new governmentwide acquisition vehicle for information technology services called Polaris is language describing a tool to “identify, assess and monitor supply chain risks of critical vendors” using classified and unclassified sources.


GSA said once the tool it’s developing—referred to as the Vendor Risk Management Program—is complete, “the contractor agrees the government may, at its own discretion, perform audits of supply chain risk processes or events,” adding, “on site assessments may be required.” 


The Vendor Risk Assessment Program first appeared online in a Sept. 2017 blogpost by GSA’s Shon Lyublanovits describing plans to address risks to the supply chain of the government’s information and communications technology. Around that time, agencies would have been busy working to remove Kaspersky software from their systems. And GSA was engaged in a series of pilots toward a service that would be shared across the government to uncover businesses’ due diligence, including for cybersecurity concerns.  


Since then, there has also been a focus on removing technology from Chinese suppliers from government systems, but the government’s attempt to more comprehensively review its supply chain for risks outside of a product’s country of origin are just getting off the ground. Now the SolarWinds hack, which leveraged a ubiquitous supplier of IT management technology to gain unauthorized access to government agencies, could be providing more urgency.


“Given the increased focus on supply chain risk management, GSA w ..