Compliance Guide

Supply Chain Risk Management (SCRM) for Government Contractors

Supply chain security has become a critical evaluation factor in federal procurement. From the Section 889 ban on certain telecommunications equipment to SBOM requirements for software, contractors must demonstrate robust supply chain risk management practices to win and perform on government contracts.

Bureauify Research Team

This guide covers the key regulations, frameworks, and practical steps for building a defensible SCRM program.

100M+ government records · 300+ gov/news sources · Updated hourly

Section 889: Telecommunications Equipment Ban

Section 889 of the FY 2019 National Defense Authorization Act is the most impactful supply chain regulation for government contractors. It operates in two parts that have been phased in over time.

Part A (effective August 2019) prohibits federal agencies from procuring or obtaining any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component. The covered entities are Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology, along with their subsidiaries and affiliates.

Part B (effective August 2020) goes further: it prohibits agencies from contracting with any entity that uses covered telecommunications equipment or services, regardless of whether that equipment is related to the government contract. This means contractors must remove covered equipment not just from government-facing systems but from their entire enterprise.

Contractors must complete the representation at FAR 52.204-26, declaring whether they use any covered equipment. False representations can result in False Claims Act liability, suspension, and debarment.

NIST SP 800-161: Cyber Supply Chain Risk Management

NIST Special Publication 800-161 Rev 1 (“Cybersecurity Supply Chain Risk Management for Systems and Organizations”) provides the framework for identifying, assessing, and mitigating cybersecurity risks throughout the supply chain. While not yet universally mandated in contracts, it is increasingly referenced as the standard for C-SCRM programs.

The framework integrates supply chain risk management into the broader NIST Risk Management Framework (RMF) and addresses risks at three levels: the organizational level (governance and policies), the mission/business level (supply chain due diligence), and the operational level (technical controls on acquired components).

Key practices from NIST 800-161 that contractors should implement include:

  • Establishing a C-SCRM team with executive sponsorship
  • Developing supplier criticality assessments to prioritize risk management efforts
  • Implementing supplier qualification and monitoring processes
  • Requiring security provisions in supplier contracts and agreements
  • Validating the integrity and provenance of acquired products and components
  • Maintaining awareness of threats targeting your supply chain

FASCSA: Federal Acquisition Supply Chain Security Act

The Federal Acquisition Supply Chain Security Act (FASCSA), enacted as part of the SECURE Technology Act of 2018, established the Federal Acquisition Security Council (FASC) — a cross-agency body responsible for evaluating and responding to supply chain risks in federal procurement.

The FASC can issue supply chain risk orders that apply government-wide, directing agencies to exclude specific products, vendors, or services from federal procurement. These orders can be based on intelligence assessments, vulnerability analyses, or other risk factors identified by member agencies including CISA, GSA, the DoD, and the intelligence community.

For contractors, FASCSA means that supply chain exclusions can be imposed beyond the named entities in Section 889. The FASC can act on a broader range of threats, and its orders can apply to hardware, software, and services from any country or entity deemed to pose an unacceptable risk. Contractors should monitor FASCSA orders and ensure their supply chains do not include excluded sources.

Software Bill of Materials (SBOM) Requirements

Executive Order 14028 (“Improving the Nation's Cybersecurity,” May 2021) directed federal agencies to require SBOMs from software suppliers. An SBOM is a machine-readable, structured inventory of all components, libraries, and dependencies in a software product.

The minimum elements of an SBOM, as defined by NTIA, include:

  • Supplier name for each component
  • Component name and version string
  • Unique identifiers (e.g., CPE, PURL)
  • Dependency relationships between components
  • Author of the SBOM data
  • Timestamp of when the SBOM was generated

Accepted SBOM formats include SPDX (Linux Foundation) and CycloneDX (OWASP). Contractors developing software for federal agencies should integrate SBOM generation into their CI/CD pipelines and be prepared to deliver SBOMs in one of these standard formats.
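Before delivery, it is worth checking a generated SBOM against the NTIA minimum elements listed above rather than trusting the tool that produced it. The following is an added example (not code from the page or from any SBOM tool) that checks a CycloneDX JSON document for a supplier, name, version and identifier per component, an SBOM author and timestamp, and a dependency graph whose references all resolve; the sample SBOM is constructed for the example.

```python
"""Check a CycloneDX JSON SBOM for the NTIA minimum elements (added example)."""
import json

# Constructed sample SBOM: one compliant component and one with gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-03-01T12:00:00Z",
                 "authors": [{"name": "Example Contractor Build Pipeline"}],
                 "component": {"type": "application", "name": "acme-portal",
                               "version": "2.3.1", "bom-ref": "app"}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "requests", "version": "2.31.0",
         "supplier": {"name": "PSF"}, "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "bom-ref": "lib-b", "name": "leftpad"}],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]}],
})


def check_ntia_minimum(sbom_json: str) -> list[str]:
    """Return findings for each missing minimum element; empty list means complete."""
    sbom = json.loads(sbom_json)
    findings = []
    meta = sbom.get("metadata", {})
    # Author and timestamp describe the SBOM data itself, not the software.
    if not meta.get("authors"):
        findings.append("metadata.authors missing (SBOM author)")
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing")
    refs = {meta.get("component", {}).get("bom-ref")}
    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        refs.add(comp.get("bom-ref"))
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"{label}: {field} missing")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: supplier name missing")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: no unique identifier (purl/cpe)")
    # Dependency relationships must exist and point at declared bom-refs.
    deps = sbom.get("dependencies")
    if not deps:
        findings.append("dependencies section missing")
    for dep in deps or []:
        for target in [dep.get("ref")] + dep.get("dependsOn", []):
            if target not in refs:
                findings.append(f"dependency ref {target!r} not declared")
    return findings
```

Run as a CI gate, a non-empty findings list fails the build, which catches the common case of a generator emitting components with no supplier or version.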

SBOM requirements are appearing in solicitations for custom software development, IT modernization, cloud services, and cybersecurity contracts. CISA has published guidance on SBOM practices, and agencies like the FDA now require SBOMs for medical device software submissions.

Key Agencies in Supply Chain Security

CISA (Cybersecurity and Infrastructure Security Agency)

Leads national efforts to secure critical infrastructure supply chains. Publishes ICT supply chain risk management guidance, maintains the Known Exploited Vulnerabilities (KEV) catalog, and coordinates supply chain threat intelligence sharing.

GSA (General Services Administration)

Manages federal procurement vehicles and implements supply chain security requirements across GSA Schedules, GWACs, and BPAs. GSA's Federal Acquisition Service plays a key role in FASCSA enforcement.

DoD (Department of Defense)

Drives SCRM requirements through DFARS clauses, CMMC, and the Defense Industrial Base (DIB) sector coordination. DoD's supply chain risk management extends to all tiers of defense contractors and subcontractors.

NIST (National Institute of Standards and Technology)

Develops the standards and frameworks (800-161, 800-171, SSDF) that underpin federal supply chain security. Provides the technical foundation for C-SCRM programs.

Demonstrating SCRM in Proposals

Federal solicitations increasingly include supply chain risk management as an evaluation factor. To score well, your proposal should demonstrate a mature, documented SCRM program. Here are the key elements evaluators look for:

Supplier Vetting and Qualification

Describe your process for evaluating and approving suppliers. Include criteria such as country of origin, ownership structure, security certifications, financial stability, and past performance. Show that you maintain an approved supplier list and conduct periodic reviews.

Component Provenance and Integrity

Explain how you verify the authenticity and integrity of hardware and software components. This includes anti-counterfeit measures for hardware, code signing and secure development practices for software, and SBOM generation for delivered products.

Continuous Monitoring

Demonstrate that SCRM is not a one-time activity. Describe how you monitor for changes in supplier risk profiles, emerging vulnerabilities in components, and new threat intelligence relevant to your supply chain.

Incident Response for Supply Chain Events

Show that your incident response plan covers supply chain compromise scenarios. Include procedures for notifying affected customers, isolating compromised components, and coordinating with CISA and other relevant authorities.

Regulatory Compliance Evidence

Provide clear evidence of Section 889 compliance, NIST 800-161 alignment, and any agency-specific SCRM requirements. Reference your FAR 52.204-26 representations and any third-party assessments of your SCRM program.

Frequently Asked Questions

What is Section 889 and what does it prohibit?

Section 889 of the John S. McCain National Defense Authorization Act for FY 2019 prohibits federal agencies from procuring telecommunications and video surveillance equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua (Part A), and prohibits contracting with any entity that uses such equipment (Part B). Contractors must represent their compliance and remove prohibited equipment from systems used in government work.

What is a Software Bill of Materials (SBOM) and when is it required?

An SBOM is a formal, machine-readable inventory of software components and dependencies in a product. Following Executive Order 14028 on Improving the Nation's Cybersecurity, agencies increasingly require SBOMs for software sold to the government. SBOM requirements are appearing in solicitations for custom software development, IT modernization, and cybersecurity contracts.

How do I demonstrate SCRM capabilities in a proposal?

Effective SCRM demonstration includes documenting your supplier vetting procedures, showing how you validate component provenance, describing your monitoring processes for ongoing supply chain threats, providing evidence of Section 889 compliance, and referencing your NIST 800-161-aligned risk management framework. Include specific examples of how you have identified and mitigated supply chain risks in past performance.
