What Happens When the Government Perceives a Cybersecurity Risk in Your Supply Chain

The Federal Government is amping up its efforts to mitigate threats to cybersecurity. You might think that the Department of Homeland Security would be the agency concerned with mitigating risk stemming from cyber threats. But a recent case at the Court of Federal Claims (COFC) shows that the Government’s preoccupation with cybersecurity extends to all agencies. In this case, the Social Security Administration (SSA) needed new printers, but was determined to avoid the supply chain risks that it felt one bidder’s offer posed. The COFC sided with the agency, which raises the question of whether the Federal Government should centralize such decisions.

An Investigation into Foreign Ownership

Beyond the usual evaluation factors, the SSA’s solicitation for printers included one unusual evaluation methodology. That is, the solicitation described how the agency would investigate potential supply chain risk by looking at foreign ownership or control over the prime contractor, the subcontractor, and the location of the manufacturing facilities. As such, all offerors, including Iron Bow Technologies, the apparent awardee, were asked to provide detailed information about the printers they were proposing. Iron Bow did so, and waited to hear how their offer was received.


A Manufacturer Falls Out of Favor

Iron Bow proposed supplying the SSA with printers by Lexmark, a well-known, long-established printer manufacturer. As it turns out, the SSA (and other Government agencies) already used Lexmark printers in their facilities. So, Iron Bow might have felt they’d be a shoo-in to win the award. But after reviewing Iron Bow’s proposal, the SSA denied them the contract. The agency felt that the contractor’s offer presented an unacceptable supply chain risk, due to Lexmark’s foreign ownership. You see, Lexmark had become wholly owned by three Chinese entities, two of which had close ties to the Chinese Government.


The Problem with Printers

Given Lexmark’s connection to the Chinese Government, the SSA reviewed the US Government’s reports about Chinese Government cyber-espionage efforts. It found laws enabling the Chinese Government to obtain sensitive information (like source code) from companies under its jurisdiction. Because the printers would connect to the SSA’s Virtual Private Networks (VPNs) and other networks, they could pose a security risk if compromised. After all, printers are nodes on a network that can be hacked just as easily as any other part of it. And many large-scale printers have hard drives that retain a great amount of data even after the user is finished printing.


The Protest Heads to GAO, and then the COFC

Although the protest started at GAO, it eventually moved to the COFC, where a decision was rendered. The Court looked at SSA’s solicitation and at Iron Bow’s objections to the decision. Iron Bow’s complaints included that Lexmark printers are already in use within the Federal Government. Iron Bow also stated that Lexmark’s Chinese acquisition had, at the time of purchase, been reviewed by the US Government under the Committee on Foreign Investment in the United States (CFIUS). CFIUS had approved it and put a national security agreement in place that Iron Bow felt was sufficient protection. Finally, Iron Bow argued that Lexmark’s owners with ties to the Chinese Government only owned a minority of the company, and thus the potential risk was diminished.

The SSA responded to Iron Bow’s objections and the COFC weighed the arguments. To Iron Bow’s point that the Federal Government already used Lexmark printers, SSA stated that those printers had been obtained prior to the Chinese acquisition. To the contractor’s point about the CFIUS agreement, the COFC found that the agreement doesn’t actually address the kind of supply chain risk that SSA was concerned about. And Iron Bow’s point about the owners with ties to the Chinese Government only owning a minority of Lexmark fell short when the Court held that the 49% ownership was a large enough investment to pose a potential security risk. All of this added up to an adequate case for SSA not to give Iron Bow the contract, and the protest was denied.


The Subtext in Iron Bow’s Case

Iron Bow’s case at the COFC highlights the Government’s challenge in working with contractors whose supply chain includes commercial items produced under foreign ownership. When working with countries like China, there’s a concern about blurred lines between the public and private sectors. The government owns and controls some means of production in a communist country, and the US Federal Government must watch for places where that control might bleed over into a foreign country’s products and create a security risk. That concern cost Iron Bow and Lexmark SSA’s business.

The COFC felt that the agency’s decision was reasonable given the potential risk in using Lexmark printers. And potential risk (not actual risk) was all that the agency needed here. It was the standard in the solicitation and the one that the Court applied. As such, the case shows that an agency has broad power to evaluate and decide supply chain risk. Iron Bow’s case also raises the question of whether such decisions should be centralized. Is the interest of the SSA any different from the interest of another agency that might have even more sensitive information to protect? As the global situation changes, it’s possible that a single entity (like Lexmark) may find itself persona non grata on a Government-wide scale.


Iron Bow Technologies, LLC v. United States, et al., No. 17-1250C, Mar. 27, 2018.


For more on this topic, check out my interview with Tom Temin on Federal News Radio’s “Federal Drive.”
