Paul Netopski

FAR & DFARS: Procurement Power

GovernmentTechnology


Supply Chain Risk in Federal Acquisition

Dive into the complexities of supply chain risks in federal procurement. We examine how these vulnerabilities are identified, mitigated, and managed through pivotal FAR and DFARS clauses. Join Eric, Ruby, and Paul as they clarify the evolving landscape of supply chain security for contractors and agencies alike.

This show was created with Jellypod, the AI Podcast Studio.

Chapter 1

Spotlighting Supply Chain Risks

Eric Marquette

Welcome back to the Procurement Federal Acquisition Supplement & Defense Federal Acquisition Supplements Clauses podcast. I'm Eric Marquette, here with Ruby Sturt and Paul Netopski. Today we're digging into supply chain risk in federal acquisition—something that, honestly, just keeps getting more complex with every news cycle. Paul, you see this all the time—when we talk about 'supply chain risk', what are we really getting into?

Paul Netopski

Absolutely, Eric. Supply chain risk in this context covers a pretty wide spectrum—everything from counterfeit components sneaking into the hardware stack, to vendor insolvency that disrupts continuity, and of course, cyber vulnerabilities. If a supplier at any tier gets compromised, it can cascade right up into mission-critical systems. It's not just theoretical either; we've seen this play out in recent years with incidents like the Kaspersky software ban, where federal agencies had to scramble to strip out a product due to concerns about foreign influence and data exfiltration. Hardware-wise, think about those supply chain delays from overseas manufacturing; a single choke point can throw off a whole program.

Ruby Sturt

Yeah, and the cyber side's just wild. I mean, look at the NotPetya attack a few years back—one company’s compromised software update and suddenly dozens of organizations got hit. And Paul, you mentioned counterfeit stuff—I’ve heard stories of basic computer parts failing, traced all the way back to some knockoff manufacturer. It’s not just a headache; in federal contracts, that can spell a compliance disaster.

Paul Netopski

Exactly. That reminds me of a contract I worked on with a Navy prime, years ago. We caught a batch of network interface cards that were showing... odd traffic. On deeper inspection, they had undocumented data channels—which, you know, is a giant red flag. Nobody wanted to admit where they'd sourced those components, and it took a massive forensic effort to lock down the origin. Eventually, we had to work overnight to swap out everything on that system—contractors, agency leads, everyone. That incident really brought home how invisible some supply chain vulnerabilities can be, and the cost of not catching them early.

Eric Marquette

It's a stark reminder, isn't it? Supply chain risk isn't just some abstract regulatory box-tick—it shows up in real costs, delays, reputation blows. We talked in previous episodes about how the Supplier Performance Risk System can help spot issues, but as we’re seeing here, even a single weak link can cause ripple effects up and down the line.

Ruby Sturt

Makes you wonder how much gets through undetected, too—like, what's under the hood right now that we won’t find out about until next year?

Chapter 2

Proven Mitigation Strategies

Paul Netopski

Yeah, so mitigation has to go way beyond basic procurement checks. We do multi-tier vendor vetting now—looking not just at your direct supplier but also second, third, even fourth-tier vendors. Mandatory reporting is part of it—so if a supplier spots something weird in their supply chain, they’ve got to flag it up the chain. And there are specialized risk assessment tools—stuff like the SPRS, which tracks supplier performance and risk, and extensive background checks on vendors. More recently, Executive Orders like Section 889 of NDAA 2019 have clamped down hard, especially on telecoms from certain foreign providers. That’s meant big upgrades in due diligence and tracking. Eric, you probably remember how fast agencies had to respond after that dropped—it was, uh, all hands on deck for compliance teams.

Eric Marquette

I do, and it introduced a whole new level of urgency, didn’t it? We’ve seen contractors hit pause on entire projects just to double-check that none of their stuff—even off-the-shelf routers—breached those requirements. The ripple effects on procurement timelines and costs are massive.

Ruby Sturt

And, Paul, you brought up SPRS—we had a big chat back in episode eight about how it scores supplier performance on more than just price or delivery. But I’m curious, can AI-driven tools actually spot vulnerabilities earlier than humans? I know from my own work with Jellypod’s tech partners, there’s heaps of potential—pattern recognition, anomaly spotting, that kind of thing. But I’m not sure if it’s really penetrated government procurement yet, or is it more hype?

Paul Netopski

No, you’re onto something, Ruby. AI is starting to play a role, mostly in monitoring huge datasets for anomalies—like catching abnormal order volumes, or spotting a supplier suddenly changing up their delivery routes or the types of components they’re shipping. These tools can flag patterns that human reviewers might miss until it’s too late. They’re not perfect, especially when it comes to context—sometimes it’s just a small vendor scaling up, not a hack—but as a first layer of defense, it’s getting more valuable. The defense sector’s all over this, given how high the stakes are. But it always comes back to combining automation with experienced security teams. The human-in-the-loop thing still matters.

Eric Marquette

It’s never just one magic bullet, is it? It’s a blend—policy, new tech, awareness, and vigilance from everyone involved. And a healthy bit of skepticism whenever something looks a bit too good—or too cheap—to be true.

Ruby Sturt

Yeah, if your bid comes in miles under everyone else’s, probably a reason for it, right?

Paul Netopski

Exactly.

Chapter 3

Leveraging FAR and DFARS Clauses

Eric Marquette

So, let’s talk about the regulatory backbone here. When we mention federal acquisition and supply chain security, it basically means knowing your FAR and DFARS clauses cold. Paul, which ones are make-or-break when we’re talking cybersecurity and supply chain?

Paul Netopski

The big ones are DFARS 252.204-7012—that’s the clause mandating protection for covered defense information, incident reporting requirements, and the use of NIST SP 800-171 controls. You’ve also got FAR 52.204-21, focused on safeguarding controlled unclassified information. Critically, these don’t just bind the prime contractor. Through flow-down provisions, all subs and sub-subs in the chain have to comply too. If you miss that step, your whole contract could risk default. Prime contractors need to have airtight systems to track compliance, and many don’t realize just how deep they need to go.

Ruby Sturt

So, just to be clear—if you’re a teeny tiny sub three levels down and you miss a policy update, you’re still on the hook? That’s... a lot of pressure. I imagine communication’s the hardest bit, especially for folks new to this whole scene.

Eric Marquette

It is—and, funny you mention that, Ruby, because I was once part of a negotiation where a misunderstanding on DFARS flow-down almost caused the deal to collapse entirely. The sub wasn’t aware they needed to match the prime’s info security protocols. We paused, walked through FAR and DFARS obligations with them, spelled out exactly what needed to flow down in the contract, and—eventually—the panic cooled off. It’s a good lesson: clear communication, right at the start, can prevent months of headaches. And I think it’s something we keep coming back to in this series, isn’t it? Knowing the rules, communicating them well, and making them part of the team’s actual working mindset, not just a checkbox.

Paul Netopski

Yeah, and I’ll add—understanding your obligations, documenting them, and making sure they really are implemented at every level is where the difference lies. A lot of organizations stumble because they think a contract signature is enough. FAR and DFARS don’t leave much wiggle room.

Ruby Sturt

And if you’re listening and thinking “that sounds intimidating”—don’t worry, we’ll keep breaking it down, one episode at a time. Any last thoughts before we wrap?

Eric Marquette

Just this: supply chain risk isn’t going away. Stay vigilant, stay informed, and remember, every link matters. Ruby, Paul, always a pleasure chatting through the details with both of you.

Ruby Sturt

Same here! Thanks, Eric. Thanks, Paul. And thanks to everyone listening—catch you all next time!

Paul Netopski

Take care, everyone. Stay secure. Goodbye!