Government and Industry Report: COVID Pandemic Illustrates Need for Resilience in ICT Supply Chains
In the midst of the ongoing COVID-19 pandemic, the federal government and private sector used ongoing supply chain partnerships to examine how the crisis exposed vulnerabilities in critical sectors that underpin our national resilience and recovery efforts. The latest examination comes from the Information and Communication Technology (ICT) Supply Chain Risk Management Task Force’s (SCRM), COVID-19 Impact Study Working Group (Study Group), a partnership between DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the IT and Communications Sector Coordinating Councils. This comes on the heels of an ICT resiliency letter by the President’s National Security Telecommunications Advisory Committee and is yet another indicator of increasing scrutiny of supply chains in the ICT and tech sectors, which are subject to multiple overlapping federal efforts.
In November 2020, the Study Group published “Building a More Resilient ICT Supply Chain: Lessons Learned from the COVID-19 Pandemic,” which contains a deep examination of ICT supply chain weaknesses that have been exposed or exacerbated by the COVID pandemic. The report offers a series of recommendations to increase the resiliency of ICT supply chains in similar crises, while securing the trustworthiness and availability of critical components and materials that are essential to the nation’s ICT networks.
The Study Group completed its assessment through a questionnaire submitted to 50 ICT companies, which included publicly traded and privately-owned IT service providers, broadcasters and communication service providers. The questions were designed to assess the extent and degree to which the pandemic disrupted supply chains and impacted operational resiliency and business continuity. Industry responses to the question set highlighted several commonalities across both the size and type of ICT company. For example, most companies surveyed reported moderate to minor impacts to their organizations supply chains, but most of those disruptions continued to exist at the time of the report’s publication but to a lesser extent. Also, most of the respondents recognize that post-pandemic business operations may require companies to do things differently like increasing steady-state inventory levels, diversifying sources and regions of supply, and insisting on more transparency deeper into the whole supply chain.
The Study Group Identifies Issues and Makes Recommendations
In assessing the results, the Study Group was able to draw three broad conclusions about the pandemic’s impact.
First, COVID-19 highlighted the need for the ICT industry to diversify supply chains and move away from single source suppliers or suppliers from a single region. While some of this movement began in prior years with uncertainty in U.S.-China trade relations and ongoing national security concerns, the pandemic was an intervening event that rapidly outpaced the ability of businesses to respond.
Second, the pandemic exposed a weakness in business models that favored lean inventory reserves and just-in-time delivery of raw materials and critical manufacturing components. Delays caused by the lack of inventory quickly cascaded down the supply chain, which may lead manufacturers and assemblers to better monitor and manage vendor inventory.
Third, ICT companies lacked an understanding of supply chain cross-dependencies and had little visibility into supply chains beyond Tier-1 suppliers. While larger companies were able to perform some level of due diligence on Tier-2 and Tier-3 suppliers, there was still a knowledge gap across industry on the ability of sub-tier providers to react to the disruption and where those sub-tier companies might be single points of failure for a multitude of companies.
To address these issues, the Study Group makes six recommendations:
Technology and communications companies should move beyond reactive supply chain risk management models and look to utilize systemic risk classification techniques that continually analyze events, disasters and political developments that could impact business operations.
Companies need to comprehensively map supply chains, from the extraction of raw materials through the delivery of products to consumers. Additionally, these supply chain maps should promote transparency at all levels of the chain, including Tier-1, Tier-2 and other more junior suppliers, to better understand cross-dependencies and hidden relationships that undermine business resiliency.
ICT companies should increase business resiliency and redundancy by broadening supplier networks and diversifying geographic regions of supply.
The ICT industry should look to standardize a methodology to map and assess supply chains to better focus industry on sub-tier suppliers, geographic regions and logistical bottlenecks that could disrupt production.
ICT manufacturers should look at increasing inventory reserves and utilize metrics that include operational resiliency and business continuity in assessing the cost of holding buffer inventory.
Companies should examine logistics and transportation issues and plan for scenarios or events that could disrupt the delivery of goods and critical components.
Why the Study Group’s Report Matters
Given the timing of the report and the methodology used to reach the conclusions and formulate recommendations, the Study Group’s report is a notable, mid-crisis impact assessment that should be considered across the ICT industry. More broadly, the Study Group’s conclusions come during ongoing assessments and rulemaking proceedings across the federal government impacting ICT supply chain, and track with other post-pandemic supply chain examinations, like some of the Cyberspace Solarium Commission’s white paper conclusions on lessons learned from the pandemic and building trusted ICT supply chains.
Taken together, these studies are likely to inform policy changes that implement legal and/or regulatory changes for industry. For example, all three reports point to the lack of diversification in ICT supply chains, both regional and source diversification, as one of the principle vulnerabilities facing industry and the broader critical infrastructure ecosystem. Each report subsequently puts forward recommendations and proposals that policymakers could use to place legal and regulatory requirements on providers with varying levels of burden on business operations. That said, technology companies and communications providers should monitor these pandemic-related examinations to both look for opportunities to help shape the conversation and anticipate and respond to changes in regulation or policy.
The private sector has been urging the government to harmonize and de-conflict overlapping supply chain security efforts and improve partnership and information sharing. These include the implementation of section 889 of the FY2019 National Defense Authorization Act which prohibits certain equipment from purchase by the government or use by contracts, and the work of the Federal Acquisition Security Council, or calls for “industrial policy” or strategies for the innovation base to try to shape domestic and overseas ICT markets.
Wiley is a leader working on complex regulatory, cyber, and supply chain issues affecting the ICT sector. We help clients manage risk, work with government, and address new procurement obligations. Should you have any questions, please contact one of the attorneys listed for additional information.