A new FAR interim rule requires Supply Chain Risk Management Plans for all IT and professional service contracts above $250,000, significantly expanding the scope of federal SCRM requirements.
The Federal Acquisition Regulatory Council published an interim FAR rule requiring Supply Chain Risk Management Plans for all IT and professional service contracts above $250,000. The new threshold significantly expands SCRM requirements beyond the current focus on systems designated as 'High Value Assets,' bringing an estimated 340,000 additional contracts into scope.
SCRM Plans under the new rule must cover: vendor background assessment using CISA's SCRM scoring methodology, subcontractor flow-down requirements for key supply chain components, incident reporting obligations for supplier-identified vulnerabilities, and annual re-assessment procedures for contracts above $1 million.
Contracting officers are responsible for evaluating the adequacy of vendor SCRM Plans as part of the technical evaluation process, creating a training need for the 24,000 federal contracting professionals who will encounter SCRM requirements in their contract portfolios.
For contractors, the rule creates both a compliance obligation and an opportunity for competitive differentiation. Vendors with mature SCRM programs and trained personnel will be better positioned to win contracts against competitors with less developed supply chain security practices.
GovAcademy's Government Vendor Risk Management course (GA-043) directly addresses the new SCRM requirements from the agency perspective. The 20-hour Professional course covers CISA's SCRM methodology, vendor risk questionnaire design, and continuous monitoring procedures.
The Secure Software Supply Chain course (GA-025) addresses the technical elements that inform SCRM Plans for software supply chains, covering SBOM review, vulnerability disclosure programs, and software provenance verification.
Several large defense and civilian prime contractors have requested enterprise training agreements for GovAcademy's SCRM courses in anticipation of the rule's requirements becoming applicable to their contract portfolios.