The General Services Administration (GSA) Federal Acquisition Service (FAS), Information Technology Category (ITC) has a requirement for a ten year governmentwide Multiple Award Blanket Purchase Agreement (BPA) against GSA Multiple Award Schedules (MAS) that will be referred to as the Supply Chain Risk Illumination Professional Tools and Services (SCRIPTS) BPA.

The General Services Administration has a requirement to establish core, multi-component, supply chain risk illumination tools with the ability to identify self-attested, public, as well as, purchased data, in real time, along with a persistent monitoring capability. This requirement will foster a whole of government (WoG) approach to assess risk across the federal supply chain, domestic commercial Information Technology marketplace, and Defense Industrial Base (DIB), and to further mitigate vendor threats. This capability will become an open resource based on security classification of analyzed data for potential use within the spectrum of information security environments (e.g. Top Secret / Sensitive Compartmented Information (TS/SCI), Secret, and Controlled Unclassified Information (CUI) levels) within the Department of Defense (DoD) and other government agencies.

The current business operating environment presents several Supply Chain Risk Management (SCRM) challenges: (1) reliance on commercial services and technologies and multiple tiers of the global Defense Industrial Base that shift at an increasingly fast rate, and (2) vast availability of commercial items and services through simplified acquisitions and/or purchase cards that may not have been fully vetted for cyber and supply chain risk. Recent events affecting the global industrial base have increased the urgency of SCRM being implemented and executed in support of National Security Systems (under 10 USC Section 2339a) for DoD systems and networks, and in support of the Federal Acquisition Security Council (FASC) established under the SECURE Technology Act, and 41 USC Sections 1326 and 471 and Executive Orders 14017 and 14028.

Through the SCRIPTS Solicitation, the acquisition of deployable supply chain illumination capabilities for cyber hygiene, supply chain, foreign ownership, control, and influence, vendor vetting and affiliated entity, as well as personnel vetting will enable the government to be continuously and dynamically informed on industry supplier health. This SCRIPTS BPA will allow the DoD to holistically screen and vet vendors and underlying supplier networks/affiliated personnel to ensure suppliers are reputable, in good-standing, financially and operationally secure, and will not introduce unacceptable risk to the Government. The SCRIPTS BPA will provide a total solution approach to leverage commercial industry tools (also referred to as platforms when referring to a specific Original Equipment Manufacturer (OEM) supply chain illumination tool), global database resources, and technical analytic support services with prompt, cost-effective delivery, while capturing economies of scale, and fostering small business markets for sustainable technologies.

In the SCRIPTS Solicitation, the DoD and Federal agencies require the following capabilities:

• • A. Increased end-to-end transparency and knowledge of multi-tier supply chain ecosystem(s).
  • B. An understanding of the complex connections and dependencies across specific supply chain ecosystems.
  • C. Ability to answer complex risk and resiliency questions impacting suppliers across their ecosystem.
  • D. Continuous discovery and monitoring of dynamic supply chains for indicators of risks to/from individual suppliers and/or specific parts or products.
  • E. Supply chain ecosystem Maps, Supplier Insights, Risk Scores, Dashboarding Capability, Continuous Monitoring.
  • F. Industry support networks associated with the end-to-end product lifecycle for information communication technology (ICT), ICT services and solutions.
  • G. Products must have an Application Programming Interface (API) capability for interoperability with other federal government cloud capabilities.
  • H. If required, for a cloud service delivery model offering, Federal Risk and Authorization Management Program (FedRAMP) authorized at equivalent DoD Impact Level (IL2,
  • IL4) and Intelligence Oversight compliant within 90 days of contract award, and plans to achieve IL6 with government sponsorship within one calendar year after award.

The platform shall provide business intelligence analytics that address the following Minimum Risk Indicators /Categories for SCRIPTS Small Business (see Attachment 1);

• SCRIPTS Small Business (Set-Aside for Small Business Only)
  1. Financial
  2. Foreign Ownership Control or Influence (FOCI)
  3. Political and Regulatory
  4. Compliance
  5. Technology and Cybersecurity
• The tools should have the ability to expand or adapt as other health risk indicators/categories are prioritized or identified by the government (e.g. Product Quality/Design, Manufacturing and Supply, Transportation and Distribution, Environment). Any additional risk categories above the minimum elements that Small Business tool providers can meet would be viewed more favorably.

The platform shall provide business intelligence analytics that address the following Minimum Risk Indicators /Categories for SCRIPTS Unrestricted (see Attachment 1);

• SCRIPTS Unrestricted – Required Minimum Risk Indicators/Categories:
  1. Financial
  2. Foreign Ownership Control or Influence (FOCI)
  3. Political and Regulatory
  4. Compliance
  5. Technology and Cybersecurity
  6. Manufacturing and Supply
  7. Transportation and Distribution
  8. Product Quality/Design
• Any additional risk categories above the minimum elements that Unrestricted group tool providers can meet would be viewed more favorably.