In-Person Pre-Conference Primer – An Updated, Practical Guide to ECMPs and QMPs: Practical Implementation Best-Practices to Ensure Compliance

Richard Ray
FSO / TCO / ITPSO
Eutelsat America Corp.

Lisa Himes
Of Counsel
Rogers Joseph O'Donnell PC
Part I: QMPs for DIB companies are structured to mitigate risks regarding foreign-sourced materials and components. Focus areas of QMPs include disclosure of foreign access to code and technology and quality assurance across the supply chain. QMPs must also be integrated into the acquisition lifecycle. This strategy session will provide practical implementation best practices to ensure your QMPs are covering the critical materials and mechanisms for effective FOCI mitigation.
- Source code requirements: Mitigate risks of foreign-sourced code or tampering through access controls and code integrity, including enforcing multi-factor authentication (MFA) and validating compliance with export controls (e.g., EAR, ITAR)
- Software controls: Mitigate risks to ensure secure systems through secure development, patching, and vetting suppliers and legacy systems
- Hardware controls: Mitigate risks to prevent compromised hardware by using trusted and certified suppliers for critical hardware and physically securing manufacturing and testing facilities (NIST SP 800-171)
- R&D reviews: Mitigate risks by protecting intellectual property, including through exercises to identify risks in R&D workflows
- Acquisition lifecycle requirements: Mitigate risks by requiring CMMC certification or NIST SP 800-171 compliance for subcontractors and including DFARS 252.204-7012 clauses for cyber incident reporting
Part II: Electronic Communications Monitoring Plan (ECMP): Simplifying and Baselining the Electronic Communications Monitoring Plan (ECMP)
An Electronic Communications Monitoring Plan (ECMP) may be required by DCSA for companies operating under a Board Resolution (BR) or Special Board Resolution (SBR) to mitigate lower-level thresholds of Foreign Ownership, Control, or Influence (FOCI). For companies that rely on a BR or SBR for their FOCI mitigation, the ECMP is a crucial document: companies working with the Department of Defense use it to demonstrate the review, mitigation and auditing procedures they apply to ensure secure communication and prevent unauthorized access to sensitive information by foreign investor(s). This strategy session will provide practical implementation best practices to ensure the risks associated with electronic communications under lower-level FOCI concerns are effectively mitigated.
- Teleconference and Video Teleconference requirements
- Email review thresholds and processes
- Monitoring configuration changes and defining which ECMP changes require prior approval by DCSA
- Instant messaging and texting: Monitoring procedures
- Social networking, web-based email, file sharing, collaboration tools
- Training senior leadership and employees around the purpose of the ECMP and their responsibilities under the plan