Contracts
Upstream Vendor Amendments: You must amend Master Service Agreements (MSAs) with Tier 1 suppliers immediately.
- Insert "Right to Audit" clauses specifically regarding country of origin and ownership structure.
- Require vendors to disclose *their* upstream suppliers (Tier 2 and 3). You cannot comply with a state subpoena if your contract does not compel your vendor to provide this data.
Hiring/Training
Crisis Simulation: IT and Operations Directors for critical infrastructure (energy, water, telecom) must prepare for state-mandated "Tabletop Exercises."
- Teams must be trained to simulate operations during a "severed supply chain" or "foreign cyberattack" scenario.
- Legal Protocol: Establish a specific internal protocol for responding to Committee subpoenas to avoid contempt of court penalties.
Reporting & Record-Keeping
Supply Chain Mapping: You must generate and maintain records verifying:
- Origin of Manufacture: Physical location of production for critical components.
- Ownership Domicile: Verification that sub-vendors are not owned by state-owned enterprises of foreign adversaries.
- Pharmaceuticals: Specific tracking of Active Pharmaceutical Ingredients (APIs) and Key Starting Materials (KSMs) to country of origin.
Fees & Costs
No New State Fees.
- Operational Cost: High. Expect significant internal costs related to supply chain auditing and legal counsel for subpoena response.
- Insurance Risk: If the "stress test" reveals vulnerabilities you fail to fix, carriers may deny cyber-liability claims based on negligence.
