[Federal Register Volume 84, Number 175 (Tuesday, September 10, 2019)]
[Rules and Regulations]
[Pages 47861-47862]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-19360]
[[Page 47861]]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 1, 4, 13, 39, and 52
[FAC 2019-06; FAR Case 2018-010; Item I; Docket No. FAR-2018-0010,
Sequence No. 1]
RIN 9000-AN64
Federal Acquisition Regulation: Use of Products and Services of
Kaspersky Lab
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: DoD, GSA, and NASA are adopting as final, without change, an
interim rule amending the Federal Acquisition Regulation (FAR) to
implement a section of the National Defense Authorization Act (NDAA)
for Fiscal Year (FY) 2018.
DATES: Effective September 10, 2019.
FOR FURTHER INFORMATION CONTACT: Ms. Camara Francis, Procurement
Analyst, at 202-550-0935 for clarification of content. For information
pertaining to status or publication schedules, contact the Regulatory
Secretariat Division at 202-501-4755. Please cite FAC 2019-06, FAR Case
2018-010.
SUPPLEMENTARY INFORMATION:
I. Background
DoD, GSA, and NASA published an interim rule in the Federal
Register at 83 FR 28141 on June 15, 2018, to revise the FAR to
implement section 1634 of Division A of the NDAA for FY 2018 (Pub. L.
115-91). Section 1634 of this law prohibits the use of products or
services of Kaspersky Lab and its related entities by the Federal
Government on or after October 1, 2018.
The interim rule amended FAR part 4, adding a new subpart 4.20,
Prohibition on Contracting for Hardware, Software, and Services
Developed or Provided by Kaspersky Lab, with a corresponding new
contract clause at 52.204-23, Prohibition on Contracting for Hardware,
Software, and Services Developed or Provided by Kaspersky Lab and Other
Covered Entities. The interim rule also added text in subpart 13.2,
Actions at or Below the Micro-Purchase Threshold, to address section
1634 with regard to micro-purchases. To implement section 1634, the
clause at 52.204-23 prohibits contractors from providing any hardware,
software, or services developed or provided by Kaspersky Lab or its
related entities, or using any such hardware, software, or services in
the development of data or deliverables first produced in the
performance of the contract. The contractor must also report any such
hardware, software, or services discovered during contract performance;
this requirement flows down to subcontractors. For clarity, the rule
defines ``covered entity'' and ``covered article''. A covered entity
includes the entities described in section 1634. A covered article
includes hardware, software, or services that the Federal Government
will use on or after October 1, 2018. The public comment period ended
August 14, 2018.
II. Discussion and Analysis
Three respondents submitted public comments, one of which was
outside the scope of the rule. There are no changes made to the final
rule as a result of the public comments. Responses to comments received
follow below.
Comment: A respondent stated, ``To reduce burden on contractors, a
specific list or definition around `covered article' or `covered
entity' are requested. It is also requested to share how and when an
entity or article would be added to this list and incorporated into
this clause.''
Response: The rule defines ``covered article'' and ``covered
entity'' in FAR 4.2001, Definitions. With respect to use of a products
list, the preamble to the interim rule included a series of detailed
questions designed to elicit feedback on how a list might be developed
and maintained, as well as other steps that might be taken to reduce
burden, but no public input was offered. Due to the continually
evolving nature of technological product and service offerings,
including third-party products that may either add or eliminate
inclusion of elements such as Kaspersky Lab software, and the lack of
suggestions for how this challenge might be managed, DoD, GSA, and NASA
have concluded that providing a definitive list of hardware, software,
or services subject to the definition of ``covered article'' is
impractical, particularly in regulation. Similar challenges regarding
the shifting nature of ownership, affiliate and subsidiary
relationships also apply to the definition of ``covered entity.'' DoD,
GSA, and NASA intend to confer with the Federal Acquisition Security
Council staff as it considers issues related to the appropriate sharing
of information to support management decisions associated with supply
chain risk management.
Comment: A respondent indicated that the prohibition should be
effective immediately to prevent continued use and additional risk to
the Government. The respondent had similar concerns that existing
contracts would not be modified to incorporate the clause unless the
period of performance was being extended for six or more months.
Response: The statutory prohibition in section 1634 took effect on
October 1, 2018, and the interim rule was published in advance of the
effective date in order to provide sufficient time for both Government
and industry to identify any current use or planned procurements of
covered articles from covered entities. Publication of the FAR rule was
one tool to help agencies in their implementation of section 1634, but
the rule did not impact or impair any other planned or ongoing efforts
agencies undertook to address the presence of covered articles.
III. Applicability to Contracts at or Below the Simplified Acquisition
Threshold (SAT) and for Commercial Items, Including Commercially
Available Off-the-Shelf (COTS) Items
This rule applies the requirements of section 1634 of the NDAA for
FY 2018 to contracts at or below the SAT, to include contracts for the
acquisition of commercial items, including COTS items.
A. Applicability to Contracts at or Below the Simplified Acquisition
Threshold
41 U.S.C. 1905 governs the applicability of laws to acquisitions at
or below the simplified acquisition threshold (SAT). Section 1905
generally limits the applicability of new laws when agencies are making
acquisitions at or below the SAT, but provides that such acquisitions
will not be exempt from a provision of law if: (i) the law contains
criminal or civil penalties; (ii) the law specifically refers to 41
U.S.C. 1905 and states that the law applies to contracts and
subcontracts in amounts not greater than the SAT; or (iii) the FAR
Council makes a written determination and finding that it would not be
in the best interest of the Federal Government to exempt contracts and
subcontracts in amounts not greater than the SAT from the provision of
law.
B. Applicability to Contracts for the Acquisition of Commercial Items,
Including COTS Items
41 U.S.C. 1906 governs the applicability of laws to contracts for
the acquisition of commercial items, and is
[[Page 47862]]
intended to limit the applicability of laws to contracts for the
acquisition of commercial items. Section 1906 provides that if a
provision of law contains criminal or civil penalties, or if the FAR
Council makes a written determination that it is not in the best
interest of the Federal Government to exempt commercial item contracts,
the provision of law will apply to contracts for the acquisition of
commercial items.
Finally, 41 U.S.C. 1907 states that acquisitions of COTS items will
be exempt from a provision of law unless the law (i) contains criminal
or civil penalties; (ii) specifically refers to 41 U.S.C. 1907 and
states that the law applies to acquisitions of COTS items; (iii)
concerns authorities or responsibilities under the Small Business Act
(15 U.S.C. 644) or bid protest procedures developed under the authority
of 31 U.S.C. 3551 et seq., 10 U.S.C. 2305(e) and (f), or 41 U.S.C. 3706
and 3707; or (iv) the Administrator for Federal Procurement Policy
makes a written determination and finding that would not be in the best
interest of the Federal Government to exempt contracts for the
procurement of COTS items from the provision of law.
C. Determinations
With the publication of the interim rule the FAR Council has
determined it was in the best interest of the Government to apply the
rule to contracts at or below the SAT and for the acquisition of
commercial items. Likewise, the Administrator for Federal Procurement
Policy determined it was in the best interest of the Government to
apply this rule to contracts for the acquisition of COTS items.
While the law does not specifically address acquisitions of
commercial items, including COTS items, there is an unacceptable level
of risk for the Government in buying hardware, software, or services
developed or provided in whole or in part by Kaspersky Lab. This level
of risk is not alleviated by the fact that the item being acquired has
been sold or offered for sale to the general public, either in the same
form or a modified form as sold to the Government (i.e., that it is a
commercial item or COTS item), nor by the small size of the purchase
(i.e., at or below the SAT). As a result, agencies may face increased
exposure for violating the law and unknowingly acquiring a covered
article absent coverage of these types of acquisitions by this rule.
IV. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is not a significant regulatory action and, therefore, was not
subject to review under section 6(b) of E.O. 12866, Regulatory Planning
and Review, dated September 30, 1993. This rule is not a major rule
under 5 U.S.C. 804.
V. Executive Order 13771
This rule is not subject to E.O. 13771, because this rule is not a
significant regulatory action under E.O. 12866.
VI. Regulatory Flexibility Act
A final Regulatory Flexibility Analysis (FRFA) consistent with the
Regulatory Flexibility Act, 5 U.S.C. 601, et seq. was prepared. The
FRFA is summarized below.
This final rule implements section 1634 of Division A of the
National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018
(Pub. L. 115-91). The objective of the rule is to prescribe
appropriate policies and procedures to enable agencies to determine
that they are not purchasing articles that section 1634 prohibits
for use by the Government on or after October 1, 2018.
There were no significant issues raised by the public in
response to the Initial Regulatory Flexibility Analysis provided in
the interim rule.
The rule applies to all contractors and subcontractors,
regardless of size. Data from the Federal Procurement Data System
(FPDS) indicates that the Government awarded contracts to an average
of 93,792 unique entities in FY 2017 and FY 2018, of which an
average of 68,778 (73 percent) were small entities. It is estimated
that reports will be submitted by 5 percent of contractors, or 3,439
small entities.
The rule requires contractors and subcontractors that are
subject to the clause to report to the contracting officer, or for
DoD, to the website listed in the clause, any discovery of a covered
article during the course of contract performance.
Because of the nature of the prohibition enacted by section
1634, it is not possible to establish different compliance or
reporting requirements or timetables that take into account the
resources available to small entities or to exempt small entities
from coverage of the rule, or any part thereof. DoD, GSA, and NASA
were unable to identify any alternatives that would reduce the
burden on small entities and still meet the objectives of section
1634.
Interested parties may obtain a copy of the FRFA from the
Regulatory Secretariat Division. The Regulatory Secretariat Division
has submitted a copy of the FRFA to the Chief Counsel for Advocacy of
the Small Business Administration.
VII. Paperwork Reduction Act
This rule contains information collection requirements that have
been approved by the Office of Management and Budget under the
Paperwork Reduction Act (44 U.S.C. chapter 35). This information
collection requirement has been assigned OMB Control Number 9000-0197,
entitled ``Use of Products and Services of Kaspersky Lab''.
List of Subjects in 48 CFR Parts 1, 4, 13, 39, and 52
Government procurement.
William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of
Acquisition Policy, Office of Government-wide Policy.
Interim Rule Adopted as Final Without Change
Accordingly, the interim rule amending 48 CFR parts 1, 4, 13, 39,
and 52 which was published in the Federal Register at 83 FR 28141 on
June 15, 2018, is adopted as a final rule without change.
[FR Doc. 2019-19360 Filed 9-9-19; 8:45 am]
BILLING CODE 6820-EP-P