[Federal Register Volume 86, Number 163 (Thursday, August 26, 2021)]
[Rules and Regulations]
[Pages 47581-47593]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-17532]


=======================================================================
-----------------------------------------------------------------------

FEDERAL ACQUISITION SECURITY COUNCIL

41 CFR Parts 201 and 201-1


Federal Acquisition Security Council Rule

AGENCY: Federal Acquisition Security Council.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: As authorized by the Federal Acquisition Supply Chain Security 
Act of 2018 (FASCSA), the Federal Acquisition Security Council (FASC) 
is issuing this final rule to implement the requirements of the laws 
that govern the operation of the FASC, the sharing of supply chain risk 
information, and the exercise of the FASC's authorities to recommend 
issuance of removal and exclusion orders to address supply chain 
security risks. This rule finalizes the interim final rule and corrects 
the codification structure of the interim final rule.

DATES: Effective September 27, 2021.

FOR FURTHER INFORMATION CONTACT: Kosta I. Kalpos, 202-881-9601, 
[email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    Information and communications technology and services (ICTS) are 
essential to the proper functioning of U.S. Government information 
systems. The U.S. Government's efforts to evaluate threats to and 
vulnerabilities in ICTS supply chains have historically been ad hoc, 
undertaken by individual or small groups of agencies to address 
specific supply chain security risks. Because of the scale of supply 
chain risks faced by Government agencies, and the need for Government-
wide coordination, Congress adopted new legislation in 2018 to improve 
executive branch coordination, supply chain information sharing, and 
actions to address supply chain risks.

    The Federal Acquisition Supply Chain Security Act of 2018 (FASCSA 
or Act) (Title II of Pub. L. 115-390), signed into law on December 21, 
2018, established the Federal Acquisition Security Council (FASC). The 
FASC is an executive branch interagency council chaired by a senior-
level official from the Office of Management and Budget. It includes 
representatives from the General Services Administration; Department of 
Homeland Security (DHS); Office of the Director of National 
Intelligence (ODNI); Department of Justice; Department of Defense 
(DOD); and Department of Commerce. The FASC is authorized to perform a 
variety of functions, including making recommendations for orders that 
would require the removal of covered articles from executive agency 
information systems or the exclusion of sources or covered articles 
from executive agency procurement actions.

II. Rulemaking

    Pursuant to subsection 202(d) of the FASCSA, the FASC is required 
to prescribe first an interim final rule and then a final rule to 
implement subchapter III of chapter 13 of title 41, U.S. Code. The FASC 
published the interim final rule (interim rule) at 85 FR 54263 on 
September 1, 2020. The interim rule invited interested persons to 
submit comments on or before November 2, 2020. Six entities submitted 
comments. The final rule reflects changes made based upon some of those 
comments, as well as feedback received from internal Federal 
stakeholders. The final rule also corrects certain structural issues 
introduced by the interim rule, as explained in more detail in section 
III. This final rule retains the organization and much of the content 
of the interim rule. It contains three subparts. Subpart A explains the 
scope of the rule, provides definitions for relevant terms, and 
establishes the membership of the FASC. Subpart B establishes the role 
of the FASC's information sharing agency (ISA). DHS, acting primarily 
through the Cybersecurity and Infrastructure Security Agency, will 
serve as the ISA. The ISA standardizes processes and procedures for 
submission and dissemination of supply chain information and 
facilitates the operations of a Supply Chain Risk Management (SCRM) 
Task Force under the FASC. This FASC Task Force consists of 
designated technical experts who assist the FASC in implementing its 
information sharing, risk analysis, and risk assessment functions. 
Subpart B also prescribes mandatory and voluntary information sharing 
criteria and associated information protection requirements.
    Subpart C provides the procedures by which the FASC will evaluate 
supply chain risk from sources and covered articles and recommend 
issuance of orders requiring removal of covered articles from executive 
agency information systems (removal orders) and orders excluding 
sources or covered articles from future procurements (exclusion 
orders). Subpart C also provides the process for issuance of removal 
orders and exclusion orders and agency requests for waivers from such 
orders.

III. Summary of Changes to Interim Rule

    Headings and section numbers for the final rule have been adjusted 
to match the distinctive structure of CFR title 41. The standard 
structure of 41 CFR, unlike other titles, is:

 Subtitle [capital letter]
 Chapter [Arabic numeral]
 Part [Arabic numeral hyphen Arabic numeral]
 Subpart [capital letter]
 Section [Arabic numeral hyphen Arabic numeral period Arabic 
numeral]

    The interim rule, however, did not align with that structure. It did 
not add a chapter to title 41 CFR, and its numbering scheme for part 
and section numbers did not match that of title 41. Because of these 
structural issues, the interim rule added part 201 to subtitle E (where 
the amendments could not be codified) instead of adding chapter 201 to 
subtitle D. The final rule fixes those structural issues, changing 
interim part 201 to part 201-1, adjusting the section numbering 
accordingly, and eliminating the improperly codified interim part 201. 
Internal cross-references within the rule have been updated 
accordingly.
    In general, numerous minor changes were made to the interim rule's 
text to clarify or simplify it. Although the substance of the final 
rule largely matches that of the interim rule, several changes have 
been made in response to public comments and input from Federal 
stakeholders. Those changes, as well as numerous more minor, technical 
changes, are summarized below for each section of the final rule that 
has been modified from the interim rule.

A. Changes to Subpart A

1. Sec.  201-1.101--Definitions
    The final rule incorporates minor technical, clarifying, or 
simplifying changes to the definitions of ``exclusion order,'' 
``national security system,'' ``removal order,'' and ``supply chain 
risk information.''
2. Sec.  201-1.103--Federal Acquisition Security Council (FASC)
    Minor changes were made to paragraph (c) of this section to track 
the underlying statutory language more closely.

B. Changes to Subpart B

1. Sec.  201-1.200--Information Sharing Agency (ISA)
    Paragraph (a) was modified to clarify that information should be 
submitted to the FASC by sending it to the ISA.
    Paragraph (b) was modified to provide that the ISA, the FASC Task 
Force, and support personnel will carry out information receipt and 
dissemination functions on behalf of the FASC.
    Paragraph (c) was modified to remove the obligation for the ISA to 
provide a physical facility to host the FASC Task Force.
    Paragraph (d) was modified to clarify the nature of the processes 
and procedures to be adopted by the FASC.
    Paragraph (e) of this section of the interim rule has been deleted 
from the final rule. That paragraph, which provided for the ISA to 
identify ``resource gaps'' to the FASC, was determined to be 
unnecessary.
2. Sec.  201-1.201--Submitting Information to the FASC
    Minor technical corrections and clarifying changes were made to 
paragraphs (a) and (b).
    Paragraph (d) was modified to make minor technical and clarifying 
changes and to make clear that its provisions apply only to submissions 
by Federal agencies.
    The section corresponding to this one in the interim rule 
erroneously included two provisions labeled as paragraph (d). The 
second provision labeled paragraph (d) has been labeled paragraph (f) 
in the final rule. Paragraph (f)(3) of the final rule has been modified 
from its analogue in the interim rule to clarify that the FASC will not 
release a recommendation to a non-Federal entity unless an exclusion or 
removal order has been issued based on that recommendation, and the 
affected source has been notified.
    The provision that appeared in paragraph (e) of this section of the 
interim rule has been removed from the final rule because it was 
superfluous and could have been interpreted to imply incorrectly that 
the FASC must explicitly authorize agencies to rely upon information 
disseminated to them by the FASC.

    Paragraph (e) of this section of the final rule has been added to 
describe the protection that will be afforded to voluntary submissions 
by non-Federal entities.

C. Changes to Subpart C

1. Sec.  201-1.300--Evaluation of Sources and Covered Articles
    Paragraph (a) was edited for clarity and brevity.
    The heading of paragraph (b) was changed to ``Relevant factors'' 
from ``Criteria.'' The list appearing in that paragraph has been 
modified to clarify or adjust the description of some factors and to 
include as a factor the user environment in which a covered article is 
used or installed.
    The language in paragraph (c) of the interim rule was shifted to 
paragraph (d) and replaced with a statement providing that nothing in 
this section shall be construed to authorize the issuance of a removal 
order based solely on the fact of the foreign ownership of a potential 
procurement source that is otherwise qualified to enter into 
procurement contracts with the Federal Government.
    Paragraph (d)(3) (interim rule paragraph (c)(3)) was removed as 
duplicative of paragraph (d)(1).
    Paragraph (e) of the interim rule was broken into two separate 
paragraphs and moved into Sec.  201-1.301 to simplify the structure of 
the final rule.
2. Sec.  201-1.301--Recommendation
    Paragraph (e) of interim rule Sec.  201.301 has been moved to this 
section as paragraphs (a) and (b). Minor clarifying changes were made 
to the language of those paragraphs.
3. Sec.  201-1.302--Notice of Recommendation To Source and Opportunity 
To Respond
    The language included in paragraphs (c) and (d) of interim rule 
Sec.  201.302 was relocated to paragraphs (d) and (e) in this section 
of the final rule. A new provision was added as paragraph (c) to 
clarify how the FASC may rescind a recommendation upon consideration of 
a source's response in opposition to a notice of recommendation. 
Paragraph (d) of the interim rule, now located in paragraph (e) of the 
final rule, was modified so that the protections afforded under that 
provision are the same as those afforded with respect to information 
submitted voluntarily by non-Federal entities.
4. Sec.  201-1.303--Issuance of Orders and Related Activities
    Various simplifying or clarifying edits were made to the provisions 
of interim rule Sec.  201.303, and the content of that interim rule 
section was also reorganized into a more logical paragraph structure 
for the final rule. The interim rule's description of the authority of 
the Secretary of Homeland Security, the Secretary of Defense, and the 
Director of National Intelligence was modified to mirror the underlying 
statutory language more closely and make clear that the authority to 
issue exclusion and removal orders is discretionary.
5. Sec.  201-1.304--Executive Agency Compliance With Exclusion and 
Removal Orders
    The final rule includes minor technical corrections and 
clarifications that were made to the provisions of this section of the 
interim rule. Paragraph (a)(2) no longer requires agencies to obtain 
FASC approval before publicly releasing an exclusion or removal order. 
Instead, the final rule requires that agencies comply with any 
dissemination or other controls placed upon an exclusion or removal 
order by the issuing official.
    Paragraph (b) of the final rule includes new language specifying 
certain requirements to be met by agencies requesting to be excepted 
from the provisions of an exclusion or removal order. Those agencies 
must submit their request in writing to the official who issued the 
order and provide specified information, including a compelling 
justification for the waiver and a description of any forms of risk 
mitigation to be undertaken if the waiver is granted.

IV. Comments and Responses

    The FASC received six sets of comments from the public in response 
to the publication of the interim rule. Relevant comments from those 
submissions are addressed below in connection with the rule subpart to 
which they relate or, if they do not relate to a particular subpart, 
under the heading ``General Comments.'' Because no comments related 
particularly to subpart A of the interim rule, no heading is provided 
for that subpart in this section for Comments and Responses.

A. Interim Rule Subpart B

    Subpart B establishes the role of the FASC's information sharing 
agency (ISA), provides for an interagency Task Force to support the 
FASC, prescribes mandatory information-sharing criteria for Federal 
agencies, and outlines requirements for marking, handling, and 
disseminating protected supply chain risk information. Multiple 
commenters asked for further clarification of the protections that 
would be afforded to non-Federal entities who voluntarily share 
information with the FASC. In response to these comments, Sec.  201-
1.201(e) was added to the final rule to describe the protection that 
will be afforded to information that is submitted to the FASC by such 
non-Federal entities (NFEs) and that is not otherwise publicly or 
commercially available. If such information is marked by the submitting 
NFE with the legend, ``Confidential and Not to Be Publicly Disclosed,'' 
the FASC will not release the marked material to the public, except to 
the extent required by law. Regardless of any protection offered by 
that general rule, Sec.  201-1.201(e)(2) makes clear that the FASC 
retains broad discretion to disclose information submitted by NFEs to 
appropriate recipients in a range of circumstances.
    The FASC recognizes that its retention of such broad discretion may 
dissuade some NFEs from submitting sensitive information. At this time, 
however, the FASC has chosen to prioritize greater sharing of 
information in appropriate circumstances over the possibility of 
receiving more supply chain risk information from NFEs. If the FASC 
determines over time that the Federal Government's interests would be 
better served by a different weighing of priorities, the FASC may 
revise the rule accordingly.
    One commenter asked whether NFEs who shared information with the 
FASC would receive protection under the Cybersecurity Information 
Sharing Act of 2015 (CISA 2015), Public Law 114-113, div. N. The final 
rule does not address that issue. The FASC is continuing to coordinate 
with FASC member agencies to consider any intersections between CISA 
2015 and the FASC's authorities and may, as appropriate, provide 
further guidance to stakeholders at a future date.
    Several commenters also suggested that the FASC should afford 
protections to NFEs whose information might be used to support the 
issuance of an exclusion or removal order. The final rule provides for 
no such protections. The FASC lacks authority to obviate, restrict, or 
otherwise alter the potential legal liability of one private party to 
another. And other, more indirect forms of protection--such as an 
automatic guarantee of confidentiality or protection from public 
disclosure of the identity of providers of information--could decrease 
the quality of information received from NFEs by removing disincentives 
that would otherwise deter the submission of inaccurate or misleading 
information. Shielding the identity of NFEs who
submit information might also, depending on the circumstances, unduly 
interfere with the ability of an affected source to respond 
substantively to a notice of the FASC's recommendation for the issuance 
of an exclusion or removal order. In light of these considerations, the 
final rule includes no additional provisions aimed at protecting NFEs 
from legal liability.
    One commenter asked how the ISA will maintain 
data submitted to the FASC and in what system that data will be stored. 
The FASC anticipates that the ISA will handle, store, and protect 
information in accordance with all applicable laws, regulations, and 
policies. The final rule does not specify the nature of the system in 
which the ISA will store FASC data or provide detailed requirements for 
the technical means by which the ISA will maintain that data; such 
specifications would unduly restrict the ISA.
    Another commenter requested more information about the FASC's 
``influence'' on ``priorities and taskings'' within the intelligence 
community. No changes to the rule have been made in response to that 
request. Executive agencies, including those encompassing components of 
the intelligence community, will continue to follow their relevant 
authorities with regard to their own priorities and taskings.
    Several comments concerned the possible release of information to 
the public by the FASC. Some commenters requested more information 
about the circumstances in which the FASC will share supply chain risk 
information with the private sector; others suggested that the FASC 
should maintain a public list of sources and covered articles that have 
been the subject of exclusion or removal orders. The final rule does 
not specify circumstances in which the FASC must share information with 
the public, or require maintenance of a public list of sources and 
covered articles that have been the subject of exclusion or removal 
orders. The FASC anticipates that determining whether to release supply 
chain risk information--including the names of sources and covered 
articles addressed by exclusion or removal orders--will be a highly 
fact-specific inquiry. Other applicable law and binding government-wide 
policies may also limit the information that the FASC may publicly 
disclose. For instance, national security considerations may require 
that, in some scenarios, the nature of certain covered articles or 
sources or the rationale for some FASC recommendations not be made 
public. Accordingly, the final rule simply states that the FASC will 
comply with applicable legal requirements in light of the particular 
circumstances to decide the extent to which supply chain risk 
information can be released to non-government entities.

B. Interim Rule Subpart C

    Subpart C addresses evaluation of sources and covered articles by 
the FASC. It enumerates the processes by which the FASC may issue a 
recommendation, obtain a response to a recommendation from named 
sources, and, when appropriate, rescind a recommendation. Commenters 
raised several topics in connection with this subpart.
    One commenter asked whether protections would be offered for 
``companies that have been identified to the FASC as a potential risk'' 
but are not the subject of a recommendation or a removal/exclusion 
order. The commenter speculated that contracting offices in the Federal 
Government could create an ``informal blacklist'' that would prevent 
companies that had been identified as security risks from contracting 
with the Federal Government. The FASC has seen no evidence that its 
activities will result in a blacklist. As a result, the final rule does 
not include any changes in response to this public comment.
    Some commenters suggested that because NFEs may submit information 
voluntarily to the FASC, the FASC may receive inaccurate or false 
information from companies attempting to sabotage competitors. 
Commenters suggested various means to address this contemplated 
problem: Requiring NFEs submitting information to execute a 
certification of some kind attesting to their good faith; providing 
affected sources with remedies against NFEs who submit false 
information; enlisting private-sector entities to ``vet'' supply chain 
risk information; or limiting the extent to which information may be 
requested by the FASC or submitted by NFEs. The FASC does not believe 
that the rule should include any of these measures at this time. The 
final rule retains in Sec.  201-1.300(d) the requirement that the FASC 
perform ``appropriate due diligence'' in evaluating supply chain risk. 
The FASC may request and obtain information from a wide range of 
sources within the Federal Government, including investigative and 
intelligence-gathering agencies; it has ample means to assess the 
reliability of information received from the private sector or 
elsewhere. As a result, the FASC concludes that there is little basis 
to believe that the submission of inaccurate information by NFEs will 
subvert the outcome of the FASC's deliberations.
    Commenters also expressed concern that, under Sec.  201-1.300(b), a 
source's ties to foreign countries are expressly identified as one 
factor among many to be considered as part of a supply chain risk 
analysis. These commenters pointed out that many companies have 
connections to other nations, and asserted that companies fear that 
their association with a certain country or countries will 
automatically place them under suspicion within the FASC. In response 
to these comments, the interim rule was modified to include Sec.  201-
1.300(c), which echoes 41 U.S.C. 1323(f)(2)'s text to emphasize that 
nothing in the rule may be construed to authorize the issuance of an 
exclusion or removal order based solely on the foreign ownership of an 
otherwise qualified source. Additionally, the final rule, like the 
interim rule, lists a source's foreign ties merely as one factor among 
a non-exclusive list of factors to be considered in the FASC's 
evaluation; nothing in either rule requires that factor to be given 
determinative weight.
    For that reason, the FASC disagrees with a commenter who suggested 
that such a factor was inconsistent with treaties intended to encourage 
international trade. Such treaties form part of the backdrop against 
which the FASC will make its decisions. Given the international ties of 
many companies and the extensive participation of the United States in 
the global economy, the FASC will not be inclined to recommend 
exclusion of a company simply because it is active in more than one 
country.
    One commenter suggested that the FASC consider foreign ties in its 
analysis only if those ties concern a country other than an ally of the 
United States. Another requested that the rule be amended to specify 
the component of the Federal Government with authority to designate a 
country as ``a country of special concern or a foreign adversary'' 
pursuant to Sec.  201-1.300(b). Neither recommendation has been 
implemented in the final rule because the FASC is already able to 
account for the considerations suggested by the commenters. In 
evaluating the risk posed by a covered article or a source, the FASC 
may consider not just whether a source has connections to a foreign 
country, but also the nature of that country's relationship with the 
United States; it may consider not just whether a Federal agency has 
designated a country as an adversary, but also which agency or official 
made that designation and why.

    Several comments concerned the process by which exclusion or 
removal orders may be issued. One, for example, recommended that any 
source being evaluated by the FASC should be notified ``at the outset'' 
of that review and allowed to comment ``as early as possible.'' The 
final rule does not implement that recommendation. Depending on the 
circumstances of a particular case, national security considerations 
may weigh against informing a source that it has drawn the attention of 
the FASC at a time when no recommendation has been issued. As a result, 
the final rule does not mandate either early or ongoing communication 
with a source prior to the issuance of a recommendation.
    Other comments raised the concern that sources named in a 
recommendation would not receive enough information from the FASC to 
mount an adequate response. The final rule, like the interim rule, 
provides that the source named in a recommendation must be notified of 
the criteria relied upon by the FASC in developing that recommendation. 
Sec.  201-1.302(b)(2). The source must also be advised of the 
information upon which the FASC based its recommendation, so long as 
disclosure of that information is consistent with national security and 
law enforcement interests. This body of information will allow the 
source to understand the FASC's reasoning and so to prepare a response. 
Contrary to one commenter's suggestion, the ``criteria'' to be 
disclosed to the source are not equivalent to a simple list of the 
generically described factors identified in Sec.  201-1.300(b) of the 
final rule. To make that fact clear, the label for that list of factors 
in the final rule has been changed from ``Criteria'' to ``Relevant 
Factors.''
    The interim final rule provided that the administrative record on 
judicial review of an exclusion or removal order would include, among 
other things, ``any information or materials directly relied upon by 
the'' official who issued the order. One commenter objected that the 
use of the word ``directly'' indicated that the administrative record 
supporting exclusion or removal orders would not conform to the 
requirements of the FASCSA. To prevent any such misinterpretation and 
mirror the language of the FASCSA more closely, the word ``directly'' 
has been removed from paragraphs (b)(4) and (c) of Sec.  201-1.303.
    Some commenters made broader or more general suggestions regarding 
FASC processes. One recommended that the FASC should require what it 
called ``standard due process trappings,'' including ``hearings, 
discovery, right to counsel, [and] the ability to appeal [to the] 
[F]ederal court system.'' No change to the interim rule has been made 
in response to this comment. The final rule, like the interim rule and 
the FASCSA statutory scheme, provides for due process by ensuring that 
affected sources will be notified of possible adverse action and given 
an opportunity to address the Federal Government's basis for such an 
action. The rule and the statutory scheme also provide for review by a 
Federal court of appeals of any exclusion or removal order resulting 
from a FASC recommendation. Discovery is not contemplated by the FASCSA 
and is not a ``standard due process'' element in judicial review based 
upon an administrative record. There is no due process right to counsel 
in civil matters. Mandating additional procedures such as a discovery 
process would make the FASC's proceedings considerably slower and more 
expensive, thereby impeding the Federal Government's ability to protect 
against serious cyber threats to its systems--a result that is contrary 
to the purposes of the FASCSA and would significantly undermine 
important Federal Government interests.
    Another commenter requested that the FASC afford the public the 
opportunity for comment before enacting new rules, and that an 
opportunity for appeal be given for ``measures targeting specific 
companies.'' The FASC has concluded that any applicable requirements of 
the Administrative Procedure Act are fully sufficient to address the 
public interests implicated by new rules. In addition, the FASCSA 
provides sources named in exclusion or removal orders the opportunity 
to appeal an order to a Federal court of appeals. 41 U.S.C. 1327(b). 
Because these requests are addressed by statute, the FASC has not 
modified the interim rule to address them.
    One commenter objected to the statement in the preamble to the 
interim rule that ``the FASC does not intend to publicly disclose 
communications with the source(s) except to the extent required by 
law,'' suggesting that it conflicted with provisions of the interim 
rule concerning the treatment of confidential information submitted by 
a source in response to a notice of a FASC recommendation. For the 
final rule, the relevant provision of the interim rule has been 
modified to clarify that confidential information submitted by a source 
is subject to the same degree of protection provided pursuant to new 
Sec.  201-1.201(d) for confidential information submitted voluntarily 
by NFEs.
    One commenter inquired about the timing of the FASC recommendation 
process, suggesting that the rule prescribe ``a reasonable timeline 
regarding when'' an exclusion or removal order is issued and ``when it 
will go into effect.'' The same commenter asserted that a source named 
in an exclusion or removal order should be afforded at least 60 days 
from the effective date of an order ``to respond to the FASC.'' This 
comment reflects a misunderstanding of the FASC process. The FASC does 
not issue exclusion or removal orders, and so a source has no reason to 
``respond to the FASC'' once such an order is issued. The FASC makes 
recommendations for the issuance of orders. Any sources named in a FASC 
recommendation will have the opportunity to respond to the FASC before 
an order may be issued. The FASC may alter or withdraw its 
recommendation based on a source's response. If the FASC chooses not to 
do so, then an appropriate official from DHS, DOD, or ODNI may issue an 
order based on the recommendation.
    Pursuant to 41 U.S.C. 1327, a source may request judicial review of 
an order within 60 days after being notified of its issuance. The 
ordering official, not the FASC, is responsible both for deciding the 
effective date of the order and for providing notification of the order 
to the source. 41 U.S.C. 1323(c)(5), (6). As a result, the FASC does 
not in the interim or the final rule attempt to constrain the ordering 
official's discretion as to the manner in which the effective date of 
an order is determined or in which notification of an order is issued 
to the source.
    The same commenter opined that the FASC should prescribe in the 
final rule ``a reasonable timeline'' for when a covered procurement 
action may be announced and when it may go into effect. Fact-specific 
considerations, such as the imminence of the risk posed by a source and 
the characteristics of the procurement at issue, will heavily influence 
the timeline for a covered procurement action. The final rule therefore 
allows authorized officials to determine an appropriate timeline on a 
case-by-case basis, rather than prescribing a single approach.
    The same commenter also suggested that the FASC should issue a 
preliminary recommendation, allow submission of a response by the 
affected source(s), and then issue a final recommendation. The final 
rule provides for such a process, although it does not label 
recommendations as ``preliminary'' or ``final.'' Instead, the
final rule includes a new provision at paragraph (c) of Sec.  201-
1.302, which makes clear that after the FASC issues a recommendation 
and the source submits a response, the FASC has the discretion to 
rescind the recommendation. The final rule thus makes explicit that, if 
a source demonstrates through its response to the FASC that a removal 
or exclusion order is unwarranted, the FASC may withdraw its 
recommendation.
    One commenter asked that the FASC clarify whether the FASC may 
release its recommendation even if no related exclusion or removal 
order is issued. The final rule addresses that issue in paragraph 
(f)(3) of Sec.  201-1.201, providing that if a recommendation is 
rescinded, or the relevant officials determine that no exclusion or 
removal order will be issued based upon it, the recommendation will be 
kept confidential and will not be released to entities, other than the 
source, outside of the Federal Government.
    Two commenters suggested that exclusion or removal orders should be 
narrowly tailored, or should incorporate a finding that the action 
ordered represents the least intrusive measure reasonably available to 
address a given supply chain risk. No change to the rule was made in 
response to these comments. As the interim rule did, the final rule 
requires the FASC to include in a recommendation for an exclusion or 
removal order ``a discussion of less intrusive measures that were 
considered and why such measures were not reasonably available to 
reduce supply chain risk.'' Sec.  201-1.301(a)(4). That requirement 
ensures that the FASC will consider the disruption that may result from 
a contemplated action, weigh it against the threat to be addressed, and 
issue a recommendation of appropriate scope.
    Several comments requested rule provisions establishing the nature 
and extent of contractors' and subcontractors' obligations under 
exclusion or removal orders. The FASC anticipates that such obligations 
will vary widely depending on the nature of the circumstances addressed 
by an exclusion or removal order. As a result, it is not feasible to 
attempt to prescribe those obligations categorically through this 
rulemaking. Instead, those obligations must be ascertained based upon 
the content of the order in question and any guidance issued by the 
ordering agency or the agencies implementing that order, as well as any 
applicable contract terms or procurement regulations.
    One commenter recommended that the FASC adopt a rule requiring the 
notification of prime contractors whenever a subcontractor is the 
subject of a recommendation. The FASC declines to follow that 
suggestion. If a FASC recommendation is not implemented through the 
issuance of one or more exclusion or removal orders, then there may 
never be a need for prime contractors to react to that recommendation. 
Furthermore, alerting primes to the issuance of a recommendation that 
may never yield an order may conflict with national security interests 
and/or the named source's interest in confidentiality.
    One commenter requested further detail on the manner in which an 
agency can obtain a waiver relieving it of obligations under an 
exclusion or removal order. The final rule includes a new paragraph in 
Sec.  201-1.304 that clarifies the waiver process. An agency seeking an 
exception to some or all of the requirements of an order must submit a 
request for that exception to the ordering official. The request must 
identify the relevant order and the covered article or source affected, 
describe precisely the exception sought, and provide a compelling 
justification for the grant of an exception as well as an account of 
any alternative risk reduction techniques the agency will employ in 
lieu of complying with the order. The official who issued the order has 
the authority to decide whether an exception will be granted.
3. Miscellaneous Comments
    Some commenters urged the FASC to adopt rule provisions creating a 
permanent or standardized relationship between the FASC and the private 
sector. Although the FASC recognizes that the private sector has a 
great deal of knowledge about and experience with supply chain risk 
analysis and mitigation, the final rule does not provide for a 
particular type of formal relationship or engagement with industry. The 
FASC is still in the early stages of its operations and requires 
further information--gained from experience--to determine the most 
effective ways to interact with the private sector. It is premature to 
prescribe regulations dictating the nature of that engagement at this 
time.
    Some comments suggested that the FASC rely upon an already existing 
task force housed within the Department of Homeland Security. Although 
the FASC certainly intends to draw upon the knowledge and experience of 
that task force to the extent feasible, the final rule does not mandate 
a role for it. The task force managed by the Department of Homeland 
Security is not a permanent entity. It would therefore be impractical 
to mandate a role for that task force in FASC operations.
    Other comments emphasized the numerous supply chain risk 
initiatives within the Federal Government and requested that the FASC 
make efforts to bring coherence to the standards and activities 
stemming from those various initiatives. The FASC recognizes that the 
Federal Government's supply chain risk management activities may 
benefit from greater consistency and coordination and intends to work 
toward those goals.
    Similarly, one comment urged the FASC to operate through an 
``inter-agency process'' that accounts for ``other supply chain-related 
laws, regulations, and risk mitigation measures.'' The FASC emphasizes 
that it is itself an interagency body drawing upon the efforts and 
resources of its constituent members. The final rule, like the interim 
rule, provides that the FASC will be supported by a FASC Task Force 
composed of SCRM experts drawn from across the Federal Government. 
Because the FASC's activities necessarily constitute an ``inter-agency 
process,'' no changes have been made to the interim rule in response to 
this comment.
    One commenter protested that exclusion or removal orders could have 
``disparate impacts'' on small businesses. But that commenter did not 
suggest any specific change that might address that putative problem 
while ensuring the FASC retained its ability to address supply chain 
risks. Both the interim and the final rule require the FASC to consider 
the intrusiveness of its recommendations; the effect of a recommended 
order on contractors, including small business, may be considered as 
appropriate as part of that analysis. As a result, no change to the 
rule has been made based on this comment.
    No change to the rule has been made in response to a comment 
asserting that complying with exclusion and removal orders is likely to 
be ``incredibly expensive'' to American companies. The FASC expects to 
weigh the burden likely to result from a recommended order against the 
anticipated benefit and would not lightly recommend an order that would 
be ``incredibly expensive'' either to the Federal Government or to the 
private sector. The final rule requires the FASC to include in a 
recommendation for an exclusion or removal order ``a discussion of less 
intrusive measures that were considered and why such measures were not 
reasonably available to reduce supply chain risk.'' That requirement 
will help to ensure that the costs of exclusion and 
removal orders are not disproportionate to the scale of the risk at 
issue.
    Finally, one commenter asserted that commercial products and 
commercial-off-the-shelf (COTS) items should be excluded from the reach 
of the FASC because addressing them through exclusion or removal orders 
would ``deprive government of significant innovation and the latest 
technologies.'' The FASC strongly disagrees with that recommendation. 
The ubiquity of commercial products and COTS items, not only within the 
Federal Government, but within the private sector as well, means that 
they are a frequent target of malicious actors seeking to find and 
capitalize upon technological vulnerabilities. Excluding those items 
from oversight by the FASC would undermine the Council's ability to 
reduce the Federal Government's exposure to supply chain risk. No 
changes have been made in response to this comment.

V. Procedural Requirements

    Executive Order 12866 (Classification): This final rule has been 
designated non-significant and therefore was not reviewed by the Office 
of Management and Budget under Executive Order 12866.
    Regulatory Flexibility Act: Because the FASC was not required to 
publish a notice of proposed rulemaking for either the interim rule or 
this final rule under 5 U.S.C. 553, no Regulatory Flexibility Analysis 
is required. See 5 U.S.C. 603(a), 604(a).
    Congressional Review Act: Pursuant to the Congressional Review Act, 
(5 U.S.C. 801 et seq.), the Office of Information and Regulatory 
Affairs designated this rule as not a ``major rule,'' as defined by 5 
U.S.C. 804(2).
    Unfunded Mandates Reform Act of 1995: This rule does not contain 
any unfunded mandate or significantly or uniquely affect small 
governments, as described in the Unfunded Mandates Reform Act of 1995.
    Executive Order 13132 (Federalism): This rule does not have 
Federalism implications as specified in Executive Order 13132.
    Executive Order 12630 (Governmental Actions and Interference with 
Constitutionally Protected Property Rights): This rule does not 
implement policies that have takings implications as identified in 
Executive Order 12630.
    Executive Order 13175 (Consultation and Coordination with Indian 
Tribes): The rule does not have tribal implications and will not impose 
substantial direct costs on tribal governments or preempt tribal law as 
specified by Executive Order 13175.
    National Environmental Policy Act: This rule does not require a 
detailed environmental analysis as the establishment and operation of 
FASC will not ``individually or cumulatively have a significant effect 
on the human environment'' (40 CFR 1508.4).

List of Subjects in 41 CFR Part 201-1

    Computer technology, Cybersecurity, Government procurement, 
Government technology, Information technology, National security, 
Security measures, Science and technology, Supply chain, Supply chain 
risk management.

Christopher DeRusha,
Chair, Federal Acquisition Security Council.

    For the reasons set out in the preamble, the FASC amends 41 CFR 
subtitles D and E as follows:

Subtitle D--Federal Acquisition Supply Chain Security

1. Revise the heading to subtitle D to read as set forth above.

2. Add chapter 201, consisting of part 201-1, to subtitle D to read as 
follows:

Chapter 201--FEDERAL ACQUISITION SECURITY COUNCIL

PART 201-1--GENERAL REGULATIONS

Subpart A--General
Sec.
201-1.100 Scope.
201-1.101 Definitions.
201-1.102 Federal Acquisition Security Council (FASC).
Subpart B--Supply Chain Risk Information Sharing
201-1.200 Information sharing agency (ISA).
201-1.201 Submitting information to the FASC.
Subpart C--Exclusion and Removal Orders
201-1.300 Evaluation of sources and covered articles.
201-1.301 Recommendation.
201-1.302 Notice of recommendation to source and opportunity to 
respond.
201-1.303 Issuance of orders and related activities.
201-1.304 Executive agency compliance with exclusion and removal 
orders.

    Authority: 41 U.S.C. 1321-1328, 4713.

Subpart A--General


Sec.  201-1.100  Scope.

    (a) Applicability. Except as provided in paragraph (b) of this 
section, this part applies to the following:
    (1) The membership and operations of the FASC, including all 
Federal Government and contractor personnel supporting the FASC's 
operations;
    (2) Submission and dissemination of supply chain risk information; 
and
    (3) Recommendations for, issuance of, and associated procedures 
related to removal orders and exclusion orders.
    (b) Clarification of scope. This part does not require the 
following:
    (1) Mandatory submission of supply chain risk information by non-
Federal entities; or
    (2) The removal or exclusion of any covered article by non-Federal 
entities, except to the extent that an exclusion or removal order 
issued pursuant to subpart C of this part applies to prime contractors 
and subcontractors to Federal agencies.


Sec.  201-1.101  Definitions.

    For the purposes of this part:
    Appropriate congressional committees and leadership means:
    (1) The Committee on Homeland Security and Governmental Affairs, 
the Committee on the Judiciary, the Committee on Appropriations, the 
Committee on Armed Services, the Committee on Commerce, Science, and 
Transportation, the Select Committee on Intelligence, and the majority 
and minority leader of the Senate; and
    (2) The Committee on Oversight and Government Reform, the Committee 
on the Judiciary, the Committee on Appropriations, the Committee on 
Homeland Security, the Committee on Armed Services, the Committee on 
Energy and Commerce, the Permanent Select Committee on Intelligence, 
and the Speaker and minority leader of the House of Representatives.
    Council or FASC means the Federal Acquisition Security Council.
    Covered article means any of the following:
    (1) Information technology, as defined in 40 U.S.C. 11101, 
including cloud computing services of all types;
    (2) Telecommunications equipment or telecommunications service, as 
those terms are defined in section 3 of the Communications Act of 1934 
(47 U.S.C. 153);
    (3) The processing of information on a Federal or non-Federal 
information system, subject to the requirements of the Controlled 
Unclassified Information program or subsequent U.S. Government program 
for controlling sensitive unclassified information; or
    (4) Hardware, systems, devices, software, or services that include 
embedded or incidental information technology.
    Covered procurement means:
    (1) A source selection for a covered article involving either a 
performance specification, as provided in subsection (a)(3)(B) of 41 
U.S.C. 3306, or an evaluation factor, as provided in subsection 
(b)(1)(A) of 41 U.S.C. 3306, 
relating to a supply chain risk, or where supply chain risk 
considerations are included in the executive agency's determination of 
whether a source is a responsible source;
    (2) The consideration of proposals for and issuance of a task or 
delivery order for a covered article, as provided in 41 U.S.C. 
4106(d)(3), where the task or delivery order contract includes a 
contract clause establishing a requirement relating to a supply chain 
risk;
    (3) Any contract action involving a contract for a covered article 
where the contract includes a clause establishing requirements relating 
to a supply chain risk; or
    (4) Any other procurement in a category of procurements determined 
appropriate by the Federal Acquisition Regulatory Council, with the 
advice of the FASC.
    Covered procurement action means any of the following actions, if 
the action takes place in the course of conducting a covered 
procurement:
    (1) The exclusion of a source that fails to meet qualification 
requirements established under 41 U.S.C. 3311, for the purpose of 
reducing supply chain risk in the acquisition or use of covered 
articles;
    (2) The exclusion of a source that fails to achieve an acceptable 
rating with regard to an evaluation factor providing for the 
consideration of supply chain risk in the evaluation of proposals for 
the award of a contract or the issuance of a task or delivery order;
    (3) The determination that a source is not a responsible source, 
based on considerations of supply chain risk; or
    (4) The decision to withhold consent for a contractor to 
subcontract with a particular source or to direct a contractor to 
exclude a particular source from consideration for a subcontract under 
the contract.
    Executive agency means:
    (1) An executive department specified in 5 U.S.C. 101;
    (2) A military department specified in 5 U.S.C. 102;
    (3) An independent establishment as defined in 5 U.S.C. 104(1); and
    (4) A wholly owned Government corporation fully subject to chapter 
91 of title 31, United States Code.
    Exclusion order means an order issued pursuant to 41 U.S.C. 
1323(c)(5) that requires the exclusion of one or more sources or 
covered articles from executive agency procurement actions.
    Information and communications technology means:
    (1) Information technology as defined in 40 U.S.C. 11101;
    (2) Information systems, as defined in 44 U.S.C. 3502; and
    (3) Telecommunications equipment and telecommunications services, 
as those terms are defined in section 3 of the Communications Act of 
1934 (47 U.S.C. 153).
    Information technology has the definition provided in 40 U.S.C. 
11101.
    Intelligence Community includes the following:
    (1) The Office of the Director of National Intelligence;
    (2) The Central Intelligence Agency;
    (3) The National Security Agency;
    (4) The Defense Intelligence Agency;
    (5) The National Geospatial-Intelligence Agency;
    (6) The National Reconnaissance Office;
    (7) Other offices within the Department of Defense for the 
collection of specialized national intelligence through reconnaissance 
programs;
    (8) The intelligence elements of the Army, the Navy, the Air Force, 
the Marine Corps, the Coast Guard, the Federal Bureau of Investigation, 
the Drug Enforcement Administration, and the Department of Energy;
    (9) The Bureau of Intelligence and Research of the Department of 
State;
    (10) The Office of Intelligence and Analysis of the Department of 
the Treasury;
    (11) The Office of Intelligence and Analysis of the Department of 
Homeland Security;
    (12) Such other elements of any department or agency as may be 
designated by the President, or designated jointly by the Director of 
National Intelligence and the head of the department or agency 
concerned, as an element of the Intelligence Community.
    National security system has the definition provided in 44 U.S.C. 
3552.
    Removal order means an order issued pursuant to 41 U.S.C. 
1323(c)(5) that requires the removal of one or more covered articles 
from executive agency information systems.
    Responsible source means a responsible prospective contractor and 
subcontractors, at any tier, as defined in part 9 of the Federal 
Acquisition Regulation (48 CFR part 9).
    Source means a non-Federal supplier, or potential supplier, of 
products or services, at any tier.
    Supply chain risk means the risk that any person may sabotage, 
maliciously introduce unwanted functionality, extract data, or 
otherwise manipulate the design, integrity, manufacturing, production, 
distribution, installation, operation, maintenance, disposition, or 
retirement of covered articles so as to surveil, deny, disrupt, or 
otherwise manipulate the function, use, or operation of the covered 
articles or information stored or transmitted by or through covered 
articles.
    Supply chain risk information includes, but is not limited to, 
information that describes or identifies:
    (1) Functionality and features of covered articles, including 
access to data and information system privileges;
    (2) The user environment where a covered article is used or 
installed;
    (3) The ability of a source to produce and deliver covered articles 
as expected;
    (4) Foreign control of, or influence over, a source or covered 
article (e.g., foreign ownership, personal and professional ties 
between a source and any foreign entity, legal regime of any foreign 
country in which a source is headquartered or conducts operations);
    (5) Implications to government mission(s) or assets, national 
security, homeland security, or critical functions associated with use 
of a source or covered article;
    (6) Vulnerability of Federal systems, programs, or facilities;
    (7) Market alternatives to the covered source;
    (8) Potential impact or harm caused by the possible loss, damage, 
or compromise of a product, material, or service to an organization's 
operations or mission;
    (9) Likelihood of a potential impact or harm, or the exploitability 
of a system;
    (10) Security, authenticity, and integrity of covered articles and 
their supply and compilation chain;
    (11) Capacity to mitigate risks identified;
    (12) Factors that may reflect upon the reliability of other supply 
chain risk information; and
    (13) Any other considerations that would factor into an analysis of 
the security, integrity, resilience, quality, trustworthiness, or 
authenticity of covered articles or sources.


Sec.  201-1.102  Federal Acquisition Security Council (FASC).

    (a) Composition. The following agencies and agency components shall 
be represented on the FASC:
    (1) Office of Management and Budget;
    (2) General Services Administration;
    (3) Department of Homeland Security;
    (4) Cybersecurity and Infrastructure Security Agency;
    (5) Office of the Director of National Intelligence;
    (6) National Counterintelligence and Security Center;
    (7) Department of Justice;
    (8) Federal Bureau of Investigation;
    (9) Department of Defense;
    (10) National Security Agency;
    (11) Department of Commerce;
    (12) National Institute of Standards and Technology; and
    (13) Any other executive agency, or agency component, as determined 
by the Chairperson of the FASC.
    (b) FASC information requests. The FASC may request such 
information from executive agencies as is necessary for the FASC to 
carry out its functions, including evaluation of sources and covered 
articles for purposes of determining whether to recommend the issuance 
of removal or exclusion orders, and the receiving executive agency 
shall provide the requested information to the fullest extent possible.
    (c) Consultation and coordination with other councils. The FASC 
will consult and coordinate, as appropriate, with other relevant 
councils and interagency committees, including the Chief Information 
Officers Council, the Chief Acquisition Officers Council, the Federal 
Acquisition Regulatory Council, and the Committee on Foreign Investment 
in the United States, with respect to supply chain risks posed by the 
acquisition and use of covered articles.
    (d) Program office and committees. The FASC may establish a program 
office and any committees, working groups, or other constituent bodies 
the FASC deems appropriate, in its sole and unreviewable discretion, to 
carry out its functions. Such a committee, working group, or other 
constituent body is authorized to perform any function lawfully 
delegated to it by the FASC.

Subpart B--Supply Chain Risk Information Sharing


Sec.  201-1.200  Information sharing agency (ISA).

    The Act requires the FASC to identify an appropriate executive 
agency--the FASC's information sharing agency (ISA)--to perform 
administrative information sharing functions on behalf of the FASC, as 
provided at 41 U.S.C. 1323(a)(3). The ISA facilitates and provides 
administrative support to a FASC supply chain and risk management Task 
Force, and serves as the liaison to the FASC on behalf of the Task 
Force, as the Task Force develops the processes under which the 
functions described in 41 U.S.C. 1323(a)(3) are implemented on behalf 
of the FASC. The Department of Homeland Security (DHS), acting 
primarily through the Cybersecurity and Infrastructure Security Agency, 
is named the appropriate executive agency to serve as the FASC's ISA. 
The ISA's administrative functions shall not be construed to limit or 
impair the authority or responsibilities of any other Federal agency 
with respect to information sharing.
    (a) Submission of information. Information should be submitted to 
the FASC by sending it to the ISA, acting on behalf of the FASC.
    (b) Receipt and dissemination functions. The ISA, the Task Force, 
and support personnel at the FASC member agencies will carry out 
administrative information receipt and dissemination functions on 
behalf of the FASC.
    (c) Interagency supply chain risk management task force. The FASC 
may identify members for an interagency supply chain risk management 
(SCRM) task force (the Task Force) to assist the FASC with implementing 
its information sharing, analysis, and risk assessment functions as 
described in 41 U.S.C. 1323(a)(3). The purpose of the Task Force is to 
allow the FASC to capitalize on the various supply chain risk 
management and information sharing efforts across the Federal 
enterprise. This Task Force includes technical experts in SCRM and 
related interdisciplinary experts from agencies identified in Sec.  
201-1.102 and any other agency, or agency component, the FASC 
Chairperson identifies. The ISA facilitates the efforts of, and provides 
administrative support to, the Task Force and periodically reports to 
the FASC on Task Force efforts.
    (d) Processes and procedures. The FASC will adopt and, as it deems 
necessary, revise:
    (1) Processes and procedures describing how the ISA operates and 
supports FASC recommendations issued pursuant to 41 U.S.C. 1323(c);
    (2) Processes and procedures describing how Federal and non-Federal 
entities must submit supply chain risk information (both mandatory and 
voluntary submissions of information) to the FASC, including any 
necessary requirements for information handling, protection, and 
classification;
    (3) Processes and procedures describing the requirements for the 
dissemination of classified, controlled unclassified, or otherwise 
protected information submitted to the FASC by executive agencies;
    (4) Processes and procedures describing how the ISA facilitates the 
sharing of information to support supply chain risk analyses under 41 
U.S.C. 1326, recommendations issued by the FASC, and covered 
procurement actions under 41 U.S.C. 4713;
    (5) Processes and procedures describing how the ISA will provide to 
the FASC and to executive agencies on behalf of the FASC information 
regarding covered procurement actions and any issued removal or 
exclusion orders; and
    (6) Any other processes and procedures determined by the FASC 
Chairperson.


Sec.  201-1.201  Submitting information to the FASC.

    (a) Requirements for submission of information. All submissions of 
information to the FASC must be accomplished through the processes and 
procedures approved by the FASC pursuant to Sec.  201-1.200. Any 
information submission to the FASC must comply with information sharing 
protections described in this subpart and be consistent with applicable 
law and regulations.
    (b) Mandatory information submission requirements. Executive 
agencies must expeditiously submit supply chain risk information to the 
ISA in accordance with guidance approved by the FASC pursuant to Sec.  
201-1.200 when:
    (1) The FASC requests information relating to a particular source, 
covered article, or covered procurement; or
    (2) An executive agency has determined there is a reasonable basis 
to conclude that a substantial supply chain risk exists in connection 
with a source or covered article. In such instances, the executive 
agency shall provide the FASC with relevant information concerning the 
source or covered article, including:
    (i) Supply chain risk information identified in the course of the 
agency's activities in furtherance of identifying, mitigating, or 
managing its supply chain risk;
    (ii) Supply chain risk information regarding any covered 
procurement actions by the agency under 41 U.S.C. 4713; and
    (iii) Supply chain risk information regarding any orders issued by 
the agency under 41 U.S.C. 1323.
    (c) Voluntary information submission. All Federal and non-Federal 
entities may voluntarily submit to the FASC information relevant to 
SCRM, covered articles, sources, or covered procurement actions.
    (d) Information protections--Federal agency submissions. To the 
extent that the law requires the protection of information submitted to 
the FASC, agencies providing such information must ensure that it bears 
proper markings to indicate applicable handling, dissemination, or use 
restrictions. Agencies shall also comply with any relevant handling, 
dissemination, or use requirements, including but not limited to the 
following:
    (1) For classified information, the transmitting agency shall 
ensure that information is provided to designated ISA personnel who 
have an appropriate security clearance and a need to know the 
information. The ISA, Task Force, and the FASC will handle such 
information consistent with the applicable restrictions and the 
relevant processes and procedures adopted pursuant to Sec.  201-1.200.
    (2) With respect to controlled unclassified or otherwise protected 
unclassified information, the transmitting agency, the FASC, the ISA, 
and the Task Force will handle the information in a manner consistent 
with the markings applied to the information and the relevant processes 
and procedures adopted pursuant to Sec.  201-1.200.
    (e) Information protections--submissions by non-Federal entities. 
Information voluntarily submitted to the FASC by a non-Federal entity 
shall be subject to the following provisions:
    (1) Supply chain risk information not otherwise publicly or 
commercially available that is voluntarily submitted to the FASC by 
non-Federal entities and marked ``Confidential and Not to Be Publicly 
Disclosed'' will not be released to the public, including pursuant to a 
request under 5 U.S.C. 552, except to the extent required by law.
    (2) Notwithstanding paragraph (e)(1) of this section, the FASC may, 
to the extent permitted by law, and subject to appropriate handling and 
confidentiality requirements as determined by the FASC, disclose the 
supply chain risk information referenced in paragraph (e)(1) in the 
following circumstances:
    (i) Pursuant to any administrative or judicial proceeding;
    (ii) Pursuant to a request from any duly authorized committee or 
subcommittee of Congress;
    (iii) Pursuant to a request from any domestic governmental entity 
or any foreign governmental entity of a United States ally or partner, 
but only to the extent necessary for national security purposes;
    (iv) Where the non-Federal entity that submitted the information 
has consented to disclosure; or
    (v) For any other purpose authorized by law.
    (3) This paragraph (e) shall continue to apply to supply chain risk 
information referenced in paragraph (e)(1) even after the FASC issues a 
recommendation for exclusion or removal pursuant to 41 U.S.C. 1323.
    (f) Dissemination of information by the FASC. The FASC may, in its 
sole discretion, disclose its recommendations and any supply chain risk 
information relevant to those recommendations to Federal or non-Federal 
entities if the FASC determines that such sharing may facilitate 
identification or mitigation of supply chain risk, and disclosure is 
consistent with the following paragraphs:
    (1) The FASC may maintain its recommendations and any supply chain 
risk information as nonpublic, to the extent permitted by law, or 
release such information to impacted entities and appropriate 
stakeholders. The FASC shall have discretion to determine the 
circumstances under which information will be released, as well as the 
timing of any such release, the scope of the information to be 
released, and the recipients to whom information will be released.
    (2) Any release by the FASC of recommendations or supply chain risk 
information will be in accordance with 41 U.S.C. 1323 and the 
provisions of this subpart.
    (3) The FASC will not release a recommendation to a non-Federal 
entity, other than a source named in the recommendation, unless an 
exclusion or removal order has been issued based on that 
recommendation, and the named source has been notified.
    (4) The FASC (including the ISA, Task Force, and any other FASC 
constituent bodies) shall comply with applicable limitations on 
dissemination of supply chain risk information submitted pursuant to 
this subpart, including but not limited to the following restrictions:
    (i) Controlled Unclassified Information, such as Law Enforcement 
Sensitive, Proprietary, Privileged, or Personally Identifiable 
Information, may only be disseminated in compliance with the 
restrictions applicable to the information and in accordance with the 
FASC's processes and procedures for disseminating controlled 
unclassified information as required by this part.
    (ii) Classified Information may only be disseminated consistent 
with the restrictions applicable to the information and in accordance 
with the FASC's processes and procedures for disseminating classified 
information as required by this part.

Subpart C--Exclusion and Removal Orders


Sec.  201-1.300  Evaluation of sources and covered articles.

    (a) Referral procedure. The FASC may commence an evaluation of a 
source or covered article in any of the following ways:
    (1) Upon the referral of the FASC or any member of the FASC;
    (2) Upon the request, in writing, of the head of an executive 
agency or a designee, accompanied by a submission of relevant 
information; or
    (3) Based on information submitted to the FASC by any Federal or 
non-Federal entity that the FASC deems, in its discretion, to be 
credible.
    (b) Relevant factors. In evaluating sources and covered articles, 
the FASC will analyze available information and consider, as 
appropriate, any relevant factors contained in the following non-
exclusive list:
    (1) Functionality and features of the covered article, including 
the covered article's or source's access to data and information system 
privileges;
    (2) The user environment in which the covered article is used or 
installed;
    (3) Security, authenticity, and integrity of covered articles and 
associated supply and compilation chains, including for embedded, 
integrated, and bundled software;
    (4) The ability of the source to produce and deliver covered 
articles as expected;
    (5) Ownership of, control of, or influence over the source or 
covered article(s) by a foreign government or parties owned or 
controlled by a foreign government, or other ties between the source 
and a foreign government, which may include the following 
considerations:
    (i) Whether a Federal agency has identified the country as a 
foreign adversary or country of special concern;
    (ii) Whether the source or its component suppliers have 
headquarters, research, development, manufacturing, testing, packaging, 
distribution, or service facilities or other operations in a foreign 
country, including a country of special concern or a foreign adversary;
    (iii) Personal and professional ties between the source--including 
its officers, directors or similar officials, employees, consultants, 
or contractors--and any foreign government; and
    (iv) Laws and regulations of any foreign country in which the 
source has headquarters, research, development, manufacturing, testing, 
packaging, distribution, or service facilities or other operations.
    (6) Implications for government missions or assets, national 
security, homeland security, or critical functions associated with use 
of the source or covered article;
    (7) Potential or existing threats to or vulnerabilities of Federal 
systems, programs or facilities, including the potential for 
exploitability;

[[Page 47591]]

    (8) Capacity of the source or the U.S. Government to mitigate 
risks;
    (9) Credibility of and confidence in available information used for 
assessment of risk associated with proceeding, with using alternatives, 
and/or with enacting mitigation efforts;
    (10) Any transmission of information or data by a covered article 
to a country outside of the United States; and
    (11) Any other information that would factor into an assessment of 
supply chain risk, including any impact to agency functions, and other 
information as the FASC deems appropriate.
    (c) Foreign Ownership. Nothing in this section shall be construed 
to authorize the issuance of an exclusion or removal order based solely 
on the fact of the foreign ownership of a potential procurement source 
that is otherwise qualified to enter into procurement contracts with 
the Federal Government.
    (d) Due Diligence. As part of the analysis performed pursuant to 
paragraph (b) of this section, the FASC will conduct appropriate due 
diligence. Such due diligence may include, but need not be limited to, 
the following actions:
    (1) Reviewing any information the FASC considers appropriate; and
    (2) Assessing the reliability of the information considered.
    (e) Consultation with NIST. NIST will participate in FASC 
activities as a member and will advise the FASC on NIST standards and 
guidelines issued under 40 U.S.C. 11331.


Sec.  201-1.301  Recommendation.

    (a) Content of recommendation. The FASC shall include the following 
in any recommendation for the issuance of an exclusion or removal order 
made to the Secretary of Homeland Security, Secretary of Defense, and/
or Director of National Intelligence:
    (1) Information necessary to positively identify any source or 
covered article recommended for exclusion or removal;
    (2) Information regarding the scope and applicability of the 
recommended exclusion or removal order, including whether the order 
should apply to all executive agencies or a subset of executive 
agencies;
    (3) A summary of the supply chain risk assessment reviewed or 
conducted in support of the recommended exclusion or removal order, 
including significant conflicting or contrary information, if any;
    (4) A summary of the basis for the recommendation, including a 
discussion of less intrusive measures that were considered and why such 
measures were not reasonably available to reduce supply chain risk;
    (5) A description of the actions necessary to implement the 
recommended exclusion or removal order; and,
    (6) Where practicable, in the FASC's sole and unreviewable 
discretion, a description of the mitigation steps that could be taken 
by the source that may result in the FASC's rescission of the 
recommendation.
    (b) Information sharing in the absence of a recommendation: If the 
FASC decides not to issue a recommendation, information received and 
analyzed pursuant to the procedures in this section may be shared, as 
appropriate, in accordance with subpart B of this part.


Sec.  201-1.302  Notice of recommendation to source and opportunity to 
respond.

    (a) Notice to source. The FASC shall provide a notice of its 
recommendation to any source named in the recommendation.
    (b) Content of notice. The notice under paragraph (a) of this 
section shall advise the source:
    (1) That a recommendation has been made;
    (2) Of the criteria the FASC relied upon and, to the extent 
consistent with national security and law enforcement interests, the 
information that forms the basis for the recommendation;
    (3) That, within 30 days after receipt of the notice, the source 
may submit information and argument in opposition to the 
recommendation;
    (4) Of the procedures governing the review and possible issuance of 
an exclusion or removal order; and
    (5) Where practicable, in the FASC's sole and unreviewable 
discretion, a description of the mitigation steps that could be taken 
by the source that may result in the FASC rescinding the 
recommendation.
    (c) Submission of response by source and potential rescission of 
recommendation. Subject to any applicable procedures or processes 
developed by the FASC, and in accordance with any instructions provided 
to the source pursuant to paragraph (b) of this section, a source may 
submit to the ISA information or argument in opposition to a FASC 
recommendation. If a source submits information or argument in 
opposition:
    (1) The ISA will convey the source's submission to the FASC and any 
appropriate constituent bodies and to the Secretary of Homeland 
Security, the Secretary of Defense, and the Director of National 
Intelligence.
    (2) Upon receipt of such information or argument in opposition, the 
FASC may rescind the recommendation if the FASC, consistent with the 
sole and unreviewable discretion provided in paragraph (b)(5) of this 
section:
    (i) Determines that the source has undertaken sufficient mitigation 
to reduce supply chain risk to an acceptable level; or
    (ii) Decides that other grounds justify rescission.
    (3) In the event that the FASC rescinds its recommendation, the ISA 
will communicate that decision to the source. The ISA will notify the 
Secretary of Homeland Security, the Secretary of Defense, and the 
Director of National Intelligence of the rescission, and provide those 
officials with a summary of the FASC's reasoning.
    (d) Confidentiality of notice issued to source. U.S. Government 
personnel shall:
    (1) Keep confidential and not make available outside of the 
executive branch, except to the extent required by law, any notice 
issued to a source under paragraph (a) of this section until an 
exclusion order or removal order is issued and the source has been 
notified; and
    (2) Keep confidential and not make available outside of the 
executive branch, except to the extent required by law, any notice 
issued to a source under paragraph (a) of this section if the FASC 
rescinds the associated recommendation or the Secretary of Homeland 
Security, Secretary of Defense, and Director of National Intelligence, 
as applicable, decide not to issue the recommended order.
    (e) Confidentiality of information submitted by source. Information 
not otherwise publicly or commercially available that is submitted to 
the FASC by a source pursuant to paragraph (c) of this section and 
marked ``Confidential and Not to Be Publicly Disclosed'' will not be 
released to the public, including pursuant to a request under 5 U.S.C. 
552, except to the extent required by law. That general rule 
notwithstanding, such information may be released as provided in Sec.  
201-1.201(d)(2).


Sec.  201-1.303  Issuance of orders and related activities.

    (a) Consideration of recommendation and issuance of orders. The 
Secretary of Homeland Security, the Secretary of Defense, and the 
Director of National Intelligence shall each review the FASC's 
recommendation, any accompanying information and materials provided 
pursuant to Sec.  201-1.301, and any information submitted by a source 
pursuant to Sec.  201-1.302, and determine whether to issue an 
exclusion or removal order based upon the recommendation.

[[Page 47592]]

    (b) Administrative record. The administrative record for judicial 
review of an exclusion or removal order issued pursuant to 41 U.S.C. 
1323(c)(6) shall, subject to the limitations set forth in 41 U.S.C. 
1327(b)(4)(B)(ii) through (v), consist only of:
    (1) The recommendation issued pursuant to 41 U.S.C. 1323(c)(2);
    (2) The notice of recommendation issued pursuant to 41 U.S.C. 
1323(c)(3);
    (3) Any information and argument in opposition to the 
recommendation submitted by the source pursuant to 41 U.S.C. 
1323(c)(3)(C);
    (4) The exclusion or removal order issued pursuant to 41 U.S.C. 
1323(c)(5), and any information or materials relied upon by the 
deciding official in issuing the order; and
    (5) The notification to the source issued pursuant to 41 U.S.C. 
1323(c)(6)(A).
    (6) Other information. Other information or material collected by, 
shared with, or created by the FASC or its member agencies shall not be 
included in the administrative record unless the deciding official 
relied on that information or material in issuing the exclusion or 
removal order.
    (d) Issuing officials. Exclusion or removal orders may be issued as 
follows:
    (1) The Secretary of Homeland Security may issue removal or 
exclusion orders applicable to civilian agencies, to the extent not 
covered by paragraph (d)(2) or (3) of this section.
    (2) The Secretary of Defense may issue removal or exclusion orders 
applicable to the Department of Defense and national security systems 
other than sensitive compartmented information systems.
    (3) The Director of National Intelligence may issue removal or 
exclusion orders applicable to the Intelligence Community and sensitive 
compartmented information systems, to the extent not covered by 
paragraph (d)(2) of this section.
    (4) The officials identified in paragraphs (d)(1) through (3) of 
this section may not delegate the authority to issue exclusion and 
removal orders to an official below the level one level below the 
Deputy Secretary or Principal Deputy Director level, except that the 
Secretary of Defense may delegate authority for removal orders to the 
Commander of U.S. Cyber Command, who may not re-delegate such authority 
to an official below the level of the Deputy Commander.
    (e) Applicability of issued orders to non-Federal entities. An 
exclusion or removal order may affect non-Federal entities, including 
as follows:
    (1) An exclusion order may require the exclusion of sources or 
covered articles from any executive agency procurement action, 
including but not limited to source selection and consent for a 
contractor to subcontract. To the extent required by the exclusion 
order, agencies shall exclude the source or covered articles, as 
applicable, from being supplied by any prime contractor and 
subcontractor at any tier.
    (2) A removal order may require removal of a covered article from 
an executive agency information system owned and operated by an agency; 
from an information system operated by a contractor on behalf of an 
agency; and from other contractor information systems to the extent 
that the removal order applies to contractor equipment or systems 
within the scope of ``information technology,'' as defined in Sec.  
201-1.101.
    (f) Notification of order issuance. The official who issues an 
exclusion or removal order:
    (1) Shall, upon issuance of an exclusion or removal order pursuant 
to paragraph (a) of this section:
    (i) Notify any source named in the order of the order's issuance, 
and to the extent consistent with national security and law enforcement 
interests, of the information that forms the basis for the order;
    (ii) Provide classified or unclassified notice of the order to the 
appropriate congressional committees and leadership;
    (iii) Provide the order to the ISA; and
    (iv) Notify the Interagency Suspension and Debarment Committee of 
the order.
    (2) May provide a copy of the order to other persons, including 
through public disclosure, as the official deems appropriate and to the 
extent consistent with national security and law enforcement interests.
    (g) Removal from Federal supply contracts. If the officials 
identified in paragraphs (d)(1) through (3) of this section, or their 
delegates, issue orders collectively resulting in a Government-wide 
exclusion, the Administrator for General Services and officials at 
other executive agencies responsible for management of the Federal 
Supply Schedules, Government-wide acquisition contracts, and multi-
agency contracts shall facilitate implementation of such orders by 
removing the covered articles or sources identified in the orders from 
such contracts.
    (h) Annual review of issued orders. The officials identified in 
paragraphs (d)(1) through (3) of this section shall review all issued 
exclusion and removal orders not less frequently than annually pursuant 
to procedures established by the FASC.
    (i) Modification or rescission of issued orders. The officials 
identified in paragraphs (d)(1) through (3) of this section may modify 
or rescind an issued exclusion or removal order, provided that a 
modified order shall not apply more broadly than the order before the 
modification.


Sec.  201-1.304  Executive agency compliance with exclusion and removal 
orders.

    (a) Agency compliance. Executive agencies shall:
    (1) Comply with exclusion and removal orders issued pursuant to 
Sec.  201-1.303 and applicable to their agency, as required by 41 
U.S.C. 1323(c)(7) and 44 U.S.C. 3554(a)(1)(B); and
    (2) Comply with handling and/or dissemination restrictions placed 
upon the order or its contents by the issuing official.
    (b) Exceptions to issued exclusion and removal orders. An executive 
agency required to comply with an exclusion or removal order may submit 
to the issuing official a request to be excepted from the order's 
provisions. The requesting agency:
    (1) May ask to be excepted from some or all of the order's 
requirements. The agency may ask, for example, that the order not apply 
to the agency, to specific actions of the agency, or to actions of the 
agency for a period of time before compliance with the order is 
practicable.
    (2) Shall submit the request in writing and include in it all 
necessary information for the issuing official to review and evaluate 
it, including--
    (i) Identification of the applicable exclusion order or removal 
order;
    (ii) A description of the exception sought, including, if limited 
to only a portion of the order, a description of the order provisions 
from which an exception is sought;
    (iii) The name or a description sufficient to identify the covered 
article or the product or service provided by a source that is subject 
to the order from which an exception is sought;
    (iv) Compelling justification for why an exception should be 
granted, such as the impact of the order on the agency's ability to 
fulfill its mission-critical functions, or considerations related to 
the national interest, including national security reviews, national 
security investigations, or national security agreements;
    (v) Any alternative mitigations to be undertaken to reduce the 
risks addressed by the exclusion or removal order; and

[[Page 47593]]

    (vi) Any other information requested by the issuing official.

Subtitle E [Removed and reserved]

3. Remove and reserve subtitle E.

[FR Doc. 2021-17532 Filed 8-25-21; 8:45 am]
BILLING CODE 3110-05-P