[Federal Register Volume 88, Number 192 (Thursday, October 5, 2023)]
[Rules and Regulations]
[Pages 69503-69517]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-21320]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 1, 4, 9, 13, 39, and 52
[FAC 2023-06; FAR Case 2020-011; Item I; Docket No. FAR-2020-0011,
Sequence No. 1]
RIN 9000-AO13
Federal Acquisition Regulation: Implementation of Federal
Acquisition Supply Chain Security Act (FASCSA) Orders
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Interim rule.
-----------------------------------------------------------------------
SUMMARY: DoD, GSA, and NASA are issuing an interim rule amending the
Federal Acquisition Regulation (FAR) to implement supply chain risk
information sharing and exclusion or removal orders consistent with the
Federal Acquisition Supply Chain Security Act of 2018 and a final rule
issued by the Federal Acquisition Security Council.
DATES:
Effective date: December 4, 2023.
Applicability: The FAR changes apply to solicitations issued on or
after December 4, 2023 in accordance with FAR 1.108(d).
For existing indefinite delivery contracts only, contracting
officers shall modify them, in accordance with FAR 1.108(d), to include
the FAR clause at 52.204-30, Federal Acquisition Supply Chain Security
Act Orders-Prohibition (including any applicable alternate) within 6
months of December 4, 2023, to apply to future orders. However, for
Federal Supply Schedules, Governmentwide Acquisition Contracts, and
Multi-Agency Contracts, if the FASCSA orders are going to be applied at
the order level, then FAR clause 52.204-28 should be included instead,
within 6 months of December 4, 2023.
If exercising an option or modifying an existing contract or task
or delivery order to extend the period of performance, contracting
officers shall include the FAR clause at 52.204-30, Federal Acquisition
Supply Chain Security Act Orders-Prohibition (including any applicable
alternate). When exercising an option, agencies should consider
modifying the existing contract to add the clause in a sufficient
amount of time to both provide notice for exercising the option and to
provide contractors with adequate time to comply with the clause.
Comment date: Interested parties should submit written comments to
the Regulatory Secretariat Division at the address shown below on or
before December 4, 2023 to be considered in the formation of the final
rule.
ADDRESSES: Submit comments in response to FAC 2023-06, FAR Case 2020-
011 to the Federal eRulemaking portal at https://www.regulations.gov by
searching for ``FAR Case 2020-011''. Select the link ``Comment Now''
that corresponds with FAR Case 2020-011. Follow the instructions
provided on the ``Comment Now'' screen. Please include your name,
company name (if any), and ``FAR Case 2020-011'' on your attached
document. If your comment cannot be submitted using https://www.regulations.gov, call or email the points of contact in the FOR
FURTHER INFORMATION CONTACT section of this document for alternate
instructions.
Instructions: Please submit comments only and cite ``FAR Case 2020-
011'' in all correspondence related to this case. Comments received
generally will be posted without change to https://www.regulations.gov,
including any personal and/or business confidential information
provided. Public comments may be submitted as an individual, as an
organization, or anonymously (see frequently asked questions at https://www.regulations.gov/faq). To confirm receipt of your comment(s),
please check https://www.regulations.gov, approximately two to three
days after submission to verify posting.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Ms. Marissa Ryba, Procurement Analyst, at 314-586-1280 or by email at
[email protected]. For information pertaining to status, publication
schedules, or alternate instructions for submitting comments if https://www.regulations.gov cannot be used, contact the Regulatory Secretariat
Division at 202-501-4755 or [email protected]. Please cite FAC 2023-06,
FAR Case 2020-011.
SUPPLEMENTARY INFORMATION:
I. Background
This interim rule revises the FAR to implement section 202 of the
Federal Acquisition Supply Chain Security Act of 2018 (Title II of the
SECURE Technology Act, Pub. L. 115-390, Dec. 21, 2018), and a final
rule issued by the Federal Acquisition Security Council (FASC) (August
26, 2021, 86 FR 47581, effective September 27, 2021).
Foreign adversaries are increasingly creating and exploiting
vulnerabilities in information and communications technology to commit
malicious cyber-enabled actions, including economic and industrial
espionage against the United States and its citizens. Vulnerabilities
may be introduced during any phase of the product or service life
cycle, including: design, development and production, distribution,
acquisition and deployment, maintenance, and disposal. These
vulnerabilities can include the incorporation of malicious software,
hardware, and counterfeit components; flawed product designs; and poor
manufacturing processes and maintenance procedures.
The U.S. Government's efforts to evaluate threats to and
vulnerabilities in supply chains have historically been undertaken by
individual or small groups of agencies to address specific supply chain
security risks. Because of the scale of supply chain risks faced by
Government agencies, and the need for better coordination among a
broader group of agencies, there was an organized effort within the
Executive
[[Page 69504]]
branch to support Congressional efforts in 2018 to pass new legislation
to improve Executive branch coordination, supply chain information
sharing, and actions to address supply chain risks.
Title II of the SECURE Technology Act, also referred to as the
Federal Acquisition Supply Chain Security Act of 2018, established the
Federal Acquisition Security Council (FASC) and authorized it to
perform a variety of functions, including making recommendations for
orders that would require the removal of covered articles from
executive agency information systems or the exclusion of sources or
covered articles from executive agency procurement actions. The FASC is
an Executive branch interagency council, which is chaired by a senior-
level official from the Office of Management and Budget (OMB). The FASC
includes representatives from GSA; Department of Homeland Security
(DHS); Office of the Director of National Intelligence; DoD; Department
of Justice (DOJ); and Department of Commerce (Commerce).
The FASC issued a final rule adding 41 CFR part 201-1, which
implements the Federal Acquisition Supply Chain Security Act of 2018
requirements. The FASC final rule establishes procedures that govern
the operation of the FASC, the sharing of supply chain risk
information, the exercise of its authorities to recommend issuance of
orders requiring removal of covered articles from information systems
(removal orders), and orders excluding sources or covered articles from
future procurements (exclusion orders) that pose a risk to our nation's
supply chain. This rule refers to both exclusion and removal orders as
``FASCSA orders''.
Under the FASC final rule, the FASC will evaluate sources and/or
covered articles by addressing a common set of non-exclusive factors
that are listed in the FASC final rule. Initiation of the process can
begin either by referral of the FASC or any member of the FASC; upon
the written request of any U.S. Government body; or based on
information submitted to the FASC by any individual or non-Federal
entity that the FASC determines to be credible.
The FASC will conduct appropriate due diligence regarding the
information that it is considering. If the FASC does not find that
recommending a removal or exclusion order is warranted, risk
information received and analyzed by the FASC may be shared, as
appropriate, in accordance with the FASC final rule. If the FASC
decides to issue a recommendation, that recommendation will provide
relevant information and analysis for the Secretary of Homeland
Security, the Secretary of Defense, and/or the Director of National
Intelligence (DNI), as appropriate, to consider when deciding whether
to issue a FASCSA order.
Executive agencies must share relevant supply chain risk
information. DHS, acting primarily through the Cybersecurity and
Infrastructure Security Agency (CISA), is the information sharing
agency (ISA), which will share and disseminate information within the
FASC, and other Federal and non-Federal entities, as appropriate.
Collectively, the information sharing requirements and
implementation of FASCSA orders will address risks in supply chains by
reducing or removing threats and vulnerabilities that may lead to data
and intellectual property theft, damage to critical infrastructure,
harm to Federal information systems, and otherwise degrade our national
security. This rule will also help make Government supply chains and
information systems more resilient and less subject to disruptions that
could impact Government operations.
II. Discussion and Analysis
A. Overview of Rule
This interim rule implements within the FAR the requirements of the
Federal Acquisition Supply Chain Security Act of 2018 and the Federal
Acquisition Security Council (FASC) final rule for complying with
exclusion or removal orders and sharing certain supply chain risk
information. Once an order recommended by the FASC is issued by the
Secretary of Homeland Security, the Secretary of Defense, and/or the
Director of National Intelligence, affected Executive agencies are
required to implement the order.
As referred to in this rule, the term FASCSA order may refer to
either an exclusion order or removal order. An exclusion order is
applicable during the process for awarding a new contract or task or
delivery order, as it excludes from the offered supplies or services
any products or services subject to a FASCSA order. A removal order
requires removal of any products or services from an executive agency
information system subject to a FASCSA order. In some instances, a
contracting officer may incorporate a contract term to require
compliance with a FASCSA order issued after award via a modification
that incorporates FAR clause 52.204-28, Federal Acquisition Supply
Chain Security Act Orders-Federal Supply Schedules, Governmentwide
Acquisition Contracts, and Multi-Agency Contracts, or FAR clause
52.204-30, Federal Acquisition Supply Chain Security Act Orders-
Prohibition.
As a result of this interim rule, contracting officers will now
have established procedures to implement FASCSA orders in existing and
new Federal contracts and to share relevant information on potential
supply chain risk. These procedures reduce exploitations of
vulnerabilities, in turn making the supply chain more resilient.
Contractors and offerors will also play a key role in this process
by remaining current on FASCSA orders identified in the solicitation
and contract. When an offeror submits a new offer in response to a
contract solicitation containing the new requirement, the offeror will
represent, after conducting a reasonable inquiry, that the offeror does
not propose to provide or use any prohibited covered articles or
products or services subject to a FASCSA order. These measures are
necessary to build resilience in Government supply chains. Further
procedures allow an offeror to disclose where they cannot comply with a
FASCSA order. The purpose for this disclosure is so that the Government
may decide whether to pursue a waiver.
Throughout contract performance, contractors will be required to
report to the contracting officer once they become aware that a covered
article or product or service subject to a FASCSA order has been
delivered to the Government or used in performance of the contract.
This reporting requirement applies not just to FASCSA orders
incorporated into the contract, but also to new FASCSA orders issued
after contract award or added to the contract through modification.
Reporting this information to the contracting officer will provide the
Government the needed information to assess the risk and make a
determination on how to proceed.
B. Part 1 Updates
The OMB control number for the new information collection required
by this interim rule is being added to FAR 1.106.
C. Part 4 Updates
A new FAR subpart 4.23 titled Federal Acquisition Security Council
is being added to implement requirements for FASCSA orders and supply
chain risk information sharing.
FAR 4.2301 provides definitions in accordance with the FASC final
rule.
FAR 4.2302 requires the contracting officer to work with the
cognizant program office or requiring activity in accordance with
agency procedures to share relevant supply chain risk information with
the FASC if there is a reasonable basis to conclude there exists
[[Page 69505]]
a substantial supply chain risk associated with a source or covered
article.
FAR 4.2303 identifies the requirements for Executive agencies to
implement FASCSA orders when they are issued by the Secretary of
Homeland Security, the Secretary of Defense, or the Director of
National Intelligence. FASCSA orders for sources or covered articles
will be searchable within the System for Award Management (SAM) to make
it easier for contractors and Government to identify the products and
services subject to a FASCSA order; however, in rare cases additional
FASCSA orders, not identified in SAM, will be identified in the
solicitation.
If a covered article or the source is subject to a Governmentwide
FASCSA order, this section directs Executive agencies responsible for
management of the Federal Supply Schedules, Governmentwide acquisition
contracts, and multi-agency contracts to remove the covered articles or
sources identified in the FASCSA order from such contracts.
FAR 4.2304 provides the procedures for a contracting officer to
follow when completing the clause at FAR 52.204-30 identifying
applicable FASCSA orders and when a solicitation or contract may be
updated to incorporate additional FASCSA orders. In the rare case when
a FASCSA order is identified outside of SAM, Executive agencies must
follow agency procedures.
Additional specific procedures are outlined for Federal Supply
Schedules, Governmentwide acquisition contracts, multi-agency contracts
or any other procurement instrument intended for use by multiple
agencies. An agency awarding this type of vehicle may decide to apply
FASCSA orders in the basic contract or the task order or delivery
order.
This section further provides the contracting officer with
procedures to determine whether to pursue a waiver, how to identify a
full or partial waiver in the solicitation, and who to work with when a
contractor submits a report identifying covered articles or sources
subject to a FASCSA order.
FAR 4.2305 identifies the procedures for an agency to submit a
waiver request that includes all necessary information for the official
who issued the FASCSA order (issuing official) to review and evaluate
the request, including alternative mitigations to the risks addressed
by the order and the ability of an agency to fulfill its mission
critical functions. Agencies may reasonably choose not to pursue a
waiver and to make award to an offeror that does not require a waiver
in accordance with the procedures at 4.2304.
FAR 4.2306 prescribes new provision at FAR 52.204-29, Federal
Acquisition Supply Chain Security Act Orders-Representation and
Disclosures, and two new clauses, FAR 52.204-28, Federal Acquisition
Supply Chain Security Act Orders-Federal Supply Schedules,
Governmentwide Acquisition Contracts, and Multi-Agency Contracts, and
FAR 52.204-30, Federal Acquisition Supply Chain Security Act Orders-
Prohibition.
The terms ``covered article'' and ``covered entity'' in FAR 4.2001
and the clause at FAR 52.204-23 are updated to ``Kaspersky Lab covered
article'' and ``Kaspersky Lab covered entity'' to avoid confusion with
the definition of a covered article excluded or removed under the
authority of an issuing official. The definition of ``Kaspersky Lab
covered entity'' was updated to reference the recently adopted name
Kaspersky.
D. Part 9 Updates
Clarification is added at FAR 9.400 that FASCSA orders are covered
at FAR subpart 4.23. FAR subpart 9.4 covers debarment and suspension,
and exclusions.
E. Part 13 Updates
FAR 13.201 is updated to include the prohibition on covered
articles and sources subject to a FASCSA order for micro-purchases.
F. Part 39 Updates
The prohibition is being added to FAR 39.101 to ensure members of
the acquisition workforce working on information technology
procurements are aware of the prohibition.
G. Part 52 Updates
In addition to the name changes discussed in Part 4, the clause at
FAR 52.204-23 is updated to change the reporting time frame for the
initial report from 1 business day to 3 business days to align with the
reporting time frame at FAR 52.204-30(c)(4) and provide sufficient time
for contractors to submit a report.
The new provision at FAR 52.204-29, Federal Acquisition Supply
Chain Security Act Orders-Representation and Disclosures, is added
prohibiting contractors from providing any covered article, or any
products or services produced or provided by a source, including
contractor use of covered articles or sources, if the covered article
or the source is subject to an applicable FASCSA order identified in
the clause at FAR 52.204-30(b)(1). Contractors must search for FASCSA
orders in SAM. To locate the FASCSA orders in SAM, contractors can
search by entity information using the search term ``FASCSA order'' to
locate all FASCSA orders or only those that apply to the solicitation.
Details about the FASCSA orders will be in the additional comments
field. FASCSA orders issued after the date of solicitation are not
effective unless the solicitation is amended. In rare cases, a FASCSA
order may be identified in the solicitation, and not in SAM.
By submitting an offer, an offeror is representing that it has
conducted a reasonable inquiry and is not providing any covered
article, or any products or services subject to an applicable FASCSA
order identified in the solicitation at FAR 52.204-30(b)(1). If an
offeror cannot represent compliance with the prohibition, then the
offeror must disclose this and provide the required information in
accordance with 52.204-29(e). The Government will use this information
to determine whether to seek a waiver or may choose to make an award to
an offeror that does not require a waiver.
The new clause at FAR 52.204-28, Federal Acquisition Supply Chain
Security Act Orders-Federal Supply Schedules, Governmentwide
Acquisition Contracts, and Multi-Agency Contracts, provides contractors
with notice that FASCSA orders will be identified in the request for
quote or in the notice of intent to place an order. Contractors will be
able to identify applicable FASCSA orders in paragraph (b)(1) of FAR
52.204-30, Federal Acquisition Supply Chain Security Act Orders-
Prohibition with its Alternate II. Contractors will also be required to
remove from the basic contract any covered article or any product or
service produced or provided by a source subject to a FASCSA order
issued collectively by DHS, DoD, and DNI.
The new clause at FAR 52.204-30, Federal Acquisition Supply Chain
Security Act Orders-Prohibition, prohibits contractors from providing
any covered article, or any products or services produced or provided
by a source, if the covered article or the source is subject to an
applicable FASCSA order identified in paragraph (b). In most cases, for
solicitations and contracts awarded by DoD, DoD FASCSA orders will
apply; and for all other solicitations and contracts, DHS FASCSA orders
will apply. The clause, when used with its Alternate I, identifies a
different construct for paragraph (b) allowing the contracting officer
to select the applicable FASCSA orders (i.e. DoD FASCSA order, DHS
[[Page 69506]]
FASCSA order, DNI FASCSA order). The clause at FAR 52.204-30 also
requires the contractor to review SAM at least once every three months
or as advised by the contracting officer, and provide a report in the
event the contractor identifies that a covered article, or product or
service produced or provided by a source, that is subject to a FASCSA
order, was provided to the Government or used during contract
performance; or the contractor is notified of such by a subcontractor
at any tier or by any other means. The clause, when used with its
Alternate II is for Federal Supply Schedules, Governmentwide
acquisition contracts and multi-agency contracts when FASCSA orders are
applied at the order level.
FAR 52.212-5, Contract Terms and Conditions Required to Implement
Statutes or Executive Orders-Commercial Products and Commercial
Services, FAR 52.213-4, Terms and Conditions-Simplified Acquisitions
(Other Than Commercial Products and Commercial Services), and FAR
52.244-6, Subcontracts for Commercial Products and Commercial Services
are updated to add the requirements of FAR 52.204-30, Federal
Acquisition Supply Chain Security Act Orders-Prohibition.
III. Specific Questions For Comment
DoD, GSA, and NASA welcome input on the following questions
regarding anticipated impact on affected parties.
What additional information or guidance do you view as
necessary to effectively comply with this interim rule?
What challenges do you anticipate facing in effectively
complying with this interim rule?
IV. Applicability to Contracts at or Below the Simplified Acquisition
Threshold (SAT) and for Commercial Products, (Including Commercially
Available Off-the-Shelf (COTS) Items), or for Commercial Services
This interim rule adds a new contract clause at FAR 52.204-28,
Federal Acquisition Supply Chain Security Act Orders-Federal Supply
Schedules, Governmentwide Acquisition Contracts, and Multi-Agency
Contracts. The clause is prescribed at FAR 4.2306(a) and is required in
the basic solicitation and resultant contract for all Federal Supply
Schedules, Governmentwide acquisition contracts, and multi-agency
contracts when FASCSA orders are contemplated to be applied at the task
or delivery order level. The clause will apply to acquisitions valued
at or below the SAT; acquisitions of commercial products, including
COTS items; and acquisition of commercial services.
This interim rule adds a new provision at FAR 52.204-29, Federal
Acquisition Supply Chain Security Act Orders-Representation and
Disclosures. The provision is prescribed at FAR 4.2306(b) and is for
use in all solicitations for contracts, except that for Federal Supply
Schedules, Governmentwide acquisition contracts and multi-agency
contracts the clause will be inserted in all solicitations for
contracts if FASCSA orders apply at the contract level. The provision
will apply to acquisitions valued at or below the SAT; acquisitions of
commercial products, including COTS items; and acquisition of
commercial services.
This interim rule adds a new contract clause at FAR 52.204-30,
Federal Acquisition Supply Chain Security Act Orders-Prohibition,
including the clause with its Alternate I and Alternate II. The clause
is prescribed at FAR 4.2306(c) for use in all solicitations and
contracts, except that for Federal Supply Schedules, Governmentwide
acquisition contracts, and multi-agency contracts where FASCSA orders
are applied at the contract level, the clause must be used with its
Alternate I in all solicitations and resultant contracts; or, if FASCSA
orders are applied at the order level, the clause shall be used with
its Alternate II in all requests for quotations, or in all notices of
intent to place an order. The clause will apply to acquisitions valued
at or below the SAT; acquisitions of commercial products, including
COTS items; and acquisition of commercial services. The above provision
and clauses are necessary to implement FASCSA orders authorized by the
Federal Acquisition Supply Chain Security Act of 2018 and the Federal
Acquisition Supply Chain Security Act final rule.
A. Applicability to Contracts at or Below the Simplified Acquisition
Threshold
41 U.S.C. 1905 governs the applicability of laws to acquisitions at
or below the SAT. Section 1905 generally limits the applicability of
new laws when agencies are making acquisitions at or below the SAT, but
provides that such acquisitions will not be exempt from a provision of
law under certain circumstances, including when the Federal Acquisition
Regulatory Council (FAR Council) makes a written determination and
finding that it would not be in the best interest of the Federal
Government to exempt contracts and subcontracts in amounts not greater
than the SAT from the provision of law. The FAR Council has made a
determination to apply this statute to acquisitions at or below the
SAT.
B. Applicability to Contracts for the Acquisition of Commercial
Products and Commercial Services, Including Commercially Available Off-
the-Shelf (COTS) Items
41 U.S.C. 1906 governs the applicability of laws to contracts for
the acquisition of commercial products and commercial services and is
intended to limit the applicability of laws to contracts for the
acquisition of commercial products and commercial services. Section
1906 provides that if the FAR Council makes a written determination
that it is not in the best interest of the Federal Government to exempt
commercial products and commercial services contracts the provision of
law will apply to contracts for the acquisition of commercial products
and commercial services.
41 U.S.C. 1907 states that acquisitions of COTS items will be
exempt from certain provisions of law unless the Administrator for
Federal Procurement Policy makes a written determination and finds that
it would not be in the best interest of the Federal Government to
exempt contracts for the procurement of COTS items.
The FAR Council has made a determination to apply this statute to
acquisitions for commercial products and commercial services. The
Administrator for Federal Procurement Policy has made a determination
to apply this statute to acquisitions for COTS items.
C. Determinations
While the law does not specifically address acquisitions at or
below the SAT, or acquisitions of commercial products or commercial
services, including COTS items, there is an unacceptable level of risk
for the Government in buying products or services subject to a FASCSA
order. This level of risk is not alleviated by the fact that the
product or service being acquired has been sold or offered for sale to
the general public, either in the same form or a modified form as sold
to the Government (i.e., that it is a commercial product or commercial
service or COTS item), nor by the small size of the purchase (i.e., at
or below the SAT). As a result, agencies may face increased exposure
for violating the law and unknowingly acquiring products or services
subject to a FASCSA order absent coverage of these types of
acquisitions by this interim rule.
[[Page 69507]]
V. Expected Impact of the Rule
Foreign adversaries are increasingly creating and exploiting
vulnerabilities in information and communications technology to commit
malicious cyber-enabled attacks, including economic and industrial
espionage against the United States and its citizens. Vulnerabilities
may be introduced during any phase of the product or service life
cycle: design, development and production, distribution, acquisition
and deployment, maintenance, and disposal. These vulnerabilities can
include the incorporation of malicious software, hardware, and
counterfeit components; flawed product designs; and poor manufacturing
processes and maintenance procedures.
This rule helps mitigate these supply chain risks by ensuring
agencies and contractors are implementing supply chain risk information
sharing and FASCSA orders for covered articles as required by the FASC
final rule.
Information sharing by Federal agencies with the FASC will ensure
that substantial supply chain risks are communicated with impacted
parties across the Government so agencies can promptly address the
risks. Implementation of FASCSA orders will ensure Federal agencies are
not sourcing products or services determined to have a significant
supply chain risk (i.e. subject to a FASCSA order).
DoD, GSA, and NASA have performed a regulatory impact analysis
(RIA) on this interim rule. The total estimated public costs associated
with this FAR rule in millions of dollars calculated over a ten-year
period (calculated at a 3-percent and 7-percent discount rate) are as
follows:
------------------------------------------------------------------------
3% Discount 7% Discount
Estimated costs rate (million) rate (million)
------------------------------------------------------------------------
Present Value........................... $745 $903
Annualized.............................. 106 105
------------------------------------------------------------------------
The following is a summary from the RIA of the specific compliance
requirements and the estimated costs of compliance. The RIA includes a
detailed discussion and explanation about the assumptions and
methodology used to estimate the cost of this regulatory action,
including the specific impact and costs for small businesses. It is
available at https://www.regulations.gov (search for ``FAR Case 2020-
011'' click ``Open Docket,'' and view ``Supporting Documents'').
The following is a summary of specific compliance requirements that
are considered new for Federal offerors, contractors, and
subcontractors (hereinafter collectively referred to as
``contractors''), as applicable:
Regulatory familiarization
Review the System for Award Management (SAM) for FASCSA orders
Submission of disclosure information
Review SAM for covered articles/sources subject to a FASCSA
order
Review of supply chain for covered articles/source subject to
FASCSA orders
Submit reporting information identifying covered articles/
sources subject to FASCSA orders
Note, at this time no issuing official has issued any FASCSA
orders; therefore, the assumptions made below are based on other
similar cases where a contractor must review their supply chain and
provide alternative sources.
Regulatory Familiarization
It is expected that all contractors will be required to become
familiar with these new compliance requirements in the FAR and will be
required to update policies and procedures to ensure compliance with
FASCSA orders and train their contracts, program, and supply chain
personnel on the requirements. While this is a new requirement,
restrictions on particular sources or articles are not new to the FAR.
This should reduce the impact on contractors from having to establish
entirely new processes and procedures, but rather update current ones
to add covered articles subject to new FASCSA orders, or any products
or services produced or provided by an excluded source. Regulatory
familiarization is only expected to have a regulatory impact during the
first year of implementation.
Review the System for Award Management (SAM) for FASCSA Orders
In accordance with 52.204-29, offerors must search SAM for any
covered articles, or any products or services produced or provided by a
source subject to a FASCSA order, as identified in the solicitation.
All offerors will need to review SAM for any applicable FASCSA
orders using the search term ``FASCSA order''. Offerors and contractors
are familiar with SAM and searching for other exclusions such as
telecommunications equipment and services established under Section 889
of the John S. McCain National Defense Authorization Act for Fiscal
Year 2019, Public Law 115-232. The frequency of which an offeror will
search SAM will likely be based on the number of contracts and orders
that they manage. Some offerors may choose to regularly review SAM for
new FASCSA orders on a corporate level and notify applicable personnel
when a new order is issued, while others may choose to review SAM with
each proposal, likely at least once when the solicitation comes out and
once prior to submitting the proposal to ensure compliance with the
representation before submission. The frequency with which offerors
review SAM will also be based on the number and frequency that FASCSA
orders are issued; however at this time no FASCSA orders have been
issued.
Submission of Disclosure Information
Once the offeror reviews SAM, they must identify if they cannot
represent compliance and intend to propose any covered article or any
products or services produced or provided by a source subject to a
FASCSA order, in response to the solicitation. If the offeror
identifies such items, they must disclose the following information to
the Government:
(1) Name of the product or service provided to the Government;
(2) Name of the covered article or source subject to a FASCSA
order;
(3) If applicable, name of the vendor, including the Commercial and
Government Entity code and unique entity identifier (if known), that
supplied the covered article or the product or service to the Offeror;
(4) Brand;
(5) Model number (original equipment manufacturer number,
manufacturer part number, or wholesaler number);
(6) Item description;
(7) Reason why the applicable covered article or the product or
service is being provided or used.
Depending on the issuing agency, FASCSA orders will only affect
some companies and some contracts.
[[Page 69508]]
Reviewing SAM for Excluded Articles/Sources
In accordance with FAR 52.204-30, contractors must review SAM, at
least once every three months or as advised by the contracting officer,
for any covered articles, or any products or services produced or
provided by a source subject to a FASCSA order issued after the date of
solicitation. The need to review SAM can also be completed when
contractors review SAM as part of their normal business dealings
including this rule, which requires review during the solicitation
phase. Therefore, the cost impact is already accounted for in this
rule; however, the cost impact of submitting a report once a new FASCSA
order is identified is accounted for separately below.
Review of Supply Chain for Covered Articles/Source for FASCSA Orders
In accordance with FAR 52.204-30, when a contractor identifies that
a covered article or product or service produced or provided by a
source is subject to a new FASCSA order, contractors will have to
evaluate their supply chain to determine whether it was provided to the
Government or used during contract performance.
Submit Reporting Information Identifying Excluded Articles/Sources
In accordance with paragraph (c) of FAR 52.204-30, when a
contractor identifies that a covered article or product or service
produced or provided by a source is subject to a new FASCSA order and
was provided to the Government or used during contract performance,
then the contractor must notify the Government within 3 business days
and provide the following information:
Contract number
Order number(s), if applicable
Name of the product or service provided to the Government or
used during contract performance
Name of the covered article or source subject to a FASCSA
order
If applicable, name of the vendor, including the Commercial
and Government Entity code and unique entity identifier (if known),
that supplied the covered article or the product or service to the
Contractor
Brand
Model number (original equipment manufacturer number,
manufacturer part number, or wholesaler number)
Item description
Any readily available information about mitigation actions
undertaken or recommended.
Within 10 business days of submitting the previous information, the
contractor must provide information on mitigation actions taken and
actions taken to prevent future submissions of or use of covered
articles or sources.
VI. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This rule is a significant regulatory action and, therefore was subject
to review under Section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993.
VII. Congressional Review Act
As required by the Congressional Review Act (5 U.S.C. 801-808),
DoD, GSA, and NASA will send the rule and the ``Submission of Federal
Rules Under the Congressional Review Act'' form to each House of the
Congress and to the Comptroller General of the United States. A rule
that qualifies under the definition in 5 U.S.C. 804(2) cannot take
effect until 60 days after it is published in the Federal Register. The
Office of Information and Regulatory Affairs (OIRA) in the Office of
Management and Budget has determined that this rule qualifies under the
definition in 5 U.S.C. 804(2).
VIII. Regulatory Flexibility Act
DoD, GSA, and NASA expect that this rule may have a significant
economic impact on a substantial number of small entities within the
meaning of the Regulatory Flexibility Act, 5 U.S.C. 601-612. An Initial
Regulatory Flexibility Analysis (IRFA) has been performed, and is
summarized as follows:
DoD, GSA, and NASA are issuing an interim rule amending the FAR
to implement supply chain risk information sharing requirements and
exclusion or removal orders consistent with the Federal Acquisition
Supply Chain Security Act of 2018 and a final rule issued by the
Federal Acquisition Security Council (FASC).
The objective of this interim rule is to implement supply chain
risk information sharing and FASCSA orders.
The legal basis for the rule is the Federal Acquisition Supply
Chain Security Act of 2018 (title II of the SECURE Technology Act,
Pub. L. 115-390, Dec. 21, 2018), and the final rule issued by the
Federal Acquisition Security Council (August 26, 2021, 86 FR 47581,
effective September 27, 2021). Promulgation of the FAR is authorized
by 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. chapter 137
legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 20113.
The interim rule will impact all small entities that are prime
contractors and all small entities that are subcontractors. Data
from the Federal Procurement Data System (FPDS) for fiscal years
(FYs) 2019 through 2021 was used. On average per year the Government
awards contracts and orders for supplies and services to 94,035
unique contractors, of which approximately 65 percent or 61,797 are
small businesses.
This interim rule will require small entities to: (1) become
familiar with the new regulatory requirements; (2) review the System
for Award Management (SAM) for FASCSA orders; (3) submit disclosure
information; (4) review SAM for excluded articles or sources; (5)
review their supply chain for covered articles or sources prohibited
by a FASCSA order; and (6) submit a report identifying if a
prohibited article or source was delivered to the government in the
performance of the contract.
To comply with the new regulatory requirements, it is expected
that all small entities, or 61,797 will need to become familiar with
FASCSA orders. Additionally, this regulatory familiarization may
also include updating policies and procedures to ensure compliance.
However, exclusions are not new to the FAR making the impact less.
Once a small entity intends to respond to a solicitation, they
will need to review the solicitation to identify which FASCSA orders
apply to the current solicitation and subsequent contract, and
search SAM for more information on applicable FASCSA orders. It is
estimated that all small entities, 61,797, will review SAM for
FASCSA orders when responding to a solicitation.
It is estimated that a small number of small entities, 10
percent or 3,090, will not be able to represent compliance with the
prohibition and therefore must disclose to the Government that they
intend to propose a covered article or source prohibited by an
applicable FASCSA order. Failure to comply with the prohibition
poses risk for the contractor in not being awarded a contract if a
waiver from the requirement is not obtained.
Small entities will be required to review SAM for any covered
articles or any products or services produced or provided by a
source, including contractor use of covered articles or sources,
subject to a FASCSA order during the performance of the contract.
This is not expected to create any additional impact because small
entities are already searching SAM as part of this rule when
responding to a solicitation.
When a new FASCSA order is issued, small entities may have to
review their supply chain to determine whether a covered article or
any products or services produced or provided by a source subject to
a FASCSA order were used or provided to the Government during the
performance of the contract. This is estimated to impact
approximately half of small entities, 30,899
[[Page 69509]]
because not all FASCSA orders will apply to every contract or
contractor.
It is estimated that a very small subset of small entities, 3
percent or 927, may identify a covered article or any products or
services produced or provided by a source subject to a FASCSA order
that were delivered during the performance of the contract, and be
required to submit a report to the Government.
The rule does not duplicate, overlap, or conflict with any other
Federal rules.
It was contemplated during the development of this rule to
create a representation requirement in SAM for contractors to
complete annually and then update on a solicitation-by-solicitation
basis, if necessary. The current process reduces the impact by
replacing the SAM representation with a representation by submission
of the offer. There are no other available alternatives to the
proposed rule to accomplish the desired objective of the statute.
The Regulatory Secretariat Division has submitted a copy of the
IRFA to the Chief Counsel for Advocacy of the Small Business
Administration. A copy of the IRFA may be obtained from the Regulatory
Secretariat Division. DoD, GSA, and NASA invite comments from small
business concerns and other interested parties on the expected impact
of this rule on small entities.
DoD, GSA, and NASA will also consider comments from small entities
concerning the existing regulations in subparts affected by the rule in
accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite 5 U.S.C. 610 (FAR Case 2020-011),
in correspondence.
IX. Paperwork Reduction Act
The Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501-3521)
applies. The rule contains information collection requirements. The PRA
provides that an agency generally cannot conduct or sponsor a
collection of information, and no person is required to respond to nor
be subject to a penalty for failure to comply with a collection of
information, unless that collection has obtained OMB approval and
displays a currently valid OMB Control Number.
DoD, GSA, and NASA are requesting emergency processing of the
collection of information involved in this rule, consistent with 5 CFR
1320.13. DoD, GSA, and NASA have determined the following conditions
have been met:
a. The collection of information is needed prior to the expiration
of time periods normally associated with a routine submission for
review under the provisions of the PRA, because agencies subject to the
FAR would not have a mechanism to implement any FASCSA orders issued by
the FASC.
b. The collection of information is essential to the mission of the
agencies to protect the Government supply chain from vulnerabilities
posed by acquiring products or services that violate a FASCSA order
issued under the authority of the Federal Acquisition Supply Chain
Security Act of 2018 and the final rule issued by the FASC.
c. Moreover, DoD, GSA, and NASA cannot comply with the normal
clearance procedures because public harm is reasonably likely to result
if current clearance procedures are followed. Authorizing collection of
this information will ensure that agencies have a mechanism to
implement FASCSA orders and address vulnerabilities in supply chains
that can enable data and intellectual property theft, loss of
confidence in integrity, or exploitation that causes system and network
failure.
DoD, GSA, and NASA will publish a separate 30-day notice in the
Federal Register requesting public comment on the proposed emergency
information collections contained within this rule under OMB Control
Number 9000-0205, Implementation of Federal Acquisition Supply Chain
Security Act (FASCSA) Orders.
Public Reporting Burden
Public reporting burden for this collection of information is
estimated to average 2 hours per response, including the time for
reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information.
The annual reporting burden is estimated as follows:
Respondents: 6,113.
Total Annual Responses: 6,113.
Total Burden Hours: 12,226.
X. Determination To Issue an Interim Rule
Pursuant to 41 U.S.C. 1707(d), a determination has been made under
the authority of the Secretary of Defense, the Administrator of General
Services, and the Administrator of the National Aeronautics and Space
Administration that urgent and compelling reasons exist to promulgate
this interim rule without prior opportunity for public comment. It is
critical that the FAR is revised promptly to reflect the current
requirements of the law, which prohibits the Federal Government from
acquiring products or services that violate the prohibition of an
exclusion or removal order issued pursuant to the Federal Acquisition
Supply Chain Security Act (FASCSA) of 2018 and the final rule issued by
the FASC.
The Secretary of Homeland Security, the Secretary of Defense, and
the Director of National Intelligence may issue a FASCSA order at any
time. For this reason, this FAR rule must take effect without awaiting
the delay associated with solicitation, review, and response to public
comments to ensure agencies and contractors are able to promptly
implement supply chain risk information sharing and FASCSA orders. If a
FASCSA order is issued agencies are required to implement that order.
In the absence of issuing this FAR rule immediately, agencies will be
forced to issue individual agency policies and procedures including
drafting contract provisions for inclusion in all agency contracts. Due
to the complexity of this novel requirement, it has taken several years
to draft and develop the framework of this FAR rule and involved many
Government agencies in the process. Each agency would now be required
to start this process over and develop their own agency policies and
procedures, further delaying the implementation of FASCSA orders and
likely resulting in inconsistent contract terms and implementation
across multiple agencies and gaps in compliance.
Failure to implement FASCSA orders uniformly across the Government
would adversely impact national security making it critical to
implement this FAR rule without delay. Vulnerabilities in supply chains
for covered articles can enable data and intellectual property theft,
loss of confidence in integrity, or exploitation to cause system and
network failure. The cost to our nation comes not only in lost
innovation, jobs, and economic advantage, but also in reduced military
strength. Delaying implementation of this interim rule would increase
national security risks to the Government posed by covered articles
subject to a FASCSA order. Therefore, a Governmentwide FAR rule is the
best tool available now to provide a consistent and reliable
implementation across agencies.
Consistent with the Congressional Review Act (CRA) (5 U.S.C. 801-
808), this rule will not take effect until 60 days after it is
published in the Federal Register, allowing Congress time to review
this interim rule. This short delay in the effective date is beneficial
to both contracting agencies and industry to provide the necessary time
to assess and prepare to implement the new requirements. Both
contracting agencies and industry will need to develop and implement
new policies and procedures, notify and train their workforce on the
new requirements, and update contract writing systems to
[[Page 69510]]
incorporate the new provisions and clause. This 60-day delay associated
with the CRA is significantly shorter than the delay associated with
issuing a proposed rule, and thus avoids the risks associated with
extended delay highlighted above.
Pursuant to 41 U.S.C. 1707 and FAR 1.501-3(b), the Department of
Defense, General Services Administration, and National Aeronautics and
Space Administration will consider public comments received in response
to this interim rule in the formation of the final rule.
List of Subjects in 48 CFR Parts 1, 4, 9, 13, 39, and 52
Government procurement.
William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of
Acquisition Policy, Office of Government-wide Policy.
Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 4, 9, 13, 39,
and 52 as set forth below:
0
1. The authority citation for 48 CFR parts 1, 4, 9, 13, 39, and 52
continues to read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C.
chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C.
20113.
PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM
0
2. In section 1.106, amend the table by adding in numerical order
entries for 4.23, 52.204-29, and 52.204-30 to read as follows:
1.106 OMB approval under the Paperwork Reduction Act.
* * * * *
------------------------------------------------------------------------
OMB control
FAR segment No.
------------------------------------------------------------------------
* * * * *
4.23.................................................... 9000-0205
* * * * *
52.204-29............................................... 9000-0205
52.204-30............................................... 9000-0205
* * * * *
------------------------------------------------------------------------
PART 4--ADMINISTRATIVE AND INFORMATION MATTERS
0
3. Revise section 4.2001 to read as follows:
4.2001 Definitions.
As used in this subpart--
Kaspersky Lab covered article means any hardware, software, or
service that--
(1) Is developed or provided by a Kaspersky Lab covered entity;
(2) Includes any hardware, software, or service developed or
provided in whole or in part by a Kaspersky Lab covered entity; or
(3) Contains components using any hardware or software developed in
whole or in part by a Kaspersky Lab covered entity.
Kaspersky Lab covered entity means--
(1) Kaspersky Lab;
(2) Any successor entity to Kaspersky Lab, including any change in
name, e.g., ``Kaspersky'';
(3) Any entity that controls, is controlled by, or is under common
control with Kaspersky Lab; or
(4) Any entity of which Kaspersky Lab has a majority ownership.
4.2002 [Amended]
0
4. Amend section 4.2002 by removing from paragraphs (a) and (b) the
word ``covered'' and adding ``Kaspersky Lab covered'' in its place.
4.2004 [Amended]
0
5. Amend section 4.2004 by removing ``Kaspersky Lab and Other Covered''
and adding ``Kaspersky Lab Covered'' in its place.
0
6. Add subpart 4.23 to read as follows:
Subpart 4.23--Federal Acquisition Security Council
Sec.
4.2300 Scope of subpart.
2301 Definitions.
4.2302 Sharing supply chain risk information.
4.2303 FASCSA orders.
4.2304 Procedures.
4.2305 Waivers.
4.2306 Solicitation provision and contract clauses.
Subpart 4.23--Federal Acquisition Security Council
4.2300 Scope of subpart.
This subpart implements the Federal Acquisition Supply Chain
Security Act of 2018 (title II of Pub. L. 115-390) and the Federal
Acquisition Security Council (FASC) regulation at 41 CFR part 201-1.
The authority provided in this subpart expires on December 31, 2033
(see 41 U.S.C. 1328).
4.2301 Definitions.
As used in this subpart--
Covered article, as defined in 41 U.S.C. 4713(k), means--
(1) Information technology, as defined in 40 U.S.C. 11101,
including cloud computing services of all types;
(2) Telecommunications equipment or telecommunications service, as
those terms are defined in section 3 of the Communications Act of 1934
(47 U.S.C. 153);
(3) The processing of information on a Federal or non-Federal
information system, subject to the requirements of the Controlled
Unclassified Information program (see 32 CFR part 2002); or
(4) Hardware, systems, devices, software, or services that include
embedded or incidental information technology.
FASCSA order means any of the following orders issued under the
Federal Acquisition Supply Chain Security Act (FASCSA) requiring the
removal of covered articles from executive agency information systems
or the exclusion of one or more named sources or named covered articles
from executive agency procurement actions, as described in 41 CFR 201-
1.303(d) and (e):
(1) The Secretary of Homeland Security may issue FASCSA orders
applicable to civilian agencies, to the extent not covered by paragraph
(2) or (3) of this definition. This type of FASCSA order may be
referred to as a Department of Homeland Security (DHS) FASCSA order.
(2) The Secretary of Defense may issue FASCSA orders applicable to
the Department of Defense (DoD) and national security systems other
than sensitive compartmented information systems. This type of FASCSA
order may be referred to as a DoD FASCSA order.
(3) The Director of National Intelligence (DNI) may issue FASCSA
orders applicable to the intelligence community and sensitive
compartmented information systems, to the extent not covered by
paragraph (2) of this definition. This type of FASCSA order may be
referred to as a DNI FASCSA order.
Federal Acquisition Security Council (FASC) means the Council
established pursuant to 41 U.S.C. 1322(a).
Intelligence community, as defined by 50 U.S.C. 3003(4), means the
following--
(1) The Office of the Director of National Intelligence;
(2) The Central Intelligence Agency;
(3) The National Security Agency;
(4) The Defense Intelligence Agency;
(5) The National Geospatial-Intelligence Agency;
(6) The National Reconnaissance Office;
(7) Other offices within the Department of Defense for the
collection of specialized national intelligence through reconnaissance
programs;
(8) The intelligence elements of the Army, the Navy, the Air Force,
the Marine Corps, the Coast Guard, the
[[Page 69511]]
Federal Bureau of Investigation, the Drug Enforcement Administration,
and the Department of Energy;
(9) The Bureau of Intelligence and Research of the Department of
State;
(10) The Office of Intelligence and Analysis of the Department of
the Treasury;
(11) The Office of Intelligence and Analysis of the Department of
Homeland Security; or
(12) Such other elements of any department or agency as may be
designated by the President, or designated jointly by the Director of
National Intelligence and the head of the department or agency
concerned, as an element of the intelligence community.
National security system, as defined in 44 U.S.C. 3552, means any
information system (including any telecommunications system) used or
operated by an agency or by a contractor of an agency, or other
organization on behalf of an agency--
(1) The function, operation, or use of which involves intelligence
activities; involves cryptologic activities related to national
security; involves command and control of military forces; involves
equipment that is an integral part of a weapon or weapons system; or is
critical to the direct fulfillment of military or intelligence
missions, but does not include a system that is to be used for routine
administrative and business applications (including payroll, finance,
logistics, and personnel management applications); or
(2) Is protected at all times by procedures established for
information that have been specifically authorized under criteria
established by an Executive order or an Act of Congress to be kept
classified in the interest of national defense or foreign policy.
Reasonable inquiry means an inquiry designed to uncover any
information in the entity's possession about the identity of any
covered articles, or any products or services produced or provided by a
source. This applies when the covered article or the source is subject
to an applicable FASCSA order. A reasonable inquiry excludes the need
to include an internal or third-party audit.
Sensitive compartmented information means classified information
concerning or derived from intelligence sources, methods, or analytical
processes, which is required to be handled within formal access control
systems established by the Director of National Intelligence.
Sensitive compartmented information system means a national
security system authorized to process or store sensitive compartmented
information.
Source means a non-Federal supplier, or potential supplier, of
products or services, at any tier.
Supply chain risk, as defined in 41 U.S.C. 4713(k), means the risk
that any person may sabotage, maliciously introduce unwanted
functionality, extract data, or otherwise manipulate the design,
integrity, manufacturing, production, distribution, installation,
operation, maintenance, disposition, or retirement of covered articles
so as to surveil, deny, disrupt, or otherwise manipulate the function,
use, or operation of the covered articles or information stored or
transmitted on the covered articles.
Supply chain risk information includes, but is not limited to,
information that describes or identifies:
(1) Functionality and features of covered articles, including
access to data and information system privileges;
(2) The user environment where a covered article is used or
installed;
(3) The ability of a source to produce and deliver covered articles
as expected;
(4) Foreign control of, or influence over, a source or covered
article (e.g., foreign ownership, personal and professional ties
between a source and any foreign entity, legal regime of any foreign
country in which a source is headquartered or conducts operations);
(5) Implications to government mission(s) or assets, national
security, homeland security, or critical functions associated with use
of a covered source or covered article;
(6) Vulnerability of Federal systems, programs, or facilities;
(7) Market alternatives to the covered source;
(8) Potential impact or harm caused by the possible loss, damage,
or compromise of a product, material, or service to an organization's
operations or mission; and
(9) Likelihood of a potential impact or harm, or the exploitability
of a system;
(10) Security, authenticity, and integrity of covered articles and
their supply and compilation chain;
(11) Capacity to mitigate risks identified;
(12) Factors that may reflect upon the reliability of other supply
chain risk information; and
(13) Any other considerations that would factor into an analysis of
the security, integrity, resilience, quality, trustworthiness, or
authenticity of covered articles or sources.
4.2302 Sharing supply chain risk information.
(a) Executive agencies are required to share relevant supply chain
risk information with the FASC if the executive agency has determined
there is a reasonable basis to conclude a substantial supply chain risk
associated with a source or covered article exists (see 41 CFR 201-
1.201).
(b) In support of information sharing described in paragraph (a) of
this section, the contracting officer shall work with the program
office or requiring activity in accordance with agency procedures
regarding the sharing of relevant information on actual or potential
supply chain risk determined to exist during the procurement process.
4.2303 FASCSA orders.
(a) Executive agencies are prohibited from procuring or obtaining,
or extending or renewing a contract to procure or obtain, any covered
article, or any products or services produced or provided by a source,
including contractor use of covered articles or sources, if that
prohibition is established by an applicable FASCSA order issued by the
Director of National Intelligence, Secretary of Defense, or Secretary
of Homeland Security (the ``issuing official'')(see 41 CFR 201-
1.304(a)).
(b) If a covered article or the source is subject to an applicable
Governmentwide FASCSA order issued collectively by the Director of
National Intelligence, Secretary of Defense, and Secretary of Homeland
Security, executive agencies responsible for management of the Federal
Supply Schedules, Governmentwide acquisition contracts, and multi-
agency contracts shall facilitate implementation of a collective FASCSA
order by removing the covered articles or sources identified in the
FASCSA order from such contracts (see 41 CFR 201-1.303(g)).
(c)(1) FASCSA orders regarding sources or covered articles will be
found in the System for Award Management (SAM), by searching for the
phrase ``FASCSA order''. SAM may be updated as new FASCSA orders are
issued.
(2) Some FASCSA orders will not be identified in SAM and will need
to be identified in the solicitation to be effective for that
acquisition. The requiring activity or program office will identify
these FASCSA orders to the contracting officer (see 4.2304(d)).
(3) The contracting officer shall work with the program office or
requiring activity to identify which FASCSA orders apply to the
acquisition.
4.2304 Procedures.
(a) Identifying applicable FASCSA orders. The applicability of
FASCSA orders to a particular acquisition depends on the contracting
office's agency, the scope of the FASCSA order,
[[Page 69512]]
the funding, and whether the requirement involves certain types of
information systems (see the definition of FASCSA order at 4.2301). The
contracting officer shall coordinate with the program office or
requiring activity to identify the FASCSA order(s) that apply to the
acquisition as follows:
(1) Unless the program office or requiring activity instructs the
contracting officer otherwise, FASCSA orders apply as follows:
contracts awarded by civilian agencies will be subject to DHS FASCSA
orders, and contracts awarded by the Department of Defense will be
subject to DoD FASCSA orders. See paragraph (b) of 52.204-30, Federal
Acquisition Supply Chain Security Act Orders-Prohibition.
(2) For acquisitions where the program office or the requiring
activity instructs the contracting officer to select specific FASCSA
orders, the contracting officer must select ``yes'' or ``no'' for each
applicable type of FASCSA order (i.e., ``DHS FASCSA Order'' ``DoD
FASCSA Order'' or ``DNI FASCSA Order''). See paragraph (b)(1) of
52.204-30, Federal Acquisition Supply Chain Security Act Orders--
Prohibition, with its Alternate I.
(b) Federal Supply Schedules, Governmentwide acquisition contracts,
multi-agency contracts specific procedures--(1) Applying FASCSA orders.
An agency awarding this type of contract may choose to apply FASCSA
orders in accordance with agency policy as follows:
(i) Application at the contract level. The agency awarding the
basic contract may choose to apply FASCSA orders to the basic contract
award. This is the preferred method, especially if small value orders
or orders without a request for quotation (RFQ) are expected. Ordering
activity contracting officers may use this contract vehicle without
taking further steps to identify applicable FASCSA orders in the order.
The contracting officer awarding the basic contract would select
``yes'' for all FASCSA orders (i.e., ``DHS FASCSA Order'' ``DoD FASCSA
Order'' and ``DNI FASCSA Order'') (see paragraph (b)(1) of 52.204-30,
Federal Acquisition Supply Chain Security Act Orders--Prohibition, with
its Alternate I). If the contracting officer becomes aware of a newly
issued applicable FASCSA order, then the agency awarding the basic
contract shall modify the basic contract to remove any covered article,
or any products or services produced or provided by a source,
prohibited by the newly issued FASCSA order.
(ii) Application at the order level. The agency awarding the basic
contract may choose to apply FASCSA orders at the order level, as
implemented by the ordering activity contracting officer.
(2) Collective FASCSA orders. If a new FASCSA order is issued
collectively by the Secretary of Homeland Security, Secretary of
Defense, and Director of National Intelligence, then the contracting
officer shall modify the basic contract based upon the requirements of
the order, removing any covered article, or any products or services
produced or provided by a source (see 4.2303(b)).
(3) Interagency acquisitions. For an interagency acquisition (see
subpart 17.5) where the funding agency differs from the awarding
agency, the funding agency shall determine the applicable FASCSA
orders.
(4) Inconsistencies. If any inconsistency is identified between the
basic contract and the order, then the FASCSA orders identified in the
order will take precedence.
(c) Updating the solicitation or contract for new FASCSA orders.
The contracting officer shall update a solicitation or contract if the
program office or requiring activity determines it is necessary to:
(1) Amend the solicitation to incorporate FASCSA orders in effect
after the date the solicitation was issued but prior to contract award;
or
(2) Modify the contract to incorporate FASCSA orders issued after
the date of contract award.
(i) Any such modification should take place within a reasonable
amount of time, but no later than 6 months from the determination of
the program office or requiring activity.
(ii) If the contract is not modified within the time specified in
paragraph (c)(2)(i) of this section, then the contract file shall be
documented providing rationale why the contract could not be modified
within this timeframe.
(d) Agency specific procedures. The contracting officer shall
follow agency procedures for implementing FASCSA orders not identified
in SAM (see 4.2303(c)(2)).
(e) Disclosures. If an offeror provides a disclosure pursuant to
paragraph (e) of 52.204-29, Federal Acquisition Supply Chain Security
Act Orders--Representation and Disclosures, the contracting officer
shall engage with the program office or requiring activity to determine
whether to pursue a waiver, if available, in accordance with 4.2305 and
agency procedures or not award to that offeror. For FASCSA orders
handled at the order level, the disclosures language is found at
paragraph (b)(5) of 52.204-30, Federal Acquisition Supply Chain
Security Act Orders--Prohibition, with its Alternate II.
(f) Waiver. An acquisition may be either fully or partially covered
by a waiver. Partial waiver coverage occurs when only portions of the
products or services being procured or provided by a source are covered
by an applicable waiver. If the requiring activity notifies the
contracting officer that the acquisition is partially covered by an
approved individual waiver or class waiver under 4.2305, then the
contracting officer shall work with the program office or requiring
activity to identify in the solicitation, RFQ, or order, the covered
articles or services produced by or provided by a source that are
subject to the waiver (see 41 CFR 201-1.304(b)).
(g) Reporting. If a contractor provides a report pursuant to
paragraph (c) of 52.204-30, Federal Acquisition Supply Chain Security
Act Orders--Prohibition, the contracting officer shall engage with the
agency supply chain risk management program in accordance with agency
procedures.
4.2305 Waivers.
(a) An executive agency required to comply with a FASCSA order may
submit a request that the order or some of its provisions not apply
to--
(1) The agency;
(2) Specific actions of the agency or a specific class of
acquisitions;
(3) Actions of the agency for a period of time before compliance
with the order is practicable; or
(4) Other activities, as appropriate, that the requesting agency
identifies.
(b) A request for waiver shall be submitted by the executive agency
in writing to the official that issued the order, unless other
instructions for submission are provided by the applicable FASCSA
order.
(c) The request for waiver shall provide the following information
for the issuing official to review and evaluate the request,
including--
(1) Identification of the applicable FASCSA order;
(2) A description of the exception sought, including, if limited to
only a portion of the order, a description of the order provisions from
which an exception is sought;
(3) The name or a description sufficient to identify the covered
article or the product or service provided by a source that is subject
to the order from which an exception is sought;
(4) Compelling justification for why an exception should be
granted, such as the impact of the order on the agency's ability to
fulfill its mission-critical functions, or considerations related to
[[Page 69513]]
the national interest, including national security reviews, national
security investigations, or national security agreements;
(5) Any alternative mitigations to be undertaken to reduce the
risks addressed by the FASCSA order; and
(6) Any other information requested by the issuing official.
(d) The contracting officer, in accordance with agency procedures
and working with the program office or requiring activity, shall decide
whether to pursue a waiver or to make award to an offeror that does not
require a waiver in accordance with the procedures at 4.2304(f). If a
waiver is being pursued, then the contracting officer may not make an
award until written approval is obtained that the waiver has been
granted.
4.2306 Solicitation provision and contract clauses.
(a) In all Federal Supply Schedules, Governmentwide acquisition
contracts, and multi-agency contracts where FASCSA orders are applied
at the order level, the contracting officer shall insert the clause at
52.204-28, Federal Acquisition Supply Chain Security Act Orders--
Federal Supply Schedules, Governmentwide Acquisition Contracts, and
Multi-Agency Contracts, in the basic contract solicitation and
resultant contract (see 4.2304(b)(1)(ii)).
(b) The contracting officer shall insert the provision at 52.204-
29, Federal Acquisition Supply Chain Security Act Orders--
Representation and Disclosures--
(1) In all solicitations, except for Federal Supply Schedules,
Governmentwide acquisition contracts, and multi-agency contracts.
(2) In all solicitations for Federal Supply Schedules,
Governmentwide acquisition contracts, and multi-agency contracts, if
FASCSA orders are applied at the contract level (see 4.2304(b)(1)(i)).
(c) The contracting officer shall insert the clause at 52.204-30,
Federal Acquisition Supply Chain Security Act Orders--Prohibition--
(1) In solicitations and contracts if the conditions specified at
4.2304(a)(1) apply, except for Federal Supply Schedules, Governmentwide
acquisition contracts, and multi-agency contracts. For acquisitions
where conditions specified at 4.2304(a)(2) apply, then the contracting
officer shall use the clause with its Alternate I.
(2) In Federal Supply Schedules, Governmentwide acquisition
contracts, and multi-agency contracts--
(i) Where FASCSA orders are applied at the contract level, with its
Alternate I in all solicitations and resultant contracts. See
4.2304(b)(1)(i).
(ii) Where FASCSA orders are applied at the order level, with its
Alternate II in all RFQs, or in all notices of intent to place an
order. See 4.2304(b)(1)(ii).
PART 9--CONTRACTOR QUALIFICATIONS
0
7. Amend section 9.400 by adding paragraph (c) to read as follows:
9.400 Scope of subpart.
* * * * *
(c) For Federal Acquisition Supply Chain Security Act (FASCSA)
orders, see subpart 4.23.
PART 13--SIMPLIFIED ACQUISITION PROCEDURES
0
8. Amend section 13.201 by adding paragraph (l) to read as follows:
13.201 General.
* * * * *
(l) Do not procure or obtain, or extend or renew a contract to
procure or obtain, any covered article, or any products or services
produced or provided by a source, including contractor use of covered
articles or sources, if prohibited from doing so by an applicable
Federal Acquisition Supply Chain Security Act (FASCSA) order issued by
the Director of National Intelligence, Secretary of Defense, or
Secretary of Homeland Security (see 4.2303).
PART 39--ACQUISITION OF INFORMATION TECHNOLOGY
0
9. Amend section 39.101 by adding paragraph (h) to read as follows:
39.101 Policy.
* * * * *
(h) Executive agencies are prohibited from procuring or obtaining,
or extending or renewing a contract to procure or obtain, any covered
article, or any products or services produced or provided by a source,
including contractor use of covered articles or sources, if prohibited
from doing so by an applicable FASCSA order issued by the Director of
National Intelligence, Secretary of Defense, or Secretary of Homeland
Security (see 4.2303).
PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
10. Amend section 52.204-23 by--
0
a. Revising the section heading, clause heading, and the date of the
clause;
0
b. In paragraph (a):
0
i. Removing the definition ``Covered article'' and adding the
definition of ``Kaspersky Lab covered article'' in its place; and
0
ii. Removing the definition ``Covered entity'' and adding the
definition ``Kaspersky Lab covered entity'' in its place;
0
c. In paragraph (b) removing ``covered article'' wherever it appears
and adding ``Kaspersky Lab covered article'' in its place,
respectively;
0
d. Removing from the first sentence in paragraph (c)(1) ``identifies a
covered article'' and adding ``identifies a Kaspersky Lab covered
article'' in its place;
0
e. Removing from paragraph (c)(2)(i) ``1 business day'' and adding ``3
business days'' in its place; and
0
f. Removing from paragraph (c)(2)(ii) ``covered article'' wherever it
appears and adding ``Kaspersky Lab covered article'' in its place and
removing from the end of the paragraph ``covered articles'' and adding
``Kaspersky Lab covered articles'' in its place.
The revisions and additions read as follows:
52.204-23 Prohibition on Contracting for Hardware, Software, and
Services Developed or Provided by Kaspersky Lab Covered Entities.
* * * * *
Prohibition on Contracting for Hardware, Software, and Services
Developed or Provided by Kaspersky Lab Covered Entities (DEC 2023)
(a) * * *
Kaspersky Lab covered article means any hardware, software, or
service that--
(1) Is developed or provided by a Kaspersky Lab covered entity;
(2) Includes any hardware, software, or service developed or
provided in whole or in part by a Kaspersky Lab covered entity; or
(3) Contains components using any hardware or software developed
in whole or in part by a Kaspersky Lab covered entity.
Kaspersky Lab covered entity means--
(1) Kaspersky Lab;
(2) Any successor entity to Kaspersky Lab, including any change
in name, e.g., ``Kaspersky'';
(3) Any entity that controls, is controlled by, or is under
common control with Kaspersky Lab; or
(4) Any entity of which Kaspersky Lab has a majority ownership.
* * * * *
0
11. Add sections 52.204-28, 52.204-29, and 52.204-30 to read as
follows:
Sec.
* * * * *
52.204-28 Federal Acquisition Supply Chain Security Act Orders--
Federal Supply Schedules, Governmentwide Acquisition Contracts, and
Multi-Agency Contracts.
52.204-29 Federal Acquisition Supply Chain Security Act Orders--
Representation and Disclosures.
[[Page 69514]]
52.204-30 Federal Acquisition Supply Chain Security Act Orders--
Prohibition.
* * * * *
52.204-28 Federal Acquisition Supply Chain Security Act Orders--
Federal Supply Schedules, Governmentwide Acquisition Contracts, and
Multi-Agency Contracts.
As prescribed in 4.2306(a), insert the following clause:
Federal Acquisition Supply Chain Security Act Orders--Federal Supply
Schedules, Governmentwide Acquisition Contracts, and Multi-Agency
Contracts (DEC 2023)
(a) Definitions. As used in this clause--
Covered article, as defined in 41 U.S.C. 4713(k), means--
(1) Information technology, as defined in 40 U.S.C. 11101,
including cloud computing services of all types;
(2) Telecommunications equipment or telecommunications service,
as those terms are defined in section 3 of the Communications Act of
1934 (47 U.S.C. 153);
(3) The processing of information on a Federal or non-Federal
information system, subject to the requirements of the Controlled
Unclassified Information program (see 32 CFR part 2002); or
(4) Hardware, systems, devices, software, or services that
include embedded or incidental information technology.
FASCSA order means any of the following orders issued under the
Federal Acquisition Supply Chain Security Act (FASCSA) requiring the
removal of covered articles from executive agency information
systems or the exclusion of one or more named sources or named
covered articles from executive agency procurement actions, as
described in 41 CFR 201-1.303(d) and (e):
(1) The Secretary of Homeland Security may issue FASCSA orders
applicable to civilian agencies, to the extent not covered by
paragraph (2) or (3) of this definition. This type of FASCSA order
may be referred to as a Department of Homeland Security (DHS) FASCSA
order.
(2) The Secretary of Defense may issue FASCSA orders applicable
to the Department of Defense (DoD) and national security systems
other than sensitive compartmented information systems. This type of
FASCSA order may be referred to as a DoD FASCSA order.
(3) The Director of National Intelligence (DNI) may issue FASCSA
orders applicable to the intelligence community and sensitive
compartmented information systems, to the extent not covered by
paragraph (2) of this definition. This type of FASCSA order may be
referred to as a DNI FASCSA order.
Intelligence community, as defined by 50 U.S.C. 3003(4), means
the following--
(1) The Office of the Director of National Intelligence;
(2) The Central Intelligence Agency;
(3) The National Security Agency;
(4) The Defense Intelligence Agency;
(5) The National Geospatial-Intelligence Agency;
(6) The National Reconnaissance Office;
(7) Other offices within the Department of Defense for the
collection of specialized national intelligence through
reconnaissance programs;
(8) The intelligence elements of the Army, the Navy, the Air
Force, the Marine Corps, the Coast Guard, the Federal Bureau of
Investigation, the Drug Enforcement Administration, and the
Department of Energy;
(9) The Bureau of Intelligence and Research of the Department of
State;
(10) The Office of Intelligence and Analysis of the Department
of the Treasury;
(11) The Office of Intelligence and Analysis of the Department
of Homeland Security; or
(12) Such other elements of any department or agency as may be
designated by the President, or designated jointly by the Director
of National Intelligence and the head of the department or agency
concerned, as an element of the intelligence community.
National security system, as defined in 44 U.S.C. 3552, means
any information system (including any telecommunications system)
used or operated by an agency or by a contractor of an agency, or
other organization on behalf of an agency--
(1) The function, operation, or use of which involves
intelligence activities; involves cryptologic activities related to
national security; involves command and control of military forces;
involves equipment that is an integral part of a weapon or weapons
system; or is critical to the direct fulfillment of military or
intelligence missions, but does not include a system that is to be
used for routine administrative and business applications (including
payroll, finance, logistics, and personnel management applications);
or
(2) Is protected at all times by procedures established for
information that have been specifically authorized under criteria
established by an Executive order or an Act of Congress to be kept
classified in the interest of national defense or foreign policy.
Sensitive compartmented information means classified information
concerning or derived from intelligence sources, methods, or
analytical processes, which is required to be handled within formal
access control systems established by the Director of National
Intelligence.
Sensitive compartmented information system means a national
security system authorized to process or store sensitive
compartmented information.
Source means a non-Federal supplier, or potential supplier, of
products or services, at any tier.
(b) Notice. During contract performance, the Contractor shall be
required to comply with any of the following that apply: DHS FASCSA
orders, DoD FASCSA orders, or DNI FASCSA orders. The applicable
FASCSA order(s) will be identified in the request for quotation (see
8.405-2), or in the notice of intent to place an order (see
16.505(b)). FASCSA orders will be identified in paragraph (b)(1) of
FAR 52.204-30, Federal Acquisition Supply Chain Security Act
Orders--Prohibition, with its Alternate II.
(c) Removal. Upon notification from the contracting officer,
during the performance of the contract, the Contractor shall
promptly make any necessary changes or modifications to remove any
covered article or any product or service produced or provided by a
source that is subject to an applicable Governmentwide FASCSA order
(see FAR 4.2303(b)).
(End of clause)
52.204-29 Federal Acquisition Supply Chain Security Act Orders--
Representation and Disclosures.
As prescribed in 4.2306(b), insert the following provision:
Federal Acquisition Supply Chain Security Act Orders--Representation
and Disclosures (DEC 2023)
(a) Definitions. As used in this provision, Covered article,
FASCSA order, Intelligence community, National security system,
Reasonable inquiry, Sensitive compartmented information, Sensitive
compartmented information system, and Source have the meaning
provided in the clause 52.204-30, Federal Acquisition Supply Chain
Security Act Orders--Prohibition.
(b) Prohibition. Contractors are prohibited from providing or
using as part of the performance of the contract any covered
article, or any products or services produced or provided by a
source, if the prohibition is set out in an applicable Federal
Acquisition Supply Chain Security Act (FASCSA) order, as described
in paragraph (b)(1) of FAR 52.204-30, Federal Acquisition Supply
Chain Security Act Orders--Prohibition.
(c) Procedures. (1) The Offeror shall search for the phrase
``FASCSA order'' in the System for Award Management (SAM)(https://www.sam.gov) for any covered article, or any products or services
produced or provided by a source, if there is an applicable FASCSA
order described in paragraph (b)(1) of FAR 52.204-30, Federal
Acquisition Supply Chain Security Act Orders--Prohibition.
(2) The Offeror shall review the solicitation for any FASCSA
orders that are not in SAM, but are effective and do apply to the
solicitation and resultant contract (see FAR 4.2303(c)(2)).
(3) FASCSA orders issued after the date of solicitation do not
apply unless added by an amendment to the solicitation.
(d) Representation. By submission of this offer, the offeror
represents that it has conducted a reasonable inquiry, and that the
offeror does not propose to provide or use in response to this
solicitation any covered article, or any products or services
produced or provided by a source, if the covered article or the
source is prohibited by an applicable FASCSA order in effect on the
date the solicitation was issued, except as waived by the
solicitation, or as disclosed in paragraph (e).
(e) Disclosures. The purpose for this disclosure is so the
Government may decide whether to issue a waiver. For any covered
article, or any products or services produced or provided by a
source, if the covered article or the source is subject to an
applicable FASCSA order, and the Offeror is unable to represent
compliance, then the Offeror shall provide the following information
as part of the offer:
[[Page 69515]]
(1) Name of the product or service provided to the Government;
(2) Name of the covered article or source subject to a FASCSA
order;
(3) If applicable, name of the vendor, including the Commercial
and Government Entity code and unique entity identifier (if known),
that supplied the covered article or the product or service to the
Offeror;
(4) Brand;
(5) Model number (original equipment manufacturer number,
manufacturer part number, or wholesaler number);
(6) Item description;
(7) Reason why the applicable covered article or the product or
service is being provided or used;
(f) Executive agency review of disclosures. The contracting
officer will review disclosures provided in paragraph (e) to
determine if any waiver may be sought. A contracting officer may
choose not to pursue a waiver for covered articles or sources
otherwise subject to a FASCSA order and may instead make an award to
an offeror that does not require a waiver.
(End of provision)
52.204-30 Federal Acquisition Supply Chain Security Act Orders--
Prohibition.
As prescribed in 4.2306(c), insert the following clause:
Federal Acquisition Supply Chain Security Act Orders--Prohibition (DEC
2023)
(a) Definitions. As used in this clause--
Covered article, as defined in 41 U.S.C. 4713(k), means--
(1) Information technology, as defined in 40 U.S.C. 11101,
including cloud computing services of all types;
(2) Telecommunications equipment or telecommunications service,
as those terms are defined in section 3 of the Communications Act of
1934 (47 U.S.C. 153);
(3) The processing of information on a Federal or non-Federal
information system, subject to the requirements of the Controlled
Unclassified Information program (see 32 CFR part 2002); or
(4) Hardware, systems, devices, software, or services that
include embedded or incidental information technology.
FASCSA order means any of the following orders issued under the
Federal Acquisition Supply Chain Security Act (FASCSA) requiring the
removal of covered articles from executive agency information
systems or the exclusion of one or more named sources or named
covered articles from executive agency procurement actions, as
described in 41 CFR 201-1.303(d) and (e):
(1) The Secretary of Homeland Security may issue FASCSA orders
applicable to civilian agencies, to the extent not covered by
paragraph (2) or (3) of this definition. This type of FASCSA order
may be referred to as a Department of Homeland Security (DHS) FASCSA
order.
(2) The Secretary of Defense may issue FASCSA orders applicable
to the Department of Defense (DoD) and national security systems
other than sensitive compartmented information systems. This type of
FASCSA order may be referred to as a DoD FASCSA order.
(3) The Director of National Intelligence (DNI) may issue FASCSA
orders applicable to the intelligence community and sensitive
compartmented information systems, to the extent not covered by
paragraph (2) of this definition. This type of FASCSA order may be
referred to as a DNI FASCSA order.
Intelligence community, as defined by 50 U.S.C. 3003(4), means
the following--
(1) The Office of the Director of National Intelligence;
(2) The Central Intelligence Agency;
(3) The National Security Agency;
(4) The Defense Intelligence Agency;
(5) The National Geospatial-Intelligence Agency;
(6) The National Reconnaissance Office;
(7) Other offices within the Department of Defense for the
collection of specialized national intelligence through
reconnaissance programs;
(8) The intelligence elements of the Army, the Navy, the Air
Force, the Marine Corps, the Coast Guard, the Federal Bureau of
Investigation, the Drug Enforcement Administration, and the
Department of Energy;
(9) The Bureau of Intelligence and Research of the Department of
State;
(10) The Office of Intelligence and Analysis of the Department
of the Treasury;
(11) The Office of Intelligence and Analysis of the Department
of Homeland Security; or
(12) Such other elements of any department or agency as may be
designated by the President, or designated jointly by the Director
of National Intelligence and the head of the department or agency
concerned, as an element of the intelligence community.
National security system, as defined in 44 U.S.C. 3552, means
any information system (including any telecommunications system)
used or operated by an agency or by a contractor of an agency, or
other organization on behalf of an agency--
(1) The function, operation, or use of which involves
intelligence activities; involves cryptologic activities related to
national security; involves command and control of military forces;
involves equipment that is an integral part of a weapon or weapons
system; or is critical to the direct fulfillment of military or
intelligence missions, but does not include a system that is to be
used for routine administrative and business applications (including
payroll, finance, logistics, and personnel management applications);
or
(2) Is protected at all times by procedures established for
information that have been specifically authorized under criteria
established by an Executive order or an Act of Congress to be kept
classified in the interest of national defense or foreign policy.
Reasonable inquiry means an inquiry designed to uncover any
information in the entity's possession about the identity of any
covered articles, or any products or services produced or provided
by a source. This applies when the covered article or the source is
subject to an applicable FASCSA order. A reasonable inquiry excludes
the need to include an internal or third-party audit.
Sensitive compartmented information means classified information
concerning or derived from intelligence sources, methods, or
analytical processes, which is required to be handled within formal
access control systems established by the Director of National
Intelligence.
Sensitive compartmented information system means a national
security system authorized to process or store sensitive
compartmented information.
Source means a non-Federal supplier, or potential supplier, of
products or services, at any tier.
(b) Prohibition. (1) Unless an applicable waiver has been issued
by the issuing official, Contractors shall not provide or use as
part of the performance of the contract any covered article, or any
products or services produced or provided by a source, if the
covered article or the source is prohibited by an applicable FASCSA
orders as follows:
(i) For solicitations and contracts awarded by a Department of
Defense contracting office, DoD FASCSA orders apply.
(ii) For all other solicitations and contracts DHS FASCSA orders
apply.
(2) The Contractor shall search for the phrase ``FASCSA order''
in the System for Award Management (SAM) at https://www.sam.gov to
locate applicable FASCSA orders identified in paragraph (b)(1).
(3) The Government may identify in the solicitation additional
FASCSA orders that are not in SAM, which are effective and apply to
the solicitation and resultant contract.
(4) A FASCSA order issued after the date of solicitation applies
to this contract only if added by an amendment to the solicitation
or modification to the contract (see FAR 4.2304(c)). However, see
paragraph (c) of this clause.
(5)(i) If the contractor wishes to ask for a waiver of the
requirements of a new FASCSA order being applied through
modification, then the Contractor shall disclose the following:
(A) Name of the product or service provided to the Government;
(B) Name of the covered article or source subject to a FASCSA
order;
(C) If applicable, name of the vendor, including the Commercial
and Government Entity code and unique entity identifier (if known),
that supplied or supplies the covered article or the product or
service to the Offeror;
(D) Brand;
(E) Model number (original equipment manufacturer number,
manufacturer part number, or wholesaler number);
(F) Item description;
(G) Reason why the applicable covered article or the product or
service is being provided or used;
(ii) Executive agency review of disclosures. The contracting
officer will review disclosures provided in paragraph (b)(5)(i) to
determine if any waiver is warranted. A contracting officer may
choose not to pursue a waiver for covered articles or sources
otherwise covered by a FASCSA order and to instead pursue other
appropriate action.
(c) Notice and reporting requirement. (1) During contract
performance, the Contractor
[[Page 69516]]
shall review SAM.gov at least once every three months, or as advised
by the Contracting Officer, to check for covered articles subject to
FASCSA order(s), or for products or services produced by a source
subject to FASCSA order(s) not currently identified under paragraph
(b) of this clause.
(2) If the Contractor identifies a new FASCSA order(s) that
could impact their supply chain, then the Contractor shall conduct a
reasonable inquiry to identify whether a covered article or product
or service produced or provided by a source subject to the FASCSA
order(s) was provided to the Government or used during contract
performance.
(3)(i) The Contractor shall submit a report to the contracting
office as identified in paragraph (c)(3)(ii) of this clause, if the
Contractor identifies, including through any notification by a
subcontractor at any tier, that a covered article or product or
service produced or provided by a source was provided to the
Government or used during contract performance and is subject to a
FASCSA order(s) identified in paragraph (b) of this clause, or a new
FASCSA order identified in paragraph (c)(2) of this clause. For
indefinite delivery contracts, the Contractor shall report to both
the contracting office for the indefinite delivery contract and the
contracting office for any affected order.
(ii) If a report is required to be submitted to a contracting
office under (c)(3)(i) of this clause, the Contractor shall submit
the report as follows:
(A) If a Department of Defense contracting office, the
Contractor shall report to the website at https://dibnet.dod.mil.
(B) For all other contracting offices, the Contractor shall
report to the Contracting Officer.
(4) The Contractor shall report the following information for
each covered article or each product or service produced or provided
by a source, where the covered article or source is subject to a
FASCSA order, pursuant to paragraph (c)(3)(i) of this clause:
(i) Within 3 business days from the date of such identification
or notification:
(A) Contract number;
(B) Order number(s), if applicable;
(C) Name of the product or service provided to the Government or
used during performance of the contract;
(D) Name of the covered article or source subject to a FASCSA
order;
(E) If applicable, name of the vendor, including the Commercial
and Government Entity code and unique entity identifier (if known),
that supplied the covered article or the product or service to the
Contractor;
(F) Brand;
(G) Model number (original equipment manufacturer number,
manufacturer part number, or wholesaler number);
(H) Item description; and
(I) Any readily available information about mitigation actions
undertaken or recommended.
(ii) Within 10 business days of submitting the information in
paragraph (c)(4)(i) of this clause:
(A) Any further available information about mitigation actions
undertaken or recommended.
(B) In addition, the Contractor shall describe the efforts it
undertook to prevent submission or use of the covered article or the
product or service produced or provided by a source subject to an
applicable FASCSA order, and any additional efforts that will be
incorporated to prevent future submission or use of the covered
article or the product or service produced or provided by a source
that is subject to an applicable FASCSA order.
(d) Removal. For Federal Supply Schedules, Governmentwide
acquisition contracts, multi-agency contracts or any other
procurement instrument intended for use by multiple agencies, upon
notification from the Contracting Officer, during the performance of
the contract, the Contractor shall promptly make any necessary
changes or modifications to remove any product or service produced
or provided by a source that is subject to an applicable FASCSA
order.
(e) Subcontracts. (1) The Contractor shall insert the substance
of this clause, including this paragraph (e) and excluding paragraph
(c)(1) of this clause, in all subcontracts and other contractual
instruments, including subcontracts for the acquisition of
commercial products and commercial services.
(2) The Government may identify in the solicitation additional
FASCSA orders that are not in SAM, which are effective and apply to
the contract and any subcontracts and other contractual instruments
under the contract. The Contractor or higher-tier subcontractor
shall notify their subcontractors, and suppliers under other
contractual instruments, that the FASCSA orders in the solicitation
that are not in SAM apply to the contract and all subcontracts.
Alternate I (DEC 2023). As prescribed in 4.2306(c), substitute
the following paragraph (b)(1) for paragraph (b)(1) of the basic
clause:
(b) Prohibition. (1) Contractors are prohibited from providing
or using as part of the performance of the contract any covered
article, or any products or services produced or provided by a
source, if the covered article or the source is prohibited by any
applicable FASCSA orders identified by the checkbox(es) in this
paragraph (b)(1).
[Contracting Officer must select either ``yes'' or ``no'' for each
of the following types of FASCSA orders:]
Yes [ballot] No [ballot] DHS FASCSA Order
Yes [ballot] No [ballot] DoD FASCSA Order
Yes [ballot] No [ballot] DNI FASCSA Order
Alternate II (DEC 2023). As prescribed in 4.2306(c)(2)(ii),
substitute the following paragraph (b) in place of paragraph (b) of
the basic clause. This clause applies to each order as identified by
the Contracting Officer.
(b) Prohibition. (1) Contractors are prohibited from providing
or using as part of the performance of the contract any covered
article, or any products or services produced or provided by a
source, if the covered article or the source is prohibited by any
applicable FASCSA orders identified by the checkbox(es) in this
paragraph (b)(1).
[Contracting Officer must select either ``yes'' or ``no'' for each
of the following types of FASCSA orders:]
Yes [ballot] No [ballot] DHS FASCSA order
Yes [ballot] No [ballot] DoD FASCSA order
Yes [ballot] No [ballot] DNI FASCSA order
(2) The Contractor shall search for the phrase ``FASCSA order''
in the System for Award Management (SAM) at https://www.sam.gov to
locate applicable FASCSA orders identified in paragraph (b)(1) of
this clause.
(3) The Government may identify in the request for quotation
(RFQ) or in the notice of intent to place an order additional FASCSA
orders that are not in SAM, but are effective and apply to the
order.
(4) A FASCSA order issued after the date of the RFQ or the
notice of intent to place an order applies to this contract only if
added by an amendment to the RFQ or in the notice of intent to place
an order or added by modification to the order (see FAR 4.2304(c)).
However, see paragraph (c) of this clause.
(5)(i) If the contractor wishes to ask for a waiver, the
Contractor shall disclose the following:
(A) Name of the product or service provided to the Government;
(B) Name of the covered article or source subject to a FASCSA
order;
(C) If applicable, name of the vendor, including the Commercial
and Government Entity code and unique entity identifier (if known),
that supplied the covered article or the product or service to the
Offeror;
(D) Brand;
(E) Model number (original equipment manufacturer number,
manufacturer part number, or wholesaler number);
(F) Item description;
(G) Reason why the applicable covered article or the product or
service is being provided or used;
(ii) Executive agency review of disclosures. The contracting
officer will review disclosures provided in paragraph (b)(5)(i) of
this clause to determine if any waiver may be sought. A contracting
officer may choose not to pursue a waiver for covered articles or
sources otherwise covered by a FASCSA order and may instead make
award to an offeror that does not require a waiver.
(End of clause)
0
12. Amend section 52.212-5 by--
0
a. Revising the date of the clause;
0
b. Removing from paragraph (a)(2) ``Lab and Other Covered Entities (NOV
2021)'' and adding ``Lab Covered Entities (DEC 2023)'' in its place;
0
c. Redesignating paragraphs (b)(9) through (64) as paragraphs (b)(11)
through (66) and adding new paragraphs (b)(9) and (10);
0
d. Removing from paragraph (e)(1)(iii) ``Lab and Other Covered Entities
(NOV 2021)'' and adding ``Lab Covered Entities (DEC 2023)'' in its
place;
0
e. Redesignating paragraphs (e)(1)(vi) through (xxiv) as paragraphs
(e)(1)(vii) through (xxv) and adding a new paragraph (e)(1)(vi); and
0
f. In Alternate II--
[[Page 69517]]
0
i. Revising the date of the alternate;
0
ii. Removing from paragraph (e)(1)(ii)(C) ``Lab and Other Covered
Entities (NOV 2021)'' and adding ``Lab Covered Entities (DEC 2023)'' in
its place; and
0
iii. Redesignating paragraphs (e)(1)(ii)(F) through (W) as paragraphs
(e)(1)(ii)(G) through (X) and adding a new paragraph (e)(1)(ii)(F).
The revisions and additions read as follows:
52.212-5 Contract Terms and Conditions Required To Implement Statutes
or Executive Orders--Commercial Products and Commercial Services.
* * * * *
Contract Terms and Conditions Required To Implement Statutes or
Executive Orders--Commercial Products and Commercial Services (DEC
2023)
(b) * * *
__(9) 52.204-28, Federal Acquisition Supply Chain Security Act
Orders--Federal Supply Schedules, Governmentwide Acquisition
Contracts, and Multi-Agency Contracts. (DEC 2023) (Pub. L. 115-390,
title II).
__(10)(i) 52.204-30, Federal Acquisition Supply Chain Security
Act Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
__(ii) Alternate I (DEC 2023) of 52.204-30.
* * * * *
(e)(1) * * *
(vi)(A) 52.204-30, Federal Acquisition Supply Chain Security Act
Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
(B) Alternate I (DEC 2023) of 52.204-30.
* * * * *
Alternate II. (DEC 2023) * * *
(e)(1) * * *
(ii) * * *
(F)(1) 52.204-30, Federal Acquisition Supply Chain Security Act
Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
(2) Alternate I (DEC 2023) of 52.204-30.
* * * * *
0
13. Amend section 52.213-4 by--
0
a. Revising the date of the clause;
0
b. Removing from paragraph (a)(1)(ii) ``Lab and Other Covered Entities
(NOV 2021)'' and adding ``Lab Covered Entities (DEC 2023)'' in its
place;
0
c. Redesignating paragraphs (a)(1)(v) through (xi) as paragraphs
(a)(1)(vi) through (xii) and adding a new paragraph (a)(1)(v); and
0
d. Removing from paragraph (a)(2)(vii) ``(SEP 2023)'' and adding ``(DEC
2023)'' in its place.
The revision and addition read as follows:
52.213-4 Terms and Conditions-Simplified Acquisitions (Other Than
Commercial Products and Commercial Services).
* * * * *
Terms and Conditions-Simplified Acquisitions (Other Than Commercial
Products and Commercial Services) (DEC 2023)
* * * * *
(a) * * *
(1) * * *
(v) 52.204-30, Federal Acquisition Supply Chain Security Act
Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
* * * * *
0
14. Amend section 52.244-6 by--
0
a. Revising the date of the clause;
0
b. Removing from paragraph (c)(1)(v) ``Lab and Other Covered Entities
(NOV 2021)'' and adding ``Lab Covered Entities (Dec 2023) in its place;
and
0
c. Redesignating paragraphs (c)(1)(viii) through (xxi) as paragraphs
(c)(1)(ix) through (xxii) and adding a new paragraph (c)(1)(viii) in
its place.
The revision and addition read as follows:
52.244-6 Subcontracts for Commercial Products and Commercial Services.
* * * * *
Subcontracts for Commercial Products and Commercial Services (DEC 2023)
* * * * *
(c)(1) * * *
(viii)(A) 52.204-30, Federal Acquisition Supply Chain Security
Act Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
(B) Alternate I (DEC 2023) of 52.204-30.
* * * * *
[FR Doc. 2023-21320 Filed 10-4-23; 8:45 am]
BILLING CODE 6820-14-P