[Federal Register Volume 89, Number 63 (Monday, April 1, 2024)]
[Rules and Regulations]
[Pages 22604-22605]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-06411]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Part 40

[FAC 2024-04; FAR Case 2022-010, Docket No. FAR-2022-0010, Sequence No. 
1]
RIN 9000-AO47


Federal Acquisition Regulation: Establishing Federal Acquisition 
Regulation Part 40

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are issuing a final rule amending the 
Federal Acquisition Regulation (FAR) to add the framework for a new FAR 
part on information security and supply chain security. The creation of 
this new FAR part does not implement any of the information security 
and supply chain security policies or procedures. The amendment simply 
establishes the new FAR part.

DATES: Effective May 1, 2024.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Ms. Malissa Jones, Procurement Analyst, at 571-882-4687, or by email at 
[email protected]. For information pertaining to status or 
publication schedules, contact the Regulatory Secretariat Division at 
202-501-4755 or [email protected]. Please cite FAC 2024-04, FAR Case 
2022-010.

SUPPLEMENTARY INFORMATION: 

I. Background

    DoD, GSA, and NASA are amending the FAR to add the framework for a 
new FAR part 40, which will contain the policies and procedures for 
managing information security and supply chain security when acquiring 
products and services. The creation of this new FAR part does not 
implement any of the policies or procedures related to managing 
information security and supply chain security. The rule simply 
establishes the new FAR part. Relocation of the related existing 
policies or procedures will be done through separate rulemaking.
    Currently, the policies and procedures for prohibitions, 
exclusions, supply chain risk information sharing, and safeguarding 
information that address security objectives are dispersed across 
multiple parts of the FAR, which makes it difficult for the acquisition 
workforce to locate, understand, and implement applicable requirements. 
This new part will provide contracting officers with a single, 
consolidated location in the FAR that addresses their role in 
implementing requirements related to managing information security and 
supply chain security when acquiring products and services. This is 
also helpful to contractors who may want to review the information 
security and supply chain security policies and procedures in FAR part 
40.
    This part will provide a location to cover broad security 
requirements that apply across acquisitions. These include security 
requirements designed to bolster national security through the 
management of existing or potential adversary-based supply chain risk 
across technological, intent-based, or economic means (e.g., 
cybersecurity supply chain risks, foreign-based risks,

[[Page 22605]]

emerging technology risks). The new FAR part 40 would be structured 
based on the objectives of the regulation (similar to the way 
environmental objectives are covered in part 23 and labor objectives 
are addressed in part 22). Security-related requirements that include, 
but are not limited to, information and communications technology (ICT) 
will be covered in FAR part 40. An example of security-related 
requirements that include, but are not limited to, ICT are the 
security-related requirements from section 889 of the John S. McCain 
National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-
232). Security-related requirements that only apply to ICT acquisitions 
will continue to be covered in part 39.
    Supply chain and information risks that are unrelated to security 
risks are covered in other parts of the FAR (e.g., part 22 for labor 
and human trafficking risks and part 23 for climate-related risks).

II. Publication of This Final Rule for Public Comment Is Not Required 
by Statute

    The statute that applies to the publication of the FAR is 41 U.S.C. 
1707. Subsection (a)(1) of 41 U.S.C. 1707 requires that a procurement 
policy, regulation, procedure, or form (including an amendment or 
modification thereof) must be published for public comment if it 
relates to the expenditure of appropriated funds, and has either a 
significant effect beyond the internal operating procedures of the 
agency issuing the policy, regulation, procedure, or form, or has a 
significant cost or administrative impact on contractors or offerors. 
This final rule is not required to be published for public comment 
because it is only establishing a framework for a new FAR part and does 
not implement any policies or procedures that apply to the public. This 
rule only affects the internal operating procedures of the Government 
and without a significant cost or administrative impact on contractors 
or offerors.

III. Applicability to Contracts at or Below the Simplified Acquisition 
Threshold (SAT) and for Commercial Products, Including Commercially 
Available Off-the-Shelf (COTS) Items, or Commercial Services

    This rule does not create new solicitation provisions or contract 
clauses or impact any existing provisions or clauses.

IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 (as amended by E.O. 14094) and 13563 
direct agencies to assess the costs and benefits of available 
regulatory alternatives and, if regulation is necessary, to select 
regulatory approaches that maximize net benefits (including potential 
economic, environmental, public health and safety effects, distributive 
impacts, and equity). E.O. 13563 emphasizes the importance of 
quantifying both costs and benefits, of reducing costs, of harmonizing 
rules, and of promoting flexibility. This is not a significant 
regulatory action and, therefore, was not subject to review under 
Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated 
September 30, 1993.

V. Congressional Review Act

    Pursuant to the Congressional Review Act, DoD, GSA, and NASA will 
send this rule to each House of the Congress and to the Comptroller 
General of the United States. The Office of Information and Regulatory 
Affairs (OIRA) in the Office of Management and Budget has determined 
that this rule does not meet the definition in 5 U.S.C. 804(2).

VI. Regulatory Flexibility Act

    Because a notice of proposed rulemaking and an opportunity for 
public comment are not required to be given for this rule under 41 
U.S.C. 1707(a)(1) (see section II. of this preamble), the analytical 
requirements of the Regulatory Flexibility Act (5 U.S.C. 601-612) are 
not applicable. Accordingly, no regulatory flexibility analysis is 
required, and none has been prepared.

VII. Paperwork Reduction Act

    This rule does not contain any information collection requirements 
that require the approval of the Office of Management and Budget under 
the Paperwork Reduction Act (44 U.S.C. 3501-3521).

List of Subjects in 48 CFR Part 40

    Government procurement.

William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of 
Acquisition Policy, Office of Government-wide Policy.


0
Therefore, DoD, GSA, and NASA amend 48 CFR chapter 1 by adding part 40 
to read as follows:

PART 40--INFORMATION SECURITY AND SUPPLY CHAIN SECURITY

Sec.
40.000 Scope of part.
Subpart 40.1--[Reserved]
Subpart 40.2--[Reserved]
Subpart 40.3--[Reserved]

    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. 
chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 
20113.


40.000  Scope of part.

    (a) This part addresses broad security requirements that apply to 
acquisitions of products and services. It prescribes policies and 
procedures for managing information security and supply chain security 
when acquiring products and services that include, but are not limited 
to, information and communications technology (ICT).
    (b) See part 39 for security-related policies and procedures that 
only apply to ICT.
    (c) See parts 4, 24, and 46 for additional policies and procedures 
related to managing information security and supply chain security.
    (d) Information and supply chain policies and procedures that are 
unrelated to security are covered in other parts of the FAR (e.g., part 
22 for labor and human trafficking risks and part 23 for climate-
related risks).

Subpart 40.1--[Reserved]

Subpart 40.2--[Reserved]

Subpart 40.3--[Reserved]

[FR Doc. 2024-06411 Filed 3-29-24; 8:45 am]
BILLING CODE 6820-EP-P