[Federal Register Volume 89, Number 70 (Wednesday, April 10, 2024)]
[Notices]
[Pages 25268-25269]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-07535]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

[Docket No. 2024-0054; Sequence No. 1]


Federal Acquisition Regulation: FAR Part 40, Information Security 
and Supply Chain Security; Request for Information

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Notice of request for information (RFI).

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA recently established Federal Acquisition 
Regulation (FAR) part 40, Information Security and Supply Chain 
Security. The intent of this RFI is to solicit feedback from the 
general public on the scope and organization of FAR part 40.

DATES: Interested parties should submit written comments to the 
Regulatory Secretariat Division at the address shown below on or before 
June 10, 2024 to be considered in the formation of the changes to FAR 
part 40.

ADDRESSES: Submit comments in response to this RFI to the Federal 
eRulemaking portal at https://www.regulations.gov by searching for 
"RFI FAR part 40". Select the link "Comment Now" that corresponds 
with "RFI FAR part 40". Follow the instructions provided on the 
"Comment Now" screen. Please include your name, company name (if 
any), and "RFI FAR part 40" on your attached document. If your 
comment cannot be submitted using https://www.regulations.gov, call or 
email the points of contact in the FOR FURTHER INFORMATION CONTACT 
section of this document for alternate instructions.
    Instructions: Response to this RFI is voluntary. Respondents may 
answer as many or as few questions as they wish. Each individual or 
entity is requested to submit only one response to this RFI. Please 
identify your answers by responding to a specific question or topic if 
possible. Please submit responses only and cite "RFI FAR part 40" in 
all correspondence related to this RFI. Comments received generally 
will be posted without change to https://www.regulations.gov, including 
any personal and/or business confidential information provided. Public 
comments may be submitted as an individual, as an organization, or 
anonymously (see frequently asked questions at 
https://www.regulations.gov/faq). To confirm receipt of your comment(s), please 
check https://www.regulations.gov, approximately two-to-three days 
after submission to verify posting.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Ms. Malissa Jones, Procurement Analyst, at 571-882-4687 or by email at 
[email protected]. For information pertaining to status, 
publication schedules, or alternate instructions for submitting 
comments if https://www.regulations.gov cannot be used, contact the 
Regulatory Secretariat Division at 202-501-4755 or [email protected]. 
Please cite FAR Case 2023-008.

SUPPLEMENTARY INFORMATION: The final FAR rule 2022-010, Establishing 
FAR part 40, amended the FAR to establish a framework for a new 
information security and supply chain security FAR part, FAR part 40. 
The final rule does not implement any of the information security and 
supply chain security policies or procedures; it simply established FAR 
part 40. The final FAR rule was published in the Federal Register at 89 
FR 22604, on April 1, 2024. Relocation of existing requirements and 
placement of new requirements into FAR part 40 will be done through 
separate rulemakings.
    Currently, the policies and procedures for prohibitions, 
exclusions, supply chain risk information sharing, and safeguarding 
information that address security objectives are dispersed across 
multiple parts of the FAR, which makes it difficult for the acquisition 
workforce and the general public to understand and implement applicable 
requirements. FAR part 40 will provide the acquisition team with a 
single, consolidated location in the FAR that addresses their role in 
implementing requirements related to managing information security and 
supply chain security when acquiring products and services.
    The new FAR part 40 provides a location to cover broad security 
requirements that apply across acquisitions. These security 
requirements include requirements designed to bolster national security 
through the management of existing or potential adversary-based supply 
chain risks across technological, intent-based, or economic means 
(e.g., cybersecurity supply chain risks, foreign-based risks, emerging 
technology risks). 
The intent is to structure FAR part 40 based on the objectives of the 
regulatory requirement (similar to how environmental objectives are 
covered in FAR part 23, and labor objectives are addressed in FAR part 
22). Security-related requirements that include and go beyond 
information and communications technology (ICT) will be covered under 
FAR part 40. An example of products and services that include and go 
beyond ICT are cybersecurity supply chain risk management requirements 
such as requirements related to section 889 of the John S. McCain 
National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-
232). Security-related requirements that only apply to ICT acquisitions 
will continue to be covered in FAR part 39. The test for whether 
existing regulations would be in FAR part 40 would be based on the 
following questions:

Question 1: Is the regulation or FAR case addressing security 
objectives?
    - If yes, move to question 2.
    - If no, the regulation would be located in another part of the 
FAR.
Question 2: Is the scope of the requirements limited to ICT?
    - If yes, the regulation would be located in FAR part 39.
    - If no, the regulation would be located in FAR part 40.

    The following are examples of the FAR subparts and regulations that 
are under consideration and could potentially be located in, or 
relocated to, FAR part 40:

Part 40--Information Security and Supply Chain Security

40.000 Scope of part.
    - General Policy Statements
    - Cross reference to updated FAR part 39 scoped to ICT
Subpart 40.1--Processing Supply Chain Risk Information
    - FAR 4.2302, sharing supply chain risk information
    - Cross reference to counterfeit and nonconforming parts (FAR 
46.317)
    - Cross reference to cyber threat and incident reporting and 
information sharing (FAR case 2021-017)
Subpart 40.2--Security Prohibitions and Exclusions
    - FAR subpart 4.20, Prohibition on Contracting for Hardware, 
Software, and Services Developed or Provided by Kaspersky Lab
    - FAR subpart 4.21, Prohibition on Contracting for Certain 
Telecommunications and Video Surveillance Services or Equipment
    - FAR subpart 4.22, Prohibition on a ByteDance Covered 
Application, which covers the TikTok application, from FAR case 2023-
010
    - Prohibition on Certain Semiconductor Products and Services 
(FAR case 2023-008)
    - FAR subpart 4.23, Federal Acquisition Security Council, 
except section 4.2302
    - Covered Procurement Action/agency specific exclusion orders 
(FAR case 2019-018)
    - FAR subpart 25.7, Prohibited Sources
    - Prohibition on Operation of Covered Unmanned Aircraft Systems 
from Covered Foreign Entities (FAR case 2024-002)
Subpart 40.3--Safeguarding Information
    - FAR subpart 4.4, Safeguarding Classified Information Within 
Industry
    - Controlled Unclassified Information (CUI) (FAR case 2017-016)
    - FAR subpart 4.19, Basic Safeguarding of Covered Contractor 
Information Systems

    In this notice, DoD, GSA, and NASA are providing an opportunity for 
members of the public to provide comments on the proposed scope of FAR 
part 40. Feedback provided should support the goal of providing a 
single location to cover broad security requirements that apply across 
acquisitions. Providing the acquisition team with a single, 
consolidated location in the FAR that addresses their role in 
implementing requirements related to managing information security and 
supply chain security when acquiring products and services will enable 
the acquisition workforce to understand and implement applicable 
requirements more easily.
    DoD, GSA, and NASA seek responses to any or all the questions that 
follow this paragraph. Where possible, include specific examples of how 
your organization is or would be impacted negatively or positively by 
the recommended scope and subparts; if applicable, provide rationale 
supporting your position. If you believe the proposed scope and 
subparts should be revised, suggest an alternative (which may include 
not providing guidance at all) and include an explanation, analysis, or 
both, of how the alternative might meet the same objective or be more 
effective. Comments on the economic effects including quantitative and 
qualitative data are especially helpful. In addition to the FAR parts 
and subparts proposed for relocation to FAR part 40, let us know:
    1. What specific section(s) of the FAR would benefit from inclusion 
in FAR part 40?
    2. What specific suggestions do you have for otherwise improving 
the proposed scope or subparts of FAR part 40?

William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of 
Acquisition Policy, Office of Government-wide Policy.
[FR Doc. 2024-07535 Filed 4-9-24; 8:45 am]
BILLING CODE 6820-EP-P