Defense Federal Acquisition Regulation Supplement: Requirements Relating to Supply Chain Risk (DFARS Case 2012-D050), 67243-67252 [2015-27463]

Agencies

• Defense Acquisition Regulations System
• DEPARTMENT OF DEFENSE

[Federal Register Volume 80, Number 210 (Friday, October 30, 2015)]
[Rules and Regulations]
[Pages 67243-67252]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-27463]



[[Page 67243]]

Vol. 80

Friday,

No. 210

October 30, 2015

Part VII





Department of Defense





-----------------------------------------------------------------------





Defense Acquisition Regulations System





-----------------------------------------------------------------------





48 CFR Parts 201, 202, 206, et al.





Defense Federal Acquisition Regulation Supplements; Final Rules

Federal Register / Vol. 80 , No. 210 / Friday, October 30, 2015 / 
Rules and Regulations

[[Page 67244]]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 239, 244, and 252

[Docket No. DARS 2013-0052]
RIN 0750-AH96


Defense Federal Acquisition Regulation Supplement: Requirements 
Relating to Supply Chain Risk (DFARS Case 2012-D050)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD has adopted as final, with changes, an interim rule 
amending the Defense Federal Acquisition Regulation Supplement (DFARS) 
to implement a section of the National Defense Authorization Act (NDAA) 
for Fiscal Year (FY) 2011, as amended by the NDAA for FY 2013. This 
final rule allows DoD to consider the impact of supply chain risk in 
specified types of procurements related to national security systems.

DATES: Effective October 30, 2015.

FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, telephone 571-372-
6090.

SUPPLEMENTARY INFORMATION:

I. Background

    DoD published an interim rule in the Federal Register at 78 FR 
69268 on November 18, 2013, to implement section 806 of the National 
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011 (Pub. L. 
111-383), entitled ``Requirements for Information Relating to Supply 
Chain Risk,'' as amended by section 806 of the NDAA for FY 2013 (Pub. 
L. 112-239). This rule is part of DoD's retrospective plan, completed 
in August 2011, under Executive Order 13563, Improving Regulation and 
Regulatory Review. DoD's full plan and updates can be accessed at: 
https://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.
    Eight respondents submitted public comments in response to the 
interim rule.

II. Discussion and Analysis

    DoD reviewed the public comments in the development of the final 
rule. A discussion of the comments and the changes made to the rule as 
a result of those comments is provided, as follows:

A. Significant Changes From the Interim Rule

    1. Language is added to the rule to clarify that section 806 
authority is only applicable when acquiring information technology, 
whether as a service or as a supply, that is a covered system, is a 
part of a covered system, or is in support of a covered system, 
including clarification of the prescriptions for DFARS provision 
252.239-7017, Notice of Supply Chain Risk, and DFARS clause 252.239-
7018, Supply Chain Risk.
    2. Guidance on the use of an evaluation factor regarding supply 
chain risk is modified to require the inclusion of the evaluation 
factor when acquiring information technology, whether as a service or 
as a supply that is a covered system, is a part of a covered system, or 
is in support of a covered system. Additional text regarding an 
evaluation factor has been added at DFARS 212.301, 213.106-1, 214.201-
5, and 214.503-1.
    3. DFARS clause 252.239-7018, Supply Chain Risk, is changed as 
follows--
    a. Paragraph (b), is modified to state that the contractor shall 
mitigate supply chain risk in the provision of supplies and services to 
the Government; and
    b. Paragraph (c) is removed as the clause will no longer contain a 
requirement to flow down the clause to subcontractors.

B. Analysis of Public Comments

1. Interim Rule Should Be Reissued as a Proposed Rule
    Comment: Numerous respondents urged DoD to rescind the interim rule 
and reissue the rule as a proposed rule. One respondent suggested that 
the new rule authorizes the exclusion of businesses from the defense 
industrial base and that such authority should not be exercised without 
first hearing the views of and gathering all relevant information from 
the parties that will be directly impacted by this rule. One respondent 
commented that the rule could prevent suppliers from addressing and 
mitigating supply chain security risks, and that a public comment 
period would have allowed industry to suggest alternative approaches 
that could allow for risk mitigation. Another respondent commented that 
the interim rule denies industry and other critical stakeholders ample 
time, opportunity to shape, and ultimately collaborate with the DoD to 
design a complex program that addresses multiple risks and 
complexities. One respondent added that without a standard notice-and-
comment rulemaking process, industry has no opportunity to comment on 
areas of concern before the rule takes effect whereby industry must 
incur costs and move towards compliance without guidance through the 
rulemaking process.
    Response: DoD issued an interim rule because of the need to protect 
national security systems (NSS) and the integrity of its supply chains. 
The rule implements the specific authorities provided in the statute. 
The pilot authority provided for by the statute will expire September 
30, 2018. It is in DoD's interest to initiate the pilot program and 
begin gathering feedback for its report to Congress. DoD considered all 
public comments received during the public comment period in the 
formation of this final rule.
2. Definitions
a. ``Covered Item''/``Covered System''
    Comment: Several respondents objected to the broad definitions of 
``covered system'' and ``covered item.'' One respondent questioned why 
the Council chose to use the term ``covered item'' versus ``covered 
item of supply,'' which is the term used in section 806.
    Response: The definitions in the rule are taken directly from the 
statute. In the final rule, the term ``covered item'' has been replaced 
by the term ``covered item of supply,'' thereby conforming to the 
statute.
b. Information Technology
    Comment: The same respondent commented that the definition of 
``information technology'' is defined even more expansively than in 
Federal Acquisition Regulation (FAR) subpart 2.1, covering information 
systems ranging from systems used for intelligence activities to 
information systems used for the ``direct fulfillment of military or 
intelligence missions.''
    Response: The definition of ``information technology'' in the rule 
is the same as in the statute (40 U.S.C. 11101(6)).
c. Supply Chain Risk
    Comment: One respondent requested that DoD clarify the definition 
of ``supply chain risk,'' stating that DoD should clarify the phrase 
``maliciously introduce unwanted function'' to clearly explain if this 
is a hardware or software concern or both, and recognize that threats 
posed maliciously are just one class of threat.
    Response: The definition of ``supply chain risk'' is taken directly 
from the statute. It addresses both hardware and software concerns and 
is the only class of threat to which section 806 and the rule apply.

[[Page 67245]]

3. Scope and Applicability
a. Prescription
    Comment: Three respondents commented that the scope is overly 
broad, recommending that DoD should include the rule's provisions and 
clauses in NSS solicitations and contracts only. One of these 
respondents commented that the rule should be narrowly scoped to 
reflect the intent of Congress, suggesting that DoD should include the 
rule's provisions and clauses in solicitations and contracts for 
information technology NSS rather than all information technology 
solicitations and contract, i.e., only in ``covered procurements.'' 
Another respondent commented that DoD should establish an independent, 
special review council to evaluate issues such as: (1) ``covered'' 
systems, technologies, items, procurements, and contracts; and (2) 
circumstances where the clause needs to be included and where 
information will be withheld under DFARS 239.7305(d), thus providing an 
independent check to ensure that this authority is being used in a 
manner consistent with section 806 of the FY 2011 NDAA and the 
underlying policy. This respondent also suggested that successful 
offerors be provided information that their contracts are covered by 
the clause. One respondent suggested that DoD should provide offerors 
sufficient notice that the goods or services they offer are to be used 
in a covered procurement.
    Response: The final rule limits use of the solicitation provision 
and contract clause to solicitations and contracts for information 
technology, whether acquired as a service or as a supply, that is a 
covered system, is a part of a covered system, or is in support of a 
covered system, as that term is defined at 239.7301.
b. NSS Classifications
    Comment: One respondent commented that mundane systems will be over 
classified by program managers as NSS and that NSS classifications 
should be reserved to an appropriate level above program manager. This 
respondent further stated that DoD should take steps to clearly 
designate systems as ``NSS'' and limit the NSS classification. Another 
respondent stated that because the interim rule incorporates the 
definition in 44 U.S.C. 3542(b) for ``National Security System'', the 
rule's approach to include the clause in all DoD contracts seems 
contrary to the legislative intent to limit application to ``covered 
procurements'' as defined in section 806(e)(3) of the FY 2011 NDAA. 
This respondent further suggested that DoD more narrowly define when 
contracting officers should include and use this clause (e.g., what 
types of programs) and create some independent review of contracting 
activities' decisions to apply the interim rule.
    Response: In the final rule, the use of the provision and clause is 
only required when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined at 
DFARS 252.239-7302. In accordance with DoD Instruction 8510.01, Risk 
Management Framework (RMF) for DoD Information Technology (IT), the 
requiring activity/program office will designate systems as NSS when it 
registers them in the DoD Component registry (e.g., DoD Information 
Technology Portfolio Repository (DITPR)).
c. Flowdown
    Comment: One respondent suggested that because the clause is 
written to require flowdown to subcontractors regardless of tier, the 
Government intends to have the right to direct a supplier at any tier 
to be excluded for a contract. The respondent further stated that this 
could lead to even greater disruption of a program's supply chain since 
the loss of a supplier at a remote tier can have ripple effects on all 
higher-tier contractors and that the potential costs for the delay, 
disruption, and potential workarounds required to address the situation 
could be enormous. Failing to address the effects of exclusion of 
subcontractors almost guarantees that implementation of this rule will 
result in claims and disputes.
    Response: The requirement to include the substance of DFARS clause 
252.239-7018 in subcontracts has been removed from this final rule.
    d. Other Applications
    Comment: One respondent commented that DoD should clarify whether 
or not the rule applies to embedded processing, whether the rule 
applies to cloud computing acquisitions, and whether cloud computing 
acquisitions are covered procurement actions as a class, since these 
types of acquisitions are not directly addressed in the interim rule.
    Response: The rule applies when acquiring information technology, 
whether as a service or as a supply, that is a covered system, is a 
part of a covered system, or is in support of a covered system. This 
includes embedded processing and cloud computing acquisitions if they 
are NSS.
4. Managing Supply Chain Risk
a. General
    Comment: Three respondents commented that the final rule should 
encourage industry to better manage supply chain risk, require that 
robust supply chain risk management principles be applied throughout 
procurement practices, or at the very least require that contracting 
officers apply supply chain risk management to contracts. One of these 
respondents further commented that the final rule should include 
language that reinforces the stated objective in the definition of 
supply chain risk, stating, ``This rule, by itself, does not require 
contractors to deploy additional supply chain risk protections, but 
leaves it up to individual contractors to take the steps necessary. . 
.to protect their supply chain.'' Another of these respondents 
suggested that, if the provisions of section 806 are to be implemented 
as intended, the rule must require robust supply chain analyses. One 
respondent suggested that the interim rule should provide that in all 
critical information technology acquisitions, supply chain security 
must be applied by the relevant Government procurement managers, both 
at the direct contract and supervisorial levels as a mandatory matter.
    Response: This rule has as its sole purpose the implementation of 
section 806. DoD has provided, and will continue to provide, additional 
guidance for the management and mitigation of supply chain risk.
b. Evaluation Factor
    Comment: Three respondents commented that the interim rule should 
provide guidance on evaluation factors. One of these respondents 
commented that the rule creates uncertainty by failing to describe how 
supply chain risk will be used as an evaluation factor and suggests 
that the Government must realize that when managing risk, the steps 
necessary to exhaustively test all software to eliminate all potential 
unwanted functions is unaffordable. One respondent commented that the 
new requirement at DFARS 215.304 for departments and agencies to 
consider ``the need for an evaluation factor regarding supply chain 
risk'' provides insufficient guidance as to the type of supply chain 
risk evaluation factors to be utilized, further stating that while they 
would expect that such risk evaluations would be conducted on a case-
by-case basis, guidance should be provided as to which evaluation 
factors should be used and when. One respondent suggested that the 
statement

[[Page 67246]]

``Consider the need for an evaluation factor. . .'' appears to give the 
contracting activity the discretion to determine whether an evaluation 
factor for supply chain risk is needed but does not provide guidance as 
to when the conditions which necessitate such a factor have been met.
    Response: In the final rule, guidance on the use of an evaluation 
factor regarding supply chain risk is modified to require the inclusion 
of the evaluation factor when acquiring information technology, whether 
as a service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system. Risk levels, risk 
tolerance, and appropriate risk management measures must be determined 
at the local level. Evaluation factors are specified at the individual 
acquisition level and not in the DFARS. DoD is issuing DFARS 
Procedures, Guidance, and Information for the contracting workforce on 
developing and using supply chain risk evaluation factors.
c. Information Sharing
    Comment: Three respondents commented on the disclosure of 
information regarding supply chain risk to offerors and contractors. 
One of these respondents urged the DoD to use its discretion in sharing 
information concerning threats sufficient to allow suppliers to alter 
product designs and change components on devices to overcome known 
vulnerabilities. Another respondent suggested that a requirement to 
report identified supply chain risks and issues would assure that 
immediate remediation could be undertaken if problems arose. One 
respondent commented that DoD should consider revising the rule to 
promote disclosure of information regarding supply chain risks to 
offerors and contractors whenever possible. Whenever such notice may be 
accomplished ``consistent with the requirements of national security,'' 
DoD should provide notification to the offeror or contractor of 
perceived supply chain risks early in the procurement process in 
accordance with standard Government procurement rules (e.g., during 
discussions in a negotiated procurement), so that the contractor has 
the opportunity to mitigate or eliminate the risk. Contractors are less 
able to mitigate supply chain risk if the Government fails or declines 
to share with them risk information it has developed internally.
    Response: The DoD intends to share information about supply chain 
risk with its contractors to the extent possible, consistent with the 
requirements of national security. The provisions of the rule and 
section 806 that limit disclosure are concerned with risk information 
that, for national security reasons, cannot be shared despite the 
transparency that is normally present in procurement activities.
d. Mitigation/Less Intrusive Measures
    Comment: Several respondents commented on the need for DoD to focus 
on mitigation plans and less intrusive measures. One of these 
respondents commented that DoD should create a mechanism for vendors to 
file supply chain risk mitigation plans with DoD. DoD could take these 
plans into consideration when assessing supply chain risk for any 
particular procurement activity. By viewing filed mitigation plans from 
multiple vendors, DoD could gain greater insight into commercially 
viable supply chain mitigation practices. This respondent further 
stated that DoD should approach supply chain risk with an eye toward 
encouraging mitigation rather than simply disqualifying vendors, 
suggesting that DoD can and should implement robust supply chain 
security practices. One respondent suggested that DoD should clarify 
what it believes are less intrusive measures under section 
239.7304(b)(1)(2), recommending that in order to prevent the interim 
rule from impeding the use of commercial technology (including 
commercially available off-the-shelf items) in NSS, which ultimately 
benefits DoD, the Department should provide wide discretion to the 
judgment of manufacturers in their use of industry standards and 
internal processes to meet its supply chain risk goals. This respondent 
further commented that while DFARS section 239.7304 of the rule 
provides that an exclusion under DFARS 239.7305 may occur when it is 
determined that, among other factors, ``less intrusive measures are not 
reasonably available to reduce such supply chain risk,'' at no point in 
the rule is clarity provided on what this language is defined as or 
what an authorized individual should refer to in order to gauge what 
``less intrusive measures'' are and whether they are ``not reasonably 
available.'' Another of these respondents suggested that the 
opportunity to mitigate or eliminate the noticed risk from the supply 
chain would avoid significant costs that would be passed along to DoD. 
One respondent suggested that DoD modify the interim rule to clarify 
that the exercise of the authorities under DFARS 239.7305 should be a 
``last resort,'' invoked only after other methods of mitigating supply 
chain risk have been considered or attempted.
    Response: Section 806(b)(2) requires that ``less intrusive measures 
are not reasonably available to reduce supply chain risk'' to use its 
authority. Whenever it is appropriate, DoD will work with its offerors 
to mitigate supply chain risk using less intrusive measures than 
exclusion based on section 806 authorities. In the notification to 
congressional committees when exercising section 806 authority, a 
summary of the mitigation analysis evaluating reasonably available 
mitigations will be documented. In most cases, DoD expects these 
mitigations will sufficiently mitigate the risks so that exclusion will 
not be necessary.
e. Standards and Controls
    Comment: Several respondents commented on the need for the rule to 
specify relevant supply chain risk management (SCRM) standards, 
controls, etc. One respondent stated that while it does not suggest DoD 
explicitly endorse one set of controls over another, industry does need 
some guidance beyond ``maintain controls.'' There must be consistency 
in the call out of the relevant SCRM standards and ratings in 
solicitations so as not to create an unnecessary administrative burden 
for contractors to select suppliers and subcontractors based on a 
moving target of standards and ratings. Notwithstanding making a 
reference to the Regulatory Flexibility Act on page 69269 in the 
narrative of the Federal Register document that the rule ``recognizes 
the need for information technology contractors to implement 
appropriate safeguards and countermeasures to minimize supply chain 
risk,'' one respondent commented that the interim rule does not provide 
any guidance about what metric will be applied to its products, 
services, and business models. The respondent further stated that the 
rule requires contractors to ``maintain controls in the provision of 
supplies and services to the Government to minimize supply chain risk'' 
but does not provide any guidance to contractors or Government 
contracting officers as to the type of controls to be maintained to 
meet this requirement, recommending that DoD issue additional guidance 
that uses existing and proposed global, consensus-based standards. One 
respondent commented that the absence of what standard DoD will use to 
evaluate supply chain risks is likely to increase the time and cost of 
pursuing and performing Government contracts.
    Response: The final rule removes the language requiring contractors 
to

[[Page 67247]]

``maintain controls'' and now states that the contractor shall mitigate 
supply chain risk in the provision of supplies and services to the 
Government. This change was made because the DFARS cannot identify 
specific standards or controls as this would be up to each requiring 
activity to identify if any standards or controls are necessary 
particular to the risks and risk tolerance that would apply to each 
procurement. DoD continues to work with industry to identify risk 
management best practices and promulgate best practice documents for 
consideration.
f. Verification/Inspection
    Comment: One respondent commented that suppliers should meet the 
requirement to provide supply chain security verification by 
documentation, suggesting that all levels of the supply chain--
Government, prime contractors, subcontractors, and parts suppliers--
should be in compliance with supply chain integrity requirements and 
have records and production locations available for inspection if 
necessary.
    Response: The practices, documentation, and information suggested 
in the comment are important tools in protecting against supply chain 
risk. However, these suggestions do not comply with the legislative 
requirements to implement section 806.
5. Process
a. General
    Comment: Two respondents commented that the interim rule could 
deprive potential contractors and subcontractors of due process and 
that by improving due process, DoD can better secure the supply chain. 
One of these respondents urged DoD to do more to guarantee due process 
to its suppliers under this rule, stating that notice, dialogue, and 
resolution, (i.e., due process) serve to identify root causes of supply 
chain risk and allow suppliers to clear their names when falsely 
accused. One respondent commented that implementation of the provision 
for a particular procurement or contract action may result in non-
reviewable decisions that deprive actual or potential contractors and 
subcontractors of their property rights, including their right to 
fairly compete for procurements and subcontracts, suggesting that these 
non-reviewable exclusions may violate the due process clause and could 
negatively affect the procurement community. This respondent suggested 
that DoD modify the interim rule to clarify that the exercise of the 
authorities under DFARS 239.7305 should be a ``last resort,'' invoked 
only after other methods of mitigating supply chain risk have been 
considered or attempted.
    Response: Risk will be evaluated on a case-by-case basis, and any 
exclusion will be for a particular source selection and not a blanket 
exclusion. Contractors are eligible to compete for future solicitations 
even after application of the section 806 authority has excluded them 
from a particular source selection.
b. Notice/Appropriate Parties
    Comment: Four respondents commented on the need for timely 
notification to organizations of pre- and post-exclusion status, and/or 
the need to clarify or define the ``appropriate parties'' in DFARS 
239.7305(d)(2)(i). Two of these respondents commented that providing 
notice to the vendor in advance of any procurement action would permit 
appropriate response to the risk and allow offerors to rectify 
instances of unacceptable risk before DoD makes a determination based 
on incorrect or insufficient information, ensuring fairness to the 
offeror and benefitting DoD by enhancing fairness in competition for 
contracts. The opportunity to mitigate or eliminate the noticed risk 
from the supply chain would avoid significant costs that would be 
passed along to the DoD.
    Three of these respondents commented on the need for notification 
to excluded offerors of their post-exclusion status. One respondent 
commented that notification to excluded offerors of their post-
exclusion status and the reasons for exclusion will allow them to take 
steps to remedy those flaws before future opportunities. One respondent 
suggested that if a determination is made that ``less intrusive 
measures are not reasonably available [short of exclusion] to reduce 
such supply chain risk,'' the rule should require that the notion of 
providing notice to the offeror has been explicitly considered and 
deemed unreasonable before a decision to exclude has been finalized. 
Another respondent suggested that DFARS 215.503 and 215.506 should be 
clarified to ensure that unsuccessful offerors are provided information 
demonstrating that DOD complied with the requirements of section 806(b) 
and (c) in making the determination to limit the disclosure of 
information relating to the basis for carrying out a covered 
procurement action.
    One of these respondents commented that clarification/definition of 
the term ``appropriate parties'' as encompassing the impacted offeror/
bidder/contractor would ensure that the impacted offeror/bidder/
contractor is advised, at a minimum, that it has been impacted by a 
supply chain risk determination under this DFARS section, and that any 
information that can be shared about the ``basis for carrying out'' the 
decision ``consistent with the requirements of national security'' will 
be shared with that entity. Another respondent commented that while the 
rule requires notice by the authorized individual to ``appropriate 
parties'' to the extent needed to execute a covered procurement action 
and to DoD and other Federal agencies, it makes no provision to provide 
notice to other Federal contractors that might be impacted by the 
exclusion.
    Response: The written determination detailed in DFARS 239.7304 will 
detail any limitations on disclosure of information related to a 
section 806 exclusion. ``Appropriate parties'' would be determined on a 
case-by-case basis.
c. Exclusion Process
    Comment: Two respondents commented on the exclusions process 
itself. One respondent commented that the exclusion process is 
seriously flawed because it does not connect the acts conducted by 
those at higher levels in DoD with the actions of the contracting 
officers in any rational time phased application that would help 
offerors understand the proposal and business risk involved in any 
given source selection process. This respondent further commented that 
it is fundamentally unclear whether an exclusion will be made on a 
case-by-case basis or be a blanket exclusion of a contractor or 
subcontractor, and that it is unclear at what point in the acquisition 
process such exclusions may be authorized or executed. Under the new 
rule's language, a source could be excluded before, during, and/or 
after a contract award (whether as prime or subcontractor). One 
respondent suggests that its concerns that DoD can reject or modify 
acquisitions based upon concerns about supply chain integrity could be 
addressed by having any sensitive finding subject to review, and 
recommendation for approval or disapproval to the Secretary of Defense, 
by the DoD General Counsel, or a committee appointed by the Secretary 
of Defense charged with assuring the validity of such concerns and 
their sensitivity for release to suppliers.
    Response: Suppliers are expected to manage supply chain risk in 
their offerings. Under section 806 and the rule, exclusion of a source 
may occur during source selection before award (using an evaluation 
factor) or after award (by withholding consent to a subcontract). 
Exclusion of a source would be on a case-by-case basis, as the

[[Page 67248]]

risk tolerance is not the same for all procurement actions. The 
authorization and recommendation mechanisms and participants described 
in the rule are mandated by the statute.
d. Dispute Mechanism
    Comment: Two respondents commented on the need for an impartial 
process for addressing concerns. One respondent urged that the interim 
rule reinforce the need for a fair opportunity pre- and post-exclusion 
for concerns to be addressed by the contractor or vendor at issue. One 
respondent commented that neither section 806 of the NDAA for FY 2011 
nor the interim rule provide for any procedures for proposed 
contractors or subcontractors to challenge a possible exclusion 
determination where DoD decides to limit the disclosure of information. 
This respondent further stated that DoD should provide some dispute 
mechanism for exclusion in protest and claim matters, whereby counsel 
for offerors, contractors, and proposed subcontractors can represent 
their clients and obtain access to information under protective order 
or clearance to assure that the required process was followed and 
proper grounds for invocation of the exclusion exist.
    Response: Exclusions using the authority of section 806 will be 
based generally on classified intelligence information. A dispute 
resolution mechanism is not appropriate under those circumstances.
e. Remediation
    Comment: Two respondents commented on the need to provide equitable 
adjustments, a means of remedy, and/or a pathway to reinstatement once 
a supplier is excluded. One of the respondents commented that while 
DFARS 239.7305 allows DoD to exclude sources, it does not provide a 
pathway to reinstatement or for inclusion once a supplier is excluded, 
proposing that DoD establish a separate rulemaking and coordinate a 
unified policy with an industry-Government working group to gain 
insight into how remediation and rejoining the defense industrial base 
can be accomplished in a responsible manner. This respondent further 
commented that DoD should provide equitable adjustments and other 
remedies for prime contractors whose subcontractors are excluded, 
stating that the new regulations fail to provide relief for prime 
contractors who must exclude a source through no fault of its own. 
Another respondent suggested that a periodic review of excluded 
contractors should be required for ongoing contracts with new task 
orders, adding that if a vendor has been excluded without notice, the 
interim rule should require the agency to review that decision on no 
less than an annual basis for as long as the contract is in place. This 
respondent also commented that the regulation should specifically 
afford remedies, including equitable adjustments, whenever the 
authority at DFARS 239.7305(c) is exercised and a prime must exclude a 
subcontractor.
    Response: Risk will be evaluated on case-by-case basis, and any 
exclusion will be for a particular source selection and not a blanket 
exclusion. Offerors are eligible to compete for future solicitations 
even after section 806 has excluded them from a particular source 
selection. Consistent with national security, i.e., with proper 
clearances and in a manner that will not put the warfighter, the 
system, or intelligence operations at risk, DoD will discuss risks to 
the trust of critical systems or components with its industrial base as 
well as potential remedies. This is particularly true in the system 
integration context where the program office and the prime contractors 
are more likely to have the time and clearances to develop tailored 
mitigations. Where appropriate, DoD will partner with its contractors 
to mitigate supply chain risk in lieu of executing section 806 
authorities. In most cases, non-806 mitigations will sufficiently 
manage the risk; when that is not the case and exclusion of a source is 
required, DoD does not intend to provide equitable adjustments or other 
remedies.
6. Impact of Rule
a. Economic/Cost Impact
    Comment: Numerous respondents commented that the estimates by DoD 
of the costs and economic impact of this rule are inadequate. One of 
these respondents commented that the rule creates costs beyond the 
supply chain risk management a responsible company would undertake in 
the course of ordinary business. Further, the scope of application of 
the interim rule, which requires compliance at all levels of the DoD 
supply chain, would require significant, costly, additional investments 
in supplier management and compliance mechanisms by industry. Another 
respondent suggested that absent a public comment period before 
implementation of the rule, industry has no opportunity to provide 
input regarding the costs and benefits of the approach DoD has taken. 
One respondent commented that the cumulative economic effect of the 
exclusion of any one company from any one contract would result in 
reductions in both Government and commercial business, and the loss of 
employment at the excluded company and the corresponding loss of 
payroll. Other losses would be incurred as a result of the ripple 
effect on primes, subcontractors, or suppliers to the excluded company, 
which will lose that source of supply and must then incur the expense 
of identifying and vetting new sources. One respondent commented that 
by not advising what standard DoD will use to evaluate supply chain 
risks, the interim rule is likely to increase the time and cost of 
pursuing and performing Government contracts.
    Response: DoD does not expect the rule to have a significant 
economic impact on a substantial number of entities. Companies have an 
existing interest in having a supply chain that they can rely on to 
provide it with material and supplies that allow the contractor to 
ultimately supply its customers with products that are safe and that do 
not impose threats or risks to Government information systems. The rule 
does not require contractors to deploy additional supply chain risk 
protections. Section 806 authority applies to a specific contract, task 
order, or delivery order only.
b. Small Business
    Comment: One respondent commented that the rule will drive up costs 
for smaller businesses by requiring significant increase in investments 
in compliance. Another respondent commented that the rule could prompt 
prime contractors to exclude new or small businesses in order to 
improve the evaluation of their supply chain risk profile.
    Response: The rule does not require contractors to deploy 
additional supply chain risk protections.
c. Barriers to the Federal Market
    Comment: Two respondents commented that the rule creates 
significant new barriers to the Federal market, further suggesting that 
the interim regulation poses significant burdens for existing companies 
in the market and will only further dissuade new and innovative 
companies from entering the market.
    Response: Since section 806 decisions rely on intelligence 
information, the operation of the rule presents no barrier to 
participation in the DoD market for either existing participants or new 
entrants.

[[Page 67249]]

d. De Facto Debarment/Suspension
    Comment: Several respondents stated that the exercise of the 
exclusionary authority in the rule could result in a de facto debarment 
or suspension without any due process for the affected offeror.
    Response: Risk will be evaluated on case-by-case basis, and any 
exclusion will be for a particular source selection and not a blanket 
exclusion. Offerors are eligible to compete for future solicitations 
even after section 806 has excluded them from a particular source 
selection.
e. Security
    Comment: One respondent commented that the rule could 
unintentionally but negatively impact the Federal Government's security 
because it prevents DoD from informing suppliers about supply chain 
risks that DoD believes exist and prevents any consultation with 
offerors.
    Response: This will be taken into consideration in any instance 
that the section 806 authority is utilized.
7. Qualification standard
    Comment: Three respondents commented that the interim rule should 
provide more guidance regarding the qualification standard(s) that may 
be established to reduce supply chain risk. One respondent urged DoD to 
develop the systems and data security requirements for covered 
procurements and issue them to potential offerors during the 
procurement process as a requirement for bid eligibility. This approach 
would focus the use of this clause to procurements for covered systems 
or covered items of supply and would increase competition by limiting 
unnecessary disqualification of offerors (and contractors and 
subcontractors/suppliers) that could meet the Government's 
requirements. Another respondent commented that the rule should be 
amended to provide more specificity as to the type of ``qualification 
standards'' that may be established ``for the purposes of reducing 
supply chain risk in the acquisition of covered systems.''
    Response: DoD has no present plans to use section 806 authority to 
exclude a source based on failure to meet a qualification standard to 
reduce supply chain risk. To use this authority DoD must first develop 
qualification standards in accordance with the requirements of 10 
U.S.C. 2319, which include providing the qualification requirements to 
potential offerors.
8. Synchronize/Harmonize With Related Rules/Initiatives
    Comment: Five respondents requested that DoD harmonize the 
requirements of the rule with industry- and Government-led supply chain 
risk management regimes and initiatives in order to avoid 
inconsistencies. One respondent encouraged DoD to harmonize the 
requirements of the rule with the guidance issued by the Secretary of 
Defense memorandum dated October 10, 2013, entitled ``Safeguarding 
Unclassified Controlled Technical Information;'' the Office of 
Management and Budget's circular M-14-13 dated November 18, 2013, 
entitled ``Enhancing the Security of Federal Information and 
Information Systems;'' and other Departmental requirements. This 
respondent further recommends that the final rule include a statement 
that ``the rule complements rather than conflicts with other related 
requirements.'' Another respondent further encouraged DoD to avoid the 
creation of unneeded duplication of certifications of these important 
assurance efforts, by affirming that the interim rule shall not impact 
the duties of contractors and vendors in assessing relevant 
procurements related to NSS.
    Response: DoD is involved in a myriad of efforts to address supply 
chain risks, specifically, as well as cybersecurity broadly. All of 
these policies and strategic efforts aim to improve the overall risk 
posture of the Federal Government's information systems and those of 
its industry partners. A patchwork of policies and regulations is 
sometimes necessary to address the variabilities of the system 
ownership and operation, and the risk tolerance of the mission. The 
rule is specific to DoD and narrowly scoped to NSS, which often have a 
lower risk tolerance due to the criticality of missions utilizing such 
systems.
9. Tracking
    Comment: One respondent commented that DoD should catalog the 
number of source exclusions executed under the section 806 authority 
between 2013 and 2018.
    Response: DoD is required to submit a report on January 1, 2017, on 
the effectiveness of section 806 authorities, to include how frequently 
DoD exercises the authority.

III. Applicability to Acquisitions Not Greater Than the Simplified 
Acquisition Threshold (SAT) and Commercial Items, Including 
Commercially Available Off-the-Shelf (COTS) Items

    Consistent with 41 U.S.C. 1905, 1906, and 1907, the Director 
Defense Procurement and Acquisition Policy (DPAP), determined that it 
would not be in the best interest of the United States to exempt 
acquisitions not greater than the SAT and acquisitions of commercials 
items, including COTS items, from the applicability of section 806 of 
the NDAA for FY 2011 as amended by section 806 of the NDAA for FY 2013.

A. Applicability to Contracts at or Below the SAT

    41 U.S.C. 1905 governs the applicability of laws to contracts or 
subcontracts in amounts not greater than the SAT. It is intended to 
limit the applicability of laws to such contracts or subcontracts. 41 
U.S.C. 1905 provides that if a provision of law contains criminal or 
civil penalties, or if the FAR Council makes a written determination 
that it is not in the best interest of the Federal Government to exempt 
contracts or subcontracts at or below the SAT, the law will apply to 
them. The Director, DPAP, is the appropriate authority to make 
comparable determinations for regulations to be published in the DFARS, 
which is part of the FAR system of regulations. DoD has made that 
determination, therefore this rule does apply below the SAT.
    Given that the requirements of section 806 of the NDAA for FY 2011 
and section 806 of the NDAA for FY 2013 were enacted to protect the 
supply chain, which in turn protects NSS from malicious actions, DoD 
has determined that it is in the best interest of the Federal 
Government to apply the rule to contracts below the SAT, as defined at 
FAR 2.101. An exception for contracts for the acquisition below the SAT 
would exclude contracts intended to be covered by the law, thereby 
undermining the overarching public policy purpose of the law.

B. Applicability to Contracts for the Acquisition of Commercial Items, 
Including COTS Items

    41 U.S.C. 1906 governs the applicability of laws to contracts for 
the acquisition of commercial items, and is intended to limit the 
applicability of laws to contracts for the acquisition of commercial 
items. 41 U.S.C. 1906 provides that if a provision of law contains 
criminal or civil penalties, or if

[[Page 67250]]

the FAR Council makes a written determination that it is not in the 
best interest of the Federal Government to exempt commercial item 
contracts, the provision of law will apply to contracts for the 
acquisition of commercial items. Likewise, 41 U.S.C. 1907 governs the 
applicability of laws to COTS items, with the Administrator for Federal 
Procurement Policy the decision authority to determine that it is in 
the best interest of the Government to apply a provision of law to 
acquisitions of COTS items in the FAR. The Director, DPAP, is the 
appropriate authority to make comparable determinations for regulations 
to be published in the DFARS, which is part of the FAR system of 
regulations.
    Given that the requirements of section 806 of the NDAA for FY 2011 
and section 806 of the NDAA for FY 2013 were enacted to protect the 
supply chain, which in turn protects NSS from malicious actions, DoD 
has determined that it is in the best interest of the Federal 
Government to apply the rule to contracts for the acquisition of 
commercial items, including COTS items, as defined at FAR 2.101. An 
exception for contracts for the acquisition of commercial items, 
including COTS items, would exclude contracts intended to be covered by 
the law, thereby undermining the overarching public policy purpose of 
the law.

IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is a significant regulatory action and, therefore, was subject to 
review under section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993. This rule is not a major rule under 5 
U.S.C. 804.

V. Regulatory Flexibility Act

    A final regulatory flexibility analysis has been prepared 
consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., 
and is summarized as follows:
    The objective of this final rule is to implement in the Defense 
Federal Acquisition Regulation Supplement protection against risks to 
the supply chain affecting National Security Systems (NSS). The legal 
basis for this final rule is section 806 of the National Defense 
Authorization Act (NDAA) for Fiscal Year (FY) of 2011 (Pub. L. 
111.383), as amended by section 806 of the NDAA for FY 2013 (Pub. L. 
112-239). Congress has recognized a growing concern for risks to the 
supply chain for technology contracts supporting the Department of 
Defense (DoD). Congress has defined supply chain risk as the risk that 
an adversary may sabotage, maliciously introduce unwanted function, or 
otherwise subvert the design, integrity, manufacturing, production, 
distribution, installation, operation, or maintenance of a covered 
system so as to surveil, deny, disrupt, or otherwise degrade the 
function, use, or operation of such system (see 806(e)(4) of Pub. L. 
111-383).
    This final rule calls for contractors providing information 
technology to DoD, whether as a service or as a supply, that is a 
covered system, is a part of a covered system, or is in support of a 
covered system, to mitigate supply chain risk to the supplies and 
services being provided to the Government. It also enables agencies to 
exclude sources identified as having a supply chain risk from 
consideration for award of a covered contract, in order to minimize the 
potential risk for supplies and services purchased by DoD to 
maliciously degrade the integrity and operation of sensitive 
information technology systems. Ultimately, DoD anticipates significant 
savings to taxpayers by reducing the risk of unsafe products entering 
our supply chain, which pose serious threats or risks to sensitive 
government information technology systems.
    No comments were received in response to the initial regulatory 
flexibility analysis.
    This rule applies to contractors providing the Government with 
information technology that qualifies as a covered system or covered 
item of supply. This includes purchases of commercial items, including 
commercial off-the-shelf items, and contracts not greater than the 
simplified acquisition threshold. While it is not possible to estimate 
the number of small businesses impacted, DoD does not expect this final 
rule to have a significant economic impact on a substantial number of 
contractors, since (1) the rule applies only when acquiring information 
technology that is part of a covered system or in support of a covered 
system and (2) the authority provided by the rule is expected to be 
invoked very infrequently.
    This rule does not require any specific reporting, recordkeeping or 
compliance requirements.
    No significant economic impact on small businesses is anticipated; 
however, the final rule does have a modified applicability for the 
provision and clause created by the rule. Instead of being prescribed 
for all information technology acquisitions the provision and clause 
will only apply to acquisitions for information technology that is a 
covered system or covered item of supply. This will significantly 
reduce the number of acquisitions to which the provision and clause 
will apply.

VI. Paperwork Reduction Act

    The rule does not contain any information collection requirements 
that require the approval of the Office of Management and Budget under 
the Paperwork Reduction Act (44 U.S.C. chapter 35).

List of Subjects in 48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 
239, 244, and 252

    Government procurement.

Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.
    Accordingly, DoD adopts as final the interim rule published at 78 
FR 69268 on November 18, 2013, with the following changes:

0
1. The authority citation for 48 CFR parts 202, 208, 212, 213, 214, 
215, 239, 244, and 252 continues to read as follows:

    Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

PART 202--DEFINITIONS OF WORDS AND TERMS

0
2. Amend section 202.101 by adding, in alphabetical order, a definition 
for ``Information technology'' to read as follows:


202.101  Definitions.

* * * * *
    Information technology (see 40 U.S.C. 11101(6)) means, in lieu of 
the definition at FAR 2.1, any equipment, or interconnected system(s) 
or subsystem(s) of equipment, that is used in the automatic 
acquisition, storage, analysis, evaluation, manipulation, management, 
movement, control, display, switching, interchange, transmission, or 
reception of data or information by the agency.
    (1) For purposes of this definition, equipment is used by an agency 
if the equipment is used by the agency directly or is used by a 
contractor under

[[Page 67251]]

a contract with the agency that requires--
    (i) Its use; or
    (ii) To a significant extent, its use in the performance of a 
service or the furnishing of a product.
    (2) The term ``information technology'' includes computers, 
ancillary equipment (including imaging peripherals, input, output, and 
storage devices necessary for security and surveillance), peripheral 
equipment designed to be controlled by the central processing unit of a 
computer, software, firmware and similar procedures, services 
(including support services), and related resources.
    (3) The term ``information technology'' does not include any 
equipment acquired by a contractor incidental to a contract.
* * * * *

PART 208--REQUIRED SOURCES OF SUPPLIES AND SERVICES

0
3. Revise section 208.405 to read as follows:


208.405  Ordering procedures for Federal Supply Schedules.

    Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

0
4. In section 208.7402, revise paragraph (2) to read as follows:


208.7402  General.

* * * * *
    (2) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

PART 212--ACQUISITION OF COMMERCIAL ITEMS

0
5. Amend section 212.301 by--
0
a. Adding paragraph (c); and
0
b. Revising paragraphs (f)(xv)(C) and (D).
    The addition and revisions read as follows:


212.301  Solicitation provisions and contract clauses for acquisition 
of commercial items.

    (c) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.
    (f) * * *
    (xv) * * *
    (C) Use the provision at 252.239-7017, Notice of Supply Chain Risk, 
as prescribed in 239.7306(a), to comply with section 806 of Public Law 
111-383.
    (D) Use the clause at 252.239-7018, Supply Chain Risk, as 
prescribed in 239.7306(b), to comply with section 806 of Public Law 
111-383.
* * * * *

PART 213--SIMPLIFIED ACQUISITION PROCEDURES

0
6. Add section 213.106-1 to read as follows:


213.106-1  Soliciting competition.

    (a)(2) Include an evaluation factor regarding supply chain risk 
(see subpart 239.73) when acquiring information technology, whether as 
a service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

PART 214--SEALED BIDDING

0
7. Add section 214.201-5 to read as follows:


214.201-5  Part IV--Representations and instructions.

    (c) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

0
8. Add subpart 214.5 to read as follows:
Subpart 214.5 Two-Step Sealed Bidding
Sec.
214.503 Procedures.
214.503-1 Step one.

Subpart 214.5 Two-Step Sealed Bidding


214.503  Procedures.


214.503-1  Step one.

    (a)(4) Include an evaluation factor regarding supply chain risk 
(see subpart 239.73) when acquiring information technology, whether as 
a service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

PART 215--CONTRACTING BY NEGOTIATION

0
9. In section 215.304, revise paragraph (c)(v) to read as follows:


215.304  Evaluation factors and significant subfactors.

    (c) * * *
    (v) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301. For additional guidance see PGI 215.304(c)(v).

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

0
10. Add section 239.001 to read as follows:


239.001  Applicability.

    Notwithstanding FAR 39.001, this part applies to acquisitions of 
information technology, including national security systems.


239.7301 and 239.7302  [Redesignated as 239.7302 and 239.7301]

0
11. Redesignate sections 239.7301 and 239.7302 as sections 239.7302 and 
239.7301, respectively.

0
12. Amend newly redesignated 239.7301 by--
0
a. In the definition of ``Covered item'', removing ``Covered item'' and 
adding ``Covered item of supply'' in its place;
0
b. Removing the definition of ``Information technology''; and
0
c. Adding, in alphabetical order, a definition for ``Supply chain 
risk''.
    The addition reads as follows:


239.7301  Definitions.

* * * * *
    Supply chain risk means the risk that an adversary may sabotage, 
maliciously introduce unwanted function, or otherwise subvert the 
design, integrity, manufacturing, production, distribution, 
installation, operation, or maintenance of a national security system 
(as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, 
disrupt, or otherwise degrade the function, use, or operation of such 
system.


239.7302  [Amended]

0
13. Amend newly redesignated 239.7302 by removing ``covered item'' 
everywhere it appears and adding ``covered item of supply'' in its 
place.


239.7304  [Amended]

0
14. Amend section 239.7304 by--
0
a. In paragraph (b)(1), removing ``239.7305(a)(b) or (c)'' and adding

[[Page 67252]]

``239.7305(a), (b), or (c)'' in its place; and
0
b. In paragraph (c)(2)(ii) and (iii) removing ``paragraph (a)'' and 
adding ``paragraph (a) of this section'' in both places.

0
15. Amend section 239.7305 by--
0
a. Revising the introductory text; and
0
b. Revising paragraph (d)(2)(i).
    The revisions read as follows:


239.7305  Exclusion and limitation on disclosure.

    Subject to 239.7304, the individuals authorized in 239.7303 may, in 
the course of procuring information technology, whether as a service or 
as a supply, that is a covered system, is a part of a covered system, 
or is in support of a covered system--
* * * * *
    (d) * * *
    (2) * * *
    (i) Notify appropriate parties of action taken under paragraphs (a) 
through (d) of this section and the basis for such action only to the 
extent necessary to effectuate the action;
* * * * *

0
16. Revise section 239.7306 to read as follows:


239.7306  Solicitation provision and contract clause.

    (a) Insert the provision at 252.239-7017, Notice of Supply Chain 
Risk, in solicitations, including solicitations using FAR part 12 
procedures for the acquisition of commercial items, for information 
technology, whether acquired as a service or as a supply, that is a 
covered system, is a part of a covered system, or is in support of a 
covered system, as defined at 239.7301.
    (b) Insert the clause at 252.239-7018, Supply Chain Risk, in 
solicitations and contracts, including solicitations and contracts 
using FAR part 12 procedures for the acquisition of commercial items, 
for information technology, whether acquired as a service or as a 
supply, that is a covered system, is a part of a covered system, or is 
in support of a covered system, as defined at 239.7301.

PART 244--SUBCONTRACTING POLICIES AND PROCEDURES

0
17. Revise section 244.201-1 to read as follows:


244.201-1  Consent requirements.

    In solicitations and contracts for information technology, whether 
acquired as a service or as a supply, that is a covered system or 
covered item of supply as those terms are defined at 239.7301, consider 
the need for a consent to subcontract requirement regarding supply 
chain risk (see subpart 239.73). For additional guidance see PGI 
244.201-1.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


252.239-7018  [Amended]

0
18. Amend section 252.239-7018 by--
0
a. Removing the clause date ``(NOV 2013)'' and adding ``(OCT 2015)'' in 
its place;
0
b. Amending paragraph (b) by removing ``shall maintain controls'' and 
adding ``shall mitigate supply chain risk'' in its place, and removing 
the phrase ``to minimize supply chain risk'' before the period; and
0
c. Removing paragraph (e).

[FR Doc. 2015-27463 Filed 10-29-15; 8:45 am]
BILLING CODE 5001-06-P