Defense Federal Acquisition Regulation Supplement: Requirements Relating to Supply Chain Risk (DFARS Case 2012-D050), 67243-67252 [2015-27463]

Vol. 80, No. 210
Friday, October 30, 2015

Part VII

Department of Defense
Defense Acquisition Regulations System
48 CFR Parts 201, 202, 206, et al.
Defense Federal Acquisition Regulation Supplements; Final Rules

Federal Register / Vol. 80, No. 210 / Friday, October 30, 2015 / Rules and Regulations

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 239, 244, and 252

[Docket No. DARS 2013–0052]

RIN 0750–AH96

Defense Federal Acquisition Regulation Supplement: Requirements Relating to Supply Chain Risk (DFARS Case 2012–D050)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Final rule.

SUMMARY: DoD has adopted as final, with changes, an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a section of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011, as amended by the NDAA for FY 2013. This final rule allows DoD to consider the impact of supply chain risk in specified types of procurements related to national security systems.

DATES: Effective October 30, 2015.

FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, telephone 571–372–6090.

SUPPLEMENTARY INFORMATION:

I. Background

DoD published an interim rule in the Federal Register at 78 FR 69268 on November 18, 2013, to implement section 806 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011 (Pub. L. 111–383), entitled “Requirements for Information Relating to Supply Chain Risk,” as amended by section 806 of the NDAA for FY 2013 (Pub. L. 112–239). This rule is part of DoD’s retrospective plan, completed in August 2011, under Executive Order 13563, Improving Regulation and Regulatory Review.
DoD’s full plan and updates can be accessed at: http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.

Eight respondents submitted public comments in response to the interim rule.

II. Discussion and Analysis

DoD reviewed the public comments in the development of the final rule. A discussion of the comments and the changes made to the rule as a result of those comments is provided, as follows:

A. Significant Changes From the Interim Rule

1. Language is added to the rule to clarify that section 806 authority is only applicable when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, including clarification of the prescriptions for DFARS provision 252.239–7017, Notice of Supply Chain Risk, and DFARS clause 252.239–7018, Supply Chain Risk.

2. Guidance on the use of an evaluation factor regarding supply chain risk is modified to require the inclusion of the evaluation factor when acquiring information technology, whether as a service or as a supply that is a covered system, is a part of a covered system, or is in support of a covered system. Additional text regarding an evaluation factor has been added at DFARS 212.301, 213.106–1, 214.201–5, and 214.503–1.

3. DFARS clause 252.239–7018, Supply Chain Risk, is changed as follows—

a. Paragraph (b), is modified to state that the contractor shall mitigate supply chain risk in the provision of supplies and services to the Government; and

b. Paragraph (c) is removed as the clause will no longer contain a requirement to flow down the clause to subcontractors.

B. Analysis of Public Comments

1. Interim Rule Should Be Reissued as a Proposed Rule

Comment: Numerous respondents urged DoD to rescind the interim rule and reissue the rule as a proposed rule.
One respondent suggested that the new rule authorizes the exclusion of businesses from the defense industrial base and that such authority should not be exercised without first hearing the views of and gathering all relevant information from the parties that will be directly impacted by this rule. One respondent commented that the rule could prevent suppliers from addressing and mitigating supply chain security risks, and that a public comment period would have allowed industry to suggest alternative approaches that could allow for risk mitigation. Another respondent commented that the interim rule denies industry and other critical stakeholders ample time, opportunity to shape, and ultimately collaborate with the DoD to design a complex program that addresses multiple risks and complexities. One respondent added that without a standard notice-and-comment rulemaking process, industry has no opportunity to comment on areas of concern before the rule takes effect whereby industry must incur costs and move towards compliance without guidance through the rulemaking process.

Response: DoD issued an interim rule because of the need to protect national security systems (NSS) and the integrity of its supply chains. The rule implements the specific authorities provided in the statute. The pilot authority provided for by the statute will expire September 30, 2018. It is in DoD’s interest to initiate the pilot program and begin gathering feedback for its report to Congress. DoD considered all public comments received during the public comment period in the formation of this final rule.

2. Definitions

a. “Covered Item”/“Covered System”

Comment: Several respondents objected to the broad definitions of “covered system” and “covered item.” One respondent questioned why the Council chose to use the term “covered item” versus “covered item of supply,” which is the term used in section 806.
Response: The definitions in the rule are taken directly from the statute. In the final rule, the term “covered item” has been replaced by the term “covered item of supply,” thereby conforming to the statute.

b. Information Technology

Comment: The same respondent commented that the definition of “information technology” is defined even more expansively than in Federal Acquisition Regulation (FAR) subpart 2.1, covering information systems ranging from systems used for intelligence activities to information systems used for the “direct fulfillment of military or intelligence missions.”

Response: The definition of “information technology” in the rule is the same as in the statute (40 U.S.C. 11101(6)).

c. Supply Chain Risk

Comment: One respondent requested that DoD clarify the definition of “supply chain risk,” stating that DoD should clarify the phrase “maliciously introduce unwanted function” to clearly explain if this is a hardware or software concern or both, and recognize that threats posed maliciously are just one class of threat.

Response: The definition of “supply chain risk” is taken directly from the statute. It addresses both hardware and software concerns and is the only class of threat to which section 806 and the rule apply.

3. Scope and Applicability

a. Prescription

Comment: Three respondents commented that the scope is overly broad, recommending that DoD should include the rule’s provisions and clauses in NSS solicitations and contracts only.
One of these respondents commented that the rule should be narrowly scoped to reflect the intent of Congress, suggesting that DoD should include the rule’s provisions and clauses in solicitations and contracts for information technology NSS rather than all information technology solicitations and contract, i.e., only in “covered procurements.” Another respondent commented that DoD should establish an independent, special review council to evaluate issues such as: (1) “covered” systems, technologies, items, procurements, and contracts; and (2) circumstances where the clause needs to be included and where information will be withheld under DFARS 239.7305(d), thus providing an independent check to ensure that this authority is being used in a manner consistent with section 806 of the FY 2011 NDAA and the underlying policy. This respondent also suggested that successful offerors be provided information that their contracts are covered by the clause. One respondent suggested that DoD should provide offerors sufficient notice that the goods or services they offer are to be used in a covered procurement.

Response: The final rule limits use of the solicitation provision and contract clause to solicitations and contracts for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as that term is defined at 239.7301.

b. NSS Classifications

Comment: One respondent commented that mundane systems will be over classified by program managers as NSS and that NSS classifications should be reserved to an appropriate level above program manager. This respondent further stated that DoD should take steps to clearly designate systems as “NSS” and limit the NSS classification. Another respondent stated that because the interim rule incorporates the definition in 44 U.S.C.
3542(b) for “National Security System”, the rule’s approach to include the clause in all DoD contracts seems contrary to the legislative intent to limit application to “covered procurements” as defined in section 806(e)(3) of the FY 2011 NDAA. This respondent further suggested that DoD more narrowly define when contracting officers should include and use this clause (e.g., what types of programs) and create some independent review of contracting activities’ decisions to apply the interim rule.

Response: In the final rule, the use of the provision and clause is only required when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at DFARS 252.239–7302. In accordance with DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), the requiring activity/program office will designate systems as NSS when it registers them in the DoD Component registry (e.g., DoD Information Technology Portfolio Repository (DITPR)).

c. Flowdown

Comment: One respondent suggested that because the clause is written to require flowdown to subcontractors regardless of tier, the Government intends to have the right to direct a supplier at any tier to be excluded for a contract. The respondent further stated that this could lead to even greater disruption of a program’s supply chain since the loss of a supplier at a remote tier can have ripple effects on all higher-tier contractors and that the potential costs for the delay, disruption, and potential workarounds required to address the situation could be enormous. Failing to address the effects of exclusion of subcontractors almost guarantees that implementation of this rule will result in claims and disputes.
Response: The requirement to include the substance of DFARS clause 252.239–7018 in subcontracts has been removed from this final rule.

d. Other Applications

Comment: One respondent commented that DoD should clarify whether or not the rule applies to embedded processing, whether the rule applies to cloud computing acquisitions, and whether cloud computing acquisitions are covered procurement actions as a class, since these types of acquisitions are not directly addressed in the interim rule.

Response: The rule applies when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system. This includes embedded processing and cloud computing acquisitions if they are NSS.

4. Managing Supply Chain Risk

a. General

Comment: Three respondents commented that the final rule should encourage industry to better manage supply chain risk, require that robust supply chain risk management principles be applied throughout procurement practices, or at the very least require that contracting officers apply supply chain risk management to contracts. One of these respondents further commented that the final rule should include language that reinforces the stated objective in the definition of supply chain risk, stating, “This rule, by itself, does not require contractors to deploy additional supply chain risk protections, but leaves it up to individual contractors to take the steps necessary. . .to protect their supply chain.” Another of these respondents suggested that, if the provisions of section 806 are to be implemented as intended, the rule must require robust supply chain analyses.
One respondent suggested that the interim rule should provide that in all critical information technology acquisitions, supply chain security must be applied by the relevant Government procurement managers, both at the direct contract and supervisorial levels as a mandatory matter.

Response: This rule has as its sole purpose the implementation of section 806. DoD has provided, and will continue to provide, additional guidance for the management and mitigation of supply chain risk.

b. Evaluation Factor

Comment: Three respondents commented that the interim rule should provide guidance on evaluation factors. One of these respondents commented that the rule creates uncertainty by failing to describe how supply chain risk will be used as an evaluation factor and suggests that the Government must realize that when managing risk, the steps necessary to exhaustively test all software to eliminate all potential unwanted functions is unaffordable. One respondent commented that the new requirement at DFARS 215.304 for departments and agencies to consider “the need for an evaluation factor regarding supply chain risk” provides insufficient guidance as to the type of supply chain risk evaluation factors to be utilized, further stating that while they would expect that such risk evaluations would be conducted on a case-by-case basis, guidance should be provided as to which evaluation factors should be used and when. One respondent suggested that the statement “Consider the need for an evaluation factor. . .” appears to give the contracting activity the discretion to determine whether an evaluation factor for supply chain risk is needed but does not provide guidance as to when the conditions which necessitate such a factor have been met.
Response: In the final rule, guidance on the use of an evaluation factor regarding supply chain risk is modified to require the inclusion of the evaluation factor when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system. Risk levels, risk tolerance, and appropriate risk management measures must be determined at the local level. Evaluation factors are specified at the individual acquisition level and not in the DFARS. DoD is issuing DFARS Procedures, Guidance, and Information for the contracting workforce on developing and using supply chain risk evaluation factors.

c. Information Sharing

Comment: Three respondents commented on the disclosure of information regarding supply chain risk to offerors and contractors. One of these respondents urged the DoD to use its discretion in sharing information concerning threats sufficient to allow suppliers to alter product designs and change components on devices to overcome known vulnerabilities. Another respondent suggested that a requirement to report identified supply chain risks and issues would assure that immediate remediation could be undertaken if problems arose. One respondent commented that DoD should consider revising the rule to promote disclosure of information regarding supply chain risks to offerors and contractors whenever possible. Whenever such notice may be accomplished “consistent with the requirements of national security,” DoD should provide notification to the offeror or contractor of perceived supply chain risks early in the procurement process in accordance with standard Government procurement rules (e.g., during discussions in a negotiated procurement), so that the contractor has the opportunity to mitigate or eliminate the risk. Contractors are less able to mitigate supply chain risk if the Government fails or declines to share with them risk information it has developed internally.
Response: The DoD intends to share information about supply chain risk with its contractors to the extent possible, consistent with the requirements of national security. The provisions of the rule and section 806 that limit disclosure are concerned with risk information that, for national security reasons, cannot be shared despite the transparency that is normally present in procurement activities.

d. Mitigation/Less Intrusive Measures

Comment: Several respondents commented on the need for DoD to focus on mitigation plans and less intrusive measures. One of these respondents commented that DoD should create a mechanism for vendors to file supply chain risk mitigation plans with DoD. DoD could take these plans into consideration when assessing supply chain risk for any particular procurement activity. By viewing filed mitigation plans from multiple vendors, DoD could gain greater insight into commercially viable supply chain mitigation practices. This respondent further stated that DoD should approach supply chain risk with an eye toward encouraging mitigation rather than simply disqualifying vendors, suggesting that DoD can and should implement robust supply chain security practices. One respondent suggested that DoD should clarify what it believes are less intrusive measures under section 239.7304(b)(1)(2), recommending that in order to prevent the interim rule from impeding the use of commercial technology (including commercially available off-the-shelf items) in NSS, which ultimately benefits DoD, the Department should provide wide discretion to the judgment of manufacturers in their use of industry standards and internal processes to meet its supply chain risk goals.
This respondent further commented that while DFARS section 239.7304 of the rule provides that an exclusion under DFARS 239.7305 may occur when it is determined that, among other factors, “less intrusive measures are not reasonably available to reduce such supply chain risk,” at no point in the rule is clarity provided on what this language is defined as or what an authorized individual should refer to in order to gauge what “less intrusive measures” are and whether they are “not reasonably available.” Another of these respondents suggested that the opportunity to mitigate or eliminate the noticed risk from the supply chain would avoid significant costs that would be passed along to DoD. One respondent suggested that DoD modify the interim rule to clarify that the exercise of the authorities under DFARS 239.7305 should be a “last resort,” invoked only after other methods of mitigating supply chain risk have been considered or attempted.

Response: Section 806(b)(2) requires that “less intrusive measures are not reasonably available to reduce supply chain risk” to use its authority. Whenever it is appropriate, DoD will work with its offerors to mitigate supply chain risk using less intrusive measures than exclusion based on section 806 authorities. In the notification to congressional committees when exercising section 806 authority, a summary of the mitigation analysis evaluating reasonably available mitigations will be documented. In most cases, DoD expects these mitigations will sufficiently mitigate the risks so that exclusion will not be necessary.

e. Standards and Controls

Comment: Several respondents commented on the need for the rule to specify relevant supply chain risk management (SCRM) standards, controls, etc.
One respondent stated that while it does not suggest DoD explicitly endorse one set of controls over another, industry does need some guidance beyond “maintain controls.” There must be consistency in the call out of the relevant SCRM standards and ratings in solicitations so as not to create an unnecessary administrative burden for contractors to select suppliers and subcontractors based on a moving target of standards and ratings. Notwithstanding making a reference to the Regulatory Flexibility Act on page 69269 in the narrative of the Federal Register document that the rule “recognizes the need for information technology contractors to implement appropriate safeguards and countermeasures to minimize supply chain risk,” one respondent commented that the interim rule does not provide any guidance about what metric will be applied to its products, services, and business models. The respondent further stated that the rule requires contractors to “maintain controls in the provision of supplies and services to the Government to minimize supply chain risk” but does not provide any guidance to contractors or Government contracting officers as to the type of controls to be maintained to meet this requirement, recommending that DoD issue additional guidance that uses existing and proposed global, consensus-based standards. One respondent commented that the absence of what standard DoD will use to evaluate supply chain risks is likely to increase the time and cost of pursuing and performing Government contracts.

Response: The final rule removes the language requiring contractors to “maintain controls” and now states that the contractor shall mitigate supply chain risk in the provision of supplies and services to the Government.
This change was made because the DFARS cannot identify specific standards or controls as this would be up to each requiring activity to identify if any standards or controls are necessary particular to the risks and risk tolerance that would apply to each procurement. DoD continues to work with industry to identify risk management best practices and promulgate best practice documents for consideration.

f. Verification/Inspection

Comment: One respondent commented that suppliers should meet the requirement to provide supply chain security verification by documentation, suggesting that all levels of the supply chain—Government, prime contractors, subcontractors, and parts suppliers—should be in compliance with supply chain integrity requirements and have records and production locations available for inspection if necessary.

Response: The practices, documentation, and information suggested in the comment are important tools in protecting against supply chain risk. However, these suggestions do not comply with the legislative requirements to implement section 806.

5. Process

a. General

Comment: Two respondents commented that the interim rule could deprive potential contractors and subcontractors of due process and that by improving due process, DoD can better secure the supply chain. One of these respondents urged DoD to do more to guarantee due process to its suppliers under this rule, stating that notice, dialogue, and resolution, (i.e., due process) serve to identify root causes of supply chain risk and allow suppliers to clear their names when falsely accused.
One respondent commented that implementation of the provision for a particular procurement or contract action may result in non-reviewable decisions that deprive actual or potential contractors and subcontractors of their property rights, including their right to fairly compete for procurements and subcontracts, suggesting that these non-reviewable exclusions may violate the due process clause and could negatively affect the procurement community. This respondent suggested that DoD modify the interim rule to clarify that the exercise of the authorities under DFARS 239.7305 should be a “last resort,” invoked only after other methods of mitigating supply chain risk have been considered or attempted.

Response: Risk will be evaluated on a case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Contractors are eligible to compete for future solicitations even after application of the section 806 authority has excluded them from a particular source selection.

b. Notice/Appropriate Parties

Comment: Four respondents commented on the need for timely notification to organizations of pre- and post-exclusion status, and/or the need to clarify or define the “appropriate parties” in DFARS 239.7305(d)(2)(i). Two of these respondents commented that providing notice to the vendor in advance of any procurement action would permit appropriate response to the risk and allow offerors to rectify instances of unacceptable risk before DoD makes a determination based on incorrect or insufficient information, ensuring fairness to the offeror and benefitting DoD by enhancing fairness in competition for contracts. The opportunity to mitigate or eliminate the noticed risk from the supply chain would avoid significant costs that would be passed along to the DoD. Three of these respondents commented on the need for notification to excluded offerors of their post-exclusion status.
One respondent commented that notification to excluded offerors of their post-exclusion status and the reasons for exclusion will allow them to take steps to remedy those flaws before future opportunities. One respondent suggested that if a determination is made that “less intrusive measures are not reasonably available [short of exclusion] to reduce such supply chain risk,” the rule should require that the notion of providing notice to the offeror has been explicitly considered and deemed unreasonable before a decision to exclude has been finalized. Another respondent suggested that DFARS 215.503 and 215.506 should be clarified to ensure that unsuccessful offerors are provided information demonstrating that DOD complied with the requirements of section 806(b) and (c) in making the determination to limit the disclosure of information relating to the basis for carrying out a covered procurement action. One of these respondents commented that clarification/definition of the term “appropriate parties” as encompassing the impacted offeror/bidder/contractor would ensure that the impacted offeror/bidder/contractor is advised, at a minimum, that it has been impacted by a supply chain risk determination under this DFARS section, and that any information that can be shared about the “basis for carrying out” the decision “consistent with the requirements of national security” will be shared with that entity. Another respondent commented that while the rule requires notice by the authorized individual to “appropriate parties” to the extent needed to execute a covered procurement action and to DoD and other Federal agencies, it makes no provision to provide notice to other Federal contractors that might be impacted by the exclusion.

Response: The written determination detailed in DFARS 239.7304 will detail any limitations on disclosure of information related to a section 806 exclusion.
“Appropriate parties” would be determined on a case-by-case basis.

c. Exclusion Process

Comment: Two respondents commented on the exclusions process itself. One respondent commented that the exclusion process is seriously flawed because it does not connect the acts conducted by those at higher levels in DoD with the actions of the contracting officers in any rational time phased application that would help offerors understand the proposal and business risk involved in any given source selection process. This respondent further commented that it is fundamentally unclear whether an exclusion will be made on a case-by-case basis or be a blanket exclusion of a contractor or subcontractor, and that it is unclear at what point in the acquisition process such exclusions may be authorized or executed. Under the new rule’s language, a source could be excluded before, during, and/or after a contract award (whether as prime or subcontractor). One respondent suggests that its concerns that DoD can reject or modify acquisitions based upon concerns about supply chain integrity could be addressed by having any sensitive finding subject to review, and recommendation for approval or disapproval to the Secretary of Defense, by the DoD General Counsel, or a committee appointed by the Secretary of Defense charged with assuring the validity of such concerns and their sensitivity for release to suppliers.

Response: Suppliers are expected to manage supply chain risk in their offerings. Under section 806 and the rule, exclusion of a source may occur during source selection before award (using an evaluation factor) or after award (by withholding consent to a subcontract). Exclusion of a source would be on a case-by-case basis, as the risk tolerance is not the same for all procurement actions.
The authorization and recommendation mechanisms and participants described in the rule are mandated by the statute.

d. Dispute Mechanism

Comment: Two respondents commented on the need for an impartial process for addressing concerns. One respondent urged that the interim rule reinforce the need for a fair opportunity pre- and post-exclusion for concerns to be addressed by the contractor or vendor at issue. One respondent commented that neither section 806 of the NDAA for FY 2011 nor the interim rule provide for any procedures for proposed contractors or subcontractors to challenge a possible exclusion determination where DoD decides to limit the disclosure of information. This respondent further stated that DoD should provide some dispute mechanism for exclusion in protest and claim matters, whereby counsel for offerors, contractors, and proposed subcontractors can represent their clients and obtain access to information under protective order or clearance to assure that the required process was followed and proper grounds for invocation of the exclusion exist.

Response: Exclusions using the authority of section 806 will be based generally on classified intelligence information. A dispute resolution mechanism is not appropriate under those circumstances.

e. Remediation

Comment: Two respondents commented on the need to provide equitable adjustments, a means of remedy, and/or a pathway to reinstatement once a supplier is excluded. One of the respondents commented that while DFARS 239.7305 allows DoD to exclude sources, it does not provide a pathway to reinstatement or for inclusion once a supplier is excluded, proposing that DoD establish a separate rulemaking and coordinate a unified policy with an industry-Government working group to gain insight into how remediation and rejoining the defense industrial base can be accomplished in a responsible manner.
This respondent further commented that DoD should provide equitable adjustments and other remedies for prime contractors whose subcontractors are excluded, stating that the new regulations fail to provide relief for prime contractors who must exclude a source through no fault of its own. Another respondent suggested that a periodic review of excluded contractors should be required for ongoing contracts VerDate Sep<11>2014 19:59 Oct 29, 2015 Jkt 238001 with new task orders, adding that if a vendor has been excluded without notice, the interim rule should require the agency to review that decision on no less than an annual basis for as long as the contract is in place. This respondent also commented that the regulation should specifically afford remedies, including equitable adjustments, whenever the authority at DFARS 239.7305(c) is exercised and a prime must exclude a subcontractor. Response: Risk will be evaluated on case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Offerors are eligible to compete for future solicitations even after section 806 has excluded them from a particular source selection. Consistent with national security, i.e., with proper clearances and in a manner that will not put the warfighter, the system, or intelligence operations at risk, DoD will discuss risks to the trust of critical systems or components with its industrial base as well as potential remedies. This is particularly true in the system integration context where the program office and the prime contractors are more likely to have the time and clearances to develop tailored mitigations. Where appropriate, DoD will partner with its contractors to mitigate supply chain risk in lieu of executing section 806 authorities. In most cases, non-806 mitigations will sufficiently manage the risk; when that is not the case and exclusion of a source is required, DoD does not intend to provide equitable adjustments or other remedies. 6. 
Impact of Rule

a. Economic/Cost Impact

Comment: Numerous respondents commented that the estimates by DoD of the costs and economic impact of this rule are inadequate. One of these respondents commented that the rule creates costs beyond the supply chain risk management a responsible company would undertake in the course of ordinary business. Further, the scope of application of the interim rule, which requires compliance at all levels of the DoD supply chain, would require significant, costly, additional investments in supplier management and compliance mechanisms by industry. Another respondent suggested that absent a public comment period before implementation of the rule, industry has no opportunity to provide input regarding the costs and benefits of the approach DoD has taken. One respondent commented that the cumulative economic effect of the exclusion of any one company from any one contract would result in reductions in both Government and commercial business, and the loss of employment at the excluded company and the corresponding loss of payroll. Other losses would be incurred as a result of the ripple effect on primes, subcontractors, or suppliers to the excluded company, which will lose that source of supply and must then incur the expense of identifying and vetting new sources. One respondent commented that by not advising what standard DoD will use to evaluate supply chain risks, the interim rule is likely to increase the time and cost of pursuing and performing Government contracts.

Response: DoD does not expect the rule to have a significant economic impact on a substantial number of entities. Companies have an existing interest in having a supply chain that they can rely on to provide it with material and supplies that allow the contractor to ultimately supply its customers with products that are safe and that do not impose threats or risks to Government information systems.
The rule does not require contractors to deploy additional supply chain risk protections. Section 806 authority applies to a specific contract, task order, or delivery order only.

b. Small Business

Comment: One respondent commented that the rule will drive up costs for smaller businesses by requiring significant increase in investments in compliance. Another respondent commented that the rule could prompt prime contractors to exclude new or small businesses in order to improve the evaluation of their supply chain risk profile.

Response: The rule does not require contractors to deploy additional supply chain risk protections.

c. Barriers to the Federal Market

Comment: Two respondents commented that the rule creates significant new barriers to the Federal market, further suggesting that the interim regulation poses significant burdens for existing companies in the market and will only further dissuade new and innovative companies from entering the market.

Response: Since section 806 decisions rely on intelligence information, the operation of the rule presents no barrier to participation in the DoD market for either existing participants or new entrants.

d. De Facto Debarment/Suspension

Comment: Several respondents stated that the exercise of the exclusionary authority in the rule could result in a de facto debarment or suspension without any due process for the affected offeror.

Response: Risk will be evaluated on a case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Offerors are eligible to compete for future solicitations even after section 806 has excluded them from a particular source selection.

e.
Security

Comment: One respondent commented that the rule could unintentionally but negatively impact the Federal Government’s security because it prevents DoD from informing suppliers about supply chain risks that DoD believes exist and prevents any consultation with offerors.

Response: This will be taken into consideration in any instance that the section 806 authority is utilized.

7. Qualification standard

Comment: Three respondents commented that the interim rule should provide more guidance regarding the qualification standard(s) that may be established to reduce supply chain risk. One respondent urged DoD to develop the systems and data security requirements for covered procurements and issue them to potential offerors during the procurement process as a requirement for bid eligibility. This approach would focus the use of this clause to procurements for covered systems or covered items of supply and would increase competition by limiting unnecessary disqualification of offerors (and contractors and subcontractors/suppliers) that could meet the Government’s requirements. Another respondent commented that the rule should be amended to provide more specificity as to the type of “qualification standards” that may be established “for the purposes of reducing supply chain risk in the acquisition of covered systems.”

Response: DoD has no present plans to use section 806 authority to exclude a source based on failure to meet a qualification standard to reduce supply chain risk. To use this authority DoD must first develop qualification standards in accordance with the requirements of 10 U.S.C. 2319, which include providing the qualification requirements to potential offerors.

8.
Synchronize/Harmonize With Related Rules/Initiatives

Comment: Five respondents requested that DoD harmonize the requirements of the rule with industry- and Government-led supply chain risk management regimes and initiatives in order to avoid inconsistencies. One respondent encouraged DoD to harmonize the requirements of the rule with the guidance issued by the Secretary of Defense memorandum dated October 10, 2013, entitled “Safeguarding Unclassified Controlled Technical Information;” the Office of Management and Budget’s circular M–14–13 dated November 18, 2013, entitled “Enhancing the Security of Federal Information and Information Systems;” and other Departmental requirements. This respondent further recommends that the final rule include a statement that “the rule complements rather than conflicts with other related requirements.” Another respondent further encouraged DoD to avoid the creation of unneeded duplication of certifications of these important assurance efforts, by affirming that the interim rule shall not impact the duties of contractors and vendors in assessing relevant procurements related to NSS.

Response: DoD is involved in a myriad of efforts to address supply chain risks, specifically, as well as cybersecurity broadly. All of these policies and strategic efforts aim to improve the overall risk posture of the Federal Government’s information systems and those of its industry partners. A patchwork of policies and regulations is sometimes necessary to address the variabilities of the system ownership and operation, and the risk tolerance of the mission. The rule is specific to DoD and narrowly scoped to NSS, which often have a lower risk tolerance due to the criticality of missions utilizing such systems.

9. Tracking

Comment: One respondent commented that DoD should catalog the number of source exclusions executed under the section 806 authority between 2013 and 2018.
Response: DoD is required to submit a report on January 1, 2017, on the effectiveness of section 806 authorities, to include how frequently DoD exercises the authority.

III. Applicability to Acquisitions Not Greater Than the Simplified Acquisition Threshold (SAT) and Commercial Items, Including Commercially Available Off-the-Shelf (COTS) Items

Consistent with 41 U.S.C. 1905, 1906, and 1907, the Director Defense Procurement and Acquisition Policy (DPAP), determined that it would not be in the best interest of the United States to exempt acquisitions not greater than the SAT and acquisitions of commercial items, including COTS items, from the applicability of section 806 of the NDAA for FY 2011 as amended by section 806 of the NDAA for FY 2013.

A. Applicability to Contracts at or Below the SAT

41 U.S.C. 1905 governs the applicability of laws to contracts or subcontracts in amounts not greater than the SAT. It is intended to limit the applicability of laws to such contracts or subcontracts. 41 U.S.C. 1905 provides that if a provision of law contains criminal or civil penalties, or if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt contracts or subcontracts at or below the SAT, the law will apply to them. The Director, DPAP, is the appropriate authority to make comparable determinations for regulations to be published in the DFARS, which is part of the FAR system of regulations. DoD has made that determination, therefore this rule does apply below the SAT.

Given that the requirements of section 806 of the NDAA for FY 2011 and section 806 of the NDAA for FY 2013 were enacted to protect the supply chain, which in turn protects NSS from malicious actions, DoD has determined that it is in the best interest of the Federal Government to apply the rule to contracts below the SAT, as defined at FAR 2.101.
An exception for contracts for the acquisition below the SAT would exclude contracts intended to be covered by the law, thereby undermining the overarching public policy purpose of the law.

B. Applicability to Contracts for the Acquisition of Commercial Items, Including COTS Items

41 U.S.C. 1906 governs the applicability of laws to contracts for the acquisition of commercial items, and is intended to limit the applicability of laws to contracts for the acquisition of commercial items. 41 U.S.C. 1906 provides that if a provision of law contains criminal or civil penalties, or if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt commercial item contracts, the provision of law will apply to contracts for the acquisition of commercial items. Likewise, 41 U.S.C. 1907 governs the applicability of laws to COTS items, with the Administrator for Federal Procurement Policy the decision authority to determine that it is in the best interest of the Government to apply a provision of law to acquisitions of COTS items in the FAR. The Director, DPAP, is the appropriate authority to make comparable determinations for regulations to be published in the DFARS, which is part of the FAR system of regulations.

Given that the requirements of section 806 of the NDAA for FY 2011 and section 806 of the NDAA for FY 2013 were enacted to protect the supply chain, which in turn protects NSS from malicious actions, DoD has determined that it is in the best interest of the Federal Government to apply the rule to contracts for the acquisition of commercial items, including COTS items, as defined at FAR 2.101.
An exception for contracts for the acquisition of commercial items, including COTS items, would exclude contracts intended to be covered by the law, thereby undermining the overarching public policy purpose of the law.

IV. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

V. Regulatory Flexibility Act

A final regulatory flexibility analysis has been prepared consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., and is summarized as follows:

The objective of this final rule is to implement in the Defense Federal Acquisition Regulation Supplement protection against risks to the supply chain affecting National Security Systems (NSS). The legal basis for this final rule is section 806 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) of 2011 (Pub. L. 111–383), as amended by section 806 of the NDAA for FY 2013 (Pub. L. 112–239). Congress has recognized a growing concern for risks to the supply chain for technology contracts supporting the Department of Defense (DoD).
Congress has defined supply chain risk as the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 806(e)(4) of Pub. L. 111–383). This final rule calls for contractors providing information technology to DoD, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, to mitigate supply chain risk to the supplies and services being provided to the Government. It also enables agencies to exclude sources identified as having a supply chain risk from consideration for award of a covered contract, in order to minimize the potential risk for supplies and services purchased by DoD to maliciously degrade the integrity and operation of sensitive information technology systems. Ultimately, DoD anticipates significant savings to taxpayers by reducing the risk of unsafe products entering our supply chain, which pose serious threats or risks to sensitive government information technology systems.

No comments were received in response to the initial regulatory flexibility analysis.

This rule applies to contractors providing the Government with information technology that qualifies as a covered system or covered item of supply. This includes purchases of commercial items, including commercial off-the-shelf items, and contracts not greater than the simplified acquisition threshold.
While it is not possible to estimate the number of small businesses impacted, DoD does not expect this final rule to have a significant economic impact on a substantial number of contractors, since (1) the rule applies only when acquiring information technology that is part of a covered system or in support of a covered system and (2) the authority provided by the rule is expected to be invoked very infrequently.

This rule does not require any specific reporting, recordkeeping or compliance requirements. No significant economic impact on small businesses is anticipated; however, the final rule does have a modified applicability for the provision and clause created by the rule. Instead of being prescribed for all information technology acquisitions the provision and clause will only apply to acquisitions for information technology that is a covered system or covered item of supply. This will significantly reduce the number of acquisitions to which the provision and clause will apply.

VI. Paperwork Reduction Act

The rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35).

List of Subjects in 48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 239, 244, and 252

Government procurement.

Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.

Accordingly, DoD adopts as final the interim rule published at 78 FR 69268 on November 18, 2013, with the following changes:

■ 1. The authority citation for 48 CFR parts 202, 208, 212, 213, 214, 215, 239, 244, and 252 continues to read as follows:

Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

PART 202—DEFINITIONS OF WORDS AND TERMS

■ 2. Amend section 202.101 by adding, in alphabetical order, a definition for “Information technology” to read as follows:

202.101 Definitions.

* * * * *

Information technology (see 40 U.S.C.
11101(6)) means, in lieu of the definition at FAR 2.1, any equipment, or interconnected system(s) or subsystem(s) of equipment, that is used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.

(1) For purposes of this definition, equipment is used by an agency if the equipment is used by the agency directly or is used by a contractor under a contract with the agency that requires—

(i) Its use; or

(ii) To a significant extent, its use in the performance of a service or the furnishing of a product.

(2) The term “information technology” includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.

(3) The term “information technology” does not include any equipment acquired by a contractor incidental to a contract.

* * * * *

PART 208—REQUIRED SOURCES OF SUPPLIES AND SERVICES

■ 3. Revise section 208.405 to read as follows:

208.405 Ordering procedures for Federal Supply Schedules.

Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

■ 4. In section 208.7402, revise paragraph (2) to read as follows:

208.7402 General.
* * * * *

(2) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

PART 212—ACQUISITION OF COMMERCIAL ITEMS

■ 5. Amend section 212.301 by—
■ a. Adding paragraph (c); and
■ b. Revising paragraphs (f)(xv)(C) and (D).

The addition and revisions read as follows:

212.301 Solicitation provisions and contract clauses for acquisition of commercial items.

(c) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

(f) * * *

(xv) * * *

(C) Use the provision at 252.239–7017, Notice of Supply Chain Risk, as prescribed in 239.7306(a), to comply with section 806 of Public Law 111–383.

(D) Use the clause at 252.239–7018, Supply Chain Risk, as prescribed in 239.7306(b), to comply with section 806 of Public Law 111–383.

* * * * *

PART 213—SIMPLIFIED ACQUISITION PROCEDURES

■ 6. Add section 213.106–1 to read as follows:

213.106–1 Soliciting competition.

(a)(2) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

PART 214—SEALED BIDDING

■ 7. Add section 214.201–5 to read as follows:

214.201–5 Part IV—Representations and instructions.
(c) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

■ 8. Add subpart 214.5 to read as follows:

Subpart 214.5 Two-Step Sealed Bidding

Sec.
214.503 Procedures.
214.503–1 Step one.

Subpart 214.5 Two-Step Sealed Bidding

214.503 Procedures.

214.503–1 Step one.

(a)(4) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

PART 215—CONTRACTING BY NEGOTIATION

■ 9. In section 215.304, revise paragraph (c)(v) to read as follows:

215.304 Evaluation factors and significant subfactors.

(c) * * *

(v) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301. For additional guidance see PGI 215.304(c)(v).

PART 239—ACQUISITION OF INFORMATION TECHNOLOGY

■ 10. Add section 239.001 to read as follows:

239.001 Applicability.

Notwithstanding FAR 39.001, this part applies to acquisitions of information technology, including national security systems.

239.7301 and 239.7302 [Redesignated as 239.7302 and 239.7301]

■ 11. Redesignate sections 239.7301 and 239.7302 as sections 239.7302 and 239.7301, respectively.

■ 12. Amend newly redesignated 239.7301 by—
■ a. In the definition of “Covered item”, removing “Covered item” and adding “Covered item of supply” in its place;
■ b. Removing the definition of “Information technology”; and
■ c. Adding, in alphabetical order, a definition for “Supply chain risk”.

The addition reads as follows:

239.7301 Definitions.

* * * * *

Supply chain risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

239.7302 [Amended]

■ 13. Amend newly redesignated 239.7302 by removing “covered item” everywhere it appears and adding “covered item of supply” in its place.

239.7304 [Amended]

■ 14. Amend section 239.7304 by—
■ a. In paragraph (b)(1), removing “239.7305(a)(b) or (c)” and adding “239.7305(a), (b), or (c)” in its place; and
■ b. In paragraph (c)(2)(ii) and (iii) removing “paragraph (a)” and adding “paragraph (a) of this section” in both places.

■ 15. Amend section 239.7305 by—
■ a. Revising the introductory text; and
■ b. Revising paragraph (d)(2)(i).

The revisions read as follows:

239.7305 Exclusion and limitation on disclosure.
Subject to 239.7304, the individuals authorized in 239.7303 may, in the course of procuring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system—

* * * * *

(d) * * *

(2) * * *

(i) Notify appropriate parties of action taken under paragraphs (a) through (d) of this section and the basis for such action only to the extent necessary to effectuate the action;

* * * * *

■ 16. Revise section 239.7306 to read as follows:

239.7306 Solicitation provision and contract clause.

(a) Insert the provision at 252.239–7017, Notice of Supply Chain Risk, in solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301.

(b) Insert the clause at 252.239–7018, Supply Chain Risk, in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301.

PART 244—SUBCONTRACTING POLICIES AND PROCEDURES

■ 17. Revise section 244.201–1 to read as follows:

244.201–1 Consent requirements.

In solicitations and contracts for information technology, whether acquired as a service or as a supply, that is a covered system or covered item of supply as those terms are defined at 239.7301, consider the need for a consent to subcontract requirement regarding supply chain risk (see subpart 239.73). For additional guidance see PGI 244.201–1.

PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

252.239–7018 [Amended]

■ 18. Amend section 252.239–7018 by—
■ a. Removing the clause date “(NOV 2013)” and adding “(OCT 2015)” in its place;
■ b. Amending paragraph (b) by removing “shall maintain controls” and adding “shall mitigate supply chain risk” in its place, and removing the phrase “to minimize supply chain risk” before the period; and
■ c. Removing paragraph (e).

[FR Doc. 2015–27463 Filed 10–29–15; 8:45 am]

BILLING CODE 5001–06–P

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Part 252

RIN 0750–AI67

Defense Federal Acquisition Regulation Supplement: Removal of Cuba From the List of State Sponsors of Terrorism (DFARS 2015–D032)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Final rule.

SUMMARY: DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to remove Cuba from the definition of “state sponsor of terrorism” in two DFARS clauses. This rule implements the Department of State Public Notice: 9162, Rescission of Determination Regarding Cuba.

DATES: Effective October 30, 2015.

FOR FURTHER INFORMATION CONTACT: Ms. Kyoung Lee, telephone 571–372–6093.

SUPPLEMENTARY INFORMATION:

I. Background

This final rule amends DFARS clause 252.225–7049, Prohibition on Acquisition of Commercial Satellite Services from Certain Foreign Entities—Representations, and clause 252.225–7050, Disclosure of Ownership or Control by the Government of a Country that is a State Sponsor of Terrorism, by removing Cuba from the definition of “state sponsor of terrorism” in these clauses. This rule implements the Department of State Public Notice: 9162, Rescission of Determination Regarding Cuba, announcing removal of Cuba from the U.S. list of state sponsors of terrorism, effective May 29, 2015.
This action was based upon the Presidential Report of April 14, 2015, to Congress, indicating the Administration’s intent to rescind the designation of Cuba as a state sponsor of terrorism, including the certification that Cuba has not provided any support for international terrorism during the previous six months, and that Cuba has provided assurance that it will not support acts of international terrorism in the future.

II. Publication of This Final Rule for Public Comment is Not Required by Statute

The statute that applies to the publication of the Federal Acquisition Regulation (FAR) is 41 U.S.C. 1707, Publication of Proposed Regulations. Paragraph (a)(1) of the statute requires that a procurement policy, regulation, procedure or form (including an amendment or modification thereof) must be published for public comment if it has either a significant effect beyond the internal operating procedures of the agency issuing the policy, regulation, procedure or form, or has a significant cost or administrative impact on contractors or offerors.

This final rule is not required to be published for public comment, because it is only implementing the Department of State Public Notice: 9162, Rescission of Determination Regarding Cuba, announced on June 4, 2015, and, as such, the rule does not have a significant cost or administrative impact on contractors or offerors.

III. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility.
This is not a significant regulatory action and, therefore, was not subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.


[Federal Register Volume 80, Number 210 (Friday, October 30, 2015)]
[Rules and Regulations]
[Pages 67243-67252]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-27463]



[[Page 67243]]

Vol. 80, No. 210

Friday, October 30, 2015

Part VII

Department of Defense

-----------------------------------------------------------------------

Defense Acquisition Regulations System

-----------------------------------------------------------------------

48 CFR Parts 201, 202, 206, et al.

Defense Federal Acquisition Regulation Supplements; Final Rules

Federal Register / Vol. 80 , No. 210 / Friday, October 30, 2015 / 
Rules and Regulations

[[Page 67244]]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 239, 244, and 252

[Docket No. DARS 2013-0052]
RIN 0750-AH96


Defense Federal Acquisition Regulation Supplement: Requirements 
Relating to Supply Chain Risk (DFARS Case 2012-D050)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD has adopted as final, with changes, an interim rule 
amending the Defense Federal Acquisition Regulation Supplement (DFARS) 
to implement a section of the National Defense Authorization Act (NDAA) 
for Fiscal Year (FY) 2011, as amended by the NDAA for FY 2013. This 
final rule allows DoD to consider the impact of supply chain risk in 
specified types of procurements related to national security systems.

DATES: Effective October 30, 2015.

FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, telephone 571-372-
6090.

SUPPLEMENTARY INFORMATION:

I. Background

    DoD published an interim rule in the Federal Register at 78 FR 
69268 on November 18, 2013, to implement section 806 of the National 
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011 (Pub. L. 
111-383), entitled ``Requirements for Information Relating to Supply 
Chain Risk,'' as amended by section 806 of the NDAA for FY 2013 (Pub. 
L. 112-239). This rule is part of DoD's retrospective plan, completed 
in August 2011, under Executive Order 13563, Improving Regulation and 
Regulatory Review. DoD's full plan and updates can be accessed at: 
http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.
    Eight respondents submitted public comments in response to the 
interim rule.

II. Discussion and Analysis

    DoD reviewed the public comments in the development of the final 
rule. A discussion of the comments and the changes made to the rule as 
a result of those comments is provided, as follows:

A. Significant Changes From the Interim Rule

    1. Language is added to the rule to clarify that section 806 
authority is only applicable when acquiring information technology, 
whether as a service or as a supply, that is a covered system, is a 
part of a covered system, or is in support of a covered system, 
including clarification of the prescriptions for DFARS provision 
252.239-7017, Notice of Supply Chain Risk, and DFARS clause 
252.239-7018, Supply Chain Risk.
    2. Guidance on the use of an evaluation factor regarding supply 
chain risk is modified to require the inclusion of the evaluation 
factor when acquiring information technology, whether as a service or 
as a supply, that is a covered system, is a part of a covered system, or 
is in support of a covered system. Additional text regarding an 
evaluation factor has been added at DFARS 212.301, 213.106-1, 
214.201-5, and 214.503-1.
    3. DFARS clause 252.239-7018, Supply Chain Risk, is changed as 
follows--
    a. Paragraph (b) is modified to state that the contractor shall 
mitigate supply chain risk in the provision of supplies and services to 
the Government; and
    b. Paragraph (c) is removed as the clause will no longer contain a 
requirement to flow down the clause to subcontractors.

B. Analysis of Public Comments

1. Interim Rule Should Be Reissued as a Proposed Rule
    Comment: Numerous respondents urged DoD to rescind the interim rule 
and reissue the rule as a proposed rule. One respondent suggested that 
the new rule authorizes the exclusion of businesses from the defense 
industrial base and that such authority should not be exercised without 
first hearing the views of and gathering all relevant information from 
the parties that will be directly impacted by this rule. One respondent 
commented that the rule could prevent suppliers from addressing and 
mitigating supply chain security risks, and that a public comment 
period would have allowed industry to suggest alternative approaches 
that could allow for risk mitigation. Another respondent commented that 
the interim rule denies industry and other critical stakeholders ample 
time, opportunity to shape, and ultimately collaborate with the DoD to 
design a complex program that addresses multiple risks and 
complexities. One respondent added that without a standard 
notice-and-comment rulemaking process, industry has no opportunity to comment on 
areas of concern before the rule takes effect whereby industry must 
incur costs and move towards compliance without guidance through the 
rulemaking process.
    Response: DoD issued an interim rule because of the need to protect 
national security systems (NSS) and the integrity of its supply chains. 
The rule implements the specific authorities provided in the statute. 
The pilot authority provided for by the statute will expire September 
30, 2018. It is in DoD's interest to initiate the pilot program and 
begin gathering feedback for its report to Congress. DoD considered all 
public comments received during the public comment period in the 
formation of this final rule.
2. Definitions
a. ``Covered Item''/``Covered System''
    Comment: Several respondents objected to the broad definitions of 
``covered system'' and ``covered item.'' One respondent questioned why 
the Council chose to use the term ``covered item'' versus ``covered 
item of supply,'' which is the term used in section 806.
    Response: The definitions in the rule are taken directly from the 
statute. In the final rule, the term ``covered item'' has been replaced 
by the term ``covered item of supply,'' thereby conforming to the 
statute.
b. Information Technology
    Comment: The same respondent commented that the definition of 
``information technology'' is defined even more expansively than in 
Federal Acquisition Regulation (FAR) subpart 2.1, covering information 
systems ranging from systems used for intelligence activities to 
information systems used for the ``direct fulfillment of military or 
intelligence missions.''
    Response: The definition of ``information technology'' in the rule 
is the same as in the statute (40 U.S.C. 11101(6)).
c. Supply Chain Risk
    Comment: One respondent requested that DoD clarify the definition 
of ``supply chain risk,'' stating that DoD should clarify the phrase 
``maliciously introduce unwanted function'' to clearly explain if this 
is a hardware or software concern or both, and recognize that threats 
posed maliciously are just one class of threat.
    Response: The definition of ``supply chain risk'' is taken directly 
from the statute. It addresses both hardware and software concerns and 
is the only class of threat to which section 806 and the rule apply.

3. Scope and Applicability
a. Prescription
    Comment: Three respondents commented that the scope is overly 
broad, recommending that DoD should include the rule's provisions and 
clauses in NSS solicitations and contracts only. One of these 
respondents commented that the rule should be narrowly scoped to 
reflect the intent of Congress, suggesting that DoD should include the 
rule's provisions and clauses in solicitations and contracts for 
information technology NSS rather than all information technology 
solicitations and contracts, i.e., only in ``covered procurements.'' 
Another respondent commented that DoD should establish an independent, 
special review council to evaluate issues such as: (1) ``covered'' 
systems, technologies, items, procurements, and contracts; and (2) 
circumstances where the clause needs to be included and where 
information will be withheld under DFARS 239.7305(d), thus providing an 
independent check to ensure that this authority is being used in a 
manner consistent with section 806 of the FY 2011 NDAA and the 
underlying policy. This respondent also suggested that successful 
offerors be provided information that their contracts are covered by 
the clause. One respondent suggested that DoD should provide offerors 
sufficient notice that the goods or services they offer are to be used 
in a covered procurement.
    Response: The final rule limits use of the solicitation provision 
and contract clause to solicitations and contracts for information 
technology, whether acquired as a service or as a supply, that is a 
covered system, is a part of a covered system, or is in support of a 
covered system, as that term is defined at 239.7301.
b. NSS Classifications
    Comment: One respondent commented that mundane systems will be over 
classified by program managers as NSS and that NSS classifications 
should be reserved to an appropriate level above program manager. This 
respondent further stated that DoD should take steps to clearly 
designate systems as ``NSS'' and limit the NSS classification. Another 
respondent stated that because the interim rule incorporates the 
definition in 44 U.S.C. 3542(b) for ``National Security System'', the 
rule's approach to include the clause in all DoD contracts seems 
contrary to the legislative intent to limit application to ``covered 
procurements'' as defined in section 806(e)(3) of the FY 2011 NDAA. 
This respondent further suggested that DoD more narrowly define when 
contracting officers should include and use this clause (e.g., what 
types of programs) and create some independent review of contracting 
activities' decisions to apply the interim rule.
    Response: In the final rule, the use of the provision and clause is 
only required when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined at 
DFARS 252.239-7302. In accordance with DoD Instruction 8510.01, Risk 
Management Framework (RMF) for DoD Information Technology (IT), the 
requiring activity/program office will designate systems as NSS when it 
registers them in the DoD Component registry (e.g., DoD Information 
Technology Portfolio Repository (DITPR)).
c. Flowdown
    Comment: One respondent suggested that because the clause is 
written to require flowdown to subcontractors regardless of tier, the 
Government intends to have the right to direct a supplier at any tier 
to be excluded for a contract. The respondent further stated that this 
could lead to even greater disruption of a program's supply chain since 
the loss of a supplier at a remote tier can have ripple effects on all 
higher-tier contractors and that the potential costs for the delay, 
disruption, and potential workarounds required to address the situation 
could be enormous. Failing to address the effects of exclusion of 
subcontractors almost guarantees that implementation of this rule will 
result in claims and disputes.
    Response: The requirement to include the substance of DFARS clause 
252.239-7018 in subcontracts has been removed from this final rule.
d. Other Applications
    Comment: One respondent commented that DoD should clarify whether 
or not the rule applies to embedded processing, whether the rule 
applies to cloud computing acquisitions, and whether cloud computing 
acquisitions are covered procurement actions as a class, since these 
types of acquisitions are not directly addressed in the interim rule.
    Response: The rule applies when acquiring information technology, 
whether as a service or as a supply, that is a covered system, is a 
part of a covered system, or is in support of a covered system. This 
includes embedded processing and cloud computing acquisitions if they 
are NSS.
4. Managing Supply Chain Risk
a. General
    Comment: Three respondents commented that the final rule should 
encourage industry to better manage supply chain risk, require that 
robust supply chain risk management principles be applied throughout 
procurement practices, or at the very least require that contracting 
officers apply supply chain risk management to contracts. One of these 
respondents further commented that the final rule should include 
language that reinforces the stated objective in the definition of 
supply chain risk, stating, ``This rule, by itself, does not require 
contractors to deploy additional supply chain risk protections, but 
leaves it up to individual contractors to take the steps necessary . . . 
to protect their supply chain.'' Another of these respondents 
suggested that, if the provisions of section 806 are to be implemented 
as intended, the rule must require robust supply chain analyses. One 
respondent suggested that the interim rule should provide that in all 
critical information technology acquisitions, supply chain security 
must be applied by the relevant Government procurement managers, both 
at the direct contract and supervisorial levels as a mandatory matter.
    Response: This rule has as its sole purpose the implementation of 
section 806. DoD has provided, and will continue to provide, additional 
guidance for the management and mitigation of supply chain risk.
b. Evaluation Factor
    Comment: Three respondents commented that the interim rule should 
provide guidance on evaluation factors. One of these respondents 
commented that the rule creates uncertainty by failing to describe how 
supply chain risk will be used as an evaluation factor and suggests 
that the Government must realize that when managing risk, the steps 
necessary to exhaustively test all software to eliminate all potential 
unwanted functions is unaffordable. One respondent commented that the 
new requirement at DFARS 215.304 for departments and agencies to 
consider ``the need for an evaluation factor regarding supply chain 
risk'' provides insufficient guidance as to the type of supply chain 
risk evaluation factors to be utilized, further stating that while they 
would expect that such risk evaluations would be conducted on a 
case-by-case basis, guidance should be provided as to which evaluation 
factors should be used and when. One respondent suggested that the 
statement ``Consider the need for an evaluation factor. . .'' appears to give the 
contracting activity the discretion to determine whether an evaluation 
factor for supply chain risk is needed but does not provide guidance as 
to when the conditions which necessitate such a factor have been met.
    Response: In the final rule, guidance on the use of an evaluation 
factor regarding supply chain risk is modified to require the inclusion 
of the evaluation factor when acquiring information technology, whether 
as a service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system. Risk levels, risk 
tolerance, and appropriate risk management measures must be determined 
at the local level. Evaluation factors are specified at the individual 
acquisition level and not in the DFARS. DoD is issuing DFARS 
Procedures, Guidance, and Information for the contracting workforce on 
developing and using supply chain risk evaluation factors.
c. Information Sharing
    Comment: Three respondents commented on the disclosure of 
information regarding supply chain risk to offerors and contractors. 
One of these respondents urged the DoD to use its discretion in sharing 
information concerning threats sufficient to allow suppliers to alter 
product designs and change components on devices to overcome known 
vulnerabilities. Another respondent suggested that a requirement to 
report identified supply chain risks and issues would assure that 
immediate remediation could be undertaken if problems arose. One 
respondent commented that DoD should consider revising the rule to 
promote disclosure of information regarding supply chain risks to 
offerors and contractors whenever possible. Whenever such notice may be 
accomplished ``consistent with the requirements of national security,'' 
DoD should provide notification to the offeror or contractor of 
perceived supply chain risks early in the procurement process in 
accordance with standard Government procurement rules (e.g., during 
discussions in a negotiated procurement), so that the contractor has 
the opportunity to mitigate or eliminate the risk. Contractors are less 
able to mitigate supply chain risk if the Government fails or declines 
to share with them risk information it has developed internally.
    Response: The DoD intends to share information about supply chain 
risk with its contractors to the extent possible, consistent with the 
requirements of national security. The provisions of the rule and 
section 806 that limit disclosure are concerned with risk information 
that, for national security reasons, cannot be shared despite the 
transparency that is normally present in procurement activities.
d. Mitigation/Less Intrusive Measures
    Comment: Several respondents commented on the need for DoD to focus 
on mitigation plans and less intrusive measures. One of these 
respondents commented that DoD should create a mechanism for vendors to 
file supply chain risk mitigation plans with DoD. DoD could take these 
plans into consideration when assessing supply chain risk for any 
particular procurement activity. By viewing filed mitigation plans from 
multiple vendors, DoD could gain greater insight into commercially 
viable supply chain mitigation practices. This respondent further 
stated that DoD should approach supply chain risk with an eye toward 
encouraging mitigation rather than simply disqualifying vendors, 
suggesting that DoD can and should implement robust supply chain 
security practices. One respondent suggested that DoD should clarify 
what it believes are less intrusive measures under section 
239.7304(b)(1)(2), recommending that in order to prevent the interim 
rule from impeding the use of commercial technology (including 
commercially available off-the-shelf items) in NSS, which ultimately 
benefits DoD, the Department should provide wide discretion to the 
judgment of manufacturers in their use of industry standards and 
internal processes to meet its supply chain risk goals. This respondent 
further commented that while DFARS section 239.7304 of the rule 
provides that an exclusion under DFARS 239.7305 may occur when it is 
determined that, among other factors, ``less intrusive measures are not 
reasonably available to reduce such supply chain risk,'' at no point in 
the rule is clarity provided on what this language is defined as or 
what an authorized individual should refer to in order to gauge what 
``less intrusive measures'' are and whether they are ``not reasonably 
available.'' Another of these respondents suggested that the 
opportunity to mitigate or eliminate the noticed risk from the supply 
chain would avoid significant costs that would be passed along to DoD. 
One respondent suggested that DoD modify the interim rule to clarify 
that the exercise of the authorities under DFARS 239.7305 should be a 
``last resort,'' invoked only after other methods of mitigating supply 
chain risk have been considered or attempted.
    Response: Section 806(b)(2) requires that ``less intrusive measures 
are not reasonably available to reduce supply chain risk'' to use its 
authority. Whenever it is appropriate, DoD will work with its offerors 
to mitigate supply chain risk using less intrusive measures than 
exclusion based on section 806 authorities. In the notification to 
congressional committees when exercising section 806 authority, a 
summary of the mitigation analysis evaluating reasonably available 
mitigations will be documented. In most cases, DoD expects these 
mitigations will sufficiently mitigate the risks so that exclusion will 
not be necessary.
e. Standards and Controls
    Comment: Several respondents commented on the need for the rule to 
specify relevant supply chain risk management (SCRM) standards, 
controls, etc. One respondent stated that while it does not suggest DoD 
explicitly endorse one set of controls over another, industry does need 
some guidance beyond ``maintain controls.'' There must be consistency 
in the call out of the relevant SCRM standards and ratings in 
solicitations so as not to create an unnecessary administrative burden 
for contractors to select suppliers and subcontractors based on a 
moving target of standards and ratings. Notwithstanding making a 
reference to the Regulatory Flexibility Act on page 69269 in the 
narrative of the Federal Register document that the rule ``recognizes 
the need for information technology contractors to implement 
appropriate safeguards and countermeasures to minimize supply chain 
risk,'' one respondent commented that the interim rule does not provide 
any guidance about what metric will be applied to its products, 
services, and business models. The respondent further stated that the 
rule requires contractors to ``maintain controls in the provision of 
supplies and services to the Government to minimize supply chain risk'' 
but does not provide any guidance to contractors or Government 
contracting officers as to the type of controls to be maintained to 
meet this requirement, recommending that DoD issue additional guidance 
that uses existing and proposed global, consensus-based standards. One 
respondent commented that the absence of what standard DoD will use to 
evaluate supply chain risks is likely to increase the time and cost of 
pursuing and performing Government contracts.
    Response: The final rule removes the language requiring contractors 
to ``maintain controls'' and now states that the contractor shall mitigate 
supply chain risk in the provision of supplies and services to the 
Government. This change was made because the DFARS cannot identify 
specific standards or controls as this would be up to each requiring 
activity to identify if any standards or controls are necessary 
particular to the risks and risk tolerance that would apply to each 
procurement. DoD continues to work with industry to identify risk 
management best practices and promulgate best practice documents for 
consideration.
f. Verification/Inspection
    Comment: One respondent commented that suppliers should meet the 
requirement to provide supply chain security verification by 
documentation, suggesting that all levels of the supply chain--
Government, prime contractors, subcontractors, and parts suppliers--
should be in compliance with supply chain integrity requirements and 
have records and production locations available for inspection if 
necessary.
    Response: The practices, documentation, and information suggested 
in the comment are important tools in protecting against supply chain 
risk. However, these suggestions do not comply with the legislative 
requirements to implement section 806.
5. Process
a. General
    Comment: Two respondents commented that the interim rule could 
deprive potential contractors and subcontractors of due process and 
that by improving due process, DoD can better secure the supply chain. 
One of these respondents urged DoD to do more to guarantee due process 
to its suppliers under this rule, stating that notice, dialogue, and 
resolution, (i.e., due process) serve to identify root causes of supply 
chain risk and allow suppliers to clear their names when falsely 
accused. One respondent commented that implementation of the provision 
for a particular procurement or contract action may result in 
non-reviewable decisions that deprive actual or potential contractors and 
subcontractors of their property rights, including their right to 
fairly compete for procurements and subcontracts, suggesting that these 
non-reviewable exclusions may violate the due process clause and could 
negatively affect the procurement community. This respondent suggested 
that DoD modify the interim rule to clarify that the exercise of the 
authorities under DFARS 239.7305 should be a ``last resort,'' invoked 
only after other methods of mitigating supply chain risk have been 
considered or attempted.
    Response: Risk will be evaluated on a case-by-case basis, and any 
exclusion will be for a particular source selection and not a blanket 
exclusion. Contractors are eligible to compete for future solicitations 
even after application of the section 806 authority has excluded them 
from a particular source selection.
b. Notice/Appropriate Parties
    Comment: Four respondents commented on the need for timely 
notification to organizations of pre- and post-exclusion status, and/or 
the need to clarify or define the ``appropriate parties'' in DFARS 
239.7305(d)(2)(i). Two of these respondents commented that providing 
notice to the vendor in advance of any procurement action would permit 
appropriate response to the risk and allow offerors to rectify 
instances of unacceptable risk before DoD makes a determination based 
on incorrect or insufficient information, ensuring fairness to the 
offeror and benefitting DoD by enhancing fairness in competition for 
contracts. The opportunity to mitigate or eliminate the noticed risk 
from the supply chain would avoid significant costs that would be 
passed along to the DoD.
    Three of these respondents commented on the need for notification 
to excluded offerors of their post-exclusion status. One respondent 
commented that notification to excluded offerors of their 
post-exclusion status and the reasons for exclusion will allow them to take 
steps to remedy those flaws before future opportunities. One respondent 
suggested that if a determination is made that ``less intrusive 
measures are not reasonably available [short of exclusion] to reduce 
such supply chain risk,'' the rule should require that the notion of 
providing notice to the offeror has been explicitly considered and 
deemed unreasonable before a decision to exclude has been finalized. 
Another respondent suggested that DFARS 215.503 and 215.506 should be 
clarified to ensure that unsuccessful offerors are provided information 
demonstrating that DoD complied with the requirements of section 806(b) 
and (c) in making the determination to limit the disclosure of 
information relating to the basis for carrying out a covered 
procurement action.
    One of these respondents commented that clarification/definition of 
the term ``appropriate parties'' as encompassing the impacted 
offeror/bidder/contractor would ensure that the impacted 
offeror/bidder/contractor is advised, at a minimum, that it has been impacted by a 
supply chain risk determination under this DFARS section, and that any 
information that can be shared about the ``basis for carrying out'' the 
decision ``consistent with the requirements of national security'' will 
be shared with that entity. Another respondent commented that while the 
rule requires notice by the authorized individual to ``appropriate 
parties'' to the extent needed to execute a covered procurement action 
and to DoD and other Federal agencies, it makes no provision to provide 
notice to other Federal contractors that might be impacted by the 
exclusion.
    Response: The written determination detailed in DFARS 239.7304 will 
detail any limitations on disclosure of information related to a 
section 806 exclusion. ``Appropriate parties'' would be determined on a 
case-by-case basis.
c. Exclusion Process
    Comment: Two respondents commented on the exclusions process 
itself. One respondent commented that the exclusion process is 
seriously flawed because it does not connect the acts conducted by 
those at higher levels in DoD with the actions of the contracting 
officers in any rational time phased application that would help 
offerors understand the proposal and business risk involved in any 
given source selection process. This respondent further commented that 
it is fundamentally unclear whether an exclusion will be made on a 
case-by-case basis or be a blanket exclusion of a contractor or 
subcontractor, and that it is unclear at what point in the acquisition 
process such exclusions may be authorized or executed. Under the new 
rule's language, a source could be excluded before, during, and/or 
after a contract award (whether as prime or subcontractor). One 
respondent suggests that its concerns that DoD can reject or modify 
acquisitions based upon concerns about supply chain integrity could be 
addressed by having any sensitive finding subject to review, and 
recommendation for approval or disapproval to the Secretary of Defense, 
by the DoD General Counsel, or a committee appointed by the Secretary 
of Defense charged with assuring the validity of such concerns and 
their sensitivity for release to suppliers.
    Response: Suppliers are expected to manage supply chain risk in 
their offerings. Under section 806 and the rule, exclusion of a source 
may occur during source selection before award (using an evaluation 
factor) or after award (by withholding consent to a subcontract). 
Exclusion of a source would be on a case-by-case basis, as the 
risk tolerance is not the same for all procurement actions. The 
authorization and recommendation mechanisms and participants described 
in the rule are mandated by the statute.
d. Dispute Mechanism
    Comment: Two respondents commented on the need for an impartial 
process for addressing concerns. One respondent urged that the interim 
rule reinforce the need for a fair opportunity pre- and post-exclusion 
for concerns to be addressed by the contractor or vendor at issue. One 
respondent commented that neither section 806 of the NDAA for FY 2011 
nor the interim rule provide for any procedures for proposed 
contractors or subcontractors to challenge a possible exclusion 
determination where DoD decides to limit the disclosure of information. 
This respondent further stated that DoD should provide some dispute 
mechanism for exclusion in protest and claim matters, whereby counsel 
for offerors, contractors, and proposed subcontractors can represent 
their clients and obtain access to information under protective order 
or clearance to assure that the required process was followed and 
proper grounds for invocation of the exclusion exist.
    Response: Exclusions using the authority of section 806 will be 
based generally on classified intelligence information. A dispute 
resolution mechanism is not appropriate under those circumstances.
e. Remediation
    Comment: Two respondents commented on the need to provide equitable 
adjustments, a means of remedy, and/or a pathway to reinstatement once 
a supplier is excluded. One of the respondents commented that while 
DFARS 239.7305 allows DoD to exclude sources, it does not provide a 
pathway to reinstatement or for inclusion once a supplier is excluded, 
proposing that DoD establish a separate rulemaking and coordinate a 
unified policy with an industry-Government working group to gain 
insight into how remediation and rejoining the defense industrial base 
can be accomplished in a responsible manner. This respondent further 
commented that DoD should provide equitable adjustments and other 
remedies for prime contractors whose subcontractors are excluded, 
stating that the new regulations fail to provide relief for prime 
contractors who must exclude a source through no fault of its own. 
Another respondent suggested that a periodic review of excluded 
contractors should be required for ongoing contracts with new task 
orders, adding that if a vendor has been excluded without notice, the 
interim rule should require the agency to review that decision on no 
less than an annual basis for as long as the contract is in place. This 
respondent also commented that the regulation should specifically 
afford remedies, including equitable adjustments, whenever the 
authority at DFARS 239.7305(c) is exercised and a prime must exclude a 
subcontractor.
    Response: Risk will be evaluated on a case-by-case basis, and any 
exclusion will be for a particular source selection and not a blanket 
exclusion. Offerors are eligible to compete for future solicitations 
even after section 806 has excluded them from a particular source 
selection. Consistent with national security, i.e., with proper 
clearances and in a manner that will not put the warfighter, the 
system, or intelligence operations at risk, DoD will discuss risks to 
the trust of critical systems or components with its industrial base as 
well as potential remedies. This is particularly true in the system 
integration context where the program office and the prime contractors 
are more likely to have the time and clearances to develop tailored 
mitigations. Where appropriate, DoD will partner with its contractors 
to mitigate supply chain risk in lieu of executing section 806 
authorities. In most cases, non-806 mitigations will sufficiently 
manage the risk; when that is not the case and exclusion of a source is 
required, DoD does not intend to provide equitable adjustments or other 
remedies.
6. Impact of Rule
a. Economic/Cost Impact
    Comment: Numerous respondents commented that the estimates by DoD 
of the costs and economic impact of this rule are inadequate. One of 
these respondents commented that the rule creates costs beyond the 
supply chain risk management a responsible company would undertake in 
the course of ordinary business. Further, the scope of application of 
the interim rule, which requires compliance at all levels of the DoD 
supply chain, would require significant, costly, additional investments 
in supplier management and compliance mechanisms by industry. Another 
respondent suggested that absent a public comment period before 
implementation of the rule, industry has no opportunity to provide 
input regarding the costs and benefits of the approach DoD has taken. 
One respondent commented that the cumulative economic effect of the 
exclusion of any one company from any one contract would result in 
reductions in both Government and commercial business, and the loss of 
employment at the excluded company and the corresponding loss of 
payroll. Other losses would be incurred as a result of the ripple 
effect on primes, subcontractors, or suppliers to the excluded company, 
which will lose that source of supply and must then incur the expense 
of identifying and vetting new sources. One respondent commented that 
by not advising what standard DoD will use to evaluate supply chain 
risks, the interim rule is likely to increase the time and cost of 
pursuing and performing Government contracts.
    Response: DoD does not expect the rule to have a significant 
economic impact on a substantial number of entities. Companies have an 
existing interest in having a supply chain that they can rely on to 
provide them with material and supplies that allow the contractor to 
ultimately supply its customers with products that are safe and that do 
not impose threats or risks to Government information systems. The rule 
does not require contractors to deploy additional supply chain risk 
protections. Section 806 authority applies to a specific contract, task 
order, or delivery order only.
b. Small Business
    Comment: One respondent commented that the rule will drive up costs 
for smaller businesses by requiring a significant increase in investments 
in compliance. Another respondent commented that the rule could prompt 
prime contractors to exclude new or small businesses in order to 
improve the evaluation of their supply chain risk profile.
    Response: The rule does not require contractors to deploy 
additional supply chain risk protections.
c. Barriers to the Federal Market
    Comment: Two respondents commented that the rule creates 
significant new barriers to the Federal market, further suggesting that 
the interim regulation poses significant burdens for existing companies 
in the market and will only further dissuade new and innovative 
companies from entering the market.
    Response: Since section 806 decisions rely on intelligence 
information, the operation of the rule presents no barrier to 
participation in the DoD market for either existing participants or new 
entrants.
d. De Facto Debarment/Suspension
    Comment: Several respondents stated that the exercise of the 
exclusionary authority in the rule could result in a de facto debarment 
or suspension without any due process for the affected offeror.
    Response: Risk will be evaluated on a case-by-case basis, and any 
exclusion will be for a particular source selection and not a blanket 
exclusion. Offerors are eligible to compete for future solicitations 
even after section 806 has excluded them from a particular source 
selection.
e. Security
    Comment: One respondent commented that the rule could 
unintentionally but negatively impact the Federal Government's security 
because it prevents DoD from informing suppliers about supply chain 
risks that DoD believes exist and prevents any consultation with 
offerors.
    Response: This will be taken into consideration in any instance 
that the section 806 authority is utilized.
7. Qualification Standard
    Comment: Three respondents commented that the interim rule should 
provide more guidance regarding the qualification standard(s) that may 
be established to reduce supply chain risk. One respondent urged DoD to 
develop the systems and data security requirements for covered 
procurements and issue them to potential offerors during the 
procurement process as a requirement for bid eligibility. This approach 
would focus the use of this clause to procurements for covered systems 
or covered items of supply and would increase competition by limiting 
unnecessary disqualification of offerors (and contractors and 
subcontractors/suppliers) that could meet the Government's 
requirements. Another respondent commented that the rule should be 
amended to provide more specificity as to the type of ``qualification 
standards'' that may be established ``for the purposes of reducing 
supply chain risk in the acquisition of covered systems.''
    Response: DoD has no present plans to use section 806 authority to 
exclude a source based on failure to meet a qualification standard to 
reduce supply chain risk. To use this authority DoD must first develop 
qualification standards in accordance with the requirements of 10 
U.S.C. 2319, which include providing the qualification requirements to 
potential offerors.
8. Synchronize/Harmonize With Related Rules/Initiatives
    Comment: Five respondents requested that DoD harmonize the 
requirements of the rule with industry- and Government-led supply chain 
risk management regimes and initiatives in order to avoid 
inconsistencies. One respondent encouraged DoD to harmonize the 
requirements of the rule with the guidance issued by the Secretary of 
Defense memorandum dated October 10, 2013, entitled ``Safeguarding 
Unclassified Controlled Technical Information;'' the Office of 
Management and Budget's circular M-14-13 dated November 18, 2013, 
entitled ``Enhancing the Security of Federal Information and 
Information Systems;'' and other Departmental requirements. This 
respondent further recommends that the final rule include a statement 
that ``the rule complements rather than conflicts with other related 
requirements.'' Another respondent further encouraged DoD to avoid the 
creation of unneeded duplication of certifications of these important 
assurance efforts, by affirming that the interim rule shall not impact 
the duties of contractors and vendors in assessing relevant 
procurements related to NSS.
    Response: DoD is involved in a myriad of efforts to address supply 
chain risks, specifically, as well as cybersecurity broadly. All of 
these policies and strategic efforts aim to improve the overall risk 
posture of the Federal Government's information systems and those of 
its industry partners. A patchwork of policies and regulations is 
sometimes necessary to address the variabilities of the system 
ownership and operation, and the risk tolerance of the mission. The 
rule is specific to DoD and narrowly scoped to NSS, which often have a 
lower risk tolerance due to the criticality of missions utilizing such 
systems.
9. Tracking
    Comment: One respondent commented that DoD should catalog the 
number of source exclusions executed under the section 806 authority 
between 2013 and 2018.
    Response: DoD is required to submit a report on January 1, 2017, on 
the effectiveness of section 806 authorities, to include how frequently 
DoD exercises the authority.

III. Applicability to Acquisitions Not Greater Than the Simplified 
Acquisition Threshold (SAT) and Commercial Items, Including 
Commercially Available Off-the-Shelf (COTS) Items

    Consistent with 41 U.S.C. 1905, 1906, and 1907, the Director, 
Defense Procurement and Acquisition Policy (DPAP), determined that it 
would not be in the best interest of the United States to exempt 
acquisitions not greater than the SAT and acquisitions of commercial 
items, including COTS items, from the applicability of section 806 of 
the NDAA for FY 2011 as amended by section 806 of the NDAA for FY 2013.

A. Applicability to Contracts at or Below the SAT

    41 U.S.C. 1905 governs the applicability of laws to contracts or 
subcontracts in amounts not greater than the SAT. It is intended to 
limit the applicability of laws to such contracts or subcontracts. 41 
U.S.C. 1905 provides that if a provision of law contains criminal or 
civil penalties, or if the FAR Council makes a written determination 
that it is not in the best interest of the Federal Government to exempt 
contracts or subcontracts at or below the SAT, the law will apply to 
them. The Director, DPAP, is the appropriate authority to make 
comparable determinations for regulations to be published in the DFARS, 
which is part of the FAR system of regulations. DoD has made that 
determination; therefore, this rule does apply below the SAT.
    Given that the requirements of section 806 of the NDAA for FY 2011 
and section 806 of the NDAA for FY 2013 were enacted to protect the 
supply chain, which in turn protects NSS from malicious actions, DoD 
has determined that it is in the best interest of the Federal 
Government to apply the rule to contracts below the SAT, as defined at 
FAR 2.101. An exception for contracts below the SAT 
would exclude contracts intended to be covered by the law, thereby 
undermining the overarching public policy purpose of the law.

B. Applicability to Contracts for the Acquisition of Commercial Items, 
Including COTS Items

    41 U.S.C. 1906 governs the applicability of laws to contracts for 
the acquisition of commercial items, and is intended to limit the 
applicability of laws to contracts for the acquisition of commercial 
items. 41 U.S.C. 1906 provides that if a provision of law contains 
criminal or civil penalties, or if the FAR Council makes a written 
determination that it is not in the 
best interest of the Federal Government to exempt commercial item 
contracts, the provision of law will apply to contracts for the 
acquisition of commercial items. Likewise, 41 U.S.C. 1907 governs the 
applicability of laws to COTS items, with the Administrator for Federal 
Procurement Policy the decision authority to determine that it is in 
the best interest of the Government to apply a provision of law to 
acquisitions of COTS items in the FAR. The Director, DPAP, is the 
appropriate authority to make comparable determinations for regulations 
to be published in the DFARS, which is part of the FAR system of 
regulations.
    Given that the requirements of section 806 of the NDAA for FY 2011 
and section 806 of the NDAA for FY 2013 were enacted to protect the 
supply chain, which in turn protects NSS from malicious actions, DoD 
has determined that it is in the best interest of the Federal 
Government to apply the rule to contracts for the acquisition of 
commercial items, including COTS items, as defined at FAR 2.101. An 
exception for contracts for the acquisition of commercial items, 
including COTS items, would exclude contracts intended to be covered by 
the law, thereby undermining the overarching public policy purpose of 
the law.

IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is a significant regulatory action and, therefore, was subject to 
review under section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993. This rule is not a major rule under 5 
U.S.C. 804.

V. Regulatory Flexibility Act

    A final regulatory flexibility analysis has been prepared 
consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., 
and is summarized as follows:
    The objective of this final rule is to implement in the Defense 
Federal Acquisition Regulation Supplement protection against risks to 
the supply chain affecting National Security Systems (NSS). The legal 
basis for this final rule is section 806 of the National Defense 
Authorization Act (NDAA) for Fiscal Year (FY) 2011 (Pub. L. 
111-383), as amended by section 806 of the NDAA for FY 2013 (Pub. L. 
112-239). Congress has recognized a growing concern for risks to the 
supply chain for technology contracts supporting the Department of 
Defense (DoD). Congress has defined supply chain risk as the risk that 
an adversary may sabotage, maliciously introduce unwanted function, or 
otherwise subvert the design, integrity, manufacturing, production, 
distribution, installation, operation, or maintenance of a covered 
system so as to surveil, deny, disrupt, or otherwise degrade the 
function, use, or operation of such system (see 806(e)(4) of Pub. L. 
111-383).
    This final rule calls for contractors providing information 
technology to DoD, whether as a service or as a supply, that is a 
covered system, is a part of a covered system, or is in support of a 
covered system, to mitigate supply chain risk to the supplies and 
services being provided to the Government. It also enables agencies to 
exclude sources identified as having a supply chain risk from 
consideration for award of a covered contract, in order to minimize the 
potential risk for supplies and services purchased by DoD to 
maliciously degrade the integrity and operation of sensitive 
information technology systems. Ultimately, DoD anticipates significant 
savings to taxpayers by reducing the risk of unsafe products entering 
our supply chain, which pose serious threats or risks to sensitive 
government information technology systems.
    No comments were received in response to the initial regulatory 
flexibility analysis.
    This rule applies to contractors providing the Government with 
information technology that qualifies as a covered system or covered 
item of supply. This includes purchases of commercial items, including 
commercial off-the-shelf items, and contracts not greater than the 
simplified acquisition threshold. While it is not possible to estimate 
the number of small businesses impacted, DoD does not expect this final 
rule to have a significant economic impact on a substantial number of 
contractors, since (1) the rule applies only when acquiring information 
technology that is part of a covered system or in support of a covered 
system and (2) the authority provided by the rule is expected to be 
invoked very infrequently.
    This rule does not require any specific reporting, recordkeeping or 
compliance requirements.
    No significant economic impact on small businesses is anticipated; 
however, the final rule does have a modified applicability for the 
provision and clause created by the rule. Instead of being prescribed 
for all information technology acquisitions the provision and clause 
will only apply to acquisitions for information technology that is a 
covered system or covered item of supply. This will significantly 
reduce the number of acquisitions to which the provision and clause 
will apply.

VI. Paperwork Reduction Act

    The rule does not contain any information collection requirements 
that require the approval of the Office of Management and Budget under 
the Paperwork Reduction Act (44 U.S.C. chapter 35).

List of Subjects in 48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 
239, 244, and 252

    Government procurement.

Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.
    Accordingly, DoD adopts as final the interim rule published at 78 
FR 69268 on November 18, 2013, with the following changes:

1. The authority citation for 48 CFR parts 202, 208, 212, 213, 214, 
215, 239, 244, and 252 continues to read as follows:

    Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

PART 202--DEFINITIONS OF WORDS AND TERMS

2. Amend section 202.101 by adding, in alphabetical order, a definition 
for ``Information technology'' to read as follows:


202.101  Definitions.

* * * * *
    Information technology (see 40 U.S.C. 11101(6)) means, in lieu of 
the definition at FAR 2.1, any equipment, or interconnected system(s) 
or subsystem(s) of equipment, that is used in the automatic 
acquisition, storage, analysis, evaluation, manipulation, management, 
movement, control, display, switching, interchange, transmission, or 
reception of data or information by the agency.
    (1) For purposes of this definition, equipment is used by an agency 
if the equipment is used by the agency directly or is used by a 
contractor under a contract with the agency that requires--
    (i) Its use; or
    (ii) To a significant extent, its use in the performance of a 
service or the furnishing of a product.
    (2) The term ``information technology'' includes computers, 
ancillary equipment (including imaging peripherals, input, output, and 
storage devices necessary for security and surveillance), peripheral 
equipment designed to be controlled by the central processing unit of a 
computer, software, firmware and similar procedures, services 
(including support services), and related resources.
    (3) The term ``information technology'' does not include any 
equipment acquired by a contractor incidental to a contract.
* * * * *

PART 208--REQUIRED SOURCES OF SUPPLIES AND SERVICES

3. Revise section 208.405 to read as follows:


208.405  Ordering procedures for Federal Supply Schedules.

    Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

4. In section 208.7402, revise paragraph (2) to read as follows:


208.7402  General.

* * * * *
    (2) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

PART 212--ACQUISITION OF COMMERCIAL ITEMS

5. Amend section 212.301 by--
a. Adding paragraph (c); and
b. Revising paragraphs (f)(xv)(C) and (D).
    The addition and revisions read as follows:


212.301  Solicitation provisions and contract clauses for acquisition 
of commercial items.

    (c) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.
    (f) * * *
    (xv) * * *
    (C) Use the provision at 252.239-7017, Notice of Supply Chain Risk, 
as prescribed in 239.7306(a), to comply with section 806 of Public Law 
111-383.
    (D) Use the clause at 252.239-7018, Supply Chain Risk, as 
prescribed in 239.7306(b), to comply with section 806 of Public Law 
111-383.
* * * * *

PART 213--SIMPLIFIED ACQUISITION PROCEDURES

6. Add section 213.106-1 to read as follows:


213.106-1  Soliciting competition.

    (a)(2) Include an evaluation factor regarding supply chain risk 
(see subpart 239.73) when acquiring information technology, whether as 
a service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

PART 214--SEALED BIDDING

7. Add section 214.201-5 to read as follows:


214.201-5  Part IV--Representations and instructions.

    (c) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

8. Add subpart 214.5 to read as follows:
Subpart 214.5 Two-Step Sealed Bidding
Sec.
214.503 Procedures.
214.503-1 Step one.

Subpart 214.5 Two-Step Sealed Bidding


214.503  Procedures.


214.503-1  Step one.

    (a)(4) Include an evaluation factor regarding supply chain risk 
(see subpart 239.73) when acquiring information technology, whether as 
a service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

PART 215--CONTRACTING BY NEGOTIATION

9. In section 215.304, revise paragraph (c)(v) to read as follows:


215.304  Evaluation factors and significant subfactors.

    (c) * * *
    (v) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301. For additional guidance see PGI 215.304(c)(v).

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

10. Add section 239.001 to read as follows:


239.001  Applicability.

    Notwithstanding FAR 39.001, this part applies to acquisitions of 
information technology, including national security systems.


239.7301 and 239.7302  [Redesignated as 239.7302 and 239.7301]

11. Redesignate sections 239.7301 and 239.7302 as sections 239.7302 and 
239.7301, respectively.

12. Amend newly redesignated 239.7301 by--
a. In the definition of ``Covered item'', removing ``Covered item'' and 
adding ``Covered item of supply'' in its place;
b. Removing the definition of ``Information technology''; and
c. Adding, in alphabetical order, a definition for ``Supply chain 
risk''.
    The addition reads as follows:


239.7301  Definitions.

* * * * *
    Supply chain risk means the risk that an adversary may sabotage, 
maliciously introduce unwanted function, or otherwise subvert the 
design, integrity, manufacturing, production, distribution, 
installation, operation, or maintenance of a national security system 
(as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, 
disrupt, or otherwise degrade the function, use, or operation of such 
system.


239.7302  [Amended]

13. Amend newly redesignated 239.7302 by removing ``covered item'' 
everywhere it appears and adding ``covered item of supply'' in its 
place.


239.7304  [Amended]

14. Amend section 239.7304 by--
a. In paragraph (b)(1), removing ``239.7305(a)(b) or (c)'' and adding 
``239.7305(a), (b), or (c)'' in its place; and
b. In paragraph (c)(2)(ii) and (iii) removing ``paragraph (a)'' and 
adding ``paragraph (a) of this section'' in both places.

15. Amend section 239.7305 by--
a. Revising the introductory text; and
b. Revising paragraph (d)(2)(i).
    The revisions read as follows:


239.7305  Exclusion and limitation on disclosure.

    Subject to 239.7304, the individuals authorized in 239.7303 may, in 
the course of procuring information technology, whether as a service or 
as a supply, that is a covered system, is a part of a covered system, 
or is in support of a covered system--
* * * * *
    (d) * * *
    (2) * * *
    (i) Notify appropriate parties of action taken under paragraphs (a) 
through (d) of this section and the basis for such action only to the 
extent necessary to effectuate the action;
* * * * *

16. Revise section 239.7306 to read as follows:


239.7306  Solicitation provision and contract clause.

    (a) Insert the provision at 252.239-7017, Notice of Supply Chain 
Risk, in solicitations, including solicitations using FAR part 12 
procedures for the acquisition of commercial items, for information 
technology, whether acquired as a service or as a supply, that is a 
covered system, is a part of a covered system, or is in support of a 
covered system, as defined at 239.7301.
    (b) Insert the clause at 252.239-7018, Supply Chain Risk, in 
solicitations and contracts, including solicitations and contracts 
using FAR part 12 procedures for the acquisition of commercial items, 
for information technology, whether acquired as a service or as a 
supply, that is a covered system, is a part of a covered system, or is 
in support of a covered system, as defined at 239.7301.

PART 244--SUBCONTRACTING POLICIES AND PROCEDURES

17. Revise section 244.201-1 to read as follows:


244.201-1  Consent requirements.

    In solicitations and contracts for information technology, whether 
acquired as a service or as a supply, that is a covered system or 
covered item of supply as those terms are defined at 239.7301, consider 
the need for a consent to subcontract requirement regarding supply 
chain risk (see subpart 239.73). For additional guidance see PGI 
244.201-1.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


252.239-7018  [Amended]

18. Amend section 252.239-7018 by--
a. Removing the clause date ``(NOV 2013)'' and adding ``(OCT 2015)'' in 
its place;
b. Amending paragraph (b) by removing ``shall maintain controls'' and 
adding ``shall mitigate supply chain risk'' in its place, and removing 
the phrase ``to minimize supply chain risk'' before the period; and
c. Removing paragraph (e).

[FR Doc. 2015-27463 Filed 10-29-15; 8:45 am]