Federal Acquisition Regulation; Use of Products and Services of Kaspersky Lab, 28141-28145 [2018-12847]

Download as PDF Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Rules and Regulations DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 1, 4, 13, 39, and 52 [FAC 2005–99; FAR Case 2018–010; Item I; Docket 2018–0010, Sequence 1] RIN 9000–AN64 Federal Acquisition Regulation; Use of Products and Services of Kaspersky Lab Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Interim rule. AGENCY: DoD, GSA, and NASA are issuing an interim rule amending the Federal Acquisition Regulation (FAR) to implement a section of the National Defense Authorization Act for Fiscal Year 2018. DATES: Effective Date: July 16, 2018. Applicability Dates: • Contracting officers shall include the clause at FAR 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab or Other Covered Entities— • In solicitations issued on or after July 16, 2018, and resultant contracts; and • In solicitations issued before July 16, 2018, provided award of the resulting contract(s) occurs on or after July 16, 2018. • Contracting officers shall modify, in accordance with FAR 1.108(d)(3), existing indefinite-delivery contracts to include the FAR clause for future orders, prior to placing any further orders on or after July 16, 2018. • If modifying an existing contract to extend the period of performance by more than 6 months, contracting officers should include the clause in accordance with 1.108(d). Comment Date: Interested parties should submit written comments to the Regulatory Secretariat on or before August 14, 2018 to be considered in the formulation of a final rule. ADDRESSES: Submit comments identified by FAC 2005–99, FAR Case 2018–010, by any of the following methods: • Regulations.gov: https:// www.regulations.gov. Submit comments via the Federal eRulemaking portal by sradovich on DSK3GMQ082PROD with RULES2 SUMMARY: VerDate Sep<11>2014 18:39 Jun 14, 2018 Jkt 244001 searching for ‘‘FAR Case 2018–010’’. Select the link ‘‘Submit a Comment’’ that corresponds with ‘‘FAR Case 2018– 010.’’ Follow the instructions provided at the ‘‘Submit a Comment’’ screen. Please include your name, company name (if any), and ‘‘FAR Case 2018– 010’’ on your attached document. • Mail: General Services Administration, Regulatory Secretariat (MVCB), ATTN: Lois Mandell, 1800 F Street NW, 2nd Floor, Washington, DC 20405–0001. Instructions: Please submit comments only and cite FAC 2005–99, FAR Case 2018–010, in all correspondence related to this case. All comments received will be posted without change to https:// www.regulations.gov, including any personal and/or business confidential information provided. FOR FURTHER INFORMATION CONTACT: Ms. Camara Francis, Procurement Analyst, at 202–550–0935, for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at 202–501– 4755. Please cite FAC 2005–99, FAR Case 2018–010. SUPPLEMENTARY INFORMATION: I. Background This interim rule revises the FAR to implement section 1634 of Division A of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018 (Pub. L. 115–91). Section 1634 of this law prohibits the use of hardware, software, and services of Kaspersky Lab and its related entities by the Federal Government on or after October 1, 2018. Implementation of this rule in the FAR should not impact or impair any other planned or ongoing efforts agencies may undertake to implement section 1634 of Division A of the NDAA for FY 2018, including consideration by agencies of the presence of hardware, software, or services developed or provided by Kaspersky Lab as a technical evaluation factor in the source selection process. II. Discussion and Analysis This rule amends FAR part 4, adding a new subpart 4.20, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab, with a corresponding new contract clause at 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities. The rule also adds text in subpart 13.2, Actions at or Below the Micro-Purchase Threshold, to address section 1634 with regard to micro-purchases. PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 28141 To implement section 1634, the clause at 52.204–23 prohibits contractors from providing any hardware, software, or services developed or provided by Kaspersky Lab or its related entities, or using any such hardware, software, or services in the development of data or deliverables first produced in the performance of the contract. The contractor must also report any such hardware, software, or services discovered during contract performance; this requirement flows down to subcontractors. For clarity, the rule defines ‘‘covered entity’’ and ‘‘covered article.’’ A covered entity includes the entities described in section 1634. A covered article includes hardware, software, or services that the Federal Government will use on or after October 1, 2018. As the Government considers additional actions to implement section 1634, DoD, GSA, and NASA especially welcome input on steps that the Government could take to better identify and reduce the burden on contractors related to identifying covered articles. For example: • Is the prohibition scoped appropriately to protect the Government by including situations in which covered articles may be used in the development of data or deliverables first produced during contract performance, for example, under a systems development contract? • Are the Government’s analysis and estimates in sections VI and VII, including the estimate that 5 percent of contractors would be required to submit reports in accordance with the clause, reasonable? How could these estimates be improved? • If the Government were to consider establishing a list to publicly share information regarding products identified as meeting the definition of a covered article (i.e., excluded products), including those offered by third parties: • What protocols should the Government apply prior to placing a product on the excluded list (e.g., who should be reaching out, and to whom)? • Should different protocols apply depending on whether the product is made by the original equipment manufacturer, sold by a reseller, or customized by a firm? • When is it appropriate to leave a product on the excluded list indefinitely (e.g., to provide notice for those who have previously acquired the product)? • Are there steps that the Government can take to avoid inappropriately affecting the producer’s interests (e.g., allowing the firm to demonstrate that there is a new version E:\FR\FM\15JNR2.SGM 15JNR2 28142 Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Rules and Regulations of the product that is free from concern and annotating the list accordingly)? III. Applicability to Contracts at or Below the Simplified Acquisition Threshold and for Commercial Items, Including Commercially Available Offthe-Shelf Items This rule adds a new contract clause at 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities, in order to implement section 1634 of the NDAA for FY 2018. Section 1634 of this law prohibits the use of hardware, software, and services developed or provided by Kaspersky Lab and related entities by the Federal Government on or after October 1, 2018. sradovich on DSK3GMQ082PROD with RULES2 A. Applicability to Contracts at or Below the Simplified Acquisition Threshold 41 U.S.C. 1905 governs the applicability of laws to acquisitions at or below the simplified acquisition threshold (SAT). Section 1905 generally limits the applicability of new laws when agencies are making acquisitions at or below the SAT, but provides that such acquisitions will not be exempt from a provision of law if: (i) The law contains criminal or civil penalties; (ii) the law specifically refers to 41 U.S.C. 1905 and states that the law applies to contracts and subcontracts in amounts not greater than the SAT; or (iii) the FAR Council makes a written determination and finding that it would not be in the best interest of the Federal Government to exempt contracts and subcontracts in amounts not greater than the SAT from the provision of law. B. Applicability to Contracts for the Acquisition of Commercial Items, Including Commercially Available Offthe-Shelf Items 41 U.S.C. 1906 governs the applicability of laws to contracts for the acquisition of commercial items, and is intended to limit the applicability of laws to contracts for the acquisition of commercial items. Section 1906 provides that if a provision of law contains criminal or civil penalties, or if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt commercial item contracts, the provision of law will apply to contracts for the acquisition of commercial items. Finally, 41 U.S.C. 1907 states that acquisitions of commercially available off-the-shelf (COTS) items will be exempt from a provision of law unless the law (i) contains criminal or civil penalties; (ii) specifically refers to 41 U.S.C. 1907 and states that the law VerDate Sep<11>2014 18:39 Jun 14, 2018 Jkt 244001 applies to acquisitions of COTS items; (iii) concerns authorities or responsibilities under the Small Business Act (15 U.S.C. 644) or bid protest procedures developed under the authority of 31 U.S.C. 3551 et seq., 10 U.S.C. 2305(e) and (f), or 41 U.S.C. 3706 and 3707; or (iv) the Administrator for Federal Procurement Policy makes a written determination and finding that it would not be in the best interest of the Federal Government to exempt contracts for the procurement of COTS items from the provision of law. C. Determinations The FAR Council has determined that it is in the best interest of the Government to apply the rule to contracts at or below the SAT and for the acquisition of commercial items. The Administrator for Federal Procurement Policy has determined that it is in the best interest of the Government to apply this rule to contracts for the acquisition of COTS items. While the law does not specifically address acquisitions of commercial items, including COTS items, there is an unacceptable level of risk for the Government in buying hardware, software, or services developed or provided in whole or in part by Kaspersky Lab. This level of risk is not alleviated by the fact that the item being acquired has been sold or offered for sale to the general public, either in the same form or a modified form as sold to the Government (i.e., that it is a commercial item or COTS item), nor by the small size of the purchase (i.e., at or below the SAT). As a result, agencies may face increased exposure for violating the law and unknowingly acquiring a covered article absent coverage of these types of acquisitions by this rule. IV. Executive Orders 12866 and 13563 Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This rule has been designated a ‘‘significant regulatory action’’ under Executive Order 12866. Accordingly, the Office of Management and Budget (OMB) has reviewed this PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 rule. This rule is not a major rule under 5 U.S.C. 804. V. Executive Order 13771 This rule is not subject to the requirements of E.O. 13771 because the rule is issued with respect to a national security function of the United States. VI. Regulatory Flexibility Act The change may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act 5 U.S.C. 601 et seq. The Initial Regulatory Flexibility Analysis (IRFA) is summarized as follows: The objective of the rule is to prescribe appropriate policies and procedures to enable agencies to determine and ensure that they are not purchasing products and services of Kaspersky Lab and its related entities for use by the Government on or after October 1, 2018. The legal basis for the rule is section 1634 of the NDAA for FY 2018, which prohibits Government use of such products on or after that date. Data from the Federal Procurement Data System (FPDS) for FY 2017 has been used as the basis for estimating the number of contractors that may be affected by this rule. Approximately 97,632 unique entities received new awards in Fiscal Year (FY) 2017. Of these entities, 72,447 (74 percent) unique small entities received awards during 2017. It is estimated that the reports required by this rule will be submitted by 5 percent of contractors, or 3,623 small entities. The rule requires contractors and subcontractors that are subject to the clause to report to the contracting officer, or for DoD, to the website listed in the clause, any discovery of a covered article during the course of contract performance. The rule does not duplicate, overlap, or conflict with any other Federal rules. Because of the nature of the prohibition enacted by section 1634, it is not possible to establish different compliance or reporting requirements or timetables that take into account the resources available to small entities or to exempt small entities from coverage of the rule, or any part thereof. DoD, GSA, and NASA were unable to identify any alternatives that would reduce the burden on small entities and still meet the objectives of section 1634. The Regulatory Secretariat has submitted a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat. DoD, GSA, and NASA invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities. DoD, GSA, and NASA will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested E:\FR\FM\15JNR2.SGM 15JNR2 Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Rules and Regulations parties must submit such comments separately and should cite 5 U.S.C. 610 (FAR Case 2018–010) in correspondence. sradovich on DSK3GMQ082PROD with RULES2 VII. Paperwork Reduction Act The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA) provides that an agency generally cannot conduct or sponsor a collection of information, and no person is required to respond to nor be subject to a penalty for failure to comply with a collection of information, unless that collection has obtained Office of Management and Budget (OMB) approval and displays a currently valid OMB Control Number. DoD, GSA, and NASA requested and OMB authorized emergency processing of an information collection involved in this rule, as OMB Control Number 9000–0197, consistent with 5 CFR 1320.13. DoD, GSA, and NASA have determined the following conditions have been met: a. The collection of information is needed prior to the expiration of time periods normally associated with a routine submission for review under the provisions of the Paperwork Reduction Act, in view of the deadline for this provision of the NDAA which was signed into law in December 2017 and requires action before the prohibition goes into effect on October 1, 2018. b. The collection of information is essential to the mission of the agencies to ensure the Federal Government does not purchase prohibited articles, and can respond appropriately if any such articles are not identified until after delivery or use. c. The use of normal clearance procedures would prevent the collection of information from contractors, for national security purposes, as discussed in section VIII of this preamble. Passage of the omnibus appropriations bill and the availability of additional funding for FY 18 has increased agency purchasing activity, and the information to be collected is necessary to ensure that this purchasing is done responsibly and consistent with national security. Moreover, DoD, GSA, and NASA cannot comply with the normal clearance procedures because public harm is reasonably likely to result if current clearance procedures are followed. Not only would agencies be more likely to purchase and install prohibited items, but even if such items were identified prior to the October 1 date, agencies would incur substantial additional costs replacing such items, as well as additional administrative costs for reprocurement. VerDate Sep<11>2014 18:39 Jun 14, 2018 Jkt 244001 DoD, GSA, and NASA intend to provide separate 60-day notice in the Federal Register requesting public comment on the information collection contained within this rule. Agency: DoD, GSA, and NASA. Type of Information Collection: New Collection. Title of Collection: Use of Products and Services of Kaspersky Lab. Affected Public: Private Sector— Business. Total Estimated Number of Respondents: 4,882. Average Responses per Respondents: 5. Total Estimated Number of Responses: 24,410. Average Time per Response: 1.5 hour. Total Annual Time Burden: 36,615. OMB Control Number: 9000–0197. The public reporting burden for this collection of information consists of reports of identified covered articles during contract performance as required by 52.204–23. Reports are estimated to average 1.5 hour per response, including the time for reviewing definitions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the report. The subsequent 60-day notice published by DoD, GSA, and NASA will invite public comments. VIII. Determination To Issue an Interim Rule A determination has been made under the authority of the Secretary of Defense (DoD), Administrator of General Services (GSA), and the Administrator of the National Aeronautics and Space Administration (NASA) that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. It is critical that the FAR is immediately revised to include the requirements of the law, which prohibits the Federal Government from using hardware, software, or services of Kaspersky Lab and its related entities on or after October 1, 2018. Although this prohibition does not apply until October 1, 2018, agencies and contractors must begin to take steps immediately to meet this deadline. In this regard, covered articles include hardware, software, and services acquired before October 1, 2018, that the Federal Government will use on or after October 1, 2018. Because so many IT products and services are used for more than a few months, it is critical that contractors be placed on notice as soon as possible of this prohibition so that agencies can ensure that they comply with the law and avoid acquisitions of PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 28143 covered articles that the Government will continue to use on or after October 1, 2018. Pursuant to 41 U.S.C. 1707 and FAR 1.501–3(b), DoD, GSA, and NASA will consider public comments received in response to this interim rule in the formation of the final rule. List of Subject in 48 CFR Parts 1, 4, 13, 39, and 52 Government procurement. Dated: June 7, 2018. William F. Clark, Director, Office of Governmentwide Acquisition Policy, Office of Acquisition Policy, Office of Governmentwide Policy. Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 4, 13, 39, and 52 as set forth below: ■ 1. The authority citation for 48 CFR parts 1, 4, 13, 39, and 52 continues to read as follows: Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 U.S.C. 20113. PART 1—FEDERAL ACQUISITION REGULATIONS SYSTEM 1.106 [Amended] 2. Amend section 1.106 by adding to the table, in numerical sequence, FAR segment ‘‘52.204–23’’ and its corresponding OMB control number ‘‘9000–0197’’. ■ PART 4—ADMINISTRATIVE MATTERS ■ 3. Add subpart 4.20 to read as follows: SUBPART 4.20—PROHIBITION ON CONTRACTING FOR HARDWARE, SOFTWARE, AND SERVICES DEVELOPED OR PROVIDED BY KASPERSKY LAB Sec. 4.2001 4.2002 4.2003 4.2004 Definitions. Prohibition. Notification. Contract clause. SUBPART 4.20—PROHIBITION ON CONTRACTING FOR HARDWARE, SOFTWARE, AND SERVICES DEVELOPED OR PROVIDED BY KASPERSKY LAB 4.2001 Definitions As used in this subpart— Covered article means any hardware, software, or service that— (1) Is developed or provided by a covered entity; (2) Includes any hardware, software, or service developed or provided in whole or in part by a covered entity; or (3) Contains components using any hardware or software developed in whole or in part by a covered entity. Covered entity means— E:\FR\FM\15JNR2.SGM 15JNR2 28144 Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Rules and Regulations (1) Kaspersky Lab; (2) Any successor entity to Kaspersky Lab; (3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (4) Any entity of which Kaspersky Lab has a majority ownership. 4.2002 Prohibition. Section 1634 of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115–91) prohibits Government use on or after October 1, 2018, of any hardware, software, or services developed or provided, in whole or in part, by a covered entity. Contractors are prohibited from— (a) Providing any covered article that the Government will use on or after October 1, 2018; and (b) Using any covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract. 4.2003 Notification. When a contractor provides notification pursuant to 52.204–23, follow agency procedures. 4.2004 Contract clause. The contracting officer shall insert the clause at 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities, in all solicitations and contracts. PART 13—SIMPLIFIED ACQUISITION PROCEDURES 4. Amend section 13.201 by adding paragraph (i) to read as follows: ■ 13.201 General. * * * * * (i) Do not purchase any hardware, software, or services developed or provided by Kaspersky Lab that the Government will use on or after October 1, 2018. (See 4.2002.) PART 39—ACQUISITION OF INFORMATION TECHNOLOGY 5. Amend section 39.101 by adding paragraph (e) to read as follows: sradovich on DSK3GMQ082PROD with RULES2 ■ 39.101 Policy. * * * * * (e) Contracting officers shall not purchase any hardware, software, or services developed or provided by Kaspersky Lab that the Government will use on or after October 1, 2018. (See 4.2002.) VerDate Sep<11>2014 18:39 Jun 14, 2018 Jkt 244001 PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSES 6. Add section 52.204–23 to read as follows: ■ 52.204–23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities. As prescribed in 4.2004, insert the following clause: Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (a) Definitions. As used in this clause— Covered article means any hardware, software, or service that— (1) Is developed or provided by a covered entity; (2) Includes any hardware, software, or service developed or provided in whole or in part by a covered entity; or (3) Contains components using any hardware or software developed in whole or in part by a covered entity. Covered entity means— (1) Kaspersky Lab; (2) Any successor entity to Kaspersky Lab; (3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (4) Any entity of which Kaspersky Lab has a majority ownership. (b) Prohibition. Section 1634 of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115–91) prohibits Government use of any covered article. The Contractor is prohibited from— (1) Providing any covered article that the Government will use on or after October 1, 2018; and (2) Using any covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract. (c) Reporting requirement. (1) In the event the Contractor identifies a covered article provided to the Government during contract performance, or the Contractor is notified of such by a subcontractor at any tier or any other source, the Contractor shall report, in writing, to the Contracting Officer or, in the case of the Department of Defense, to the website at https://dibnet.dod.mil. For indefinite delivery contracts, the Contractor shall report to the Contracting Officer for the indefinite delivery contract and the Contracting Officer(s) for any affected order or, in the case of the Department of Defense, identify both the indefinite delivery contract and any affected orders in the report provided at https://dibnet.dod.mil. (2) The Contractor shall report the following information pursuant to paragraph (c)(1) of this clause: (i) Within 1 business day from the date of such identification or notification: The contract number; the order number(s), if applicable; supplier name; brand; model number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended. (ii) Within 10 business days of submitting the report pursuant to paragraph (c)(1) of this clause: Any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of a covered article, any reasons that led to the use or submission of the covered article, and any additional efforts that will be incorporated to prevent future use or submission of covered articles. (d) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (d), in all subcontracts, including subcontracts for the acquisition of commercial items. (End of clause) ■ 7. Amend section 52.212–5 by— ■ a. Revising the date of the clause; ■ b. Redesignating paragraphs (a)(2) through (4) as paragraphs (a)(3) through (5), respectively, and adding a new paragraph (a)(2); ■ c. Redesignating paragraphs (e)(1)(iii) through (xxi) as paragraphs (e)(1)(iv) through (xxii), respectively, and adding a new paragraph (e)(1)(iii); and ■ d. In Alternate II: ■ i. Revising the date of the alternate; and ■ ii. Redesignating paragraphs (e)(1)(ii)(C) through (S) as paragraphs (e)(1)(ii)(D) through (T), respectively, and adding a new paragraph (e)(1)(ii)(C). The revisions and additions read as follows: 52.212–5 Contract Terms and Conditions Required To Implement Statutes or Executive Orders—Commercial Items. * * * * * Contract Terms and Conditions Required To Implement Statutes or Executive Orders—Commercial Items (Jul 2018) * * * * * (a) * * * ____ (2) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115–91). * * * * * (e)(1) * * * (iii) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115–91). * * * * * Alternate II (Jul 2018). * * * * * * * * (e)(1) * * * (ii) * * * (C) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services E:\FR\FM\15JNR2.SGM 15JNR2 Federal Register / Vol. 83, No. 116 / Friday, June 15, 2018 / Rules and Regulations Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115–91). * * * * * ■ 8. Amend section 52.213–4 by— ■ a. Revising the date of the clause; and ■ b. Redesignating paragraphs (a)(1)(ii) through (vii) as paragraphs (a)(1)(iii) through (viii), respectively, and adding a new paragraph (a)(1)(ii). The revision and addition read as follows: 52.213–4 Terms and Conditions— Simplified Acquisitions (Other Than Commercial Items). * * * * * * * * * * 9. Amend section 52.244–6 by— ■ a. Revising the date of the clause; ■ b. Redesignating paragraphs (c)(1)(iv) through (xviii) as paragraphs (c)(1)(v) through (xix), respectively, and adding a new paragraph (c)(1)(iv). The revision and addition read as follows: ■ * Subcontracts for Commercial * * * Subcontracts for Commercial Items (Jul 2018) * * * * * (c)(1) * * * (iv) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115–91). * * * * * [FR Doc. 2018–12847 Filed 6–14–18; 8:45 am] sradovich on DSK3GMQ082PROD with RULES2 BILLING CODE 6820–EP–P VerDate Sep<11>2014 18:39 Jun 14, 2018 NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 1, 9, 12, 13, and 52 [FAC 2005–99; FAR Case 2017–018; Item II; Docket No. 2017–0018, Sequence No. 1] RIN 9000–AN57 Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Interim rule. AGENCY: (a) * * * (1) * * * (ii) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115–91). * GENERAL SERVICES ADMINISTRATION Federal Acquisition Regulation: Violations of Arms Control Treaties or Agreements With the United States Terms and Conditions—Simplified Acquisitions (Other than Commercial Items) (Jul 2018) 52.244–6 Items. DEPARTMENT OF DEFENSE Jkt 244001 DoD, GSA, and NASA are issuing an interim rule amending the Federal Acquisition Regulation (FAR) to implement a section of the National Defense Authorization Act for Fiscal Year 2017 that addresses measures against persons involved in activities that violate arms control treaties or agreements with the United States. DATES: Effective: June 15, 2018. Comment Date: Interested parties should submit written comments to the Regulatory Secretariat Division at one of the addresses shown below on or before August 14, 2018 to be considered in the formation of the final rule. ADDRESSES: Submit comments in response to FAC 2005–99, FAR Case 2017–018, by any of the following methods: • Regulations.gov: https:// www.regulations.gov. Submit comments via the Federal eRulemaking portal by searching for ‘‘FAR Case 2017–018.’’ Select the link ‘‘Comment Now’’ that corresponds with ‘‘FAR Case 2017– 018.’’ Follow the instructions provided on the screen. Please include your name, company name (if any), and ‘‘FAR Case 2017–018’’ on your attached document. • Mail: General Services Administration, Regulatory Secretariat Division (MVCB), ATTN: Ms. Lois Mandell, 1800 F Street NW, 2nd Floor, Washington, DC 20405. Instructions: Please submit comments only and cite FAC 2005–99, FAR Case 2017–018, in all correspondence related to this case. All comments received will be posted without change to https:// www.regulations.gov, including any personal and/or business confidential SUMMARY: PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 28145 information provided. To confirm receipt of your comment(s), please check www.regulations.gov, approximately two to three days after submission to verify posting (except allow 30 days for posting of comments submitted by mail). FOR FURTHER INFORMATION CONTACT: Ms. Cecelia L. Davis, Procurement Analyst, at 202–219–0202 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202–501–4755. Please cite FAC 2005– 99, FAR Case 2017–018. SUPPLEMENTARY INFORMATION: I. Background This interim rule amends the FAR to implement a section of the National Defense Authorization Act (NDAA) for Fiscal Year 2017 that addresses measures against persons involved in activities that violate arms control treaties or agreements with the United States. This rule amends FAR part 9, Contractor Qualifications, and adds a provision at FAR 52.209–13 to implement section 1290 of the National Defense Authorization Act for Fiscal Year 2017 (Pub. L. 114–328), codified at 22 U.S.C. 2593e. The President submits annually to Congress a report prepared by the Secretary of State with the concurrence of the Director of Central Intelligence and in consultation with the Secretary of Defense, the Secretary of Energy, and the Chairman of the Joint Chiefs of Staff, on the status of United States policy and actions with respect to arms control, nonproliferation, and disarmament, pursuant to section 403 of the Arms Control and Disarmament Act (22 U.S.C. 2593a). In this report, the Secretary of State assesses adherence to and compliance with arms control, nonproliferation, and disarmament agreements and commitments by the United States and other countries. This report is submitted in unclassified form, with classified annexes, as appropriate. The Department of State’s most recent unclassified report submitted in April 2018 to Congress is available at https:// www.state.gov/t/avc/rls/rpt/. The Secretary of the Treasury is required to submit to the appropriate Congressional committees a report, consistent with the protection of intelligence sources and methods, identifying every person with respect to whom there is credible information indicating that the person is— • An individual who is a citizen, national, or permanent resident of, or an entity organized under the laws of, a noncompliant country; and E:\FR\FM\15JNR2.SGM 15JNR2

Agencies

[Federal Register Volume 83, Number 116 (Friday, June 15, 2018)]
[Rules and Regulations]
[Pages 28141-28145]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-12847]



[[Page 28141]]

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1, 4, 13, 39, and 52

[FAC 2005-99; FAR Case 2018-010; Item I; Docket 2018-0010, Sequence 1]
RIN 9000-AN64


Federal Acquisition Regulation; Use of Products and Services of 
Kaspersky Lab

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Interim rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are issuing an interim rule amending the 
Federal Acquisition Regulation (FAR) to implement a section of the 
National Defense Authorization Act for Fiscal Year 2018.

DATES: 
    Effective Date: July 16, 2018.
    Applicability Dates:
      Contracting officers shall include the clause at FAR 
52.204-23, Prohibition on Contracting for Hardware, Software, and 
Services Developed or Provided by Kaspersky Lab or Other Covered 
Entities--
      In solicitations issued on or after July 16, 2018, and 
resultant contracts; and
      In solicitations issued before July 16, 2018, provided 
award of the resulting contract(s) occurs on or after July 16, 2018.
     Contracting officers shall modify, in accordance with FAR 
1.108(d)(3), existing indefinite-delivery contracts to include the FAR 
clause for future orders, prior to placing any further orders on or 
after July 16, 2018.
     If modifying an existing contract to extend the period of 
performance by more than 6 months, contracting officers should include 
the clause in accordance with 1.108(d).
    Comment Date: Interested parties should submit written comments to 
the Regulatory Secretariat on or before August 14, 2018 to be 
considered in the formulation of a final rule.

ADDRESSES: Submit comments identified by FAC 2005-99, FAR Case 2018-
010, by any of the following methods:
     Regulations.gov: https://www.regulations.gov. Submit 
comments via the Federal eRulemaking portal by searching for ``FAR Case 
2018-010''. Select the link ``Submit a Comment'' that corresponds with 
``FAR Case 2018-010.'' Follow the instructions provided at the ``Submit 
a Comment'' screen. Please include your name, company name (if any), 
and ``FAR Case 2018-010'' on your attached document.
     Mail: General Services Administration, Regulatory 
Secretariat (MVCB), ATTN: Lois Mandell, 1800 F Street NW, 2nd Floor, 
Washington, DC 20405-0001.
    Instructions: Please submit comments only and cite FAC 2005-99, FAR 
Case 2018-010, in all correspondence related to this case. All comments 
received will be posted without change to https://www.regulations.gov, 
including any personal and/or business confidential information 
provided.

FOR FURTHER INFORMATION CONTACT: Ms. Camara Francis, Procurement 
Analyst, at 202-550-0935, for clarification of content. For information 
pertaining to status or publication schedules, contact the Regulatory 
Secretariat at 202-501-4755. Please cite FAC 2005-99, FAR Case 2018-
010.

SUPPLEMENTARY INFORMATION: 

I. Background

    This interim rule revises the FAR to implement section 1634 of 
Division A of the National Defense Authorization Act (NDAA) for Fiscal 
Year (FY) 2018 (Pub. L. 115-91). Section 1634 of this law prohibits the 
use of hardware, software, and services of Kaspersky Lab and its 
related entities by the Federal Government on or after October 1, 2018.
    Implementation of this rule in the FAR should not impact or impair 
any other planned or ongoing efforts agencies may undertake to 
implement section 1634 of Division A of the NDAA for FY 2018, including 
consideration by agencies of the presence of hardware, software, or 
services developed or provided by Kaspersky Lab as a technical 
evaluation factor in the source selection process.

II. Discussion and Analysis

    This rule amends FAR part 4, adding a new subpart 4.20, Prohibition 
on Contracting for Hardware, Software, and Services Developed or 
Provided by Kaspersky Lab, with a corresponding new contract clause at 
52.204-23, Prohibition on Contracting for Hardware, Software, and 
Services Developed or Provided by Kaspersky Lab and Other Covered 
Entities. The rule also adds text in subpart 13.2, Actions at or Below 
the Micro-Purchase Threshold, to address section 1634 with regard to 
micro-purchases.
    To implement section 1634, the clause at 52.204-23 prohibits 
contractors from providing any hardware, software, or services 
developed or provided by Kaspersky Lab or its related entities, or 
using any such hardware, software, or services in the development of 
data or deliverables first produced in the performance of the contract. 
The contractor must also report any such hardware, software, or 
services discovered during contract performance; this requirement flows 
down to subcontractors. For clarity, the rule defines ``covered 
entity'' and ``covered article.'' A covered entity includes the 
entities described in section 1634. A covered article includes 
hardware, software, or services that the Federal Government will use on 
or after October 1, 2018.
    As the Government considers additional actions to implement section 
1634, DoD, GSA, and NASA especially welcome input on steps that the 
Government could take to better identify and reduce the burden on 
contractors related to identifying covered articles. For example:
     Is the prohibition scoped appropriately to protect the 
Government by including situations in which covered articles may be 
used in the development of data or deliverables first produced during 
contract performance, for example, under a systems development 
contract?
     Are the Government's analysis and estimates in sections VI 
and VII, including the estimate that 5 percent of contractors would be 
required to submit reports in accordance with the clause, reasonable? 
How could these estimates be improved?
     If the Government were to consider establishing a list to 
publicly share information regarding products identified as meeting the 
definition of a covered article (i.e., excluded products), including 
those offered by third parties:

      What protocols should the Government apply prior to 
placing a product on the excluded list (e.g., who should be reaching 
out, and to whom)?
      Should different protocols apply depending on whether the 
product is made by the original equipment manufacturer, sold by a 
reseller, or customized by a firm?
      When is it appropriate to leave a product on the excluded 
list indefinitely (e.g., to provide notice for those who have 
previously acquired the product)?
      Are there steps that the Government can take to avoid 
inappropriately affecting the producer's interests (e.g., allowing the 
firm to demonstrate that there is a new version

[[Page 28142]]

of the product that is free from concern and annotating the list 
accordingly)?

III. Applicability to Contracts at or Below the Simplified Acquisition 
Threshold and for Commercial Items, Including Commercially Available 
Off-the-Shelf Items

    This rule adds a new contract clause at 52.204-23, Prohibition on 
Contracting for Hardware, Software, and Services Developed or Provided 
by Kaspersky Lab and Other Covered Entities, in order to implement 
section 1634 of the NDAA for FY 2018. Section 1634 of this law 
prohibits the use of hardware, software, and services developed or 
provided by Kaspersky Lab and related entities by the Federal 
Government on or after October 1, 2018.

A. Applicability to Contracts at or Below the Simplified Acquisition 
Threshold

    41 U.S.C. 1905 governs the applicability of laws to acquisitions at 
or below the simplified acquisition threshold (SAT). Section 1905 
generally limits the applicability of new laws when agencies are making 
acquisitions at or below the SAT, but provides that such acquisitions 
will not be exempt from a provision of law if: (i) The law contains 
criminal or civil penalties; (ii) the law specifically refers to 41 
U.S.C. 1905 and states that the law applies to contracts and 
subcontracts in amounts not greater than the SAT; or (iii) the FAR 
Council makes a written determination and finding that it would not be 
in the best interest of the Federal Government to exempt contracts and 
subcontracts in amounts not greater than the SAT from the provision of 
law.

B. Applicability to Contracts for the Acquisition of Commercial Items, 
Including Commercially Available Off-the-Shelf Items

    41 U.S.C. 1906 governs the applicability of laws to contracts for 
the acquisition of commercial items, and is intended to limit the 
applicability of laws to contracts for the acquisition of commercial 
items. Section 1906 provides that if a provision of law contains 
criminal or civil penalties, or if the FAR Council makes a written 
determination that it is not in the best interest of the Federal 
Government to exempt commercial item contracts, the provision of law 
will apply to contracts for the acquisition of commercial items.
    Finally, 41 U.S.C. 1907 states that acquisitions of commercially 
available off-the-shelf (COTS) items will be exempt from a provision of 
law unless the law (i) contains criminal or civil penalties; (ii) 
specifically refers to 41 U.S.C. 1907 and states that the law applies 
to acquisitions of COTS items; (iii) concerns authorities or 
responsibilities under the Small Business Act (15 U.S.C. 644) or bid 
protest procedures developed under the authority of 31 U.S.C. 3551 et 
seq., 10 U.S.C. 2305(e) and (f), or 41 U.S.C. 3706 and 3707; or (iv) 
the Administrator for Federal Procurement Policy makes a written 
determination and finding that it would not be in the best interest of 
the Federal Government to exempt contracts for the procurement of COTS 
items from the provision of law.

C. Determinations

    The FAR Council has determined that it is in the best interest of 
the Government to apply the rule to contracts at or below the SAT and 
for the acquisition of commercial items. The Administrator for Federal 
Procurement Policy has determined that it is in the best interest of 
the Government to apply this rule to contracts for the acquisition of 
COTS items.
    While the law does not specifically address acquisitions of 
commercial items, including COTS items, there is an unacceptable level 
of risk for the Government in buying hardware, software, or services 
developed or provided in whole or in part by Kaspersky Lab. This level 
of risk is not alleviated by the fact that the item being acquired has 
been sold or offered for sale to the general public, either in the same 
form or a modified form as sold to the Government (i.e., that it is a 
commercial item or COTS item), nor by the small size of the purchase 
(i.e., at or below the SAT). As a result, agencies may face increased 
exposure for violating the law and unknowingly acquiring a covered 
article absent coverage of these types of acquisitions by this rule.

IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This rule has been designated a ``significant regulatory action'' under 
Executive Order 12866. Accordingly, the Office of Management and Budget 
(OMB) has reviewed this rule. This rule is not a major rule under 5 
U.S.C. 804.

V. Executive Order 13771

    This rule is not subject to the requirements of E.O. 13771 because 
the rule is issued with respect to a national security function of the 
United States.

VI. Regulatory Flexibility Act

    The change may have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act 5 U.S.C. 601 et seq. The Initial Regulatory Flexibility 
Analysis (IRFA) is summarized as follows:

    The objective of the rule is to prescribe appropriate policies 
and procedures to enable agencies to determine and ensure that they 
are not purchasing products and services of Kaspersky Lab and its 
related entities for use by the Government on or after October 1, 
2018. The legal basis for the rule is section 1634 of the NDAA for 
FY 2018, which prohibits Government use of such products on or after 
that date.
    Data from the Federal Procurement Data System (FPDS) for FY 2017 
has been used as the basis for estimating the number of contractors 
that may be affected by this rule. Approximately 97,632 unique 
entities received new awards in Fiscal Year (FY) 2017. Of these 
entities, 72,447 (74 percent) unique small entities received awards 
during 2017. It is estimated that the reports required by this rule 
will be submitted by 5 percent of contractors, or 3,623 small 
entities.
    The rule requires contractors and subcontractors that are 
subject to the clause to report to the contracting officer, or for 
DoD, to the website listed in the clause, any discovery of a covered 
article during the course of contract performance.
    The rule does not duplicate, overlap, or conflict with any other 
Federal rules.
    Because of the nature of the prohibition enacted by section 
1634, it is not possible to establish different compliance or 
reporting requirements or timetables that take into account the 
resources available to small entities or to exempt small entities 
from coverage of the rule, or any part thereof. DoD, GSA, and NASA 
were unable to identify any alternatives that would reduce the 
burden on small entities and still meet the objectives of section 
1634.

    The Regulatory Secretariat has submitted a copy of the IRFA to the 
Chief Counsel for Advocacy of the Small Business Administration. A copy 
of the IRFA may be obtained from the Regulatory Secretariat. DoD, GSA, 
and NASA invite comments from small business concerns and other 
interested parties on the expected impact of this rule on small 
entities.
    DoD, GSA, and NASA will also consider comments from small entities 
concerning the existing regulations in subparts affected by this rule 
in accordance with 5 U.S.C. 610. Interested

[[Page 28143]]

parties must submit such comments separately and should cite 5 U.S.C. 
610 (FAR Case 2018-010) in correspondence.

VII. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA) 
provides that an agency generally cannot conduct or sponsor a 
collection of information, and no person is required to respond to nor 
be subject to a penalty for failure to comply with a collection of 
information, unless that collection has obtained Office of Management 
and Budget (OMB) approval and displays a currently valid OMB Control 
Number.
    DoD, GSA, and NASA requested and OMB authorized emergency 
processing of an information collection involved in this rule, as OMB 
Control Number 9000-0197, consistent with 5 CFR 1320.13. DoD, GSA, and 
NASA have determined the following conditions have been met:
    a. The collection of information is needed prior to the expiration 
of time periods normally associated with a routine submission for 
review under the provisions of the Paperwork Reduction Act, in view of 
the deadline for this provision of the NDAA which was signed into law 
in December 2017 and requires action before the prohibition goes into 
effect on October 1, 2018.
    b. The collection of information is essential to the mission of the 
agencies to ensure the Federal Government does not purchase prohibited 
articles, and can respond appropriately if any such articles are not 
identified until after delivery or use.
    c. The use of normal clearance procedures would prevent the 
collection of information from contractors, for national security 
purposes, as discussed in section VIII of this preamble.
    Passage of the omnibus appropriations bill and the availability of 
additional funding for FY 18 has increased agency purchasing activity, 
and the information to be collected is necessary to ensure that this 
purchasing is done responsibly and consistent with national security.
    Moreover, DoD, GSA, and NASA cannot comply with the normal 
clearance procedures because public harm is reasonably likely to result 
if current clearance procedures are followed. Not only would agencies 
be more likely to purchase and install prohibited items, but even if 
such items were identified prior to the October 1 date, agencies would 
incur substantial additional costs replacing such items, as well as 
additional administrative costs for reprocurement.
    DoD, GSA, and NASA intend to provide separate 60-day notice in the 
Federal Register requesting public comment on the information 
collection contained within this rule.
    Agency: DoD, GSA, and NASA.
    Type of Information Collection: New Collection.
    Title of Collection: Use of Products and Services of Kaspersky Lab.
    Affected Public: Private Sector--Business.
    Total Estimated Number of Respondents: 4,882.
    Average Responses per Respondents: 5.
    Total Estimated Number of Responses: 24,410.
    Average Time per Response: 1.5 hour.
    Total Annual Time Burden: 36,615.
    OMB Control Number: 9000-0197.
    The public reporting burden for this collection of information 
consists of reports of identified covered articles during contract 
performance as required by 52.204-23. Reports are estimated to average 
1.5 hour per response, including the time for reviewing definitions, 
searching existing data sources, gathering and maintaining the data 
needed, and completing and reviewing the report.
    The subsequent 60-day notice published by DoD, GSA, and NASA will 
invite public comments.

VIII. Determination To Issue an Interim Rule

    A determination has been made under the authority of the Secretary 
of Defense (DoD), Administrator of General Services (GSA), and the 
Administrator of the National Aeronautics and Space Administration 
(NASA) that urgent and compelling reasons exist to promulgate this 
interim rule without prior opportunity for public comment. It is 
critical that the FAR is immediately revised to include the 
requirements of the law, which prohibits the Federal Government from 
using hardware, software, or services of Kaspersky Lab and its related 
entities on or after October 1, 2018.
    Although this prohibition does not apply until October 1, 2018, 
agencies and contractors must begin to take steps immediately to meet 
this deadline. In this regard, covered articles include hardware, 
software, and services acquired before October 1, 2018, that the 
Federal Government will use on or after October 1, 2018. Because so 
many IT products and services are used for more than a few months, it 
is critical that contractors be placed on notice as soon as possible of 
this prohibition so that agencies can ensure that they comply with the 
law and avoid acquisitions of covered articles that the Government will 
continue to use on or after October 1, 2018. Pursuant to 41 U.S.C. 1707 
and FAR 1.501-3(b), DoD, GSA, and NASA will consider public comments 
received in response to this interim rule in the formation of the final 
rule.

List of Subject in 48 CFR Parts 1, 4, 13, 39, and 52

    Government procurement.

    Dated: June 7, 2018.
William F. Clark,
Director, Office of Governmentwide Acquisition Policy, Office of 
Acquisition Policy, Office of Governmentwide Policy.

    Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 4, 13, 39, and 
52 as set forth below:

0
1. The authority citation for 48 CFR parts 1, 4, 13, 39, and 52 
continues to read as follows:

    Authority:  40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 
U.S.C. 20113.

PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM


1.106   [Amended]

0
2. Amend section 1.106 by adding to the table, in numerical sequence, 
FAR segment ``52.204-23'' and its corresponding OMB control number 
``9000-0197''.

PART 4--ADMINISTRATIVE MATTERS

0
3. Add subpart 4.20 to read as follows:

SUBPART 4.20--PROHIBITION ON CONTRACTING FOR HARDWARE, SOFTWARE, 
AND SERVICES DEVELOPED OR PROVIDED BY KASPERSKY LAB

Sec.
4.2001 Definitions.
4.2002 Prohibition.
4.2003 Notification.
4.2004 Contract clause.

SUBPART 4.20--PROHIBITION ON CONTRACTING FOR HARDWARE, SOFTWARE, 
AND SERVICES DEVELOPED OR PROVIDED BY KASPERSKY LAB


4.2001  Definitions

    As used in this subpart--
    Covered article means any hardware, software, or service that--
    (1) Is developed or provided by a covered entity;
    (2) Includes any hardware, software, or service developed or 
provided in whole or in part by a covered entity; or
    (3) Contains components using any hardware or software developed in 
whole or in part by a covered entity.
    Covered entity means--

[[Page 28144]]

    (1) Kaspersky Lab;
    (2) Any successor entity to Kaspersky Lab;
    (3) Any entity that controls, is controlled by, or is under common 
control with Kaspersky Lab; or
    (4) Any entity of which Kaspersky Lab has a majority ownership.


4.2002  Prohibition.

    Section 1634 of Division A of the National Defense Authorization 
Act for Fiscal Year 2018 (Pub. L. 115-91) prohibits Government use on 
or after October 1, 2018, of any hardware, software, or services 
developed or provided, in whole or in part, by a covered entity. 
Contractors are prohibited from--
    (a) Providing any covered article that the Government will use on 
or after October 1, 2018; and
    (b) Using any covered article on or after October 1, 2018, in the 
development of data or deliverables first produced in the performance 
of the contract.


4.2003  Notification.

    When a contractor provides notification pursuant to 52.204-23, 
follow agency procedures.


4.2004  Contract clause.

    The contracting officer shall insert the clause at 52.204-23, 
Prohibition on Contracting for Hardware, Software, and Services 
Developed or Provided by Kaspersky Lab and Other Covered Entities, in 
all solicitations and contracts.

PART 13--SIMPLIFIED ACQUISITION PROCEDURES

0
4. Amend section 13.201 by adding paragraph (i) to read as follows:


13.201  General.

* * * * *
    (i) Do not purchase any hardware, software, or services developed 
or provided by Kaspersky Lab that the Government will use on or after 
October 1, 2018. (See 4.2002.)

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

0
5. Amend section 39.101 by adding paragraph (e) to read as follows:


39.101  Policy.

* * * * *
    (e) Contracting officers shall not purchase any hardware, software, 
or services developed or provided by Kaspersky Lab that the Government 
will use on or after October 1, 2018. (See 4.2002.)

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
6. Add section 52.204-23 to read as follows:


52.204-23   Prohibition on Contracting for Hardware, Software, and 
Services Developed or Provided by Kaspersky Lab and Other Covered 
Entities.

    As prescribed in 4.2004, insert the following clause:

Prohibition on Contracting for Hardware, Software, and Services 
Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 
2018)

    (a) Definitions. As used in this clause--
    Covered article means any hardware, software, or service that--
    (1) Is developed or provided by a covered entity;
    (2) Includes any hardware, software, or service developed or 
provided in whole or in part by a covered entity; or
    (3) Contains components using any hardware or software developed 
in whole or in part by a covered entity.
    Covered entity means--
    (1) Kaspersky Lab;
    (2) Any successor entity to Kaspersky Lab;
    (3) Any entity that controls, is controlled by, or is under 
common control with Kaspersky Lab; or
    (4) Any entity of which Kaspersky Lab has a majority ownership.
    (b) Prohibition. Section 1634 of Division A of the National 
Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91) 
prohibits Government use of any covered article. The Contractor is 
prohibited from--
    (1) Providing any covered article that the Government will use 
on or after October 1, 2018; and
    (2) Using any covered article on or after October 1, 2018, in 
the development of data or deliverables first produced in the 
performance of the contract.
    (c) Reporting requirement. (1) In the event the Contractor 
identifies a covered article provided to the Government during 
contract performance, or the Contractor is notified of such by a 
subcontractor at any tier or any other source, the Contractor shall 
report, in writing, to the Contracting Officer or, in the case of 
the Department of Defense, to the website at https://dibnet.dod.mil. 
For indefinite delivery contracts, the Contractor shall report to 
the Contracting Officer for the indefinite delivery contract and the 
Contracting Officer(s) for any affected order or, in the case of the 
Department of Defense, identify both the indefinite delivery 
contract and any affected orders in the report provided at https://dibnet.dod.mil.
    (2) The Contractor shall report the following information 
pursuant to paragraph (c)(1) of this clause:
    (i) Within 1 business day from the date of such identification 
or notification: The contract number; the order number(s), if 
applicable; supplier name; brand; model number (Original Equipment 
Manufacturer (OEM) number, manufacturer part number, or wholesaler 
number); item description; and any readily available information 
about mitigation actions undertaken or recommended.
    (ii) Within 10 business days of submitting the report pursuant 
to paragraph (c)(1) of this clause: Any further available 
information about mitigation actions undertaken or recommended. In 
addition, the Contractor shall describe the efforts it undertook to 
prevent use or submission of a covered article, any reasons that led 
to the use or submission of the covered article, and any additional 
efforts that will be incorporated to prevent future use or 
submission of covered articles.
    (d) Subcontracts. The Contractor shall insert the substance of 
this clause, including this paragraph (d), in all subcontracts, 
including subcontracts for the acquisition of commercial items.

(End of clause)

0
7. Amend section 52.212-5 by--
0
a. Revising the date of the clause;
0
b. Redesignating paragraphs (a)(2) through (4) as paragraphs (a)(3) 
through (5), respectively, and adding a new paragraph (a)(2);
0
c. Redesignating paragraphs (e)(1)(iii) through (xxi) as paragraphs 
(e)(1)(iv) through (xxii), respectively, and adding a new paragraph 
(e)(1)(iii); and
0
d. In Alternate II:
0
i. Revising the date of the alternate; and
0
ii. Redesignating paragraphs (e)(1)(ii)(C) through (S) as paragraphs 
(e)(1)(ii)(D) through (T), respectively, and adding a new paragraph 
(e)(1)(ii)(C).
    The revisions and additions read as follows:


52.212-5   Contract Terms and Conditions Required To Implement Statutes 
or Executive Orders--Commercial Items.

* * * * *

Contract Terms and Conditions Required To Implement Statutes or 
Executive Orders--Commercial Items (Jul 2018)

* * * * *
    (a) * * *
    ____ (2) 52.204-23, Prohibition on Contracting for Hardware, 
Software, and Services Developed or Provided by Kaspersky Lab and 
Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115-91).
* * * * *
    (e)(1) * * *
    (iii) 52.204-23, Prohibition on Contracting for Hardware, 
Software, and Services Developed or Provided by Kaspersky Lab and 
Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115-91).
* * * * *
    Alternate II (Jul 2018). * * *
* * * * *
    (e)(1) * * *
    (ii) * * *
    (C) 52.204-23, Prohibition on Contracting for Hardware, 
Software, and Services

[[Page 28145]]

Developed or Provided by Kaspersky Lab and Other Covered Entities 
(Jul 2018) (Section 1634 of Pub. L. 115-91).
* * * * *

0
8. Amend section 52.213-4 by--
0
a. Revising the date of the clause; and
0
b. Redesignating paragraphs (a)(1)(ii) through (vii) as paragraphs 
(a)(1)(iii) through (viii), respectively, and adding a new paragraph 
(a)(1)(ii).
    The revision and addition read as follows:


52.213-4   Terms and Conditions--Simplified Acquisitions (Other Than 
Commercial Items).

* * * * *

Terms and Conditions--Simplified Acquisitions (Other than Commercial 
Items) (Jul 2018)

    (a) * * *
    (1) * * *
    (ii) 52.204-23, Prohibition on Contracting for Hardware, 
Software, and Services Developed or Provided by Kaspersky Lab and 
Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115-91).
* * * * *

0
9. Amend section 52.244-6 by--
0
a. Revising the date of the clause;
0
b. Redesignating paragraphs (c)(1)(iv) through (xviii) as paragraphs 
(c)(1)(v) through (xix), respectively, and adding a new paragraph 
(c)(1)(iv).
    The revision and addition read as follows:


52.244-6  Subcontracts for Commercial Items.

* * * * *

Subcontracts for Commercial Items (Jul 2018)

* * * * *
    (c)(1) * * *
    (iv) 52.204-23, Prohibition on Contracting for Hardware, 
Software, and Services Developed or Provided by Kaspersky Lab and 
Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115-91).
* * * * *
[FR Doc. 2018-12847 Filed 6-14-18; 8:45 am]
 BILLING CODE 6820-EP-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.