Federal Acquisition Regulation: Use of Products and Services of Kaspersky Lab, 47861-47862 [2019-19360]

Agencies

• DEPARTMENT OF DEFENSE
• General Services Administration
• National Aeronautics and Space Administration

[Federal Register Volume 84, Number 175 (Tuesday, September 10, 2019)]
[Rules and Regulations]
[Pages 47861-47862]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-19360]



[[Page 47861]]

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1, 4, 13, 39, and 52

[FAC 2019-06; FAR Case 2018-010; Item I; Docket No. FAR-2018-0010, 
Sequence No. 1]
RIN 9000-AN64


Federal Acquisition Regulation: Use of Products and Services of 
Kaspersky Lab

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are adopting as final, without change, an 
interim rule amending the Federal Acquisition Regulation (FAR) to 
implement a section of the National Defense Authorization Act (NDAA) 
for Fiscal Year (FY) 2018.

DATES: Effective September 10, 2019.

FOR FURTHER INFORMATION CONTACT: Ms. Camara Francis, Procurement 
Analyst, at 202-550-0935 for clarification of content. For information 
pertaining to status or publication schedules, contact the Regulatory 
Secretariat Division at 202-501-4755. Please cite FAC 2019-06, FAR Case 
2018-010.

SUPPLEMENTARY INFORMATION: 

I. Background

    DoD, GSA, and NASA published an interim rule in the Federal 
Register at 83 FR 28141 on June 15, 2018, to revise the FAR to 
implement section 1634 of Division A of the NDAA for FY 2018 (Pub. L. 
115-91). Section 1634 of this law prohibits the use of products or 
services of Kaspersky Lab and its related entities by the Federal 
Government on or after October 1, 2018.
    The interim rule amended FAR part 4, adding a new subpart 4.20, 
Prohibition on Contracting for Hardware, Software, and Services 
Developed or Provided by Kaspersky Lab, with a corresponding new 
contract clause at 52.204-23, Prohibition on Contracting for Hardware, 
Software, and Services Developed or Provided by Kaspersky Lab and Other 
Covered Entities. The interim rule also added text in subpart 13.2, 
Actions at or Below the Micro-Purchase Threshold, to address section 
1634 with regard to micro-purchases. To implement section 1634, the 
clause at 52.204-23 prohibits contractors from providing any hardware, 
software, or services developed or provided by Kaspersky Lab or its 
related entities, or using any such hardware, software, or services in 
the development of data or deliverables first produced in the 
performance of the contract. The contractor must also report any such 
hardware, software, or services discovered during contract performance; 
this requirement flows down to subcontractors. For clarity, the rule 
defines ``covered entity'' and ``covered article''. A covered entity 
includes the entities described in section 1634. A covered article 
includes hardware, software, or services that the Federal Government 
will use on or after October 1, 2018. The public comment period ended 
August 14, 2018.

II. Discussion and Analysis

    Three respondents submitted public comments, one of which was 
outside the scope of the rule. There are no changes made to the final 
rule as a result of the public comments. Responses to comments received 
follow below.
    Comment: A respondent stated, ``To reduce burden on contractors, a 
specific list or definition around `covered article' or `covered 
entity' are requested. It is also requested to share how and when an 
entity or article would be added to this list and incorporated into 
this clause.''
    Response: The rule defines ``covered article'' and ``covered 
entity'' in FAR 4.2001, Definitions. With respect to use of a products 
list, the preamble to the interim rule included a series of detailed 
questions designed to elicit feedback on how a list might be developed 
and maintained, as well as other steps that might be taken to reduce 
burden, but no public input was offered. Due to the continually 
evolving nature of technological product and service offerings, 
including third-party products that may either add or eliminate 
inclusion of elements such as Kaspersky Lab software, and the lack of 
suggestions for how this challenge might be managed, DoD, GSA, and NASA 
have concluded that providing a definitive list of hardware, software, 
or services subject to the definition of ``covered article'' is 
impractical, particularly in regulation. Similar challenges regarding 
the shifting nature of ownership, affiliate and subsidiary 
relationships also apply to the definition of ``covered entity.'' DoD, 
GSA, and NASA intend to confer with the Federal Acquisition Security 
Council staff as it considers issues related to the appropriate sharing 
of information to support management decisions associated with supply 
chain risk management.
    Comment: A respondent indicated that the prohibition should be 
effective immediately to prevent continued use and additional risk to 
the Government. The respondent had similar concerns that existing 
contracts would not be modified to incorporate the clause unless the 
period of performance was being extended for six or more months.
    Response: The statutory prohibition in section 1634 took effect on 
October 1, 2018, and the interim rule was published in advance of the 
effective date in order to provide sufficient time for both Government 
and industry to identify any current use or planned procurements of 
covered articles from covered entities. Publication of the FAR rule was 
one tool to help agencies in their implementation of section 1634, but 
the rule did not impact or impair any other planned or ongoing efforts 
agencies undertook to address the presence of covered articles.

III. Applicability to Contracts at or Below the Simplified Acquisition 
Threshold (SAT) and for Commercial Items, Including Commercially 
Available Off-the-Shelf (COTS) Items

    This rule applies the requirements of section 1634 of the NDAA for 
FY 2018 to contracts at or below the SAT, to include contracts for the 
acquisition of commercial items, including COTS items.

A. Applicability to Contracts at or Below the Simplified Acquisition 
Threshold

    41 U.S.C. 1905 governs the applicability of laws to acquisitions at 
or below the simplified acquisition threshold (SAT). Section 1905 
generally limits the applicability of new laws when agencies are making 
acquisitions at or below the SAT, but provides that such acquisitions 
will not be exempt from a provision of law if: (i) the law contains 
criminal or civil penalties; (ii) the law specifically refers to 41 
U.S.C. 1905 and states that the law applies to contracts and 
subcontracts in amounts not greater than the SAT; or (iii) the FAR 
Council makes a written determination and finding that it would not be 
in the best interest of the Federal Government to exempt contracts and 
subcontracts in amounts not greater than the SAT from the provision of 
law.

B. Applicability to Contracts for the Acquisition of Commercial Items, 
Including COTS Items

    41 U.S.C. 1906 governs the applicability of laws to contracts for 
the acquisition of commercial items, and is

[[Page 47862]]

intended to limit the applicability of laws to contracts for the 
acquisition of commercial items. Section 1906 provides that if a 
provision of law contains criminal or civil penalties, or if the FAR 
Council makes a written determination that it is not in the best 
interest of the Federal Government to exempt commercial item contracts, 
the provision of law will apply to contracts for the acquisition of 
commercial items.
    Finally, 41 U.S.C. 1907 states that acquisitions of COTS items will 
be exempt from a provision of law unless the law (i) contains criminal 
or civil penalties; (ii) specifically refers to 41 U.S.C. 1907 and 
states that the law applies to acquisitions of COTS items; (iii) 
concerns authorities or responsibilities under the Small Business Act 
(15 U.S.C. 644) or bid protest procedures developed under the authority 
of 31 U.S.C. 3551 et seq., 10 U.S.C. 2305(e) and (f), or 41 U.S.C. 3706 
and 3707; or (iv) the Administrator for Federal Procurement Policy 
makes a written determination and finding that would not be in the best 
interest of the Federal Government to exempt contracts for the 
procurement of COTS items from the provision of law.

C. Determinations

    With the publication of the interim rule the FAR Council has 
determined it was in the best interest of the Government to apply the 
rule to contracts at or below the SAT and for the acquisition of 
commercial items. Likewise, the Administrator for Federal Procurement 
Policy determined it was in the best interest of the Government to 
apply this rule to contracts for the acquisition of COTS items.
    While the law does not specifically address acquisitions of 
commercial items, including COTS items, there is an unacceptable level 
of risk for the Government in buying hardware, software, or services 
developed or provided in whole or in part by Kaspersky Lab. This level 
of risk is not alleviated by the fact that the item being acquired has 
been sold or offered for sale to the general public, either in the same 
form or a modified form as sold to the Government (i.e., that it is a 
commercial item or COTS item), nor by the small size of the purchase 
(i.e., at or below the SAT). As a result, agencies may face increased 
exposure for violating the law and unknowingly acquiring a covered 
article absent coverage of these types of acquisitions by this rule.

IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is not a significant regulatory action and, therefore, was not 
subject to review under section 6(b) of E.O. 12866, Regulatory Planning 
and Review, dated September 30, 1993. This rule is not a major rule 
under 5 U.S.C. 804.

V. Executive Order 13771

    This rule is not subject to E.O. 13771, because this rule is not a 
significant regulatory action under E.O. 12866.

VI. Regulatory Flexibility Act

    A final Regulatory Flexibility Analysis (FRFA) consistent with the 
Regulatory Flexibility Act, 5 U.S.C. 601, et seq. was prepared. The 
FRFA is summarized below.

    This final rule implements section 1634 of Division A of the 
National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018 
(Pub. L. 115-91). The objective of the rule is to prescribe 
appropriate policies and procedures to enable agencies to determine 
that they are not purchasing articles that section 1634 prohibits 
for use by the Government on or after October 1, 2018.
    There were no significant issues raised by the public in 
response to the Initial Regulatory Flexibility Analysis provided in 
the interim rule.
    The rule applies to all contractors and subcontractors, 
regardless of size. Data from the Federal Procurement Data System 
(FPDS) indicates that the Government awarded contracts to an average 
of 93,792 unique entities in FY 2017 and FY 2018, of which an 
average of 68,778 (73 percent) were small entities. It is estimated 
that reports will be submitted by 5 percent of contractors, or 3,439 
small entities.
    The rule requires contractors and subcontractors that are 
subject to the clause to report to the contracting officer, or for 
DoD, to the website listed in the clause, any discovery of a covered 
article during the course of contract performance.
    Because of the nature of the prohibition enacted by section 
1634, it is not possible to establish different compliance or 
reporting requirements or timetables that take into account the 
resources available to small entities or to exempt small entities 
from coverage of the rule, or any part thereof. DoD, GSA, and NASA 
were unable to identify any alternatives that would reduce the 
burden on small entities and still meet the objectives of section 
1634.

    Interested parties may obtain a copy of the FRFA from the 
Regulatory Secretariat Division. The Regulatory Secretariat Division 
has submitted a copy of the FRFA to the Chief Counsel for Advocacy of 
the Small Business Administration.

VII. Paperwork Reduction Act

    This rule contains information collection requirements that have 
been approved by the Office of Management and Budget under the 
Paperwork Reduction Act (44 U.S.C. chapter 35). This information 
collection requirement has been assigned OMB Control Number 9000-0197, 
entitled ``Use of Products and Services of Kaspersky Lab''.

List of Subjects in 48 CFR Parts 1, 4, 13, 39, and 52

    Government procurement.

William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of 
Acquisition Policy, Office of Government-wide Policy.

Interim Rule Adopted as Final Without Change

    Accordingly, the interim rule amending 48 CFR parts 1, 4, 13, 39, 
and 52 which was published in the Federal Register at 83 FR 28141 on 
June 15, 2018, is adopted as a final rule without change.

[FR Doc. 2019-19360 Filed 9-9-19; 8:45 am]
 BILLING CODE 6820-EP-P