Federal Acquisition Regulation: Implementation of Federal Acquisition Supply Chain Security Act (FASCSA) Orders, 69503-69517 [2023-21320]

Agencies

• DEPARTMENT OF DEFENSE
• General Services Administration
• National Aeronautics and Space Administration

[Federal Register Volume 88, Number 192 (Thursday, October 5, 2023)]
[Rules and Regulations]
[Pages 69503-69517]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-21320]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1, 4, 9, 13, 39, and 52

[FAC 2023-06; FAR Case 2020-011; Item I; Docket No. FAR-2020-0011, 
Sequence No. 1]
RIN 9000-AO13


Federal Acquisition Regulation: Implementation of Federal 
Acquisition Supply Chain Security Act (FASCSA) Orders

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Interim rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are issuing an interim rule amending the 
Federal Acquisition Regulation (FAR) to implement supply chain risk 
information sharing and exclusion or removal orders consistent with the 
Federal Acquisition Supply Chain Security Act of 2018 and a final rule 
issued by the Federal Acquisition Security Council.

DATES: 
    Effective date: December 4, 2023.
    Applicability: The FAR changes apply to solicitations issued on or 
after December 4, 2023 in accordance with FAR 1.108(d).
    For existing indefinite delivery contracts only, contracting 
officers shall modify them, in accordance with FAR 1.108(d), to include 
the FAR clause at 52.204-30, Federal Acquisition Supply Chain Security 
Act Orders-Prohibition (including any applicable alternate) within 6 
months of December 4, 2023, to apply to future orders. However, for 
Federal Supply Schedules, Governmentwide Acquisition Contracts, and 
Multi-Agency Contracts, if the FASCSA orders are going to be applied at 
the order level, then FAR clause 52.204-28 should be included instead, 
within 6 months of December 4, 2023.
    If exercising an option or modifying an existing contract or task 
or delivery order to extend the period of performance, contracting 
officers shall include the FAR clause at 52.204-30, Federal Acquisition 
Supply Chain Security Act Orders-Prohibition (including any applicable 
alternate). When exercising an option, agencies should consider 
modifying the existing contract to add the clause in a sufficient 
amount of time to both provide notice for exercising the option and to 
provide contractors with adequate time to comply with the clause.
    Comment date: Interested parties should submit written comments to 
the Regulatory Secretariat Division at the address shown below on or 
before December 4, 2023 to be considered in the formation of the final 
rule.

ADDRESSES: Submit comments in response to FAC 2023-06, FAR Case 2020-
011 to the Federal eRulemaking portal at https://www.regulations.gov by 
searching for ``FAR Case 2020-011''. Select the link ``Comment Now'' 
that corresponds with FAR Case 2020-011. Follow the instructions 
provided on the ``Comment Now'' screen. Please include your name, 
company name (if any), and ``FAR Case 2020-011'' on your attached 
document. If your comment cannot be submitted using https://www.regulations.gov, call or email the points of contact in the FOR 
FURTHER INFORMATION CONTACT section of this document for alternate 
instructions.
    Instructions: Please submit comments only and cite ``FAR Case 2020-
011'' in all correspondence related to this case. Comments received 
generally will be posted without change to https://www.regulations.gov, 
including any personal and/or business confidential information 
provided. Public comments may be submitted as an individual, as an 
organization, or anonymously (see frequently asked questions at https://www.regulations.gov/faq). To confirm receipt of your comment(s), 
please check https://www.regulations.gov, approximately two to three 
days after submission to verify posting.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Ms. Marissa Ryba, Procurement Analyst, at 314-586-1280 or by email at 
[email protected]. For information pertaining to status, publication 
schedules, or alternate instructions for submitting comments if https://www.regulations.gov cannot be used, contact the Regulatory Secretariat 
Division at 202-501-4755 or [email protected]. Please cite FAC 2023-06, 
FAR Case 2020-011.

SUPPLEMENTARY INFORMATION: 

I. Background

    This interim rule revises the FAR to implement section 202 of the 
Federal Acquisition Supply Chain Security Act of 2018 (Title II of the 
SECURE Technology Act, Pub. L. 115-390, Dec. 21, 2018), and a final 
rule issued by the Federal Acquisition Security Council (FASC) (August 
26, 2021, 86 FR 47581, effective September 27, 2021).
    Foreign adversaries are increasingly creating and exploiting 
vulnerabilities in information and communications technology to commit 
malicious cyber-enabled actions, including economic and industrial 
espionage against the United States and its citizens. Vulnerabilities 
may be introduced during any phase of the product or service life 
cycle, including: design, development and production, distribution, 
acquisition and deployment, maintenance, and disposal. These 
vulnerabilities can include the incorporation of malicious software, 
hardware, and counterfeit components; flawed product designs; and poor 
manufacturing processes and maintenance procedures.
    The U.S. Government's efforts to evaluate threats to and 
vulnerabilities in supply chains have historically been undertaken by 
individual or small groups of agencies to address specific supply chain 
security risks. Because of the scale of supply chain risks faced by 
Government agencies, and the need for better coordination among a 
broader group of agencies, there was an organized effort within the 
Executive

[[Page 69504]]

branch to support Congressional efforts in 2018 to pass new legislation 
to improve Executive branch coordination, supply chain information 
sharing, and actions to address supply chain risks.
    Title II of the SECURE Technology Act, also referred to as the 
Federal Acquisition Supply Chain Security Act of 2018, established the 
Federal Acquisition Security Council (FASC) and authorized it to 
perform a variety of functions, including making recommendations for 
orders that would require the removal of covered articles from 
executive agency information systems or the exclusion of sources or 
covered articles from executive agency procurement actions. The FASC is 
an Executive branch interagency council, which is chaired by a senior-
level official from the Office of Management and Budget (OMB). The FASC 
includes representatives from GSA; Department of Homeland Security 
(DHS); Office of the Director of National Intelligence; DoD; Department 
of Justice (DOJ); and Department of Commerce (Commerce).
    The FASC issued a final rule adding 41 CFR part 201-1, which 
implements the Federal Acquisition Supply Chain Security Act of 2018 
requirements. The FASC final rule establishes procedures that govern 
the operation of the FASC, the sharing of supply chain risk 
information, the exercise of its authorities to recommend issuance of 
orders requiring removal of covered articles from information systems 
(removal orders), and orders excluding sources or covered articles from 
future procurements (exclusion orders) that pose a risk to our nation's 
supply chain. This rule refers to both exclusion and removal orders as 
``FASCSA orders''.
    Under the FASC final rule, the FASC will evaluate sources and/or 
covered articles by addressing a common set of non-exclusive factors 
that are listed in the FASC final rule. Initiation of the process can 
begin either by referral of the FASC or any member of the FASC; upon 
the written request of any U.S. Government body; or based on 
information submitted to the FASC by any individual or non-Federal 
entity that the FASC determines to be credible.
    The FASC will conduct appropriate due diligence regarding the 
information that it is considering. If the FASC does not find that 
recommending a removal or exclusion order is warranted, risk 
information received and analyzed by the FASC may be shared, as 
appropriate, in accordance with the FASC final rule. If the FASC 
decides to issue a recommendation, that recommendation will provide 
relevant information and analysis for the Secretary of Homeland 
Security, the Secretary of Defense, and/or the Director of National 
Intelligence (DNI), as appropriate, to consider when deciding whether 
to issue a FASCSA order.
    Executive agencies must share relevant supply chain risk 
information. DHS, acting primarily through the Cybersecurity and 
Infrastructure Security Agency (CISA), is the information sharing 
agency (ISA), which will share and disseminate information within the 
FASC, and other Federal and non-Federal entities, as appropriate.
    Collectively, the information sharing requirements and 
implementation of FASCSA orders will address risks in supply chains by 
reducing or removing threats and vulnerabilities that may lead to data 
and intellectual property theft, damage to critical infrastructure, 
harm to Federal information systems, and otherwise degrade our national 
security. This rule will also help make Government supply chains and 
information systems more resilient and less subject to disruptions that 
could impact Government operations.

II. Discussion and Analysis

A. Overview of Rule

    This interim rule implements within the FAR the requirements of the 
Federal Acquisition Supply Chain Security Act of 2018 and the Federal 
Acquisition Security Council (FASC) final rule for complying with 
exclusion or removal orders and sharing certain supply chain risk 
information. Once an order recommended by the FASC is issued by the 
Secretary of Homeland Security, the Secretary of Defense, and/or the 
Director of National Intelligence, affected Executive agencies are 
required to implement the order.
    As referred to in this rule, the term FASCSA order may refer to 
either an exclusion order or removal order. An exclusion order is 
applicable during the process for awarding a new contract or task or 
delivery order, as it excludes from the offered supplies or services 
any products or services subject to a FASCSA order. A removal order 
requires removal of any products or services from an executive agency 
information system subject to a FASCSA order. In some instances, a 
contracting officer may incorporate a contract term to require 
compliance with a FASCSA order issued after award via a modification 
that incorporates FAR clause 52.204-28, Federal Acquisition Supply 
Chain Security Act Orders-Federal Supply Schedules, Governmentwide 
Acquisition Contracts, and Multi-Agency Contracts, or FAR clause 
52.204-30, Federal Acquisition Supply Chain Security Act Orders-
Prohibition.
    As a result of this interim rule, contracting officers will now 
have established procedures to implement FASCSA orders in existing and 
new Federal contracts and to share relevant information on potential 
supply chain risk. These procedures reduce exploitations of 
vulnerabilities, in turn making the supply chain more resilient.
    Contractors and offerors will also play a key role in this process 
by remaining current on FASCSA orders identified in the solicitation 
and contract. When an offeror submits a new offer in response to a 
contract solicitation containing the new requirement, the offeror will 
represent, after conducting a reasonable inquiry, that the offeror does 
not propose to provide or use any prohibited covered articles or 
products or services subject to a FASCSA order. These measures are 
necessary to build resilience in Government supply chains. Further 
procedures allow an offeror to disclose where they cannot comply with a 
FASCSA order. The purpose for this disclosure is so that the Government 
may decide whether to pursue a waiver.
    Throughout contract performance, contractors will be required to 
report to the contracting officer once they become aware that a covered 
article or product or service subject to a FASCSA order has been 
delivered to the Government or used in performance of the contract. 
This reporting requirement applies not just to FASCSA orders 
incorporated into the contract, but also to new FASCSA orders issued 
after contract award or added to the contract through modification. 
Reporting this information to the contracting officer will provide the 
Government the needed information to assess the risk and make a 
determination on how to proceed.

B. Part 1 Updates

    The OMB control number for the new information collection required 
by this interim rule is being added to FAR 1.106.

C. Part 4 Updates

    A new FAR subpart 4.23 titled Federal Acquisition Security Council 
is being added to implement requirements for FASCSA orders and supply 
chain risk information sharing.
    FAR 4.2301 provides definitions in accordance with the FASC final 
rule.
    FAR 4.2302 requires the contracting officer to work with the 
cognizant program office or requiring activity in accordance with 
agency procedures to share relevant supply chain risk information with 
the FASC if there is a reasonable basis to conclude there exists

[[Page 69505]]

a substantial supply chain risk associated with a source or covered 
article.
    FAR 4.2303 identifies the requirements for Executive agencies to 
implement FASCSA orders when they are issued by the Secretary of 
Homeland Security, the Secretary of Defense, or the Director of 
National Intelligence. FASCSA orders for sources or covered articles 
will be searchable within the System for Award Management (SAM) to make 
it easier for contractors and Government to identify the products and 
services subject to a FASCSA order; however, in rare cases additional 
FASCSA orders, not identified in SAM, will be identified in the 
solicitation.
    If a covered article or the source is subject to a Governmentwide 
FASCSA order, this section directs Executive agencies responsible for 
management of the Federal Supply Schedules, Governmentwide acquisition 
contracts, and multi-agency contracts to remove the covered articles or 
sources identified in the FASCSA order from such contracts.
    FAR 4.2304 provides the procedures for a contracting officer to 
follow when completing the clause at FAR 52.204-30 identifying 
applicable FASCSA orders and when a solicitation or contract may be 
updated to incorporate additional FASCSA orders. In the rare case when 
a FASCSA order is identified outside of SAM, Executive agencies must 
follow agency procedures.
    Additional specific procedures are outlined for Federal Supply 
Schedules, Governmentwide acquisition contracts, multi-agency contracts 
or any other procurement instrument intended for use by multiple 
agencies. An agency awarding this type of vehicle may decide to apply 
FASCSA orders in the basic contract or the task order or delivery 
order.
    This section further provides the contracting officer with 
procedures to determine whether to pursue a waiver, how to identify a 
full or partial waiver in the solicitation, and who to work with when a 
contractor submits a report identifying covered articles or sources 
subject to a FASCSA order.
    FAR 4.2305 identifies the procedures for an agency to submit a 
waiver request that includes all necessary information for the official 
who issued the FASCSA order (issuing official) to review and evaluate 
the request, including alternative mitigations to the risks addressed 
by the order and the ability of an agency to fulfill its mission 
critical functions. Agencies may reasonably choose not to pursue a 
waiver and to make award to an offeror that does not require a waiver 
in accordance with the procedures at 4.2304.
    FAR 4.2306 prescribes new provision at FAR 52.204-29, Federal 
Acquisition Supply Chain Security Act Orders-Representation and 
Disclosures, and two new clauses, FAR 52.204-28, Federal Acquisition 
Supply Chain Security Act Orders-Federal Supply Schedules, 
Governmentwide Acquisition Contracts, and Multi-Agency Contracts, and 
FAR 52.204-30, Federal Acquisition Supply Chain Security Act Orders-
Prohibition.
    The terms ``covered article'' and ``covered entity'' in FAR 4.2001 
and the clause at FAR 52.204-23 are updated to ``Kaspersky Lab covered 
article'' and ``Kaspersky Lab covered entity'' to avoid confusion with 
the definition of a covered article excluded or removed under the 
authority of an issuing official. The definition of ``Kaspersky Lab 
covered entity'' was updated to reference the recently adopted name 
Kaspersky.

D. Part 9 Updates

    Clarification is added at FAR 9.400 that FASCSA orders are covered 
at FAR subpart 4.23. FAR subpart 9.4 covers debarment and suspension, 
and exclusions.

E. Part 13 Updates

    FAR 13.201 is updated to include the prohibition on covered 
articles and sources subject to a FASCSA order for micro-purchases.

F. Part 39 Updates

    The prohibition is being added to FAR 39.101 to ensure members of 
the acquisition workforce working on information technology 
procurements are aware of the prohibition.

G. Part 52 Updates

    In addition to the name changes discussed in Part 4, the clause at 
FAR 52.204-23 is updated to change the reporting time frame for the 
initial report from 1 business day to 3 business days to align with the 
reporting time frame at FAR 52.204-30(c)(4) and provide sufficient time 
for contractors to submit a report.
    The new provision at FAR 52.204-29, Federal Acquisition Supply 
Chain Security Act Orders-Representation and Disclosures, is added 
prohibiting contractors from providing any covered article, or any 
products or services produced or provided by a source, including 
contractor use of covered articles or sources, if the covered article 
or the source is subject to an applicable FASCSA order identified in 
the clause at FAR 52.204-30(b)(1). Contractors must search for FASCSA 
orders in SAM. To locate the FASCSA orders in SAM, contractors can 
search by entity information using the search term ``FASCSA order'' to 
locate all FASCSA orders or only those that apply to the solicitation. 
Details about the FASCSA orders will be in the additional comments 
field. FASCSA orders issued after the date of solicitation are not 
effective unless the solicitation is amended. In rare cases, a FASCSA 
order may be identified in the solicitation, and not in SAM.
    By submitting an offer, an offeror is representing that it has 
conducted a reasonable inquiry and is not providing any covered 
article, or any products or services subject to an applicable FASCSA 
order identified in the solicitation at FAR 52.204-30(b)(1). If an 
offeror cannot represent compliance with the prohibition, then the 
offeror must disclose this and provide the required information in 
accordance with 52.204-29(e). The Government will use this information 
to determine whether to seek a waiver or may choose to make an award to 
an offeror that does not require a waiver.
    The new clause at FAR 52.204-28, Federal Acquisition Supply Chain 
Security Act Orders-Federal Supply Schedules, Governmentwide 
Acquisition Contracts, and Multi-Agency Contracts, provides contractors 
with notice that FASCSA orders will be identified in the request for 
quote or in the notice of intent to place an order. Contractors will be 
able to identify applicable FASCSA orders in paragraph (b)(1) of FAR 
52.204-30, Federal Acquisition Supply Chain Security Act Orders-
Prohibition with its Alternate II. Contractors will also be required to 
remove from the basic contract any covered article or any product or 
service produced or provided by a source subject to a FASCSA order 
issued collectively by DHS, DoD, and DNI.
    The new clause at FAR 52.204-30, Federal Acquisition Supply Chain 
Security Act Orders-Prohibition, prohibits contractors from providing 
any covered article, or any products or services produced or provided 
by a source, if the covered article or the source is subject to an 
applicable FASCSA order identified in paragraph (b). In most cases, for 
solicitations and contracts awarded by DoD, DoD FASCSA orders will 
apply; and for all other solicitations and contracts, DHS FASCSA orders 
will apply. The clause, when used with its Alternate I, identifies a 
different construct for paragraph (b) allowing the contracting officer 
to select the applicable FASCSA orders (i.e. DoD FASCSA order, DHS

[[Page 69506]]

FASCSA order, DNI FASCSA order). The clause at FAR 52.204-30 also 
requires the contractor to review SAM at least once every three months 
or as advised by the contracting officer, and provide a report in the 
event the contractor identifies that a covered article, or product or 
service produced or provided by a source, that is subject to a FASCSA 
order, was provided to the Government or used during contract 
performance; or the contractor is notified of such by a subcontractor 
at any tier or by any other means. The clause, when used with its 
Alternate II is for Federal Supply Schedules, Governmentwide 
acquisition contracts and multi-agency contracts when FASCSA orders are 
applied at the order level.
    FAR 52.212-5, Contract Terms and Conditions Required to Implement 
Statutes or Executive Orders-Commercial Products and Commercial 
Services, FAR 52.213-4, Terms and Conditions-Simplified Acquisitions 
(Other Than Commercial Products and Commercial Services), and FAR 
52.244-6, Subcontracts for Commercial Products and Commercial Services 
are updated to add the requirements of FAR 52.204-30, Federal 
Acquisition Supply Chain Security Act Orders-Prohibition.

III. Specific Questions For Comment

    DoD, GSA, and NASA welcome input on the following questions 
regarding anticipated impact on affected parties.
     What additional information or guidance do you view as 
necessary to effectively comply with this interim rule?
     What challenges do you anticipate facing in effectively 
complying with this interim rule?

IV. Applicability to Contracts at or Below the Simplified Acquisition 
Threshold (SAT) and for Commercial Products, (Including Commercially 
Available Off-the-Shelf (COTS) Items), or for Commercial Services

    This interim rule adds a new contract clause at FAR 52.204-28, 
Federal Acquisition Supply Chain Security Act Orders-Federal Supply 
Schedules, Governmentwide Acquisition Contracts, and Multi-Agency 
Contracts. The clause is prescribed at FAR 4.2306(a) and is required in 
the basic solicitation and resultant contract for all Federal Supply 
Schedules, Governmentwide acquisition contracts, and multi-agency 
contracts when FASCSA orders are contemplated to be applied at the task 
or delivery order level. The clause will apply to acquisitions valued 
at or below the SAT; acquisitions of commercial products, including 
COTS items; and acquisition of commercial services.
    This interim rule adds a new provision at FAR 52.204-29, Federal 
Acquisition Supply Chain Security Act Orders-Representation and 
Disclosures. The provision is prescribed at FAR 4.2306(b) and is for 
use in all solicitations for contracts, except that for Federal Supply 
Schedules, Governmentwide acquisition contracts and multi-agency 
contracts the clause will be inserted in all solicitations for 
contracts if FASCSA orders apply at the contract level. The provision 
will apply to acquisitions valued at or below the SAT; acquisitions of 
commercial products, including COTS items; and acquisition of 
commercial services.
    This interim rule adds a new contract clause at FAR 52.204-30, 
Federal Acquisition Supply Chain Security Act Orders-Prohibition, 
including the clause with its Alternate I and Alternate II. The clause 
is prescribed at FAR 4.2306(c) for use in all solicitations and 
contracts, except that for Federal Supply Schedules, Governmentwide 
acquisition contracts, and multi-agency contracts where FASCSA orders 
are applied at the contract level, the clause must be used with its 
Alternate I in all solicitations and resultant contracts; or, if FASCSA 
orders are applied at the order level, the clause shall be used with 
its Alternate II in all requests for quotations, or in all notices of 
intent to place an order. The clause will apply to acquisitions valued 
at or below the SAT; acquisitions of commercial products, including 
COTS items; and acquisition of commercial services. The above provision 
and clauses are necessary to implement FASCSA orders authorized by the 
Federal Acquisition Supply Chain Security Act of 2018 and the Federal 
Acquisition Supply Chain Security Act final rule.

A. Applicability to Contracts at or Below the Simplified Acquisition 
Threshold

    41 U.S.C. 1905 governs the applicability of laws to acquisitions at 
or below the SAT. Section 1905 generally limits the applicability of 
new laws when agencies are making acquisitions at or below the SAT, but 
provides that such acquisitions will not be exempt from a provision of 
law under certain circumstances, including when the Federal Acquisition 
Regulatory Council (FAR Council) makes a written determination and 
finding that it would not be in the best interest of the Federal 
Government to exempt contracts and subcontracts in amounts not greater 
than the SAT from the provision of law. The FAR Council has made a 
determination to apply this statute to acquisitions at or below the 
SAT.

B. Applicability to Contracts for the Acquisition of Commercial 
Products and Commercial Services, Including Commercially Available Off-
the-Shelf (COTS) Items

    41 U.S.C. 1906 governs the applicability of laws to contracts for 
the acquisition of commercial products and commercial services and is 
intended to limit the applicability of laws to contracts for the 
acquisition of commercial products and commercial services. Section 
1906 provides that if the FAR Council makes a written determination 
that it is not in the best interest of the Federal Government to exempt 
commercial products and commercial services contracts the provision of 
law will apply to contracts for the acquisition of commercial products 
and commercial services.
    41 U.S.C. 1907 states that acquisitions of COTS items will be 
exempt from certain provisions of law unless the Administrator for 
Federal Procurement Policy makes a written determination and finds that 
it would not be in the best interest of the Federal Government to 
exempt contracts for the procurement of COTS items.
    The FAR Council has made a determination to apply this statute to 
acquisitions for commercial products and commercial services. The 
Administrator for Federal Procurement Policy has made a determination 
to apply this statute to acquisitions for COTS items.

C. Determinations

    While the law does not specifically address acquisitions at or 
below the SAT, or acquisitions of commercial products or commercial 
services, including COTS items, there is an unacceptable level of risk 
for the Government in buying products or services subject to a FASCSA 
order. This level of risk is not alleviated by the fact that the 
product or service being acquired has been sold or offered for sale to 
the general public, either in the same form or a modified form as sold 
to the Government (i.e., that it is a commercial product or commercial 
service or COTS item), nor by the small size of the purchase (i.e., at 
or below the SAT). As a result, agencies may face increased exposure 
for violating the law and unknowingly acquiring products or services 
subject to a FASCSA order absent coverage of these types of 
acquisitions by this interim rule.

[[Page 69507]]

V. Expected Impact of the Rule

    Foreign adversaries are increasingly creating and exploiting 
vulnerabilities in information and communications technology to commit 
malicious cyber-enabled attacks, including economic and industrial 
espionage against the United States and its citizens. Vulnerabilities 
may be introduced during any phase of the product or service life 
cycle: design, development and production, distribution, acquisition 
and deployment, maintenance, and disposal. These vulnerabilities can 
include the incorporation of malicious software, hardware, and 
counterfeit components; flawed product designs; and poor manufacturing 
processes and maintenance procedures.
    This rule helps mitigate these supply chain risks by ensuring 
agencies and contractors are implementing supply chain risk information 
sharing and FASCSA orders for covered articles as required by the FASC 
final rule.
    Information sharing by Federal agencies with the FASC will ensure 
that substantial supply chain risks are communicated with impacted 
parties across the Government so agencies can promptly address the 
risks. Implementation of FASCSA orders will ensure Federal agencies are 
not sourcing products or services determined to have a significant 
supply chain risk (i.e. subject to a FASCSA order).
    DoD, GSA, and NASA have performed a regulatory impact analysis 
(RIA) on this interim rule. The total estimated public costs associated 
with this FAR rule in millions of dollars calculated over a ten-year 
period (calculated at a 3-percent and 7-percent discount rate) are as 
follows:

------------------------------------------------------------------------
                                            3% Discount     7% Discount
             Estimated costs              rate (million)  rate (million)
------------------------------------------------------------------------
Present Value...........................            $745            $903
Annualized..............................             106             105
------------------------------------------------------------------------

    The following is a summary from the RIA of the specific compliance 
requirements and the estimated costs of compliance. The RIA includes a 
detailed discussion and explanation about the assumptions and 
methodology used to estimate the cost of this regulatory action, 
including the specific impact and costs for small businesses. It is 
available at https://www.regulations.gov (search for ``FAR Case 2020-
011'' click ``Open Docket,'' and view ``Supporting Documents'').
    The following is a summary of specific compliance requirements that 
are considered new for Federal offerors, contractors, and 
subcontractors (hereinafter collectively referred to as 
``contractors''), as applicable:

 Regulatory familiarization
 Review the System for Award Management (SAM) for FASCSA orders
 Submission of disclosure information
 Review SAM for covered articles/sources subject to a FASCSA 
order
 Review of supply chain for covered articles/source subject to 
FASCSA orders
 Submit reporting information identifying covered articles/
sources subject to FASCSA orders

    Note, at this time no issuing official has issued any FASCSA 
orders; therefore, the assumptions made below are based on other 
similar cases where a contractor must review their supply chain and 
provide alternative sources.

Regulatory Familiarization

    It is expected that all contractors will be required to become 
familiar with these new compliance requirements in the FAR and will be 
required to update policies and procedures to ensure compliance with 
FASCSA orders and train their contracts, program, and supply chain 
personnel on the requirements. While this is a new requirement, 
restrictions on particular sources or articles are not new to the FAR. 
This should reduce the impact on contractors from having to establish 
entirely new processes and procedures, but rather update current ones 
to add covered articles subject to new FASCSA orders, or any products 
or services produced or provided by an excluded source. Regulatory 
familiarization is only expected to have a regulatory impact during the 
first year of implementation.

Review the System for Award Management (SAM) for FASCSA Orders

    In accordance with 52.204-29, offerors must search SAM for any 
covered articles, or any products or services produced or provided by a 
source subject to a FASCSA order, as identified in the solicitation.
    All offerors will need to review SAM for any applicable FASCSA 
orders using the search term ``FASCSA order''. Offerors and contractors 
are familiar with SAM and searching for other exclusions such as 
telecommunications equipment and services established under Section 889 
of the John S. McCain National Defense Authorization Act for Fiscal 
Year 2019, Public Law 115-232. The frequency of which an offeror will 
search SAM will likely be based on the number of contracts and orders 
that they manage. Some offerors may choose to regularly review SAM for 
new FASCSA orders on a corporate level and notify applicable personnel 
when a new order is issued, while others may choose to review SAM with 
each proposal, likely at least once when the solicitation comes out and 
once prior to submitting the proposal to ensure compliance with the 
representation before submission. The frequency with which offerors 
review SAM will also be based on the number and frequency that FASCSA 
orders are issued; however at this time no FASCSA orders have been 
issued.

Submission of Disclosure Information

    Once the offeror reviews SAM, they must identify if they cannot 
represent compliance and intend to propose any covered article or any 
products or services produced or provided by a source subject to a 
FASCSA order, in response to the solicitation. If the offeror 
identifies such items, they must disclose the following information to 
the Government:
    (1) Name of the product or service provided to the Government;
    (2) Name of the covered article or source subject to a FASCSA 
order;
    (3) If applicable, name of the vendor, including the Commercial and 
Government Entity code and unique entity identifier (if known), that 
supplied the covered article or the product or service to the Offeror;
    (4) Brand;
    (5) Model number (original equipment manufacturer number, 
manufacturer part number, or wholesaler number);
    (6) Item description;
    (7) Reason why the applicable covered article or the product or 
service is being provided or used.
    Depending on the issuing agency, FASCSA orders will only affect 
some companies and some contracts.

[[Page 69508]]

Reviewing SAM for Excluded Articles/Sources

    In accordance with FAR 52.204-30, contractors must review SAM, at 
least once every three months or as advised by the contracting officer, 
for any covered articles, or any products or services produced or 
provided by a source subject to a FASCSA order issued after the date of 
solicitation. The need to review SAM can also be completed when 
contractors review SAM as part of their normal business dealings 
including this rule, which requires review during the solicitation 
phase. Therefore, the cost impact is already accounted for in this 
rule; however, the cost impact of submitting a report once a new FASCSA 
order is identified is accounted for separately below.

Review of Supply Chain for Covered Articles/Source for FASCSA Orders

    In accordance with FAR 52.204-30, when a contractor identifies that 
a covered article or product or service produced or provided by a 
source is subject to a new FASCSA order, contractors will have to 
evaluate their supply chain to determine whether it was provided to the 
Government or used during contract performance.

Submit Reporting Information Identifying Excluded Articles/Sources

    In accordance with paragraph (c) of FAR 52.204-30, when a 
contractor identifies that a covered article or product or service 
produced or provided by a source is subject to a new FASCSA order and 
was provided to the Government or used during contract performance, 
then the contractor must notify the Government within 3 business days 
and provide the following information:

 Contract number
 Order number(s), if applicable
 Name of the product or service provided to the Government or 
used during contract performance
 Name of the covered article or source subject to a FASCSA 
order
 If applicable, name of the vendor, including the Commercial 
and Government Entity code and unique entity identifier (if known), 
that supplied the covered article or the product or service to the 
Contractor
 Brand
 Model number (original equipment manufacturer number, 
manufacturer part number, or wholesaler number)
 Item description
 Any readily available information about mitigation actions 
undertaken or recommended.

    Within 10 business days of submitting the previous information, the 
contractor must provide information on mitigation actions taken and 
actions taken to prevent future submissions of or use of covered 
articles or sources.

VI. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This rule is a significant regulatory action and, therefore was subject 
to review under Section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993.

VII. Congressional Review Act

    As required by the Congressional Review Act (5 U.S.C. 801-808), 
DoD, GSA, and NASA will send the rule and the ``Submission of Federal 
Rules Under the Congressional Review Act'' form to each House of the 
Congress and to the Comptroller General of the United States. A rule 
that qualifies under the definition in 5 U.S.C. 804(2) cannot take 
effect until 60 days after it is published in the Federal Register. The 
Office of Information and Regulatory Affairs (OIRA) in the Office of 
Management and Budget has determined that this rule qualifies under the 
definition in 5 U.S.C. 804(2).

VIII. Regulatory Flexibility Act

    DoD, GSA, and NASA expect that this rule may have a significant 
economic impact on a substantial number of small entities within the 
meaning of the Regulatory Flexibility Act, 5 U.S.C. 601-612. An Initial 
Regulatory Flexibility Analysis (IRFA) has been performed, and is 
summarized as follows:

    DoD, GSA, and NASA are issuing an interim rule amending the FAR 
to implement supply chain risk information sharing requirements and 
exclusion or removal orders consistent with the Federal Acquisition 
Supply Chain Security Act of 2018 and a final rule issued by the 
Federal Acquisition Security Council (FASC).
    The objective of this interim rule is to implement supply chain 
risk information sharing and FASCSA orders.
    The legal basis for the rule is the Federal Acquisition Supply 
Chain Security Act of 2018 (title II of the SECURE Technology Act, 
Pub. L. 115-390, Dec. 21, 2018), and the final rule issued by the 
Federal Acquisition Security Council (August 26, 2021, 86 FR 47581, 
effective September 27, 2021). Promulgation of the FAR is authorized 
by 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. chapter 137 
legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 20113.
    The interim rule will impact all small entities that are prime 
contractors and all small entities that are subcontractors. Data 
from the Federal Procurement Data System (FPDS) for fiscal years 
(FYs) 2019 through 2021 was used. On average per year the Government 
awards contracts and orders for supplies and services to 94,035 
unique contractors, of which approximately 65 percent or 61,797 are 
small businesses.
    This interim rule will require small entities to: (1) become 
familiar with the new regulatory requirements; (2) review the System 
for Award Management (SAM) for FASCSA orders; (3) submit disclosure 
information; (4) review SAM for excluded articles or sources; (5) 
review their supply chain for covered articles or sources prohibited 
by a FASCSA order; and (6) submit a report identifying if a 
prohibited article or source was delivered to the government in the 
performance of the contract.
    To comply with the new regulatory requirements, it is expected 
that all small entities, or 61,797 will need to become familiar with 
FASCSA orders. Additionally, this regulatory familiarization may 
also include updating policies and procedures to ensure compliance. 
However, exclusions are not new to the FAR making the impact less.
    Once a small entity intends to respond to a solicitation, they 
will need to review the solicitation to identify which FASCSA orders 
apply to the current solicitation and subsequent contract, and 
search SAM for more information on applicable FASCSA orders. It is 
estimated that all small entities, 61,797, will review SAM for 
FASCSA orders when responding to a solicitation.
    It is estimated that a small number of small entities, 10 
percent or 3,090, will not be able to represent compliance with the 
prohibition and therefore must disclose to the Government that they 
intend to propose a covered article or source prohibited by an 
applicable FASCSA order. Failure to comply with the prohibition 
poses risk for the contractor in not being awarded a contract if a 
waiver from the requirement is not obtained.
    Small entities will be required to review SAM for any covered 
articles or any products or services produced or provided by a 
source, including contractor use of covered articles or sources, 
subject to a FASCSA order during the performance of the contract. 
This is not expected to create any additional impact because small 
entities are already searching SAM as part of this rule when 
responding to a solicitation.
    When a new FASCSA order is issued, small entities may have to 
review their supply chain to determine whether a covered article or 
any products or services produced or provided by a source subject to 
a FASCSA order were used or provided to the Government during the 
performance of the contract. This is estimated to impact 
approximately half of small entities, 30,899

[[Page 69509]]

because not all FASCSA orders will apply to every contract or 
contractor.
    It is estimated that a very small subset of small entities, 3 
percent or 927, may identify a covered article or any products or 
services produced or provided by a source subject to a FASCSA order 
that were delivered during the performance of the contract, and be 
required to submit a report to the Government.
    The rule does not duplicate, overlap, or conflict with any other 
Federal rules.
    It was contemplated during the development of this rule to 
create a representation requirement in SAM for contractors to 
complete annually and then update on a solicitation-by-solicitation 
basis, if necessary. The current process reduces the impact by 
replacing the SAM representation with a representation by submission 
of the offer. There are no other available alternatives to the 
proposed rule to accomplish the desired objective of the statute.

    The Regulatory Secretariat Division has submitted a copy of the 
IRFA to the Chief Counsel for Advocacy of the Small Business 
Administration. A copy of the IRFA may be obtained from the Regulatory 
Secretariat Division. DoD, GSA, and NASA invite comments from small 
business concerns and other interested parties on the expected impact 
of this rule on small entities.
    DoD, GSA, and NASA will also consider comments from small entities 
concerning the existing regulations in subparts affected by the rule in 
accordance with 5 U.S.C. 610. Interested parties must submit such 
comments separately and should cite 5 U.S.C. 610 (FAR Case 2020-011), 
in correspondence.

IX. Paperwork Reduction Act

    The Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501-3521) 
applies. The rule contains information collection requirements. The PRA 
provides that an agency generally cannot conduct or sponsor a 
collection of information, and no person is required to respond to nor 
be subject to a penalty for failure to comply with a collection of 
information, unless that collection has obtained OMB approval and 
displays a currently valid OMB Control Number.
    DoD, GSA, and NASA are requesting emergency processing of the 
collection of information involved in this rule, consistent with 5 CFR 
1320.13. DoD, GSA, and NASA have determined the following conditions 
have been met:
    a. The collection of information is needed prior to the expiration 
of time periods normally associated with a routine submission for 
review under the provisions of the PRA, because agencies subject to the 
FAR would not have a mechanism to implement any FASCSA orders issued by 
the FASC.
    b. The collection of information is essential to the mission of the 
agencies to protect the Government supply chain from vulnerabilities 
posed by acquiring products or services that violate a FASCSA order 
issued under the authority of the Federal Acquisition Supply Chain 
Security Act of 2018 and the final rule issued by the FASC.
    c. Moreover, DoD, GSA, and NASA cannot comply with the normal 
clearance procedures because public harm is reasonably likely to result 
if current clearance procedures are followed. Authorizing collection of 
this information will ensure that agencies have a mechanism to 
implement FASCSA orders and address vulnerabilities in supply chains 
that can enable data and intellectual property theft, loss of 
confidence in integrity, or exploitation that causes system and network 
failure.
    DoD, GSA, and NASA will publish a separate 30-day notice in the 
Federal Register requesting public comment on the proposed emergency 
information collections contained within this rule under OMB Control 
Number 9000-0205, Implementation of Federal Acquisition Supply Chain 
Security Act (FASCSA) Orders.

Public Reporting Burden

    Public reporting burden for this collection of information is 
estimated to average 2 hours per response, including the time for 
reviewing instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
collection of information.
    The annual reporting burden is estimated as follows:
    Respondents: 6,113.
    Total Annual Responses: 6,113.
    Total Burden Hours: 12,226.

X. Determination To Issue an Interim Rule

    Pursuant to 41 U.S.C. 1707(d), a determination has been made under 
the authority of the Secretary of Defense, the Administrator of General 
Services, and the Administrator of the National Aeronautics and Space 
Administration that urgent and compelling reasons exist to promulgate 
this interim rule without prior opportunity for public comment. It is 
critical that the FAR is revised promptly to reflect the current 
requirements of the law, which prohibits the Federal Government from 
acquiring products or services that violate the prohibition of an 
exclusion or removal order issued pursuant to the Federal Acquisition 
Supply Chain Security Act (FASCSA) of 2018 and the final rule issued by 
the FASC.
    The Secretary of Homeland Security, the Secretary of Defense, and 
the Director of National Intelligence may issue a FASCSA order at any 
time. For this reason, this FAR rule must take effect without awaiting 
the delay associated with solicitation, review, and response to public 
comments to ensure agencies and contractors are able to promptly 
implement supply chain risk information sharing and FASCSA orders. If a 
FASCSA order is issued agencies are required to implement that order. 
In the absence of issuing this FAR rule immediately, agencies will be 
forced to issue individual agency policies and procedures including 
drafting contract provisions for inclusion in all agency contracts. Due 
to the complexity of this novel requirement, it has taken several years 
to draft and develop the framework of this FAR rule and involved many 
Government agencies in the process. Each agency would now be required 
to start this process over and develop their own agency policies and 
procedures, further delaying the implementation of FASCSA orders and 
likely resulting in inconsistent contract terms and implementation 
across multiple agencies and gaps in compliance.
    Failure to implement FASCSA orders uniformly across the Government 
would adversely impact national security making it critical to 
implement this FAR rule without delay. Vulnerabilities in supply chains 
for covered articles can enable data and intellectual property theft, 
loss of confidence in integrity, or exploitation to cause system and 
network failure. The cost to our nation comes not only in lost 
innovation, jobs, and economic advantage, but also in reduced military 
strength. Delaying implementation of this interim rule would increase 
national security risks to the Government posed by covered articles 
subject to a FASCSA order. Therefore, a Governmentwide FAR rule is the 
best tool available now to provide a consistent and reliable 
implementation across agencies.
    Consistent with the Congressional Review Act (CRA) (5 U.S.C. 801-
808), this rule will not take effect until 60 days after it is 
published in the Federal Register, allowing Congress time to review 
this interim rule. This short delay in the effective date is beneficial 
to both contracting agencies and industry to provide the necessary time 
to assess and prepare to implement the new requirements. Both 
contracting agencies and industry will need to develop and implement 
new policies and procedures, notify and train their workforce on the 
new requirements, and update contract writing systems to

[[Page 69510]]

incorporate the new provisions and clause. This 60-day delay associated 
with the CRA is significantly shorter than the delay associated with 
issuing a proposed rule, and thus avoids the risks associated with 
extended delay highlighted above.
    Pursuant to 41 U.S.C. 1707 and FAR 1.501-3(b), the Department of 
Defense, General Services Administration, and National Aeronautics and 
Space Administration will consider public comments received in response 
to this interim rule in the formation of the final rule.

List of Subjects in 48 CFR Parts 1, 4, 9, 13, 39, and 52

    Government procurement.

William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of 
Acquisition Policy, Office of Government-wide Policy.

    Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 4, 9, 13, 39, 
and 52 as set forth below:

0
1. The authority citation for 48 CFR parts 1, 4, 9, 13, 39, and 52 
continues to read as follows:

    Authority:  40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. 
chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 
20113.

PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM

0
2. In section 1.106, amend the table by adding in numerical order 
entries for 4.23, 52.204-29, and 52.204-30 to read as follows:


1.106  OMB approval under the Paperwork Reduction Act.

* * * * *

------------------------------------------------------------------------
                                                            OMB control
                       FAR segment                              No.
------------------------------------------------------------------------
 
                                * * * * *
4.23....................................................       9000-0205
 
                                * * * * *
52.204-29...............................................       9000-0205
52.204-30...............................................       9000-0205
 
                                * * * * *
------------------------------------------------------------------------

PART 4--ADMINISTRATIVE AND INFORMATION MATTERS

0
3. Revise section 4.2001 to read as follows:


4.2001  Definitions.

    As used in this subpart--
    Kaspersky Lab covered article means any hardware, software, or 
service that--
    (1) Is developed or provided by a Kaspersky Lab covered entity;
    (2) Includes any hardware, software, or service developed or 
provided in whole or in part by a Kaspersky Lab covered entity; or
    (3) Contains components using any hardware or software developed in 
whole or in part by a Kaspersky Lab covered entity.
    Kaspersky Lab covered entity means--
    (1) Kaspersky Lab;
    (2) Any successor entity to Kaspersky Lab, including any change in 
name, e.g., ``Kaspersky'';
    (3) Any entity that controls, is controlled by, or is under common 
control with Kaspersky Lab; or
    (4) Any entity of which Kaspersky Lab has a majority ownership.


4.2002  [Amended]

0
4. Amend section 4.2002 by removing from paragraphs (a) and (b) the 
word ``covered'' and adding ``Kaspersky Lab covered'' in its place.


4.2004  [Amended]

0
5. Amend section 4.2004 by removing ``Kaspersky Lab and Other Covered'' 
and adding ``Kaspersky Lab Covered'' in its place.

0
6. Add subpart 4.23 to read as follows:

Subpart 4.23--Federal Acquisition Security Council

Sec.
4.2300 Scope of subpart.
2301 Definitions.
4.2302 Sharing supply chain risk information.
4.2303 FASCSA orders.
4.2304 Procedures.
4.2305 Waivers.
4.2306 Solicitation provision and contract clauses.

Subpart 4.23--Federal Acquisition Security Council


4.2300  Scope of subpart.

    This subpart implements the Federal Acquisition Supply Chain 
Security Act of 2018 (title II of Pub. L. 115-390) and the Federal 
Acquisition Security Council (FASC) regulation at 41 CFR part 201-1. 
The authority provided in this subpart expires on December 31, 2033 
(see 41 U.S.C. 1328).


4.2301  Definitions.

    As used in this subpart--
    Covered article, as defined in 41 U.S.C. 4713(k), means--
    (1) Information technology, as defined in 40 U.S.C. 11101, 
including cloud computing services of all types;
    (2) Telecommunications equipment or telecommunications service, as 
those terms are defined in section 3 of the Communications Act of 1934 
(47 U.S.C. 153);
    (3) The processing of information on a Federal or non-Federal 
information system, subject to the requirements of the Controlled 
Unclassified Information program (see 32 CFR part 2002); or
    (4) Hardware, systems, devices, software, or services that include 
embedded or incidental information technology.
    FASCSA order means any of the following orders issued under the 
Federal Acquisition Supply Chain Security Act (FASCSA) requiring the 
removal of covered articles from executive agency information systems 
or the exclusion of one or more named sources or named covered articles 
from executive agency procurement actions, as described in 41 CFR 201-
1.303(d) and (e):
    (1) The Secretary of Homeland Security may issue FASCSA orders 
applicable to civilian agencies, to the extent not covered by paragraph 
(2) or (3) of this definition. This type of FASCSA order may be 
referred to as a Department of Homeland Security (DHS) FASCSA order.
    (2) The Secretary of Defense may issue FASCSA orders applicable to 
the Department of Defense (DoD) and national security systems other 
than sensitive compartmented information systems. This type of FASCSA 
order may be referred to as a DoD FASCSA order.
    (3) The Director of National Intelligence (DNI) may issue FASCSA 
orders applicable to the intelligence community and sensitive 
compartmented information systems, to the extent not covered by 
paragraph (2) of this definition. This type of FASCSA order may be 
referred to as a DNI FASCSA order.
    Federal Acquisition Security Council (FASC) means the Council 
established pursuant to 41 U.S.C. 1322(a).
    Intelligence community, as defined by 50 U.S.C. 3003(4), means the 
following--
    (1) The Office of the Director of National Intelligence;
    (2) The Central Intelligence Agency;
    (3) The National Security Agency;
    (4) The Defense Intelligence Agency;
    (5) The National Geospatial-Intelligence Agency;
    (6) The National Reconnaissance Office;
    (7) Other offices within the Department of Defense for the 
collection of specialized national intelligence through reconnaissance 
programs;
    (8) The intelligence elements of the Army, the Navy, the Air Force, 
the Marine Corps, the Coast Guard, the

[[Page 69511]]

Federal Bureau of Investigation, the Drug Enforcement Administration, 
and the Department of Energy;
    (9) The Bureau of Intelligence and Research of the Department of 
State;
    (10) The Office of Intelligence and Analysis of the Department of 
the Treasury;
    (11) The Office of Intelligence and Analysis of the Department of 
Homeland Security; or
    (12) Such other elements of any department or agency as may be 
designated by the President, or designated jointly by the Director of 
National Intelligence and the head of the department or agency 
concerned, as an element of the intelligence community.
    National security system, as defined in 44 U.S.C. 3552, means any 
information system (including any telecommunications system) used or 
operated by an agency or by a contractor of an agency, or other 
organization on behalf of an agency--
    (1) The function, operation, or use of which involves intelligence 
activities; involves cryptologic activities related to national 
security; involves command and control of military forces; involves 
equipment that is an integral part of a weapon or weapons system; or is 
critical to the direct fulfillment of military or intelligence 
missions, but does not include a system that is to be used for routine 
administrative and business applications (including payroll, finance, 
logistics, and personnel management applications); or
    (2) Is protected at all times by procedures established for 
information that have been specifically authorized under criteria 
established by an Executive order or an Act of Congress to be kept 
classified in the interest of national defense or foreign policy.
    Reasonable inquiry means an inquiry designed to uncover any 
information in the entity's possession about the identity of any 
covered articles, or any products or services produced or provided by a 
source. This applies when the covered article or the source is subject 
to an applicable FASCSA order. A reasonable inquiry excludes the need 
to include an internal or third-party audit.
    Sensitive compartmented information means classified information 
concerning or derived from intelligence sources, methods, or analytical 
processes, which is required to be handled within formal access control 
systems established by the Director of National Intelligence.
    Sensitive compartmented information system means a national 
security system authorized to process or store sensitive compartmented 
information.
    Source means a non-Federal supplier, or potential supplier, of 
products or services, at any tier.
    Supply chain risk, as defined in 41 U.S.C. 4713(k), means the risk 
that any person may sabotage, maliciously introduce unwanted 
functionality, extract data, or otherwise manipulate the design, 
integrity, manufacturing, production, distribution, installation, 
operation, maintenance, disposition, or retirement of covered articles 
so as to surveil, deny, disrupt, or otherwise manipulate the function, 
use, or operation of the covered articles or information stored or 
transmitted on the covered articles.
    Supply chain risk information includes, but is not limited to, 
information that describes or identifies:
    (1) Functionality and features of covered articles, including 
access to data and information system privileges;
    (2) The user environment where a covered article is used or 
installed;
    (3) The ability of a source to produce and deliver covered articles 
as expected;
    (4) Foreign control of, or influence over, a source or covered 
article (e.g., foreign ownership, personal and professional ties 
between a source and any foreign entity, legal regime of any foreign 
country in which a source is headquartered or conducts operations);
    (5) Implications to government mission(s) or assets, national 
security, homeland security, or critical functions associated with use 
of a covered source or covered article;
    (6) Vulnerability of Federal systems, programs, or facilities;
    (7) Market alternatives to the covered source;
    (8) Potential impact or harm caused by the possible loss, damage, 
or compromise of a product, material, or service to an organization's 
operations or mission; and
    (9) Likelihood of a potential impact or harm, or the exploitability 
of a system;
    (10) Security, authenticity, and integrity of covered articles and 
their supply and compilation chain;
    (11) Capacity to mitigate risks identified;
    (12) Factors that may reflect upon the reliability of other supply 
chain risk information; and
    (13) Any other considerations that would factor into an analysis of 
the security, integrity, resilience, quality, trustworthiness, or 
authenticity of covered articles or sources.


4.2302  Sharing supply chain risk information.

    (a) Executive agencies are required to share relevant supply chain 
risk information with the FASC if the executive agency has determined 
there is a reasonable basis to conclude a substantial supply chain risk 
associated with a source or covered article exists (see 41 CFR 201-
1.201).
    (b) In support of information sharing described in paragraph (a) of 
this section, the contracting officer shall work with the program 
office or requiring activity in accordance with agency procedures 
regarding the sharing of relevant information on actual or potential 
supply chain risk determined to exist during the procurement process.


4.2303  FASCSA orders.

    (a) Executive agencies are prohibited from procuring or obtaining, 
or extending or renewing a contract to procure or obtain, any covered 
article, or any products or services produced or provided by a source, 
including contractor use of covered articles or sources, if that 
prohibition is established by an applicable FASCSA order issued by the 
Director of National Intelligence, Secretary of Defense, or Secretary 
of Homeland Security (the ``issuing official'')(see 41 CFR 201-
1.304(a)).
    (b) If a covered article or the source is subject to an applicable 
Governmentwide FASCSA order issued collectively by the Director of 
National Intelligence, Secretary of Defense, and Secretary of Homeland 
Security, executive agencies responsible for management of the Federal 
Supply Schedules, Governmentwide acquisition contracts, and multi-
agency contracts shall facilitate implementation of a collective FASCSA 
order by removing the covered articles or sources identified in the 
FASCSA order from such contracts (see 41 CFR 201-1.303(g)).
    (c)(1) FASCSA orders regarding sources or covered articles will be 
found in the System for Award Management (SAM), by searching for the 
phrase ``FASCSA order''. SAM may be updated as new FASCSA orders are 
issued.
    (2) Some FASCSA orders will not be identified in SAM and will need 
to be identified in the solicitation to be effective for that 
acquisition. The requiring activity or program office will identify 
these FASCSA orders to the contracting officer (see 4.2304(d)).
    (3) The contracting officer shall work with the program office or 
requiring activity to identify which FASCSA orders apply to the 
acquisition.


4.2304  Procedures.

    (a) Identifying applicable FASCSA orders. The applicability of 
FASCSA orders to a particular acquisition depends on the contracting 
office's agency, the scope of the FASCSA order,

[[Page 69512]]

the funding, and whether the requirement involves certain types of 
information systems (see the definition of FASCSA order at 4.2301). The 
contracting officer shall coordinate with the program office or 
requiring activity to identify the FASCSA order(s) that apply to the 
acquisition as follows:
    (1) Unless the program office or requiring activity instructs the 
contracting officer otherwise, FASCSA orders apply as follows: 
contracts awarded by civilian agencies will be subject to DHS FASCSA 
orders, and contracts awarded by the Department of Defense will be 
subject to DoD FASCSA orders. See paragraph (b) of 52.204-30, Federal 
Acquisition Supply Chain Security Act Orders-Prohibition.
    (2) For acquisitions where the program office or the requiring 
activity instructs the contracting officer to select specific FASCSA 
orders, the contracting officer must select ``yes'' or ``no'' for each 
applicable type of FASCSA order (i.e., ``DHS FASCSA Order'' ``DoD 
FASCSA Order'' or ``DNI FASCSA Order''). See paragraph (b)(1) of 
52.204-30, Federal Acquisition Supply Chain Security Act Orders--
Prohibition, with its Alternate I.
    (b) Federal Supply Schedules, Governmentwide acquisition contracts, 
multi-agency contracts specific procedures--(1) Applying FASCSA orders. 
An agency awarding this type of contract may choose to apply FASCSA 
orders in accordance with agency policy as follows:
    (i) Application at the contract level. The agency awarding the 
basic contract may choose to apply FASCSA orders to the basic contract 
award. This is the preferred method, especially if small value orders 
or orders without a request for quotation (RFQ) are expected. Ordering 
activity contracting officers may use this contract vehicle without 
taking further steps to identify applicable FASCSA orders in the order. 
The contracting officer awarding the basic contract would select 
``yes'' for all FASCSA orders (i.e., ``DHS FASCSA Order'' ``DoD FASCSA 
Order'' and ``DNI FASCSA Order'') (see paragraph (b)(1) of 52.204-30, 
Federal Acquisition Supply Chain Security Act Orders--Prohibition, with 
its Alternate I). If the contracting officer becomes aware of a newly 
issued applicable FASCSA order, then the agency awarding the basic 
contract shall modify the basic contract to remove any covered article, 
or any products or services produced or provided by a source, 
prohibited by the newly issued FASCSA order.
    (ii) Application at the order level. The agency awarding the basic 
contract may choose to apply FASCSA orders at the order level, as 
implemented by the ordering activity contracting officer.
    (2) Collective FASCSA orders. If a new FASCSA order is issued 
collectively by the Secretary of Homeland Security, Secretary of 
Defense, and Director of National Intelligence, then the contracting 
officer shall modify the basic contract based upon the requirements of 
the order, removing any covered article, or any products or services 
produced or provided by a source (see 4.2303(b)).
    (3) Interagency acquisitions. For an interagency acquisition (see 
subpart 17.5) where the funding agency differs from the awarding 
agency, the funding agency shall determine the applicable FASCSA 
orders.
    (4) Inconsistencies. If any inconsistency is identified between the 
basic contract and the order, then the FASCSA orders identified in the 
order will take precedence.
    (c) Updating the solicitation or contract for new FASCSA orders. 
The contracting officer shall update a solicitation or contract if the 
program office or requiring activity determines it is necessary to:
    (1) Amend the solicitation to incorporate FASCSA orders in effect 
after the date the solicitation was issued but prior to contract award; 
or
    (2) Modify the contract to incorporate FASCSA orders issued after 
the date of contract award.
    (i) Any such modification should take place within a reasonable 
amount of time, but no later than 6 months from the determination of 
the program office or requiring activity.
    (ii) If the contract is not modified within the time specified in 
paragraph (c)(2)(i) of this section, then the contract file shall be 
documented providing rationale why the contract could not be modified 
within this timeframe.
    (d) Agency specific procedures. The contracting officer shall 
follow agency procedures for implementing FASCSA orders not identified 
in SAM (see 4.2303(c)(2)).
    (e) Disclosures. If an offeror provides a disclosure pursuant to 
paragraph (e) of 52.204-29, Federal Acquisition Supply Chain Security 
Act Orders--Representation and Disclosures, the contracting officer 
shall engage with the program office or requiring activity to determine 
whether to pursue a waiver, if available, in accordance with 4.2305 and 
agency procedures or not award to that offeror. For FASCSA orders 
handled at the order level, the disclosures language is found at 
paragraph (b)(5) of 52.204-30, Federal Acquisition Supply Chain 
Security Act Orders--Prohibition, with its Alternate II.
    (f) Waiver. An acquisition may be either fully or partially covered 
by a waiver. Partial waiver coverage occurs when only portions of the 
products or services being procured or provided by a source are covered 
by an applicable waiver. If the requiring activity notifies the 
contracting officer that the acquisition is partially covered by an 
approved individual waiver or class waiver under 4.2305, then the 
contracting officer shall work with the program office or requiring 
activity to identify in the solicitation, RFQ, or order, the covered 
articles or services produced by or provided by a source that are 
subject to the waiver (see 41 CFR 201-1.304(b)).
    (g) Reporting. If a contractor provides a report pursuant to 
paragraph (c) of 52.204-30, Federal Acquisition Supply Chain Security 
Act Orders--Prohibition, the contracting officer shall engage with the 
agency supply chain risk management program in accordance with agency 
procedures.


4.2305  Waivers.

    (a) An executive agency required to comply with a FASCSA order may 
submit a request that the order or some of its provisions not apply 
to--
    (1) The agency;
    (2) Specific actions of the agency or a specific class of 
acquisitions;
    (3) Actions of the agency for a period of time before compliance 
with the order is practicable; or
    (4) Other activities, as appropriate, that the requesting agency 
identifies.
    (b) A request for waiver shall be submitted by the executive agency 
in writing to the official that issued the order, unless other 
instructions for submission are provided by the applicable FASCSA 
order.
    (c) The request for waiver shall provide the following information 
for the issuing official to review and evaluate the request, 
including--
    (1) Identification of the applicable FASCSA order;
    (2) A description of the exception sought, including, if limited to 
only a portion of the order, a description of the order provisions from 
which an exception is sought;
    (3) The name or a description sufficient to identify the covered 
article or the product or service provided by a source that is subject 
to the order from which an exception is sought;
    (4) Compelling justification for why an exception should be 
granted, such as the impact of the order on the agency's ability to 
fulfill its mission-critical functions, or considerations related to

[[Page 69513]]

the national interest, including national security reviews, national 
security investigations, or national security agreements;
    (5) Any alternative mitigations to be undertaken to reduce the 
risks addressed by the FASCSA order; and
    (6) Any other information requested by the issuing official.
    (d) The contracting officer, in accordance with agency procedures 
and working with the program office or requiring activity, shall decide 
whether to pursue a waiver or to make award to an offeror that does not 
require a waiver in accordance with the procedures at 4.2304(f). If a 
waiver is being pursued, then the contracting officer may not make an 
award until written approval is obtained that the waiver has been 
granted.


4.2306  Solicitation provision and contract clauses.

    (a) In all Federal Supply Schedules, Governmentwide acquisition 
contracts, and multi-agency contracts where FASCSA orders are applied 
at the order level, the contracting officer shall insert the clause at 
52.204-28, Federal Acquisition Supply Chain Security Act Orders--
Federal Supply Schedules, Governmentwide Acquisition Contracts, and 
Multi-Agency Contracts, in the basic contract solicitation and 
resultant contract (see 4.2304(b)(1)(ii)).
    (b) The contracting officer shall insert the provision at 52.204-
29, Federal Acquisition Supply Chain Security Act Orders--
Representation and Disclosures--
    (1) In all solicitations, except for Federal Supply Schedules, 
Governmentwide acquisition contracts, and multi-agency contracts.
    (2) In all solicitations for Federal Supply Schedules, 
Governmentwide acquisition contracts, and multi-agency contracts, if 
FASCSA orders are applied at the contract level (see 4.2304(b)(1)(i)).
    (c) The contracting officer shall insert the clause at 52.204-30, 
Federal Acquisition Supply Chain Security Act Orders--Prohibition--
    (1) In solicitations and contracts if the conditions specified at 
4.2304(a)(1) apply, except for Federal Supply Schedules, Governmentwide 
acquisition contracts, and multi-agency contracts. For acquisitions 
where conditions specified at 4.2304(a)(2) apply, then the contracting 
officer shall use the clause with its Alternate I.
    (2) In Federal Supply Schedules, Governmentwide acquisition 
contracts, and multi-agency contracts--
    (i) Where FASCSA orders are applied at the contract level, with its 
Alternate I in all solicitations and resultant contracts. See 
4.2304(b)(1)(i).
    (ii) Where FASCSA orders are applied at the order level, with its 
Alternate II in all RFQs, or in all notices of intent to place an 
order. See 4.2304(b)(1)(ii).

PART 9--CONTRACTOR QUALIFICATIONS

0
7. Amend section 9.400 by adding paragraph (c) to read as follows:


9.400  Scope of subpart.

* * * * *
    (c) For Federal Acquisition Supply Chain Security Act (FASCSA) 
orders, see subpart 4.23.

PART 13--SIMPLIFIED ACQUISITION PROCEDURES

0
8. Amend section 13.201 by adding paragraph (l) to read as follows:


13.201  General.

* * * * *
    (l) Do not procure or obtain, or extend or renew a contract to 
procure or obtain, any covered article, or any products or services 
produced or provided by a source, including contractor use of covered 
articles or sources, if prohibited from doing so by an applicable 
Federal Acquisition Supply Chain Security Act (FASCSA) order issued by 
the Director of National Intelligence, Secretary of Defense, or 
Secretary of Homeland Security (see 4.2303).

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

0
9. Amend section 39.101 by adding paragraph (h) to read as follows:


39.101  Policy.

* * * * *
    (h) Executive agencies are prohibited from procuring or obtaining, 
or extending or renewing a contract to procure or obtain, any covered 
article, or any products or services produced or provided by a source, 
including contractor use of covered articles or sources, if prohibited 
from doing so by an applicable FASCSA order issued by the Director of 
National Intelligence, Secretary of Defense, or Secretary of Homeland 
Security (see 4.2303).

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
10. Amend section 52.204-23 by--
0
a. Revising the section heading, clause heading, and the date of the 
clause;
0
b. In paragraph (a):
0
i. Removing the definition ``Covered article'' and adding the 
definition of ``Kaspersky Lab covered article'' in its place; and
0
ii. Removing the definition ``Covered entity'' and adding the 
definition ``Kaspersky Lab covered entity'' in its place;
0
c. In paragraph (b) removing ``covered article'' wherever it appears 
and adding ``Kaspersky Lab covered article'' in its place, 
respectively;
0
d. Removing from the first sentence in paragraph (c)(1) ``identifies a 
covered article'' and adding ``identifies a Kaspersky Lab covered 
article'' in its place;
0
e. Removing from paragraph (c)(2)(i) ``1 business day'' and adding ``3 
business days'' in its place; and
0
f. Removing from paragraph (c)(2)(ii) ``covered article'' wherever it 
appears and adding ``Kaspersky Lab covered article'' in its place and 
removing from the end of the paragraph ``covered articles'' and adding 
``Kaspersky Lab covered articles'' in its place.
    The revisions and additions read as follows:


52.204-23  Prohibition on Contracting for Hardware, Software, and 
Services Developed or Provided by Kaspersky Lab Covered Entities.

* * * * *

Prohibition on Contracting for Hardware, Software, and Services 
Developed or Provided by Kaspersky Lab Covered Entities (DEC 2023)

    (a) * * *
    Kaspersky Lab covered article means any hardware, software, or 
service that--
    (1) Is developed or provided by a Kaspersky Lab covered entity;
    (2) Includes any hardware, software, or service developed or 
provided in whole or in part by a Kaspersky Lab covered entity; or
    (3) Contains components using any hardware or software developed 
in whole or in part by a Kaspersky Lab covered entity.
    Kaspersky Lab covered entity means--
    (1) Kaspersky Lab;
    (2) Any successor entity to Kaspersky Lab, including any change 
in name, e.g., ``Kaspersky'';
    (3) Any entity that controls, is controlled by, or is under 
common control with Kaspersky Lab; or
    (4) Any entity of which Kaspersky Lab has a majority ownership.
* * * * *

0
11. Add sections 52.204-28, 52.204-29, and 52.204-30 to read as 
follows:
Sec.
* * * * *
52.204-28 Federal Acquisition Supply Chain Security Act Orders--
Federal Supply Schedules, Governmentwide Acquisition Contracts, and 
Multi-Agency Contracts.
52.204-29 Federal Acquisition Supply Chain Security Act Orders--
Representation and Disclosures.

[[Page 69514]]

52.204-30 Federal Acquisition Supply Chain Security Act Orders--
Prohibition.
* * * * *


52.204-28  Federal Acquisition Supply Chain Security Act Orders--
Federal Supply Schedules, Governmentwide Acquisition Contracts, and 
Multi-Agency Contracts.

    As prescribed in 4.2306(a), insert the following clause:

Federal Acquisition Supply Chain Security Act Orders--Federal Supply 
Schedules, Governmentwide Acquisition Contracts, and Multi-Agency 
Contracts (DEC 2023)

    (a) Definitions. As used in this clause--
    Covered article, as defined in 41 U.S.C. 4713(k), means--
    (1) Information technology, as defined in 40 U.S.C. 11101, 
including cloud computing services of all types;
    (2) Telecommunications equipment or telecommunications service, 
as those terms are defined in section 3 of the Communications Act of 
1934 (47 U.S.C. 153);
    (3) The processing of information on a Federal or non-Federal 
information system, subject to the requirements of the Controlled 
Unclassified Information program (see 32 CFR part 2002); or
    (4) Hardware, systems, devices, software, or services that 
include embedded or incidental information technology.
    FASCSA order means any of the following orders issued under the 
Federal Acquisition Supply Chain Security Act (FASCSA) requiring the 
removal of covered articles from executive agency information 
systems or the exclusion of one or more named sources or named 
covered articles from executive agency procurement actions, as 
described in 41 CFR 201-1.303(d) and (e):
    (1) The Secretary of Homeland Security may issue FASCSA orders 
applicable to civilian agencies, to the extent not covered by 
paragraph (2) or (3) of this definition. This type of FASCSA order 
may be referred to as a Department of Homeland Security (DHS) FASCSA 
order.
    (2) The Secretary of Defense may issue FASCSA orders applicable 
to the Department of Defense (DoD) and national security systems 
other than sensitive compartmented information systems. This type of 
FASCSA order may be referred to as a DoD FASCSA order.
    (3) The Director of National Intelligence (DNI) may issue FASCSA 
orders applicable to the intelligence community and sensitive 
compartmented information systems, to the extent not covered by 
paragraph (2) of this definition. This type of FASCSA order may be 
referred to as a DNI FASCSA order.
    Intelligence community, as defined by 50 U.S.C. 3003(4), means 
the following--
    (1) The Office of the Director of National Intelligence;
    (2) The Central Intelligence Agency;
    (3) The National Security Agency;
    (4) The Defense Intelligence Agency;
    (5) The National Geospatial-Intelligence Agency;
    (6) The National Reconnaissance Office;
    (7) Other offices within the Department of Defense for the 
collection of specialized national intelligence through 
reconnaissance programs;
    (8) The intelligence elements of the Army, the Navy, the Air 
Force, the Marine Corps, the Coast Guard, the Federal Bureau of 
Investigation, the Drug Enforcement Administration, and the 
Department of Energy;
    (9) The Bureau of Intelligence and Research of the Department of 
State;
    (10) The Office of Intelligence and Analysis of the Department 
of the Treasury;
    (11) The Office of Intelligence and Analysis of the Department 
of Homeland Security; or
    (12) Such other elements of any department or agency as may be 
designated by the President, or designated jointly by the Director 
of National Intelligence and the head of the department or agency 
concerned, as an element of the intelligence community.
    National security system, as defined in 44 U.S.C. 3552, means 
any information system (including any telecommunications system) 
used or operated by an agency or by a contractor of an agency, or 
other organization on behalf of an agency--
    (1) The function, operation, or use of which involves 
intelligence activities; involves cryptologic activities related to 
national security; involves command and control of military forces; 
involves equipment that is an integral part of a weapon or weapons 
system; or is critical to the direct fulfillment of military or 
intelligence missions, but does not include a system that is to be 
used for routine administrative and business applications (including 
payroll, finance, logistics, and personnel management applications); 
or
    (2) Is protected at all times by procedures established for 
information that have been specifically authorized under criteria 
established by an Executive order or an Act of Congress to be kept 
classified in the interest of national defense or foreign policy.
    Sensitive compartmented information means classified information 
concerning or derived from intelligence sources, methods, or 
analytical processes, which is required to be handled within formal 
access control systems established by the Director of National 
Intelligence.
    Sensitive compartmented information system means a national 
security system authorized to process or store sensitive 
compartmented information.
    Source means a non-Federal supplier, or potential supplier, of 
products or services, at any tier.
    (b) Notice. During contract performance, the Contractor shall be 
required to comply with any of the following that apply: DHS FASCSA 
orders, DoD FASCSA orders, or DNI FASCSA orders. The applicable 
FASCSA order(s) will be identified in the request for quotation (see 
8.405-2), or in the notice of intent to place an order (see 
16.505(b)). FASCSA orders will be identified in paragraph (b)(1) of 
FAR 52.204-30, Federal Acquisition Supply Chain Security Act 
Orders--Prohibition, with its Alternate II.
    (c) Removal. Upon notification from the contracting officer, 
during the performance of the contract, the Contractor shall 
promptly make any necessary changes or modifications to remove any 
covered article or any product or service produced or provided by a 
source that is subject to an applicable Governmentwide FASCSA order 
(see FAR 4.2303(b)).


(End of clause)


52.204-29  Federal Acquisition Supply Chain Security Act Orders--
Representation and Disclosures.

    As prescribed in 4.2306(b), insert the following provision:

Federal Acquisition Supply Chain Security Act Orders--Representation 
and Disclosures (DEC 2023)

    (a) Definitions. As used in this provision, Covered article, 
FASCSA order, Intelligence community, National security system, 
Reasonable inquiry, Sensitive compartmented information, Sensitive 
compartmented information system, and Source have the meaning 
provided in the clause 52.204-30, Federal Acquisition Supply Chain 
Security Act Orders--Prohibition.
    (b) Prohibition. Contractors are prohibited from providing or 
using as part of the performance of the contract any covered 
article, or any products or services produced or provided by a 
source, if the prohibition is set out in an applicable Federal 
Acquisition Supply Chain Security Act (FASCSA) order, as described 
in paragraph (b)(1) of FAR 52.204-30, Federal Acquisition Supply 
Chain Security Act Orders--Prohibition.
    (c) Procedures. (1) The Offeror shall search for the phrase 
``FASCSA order'' in the System for Award Management (SAM)(https://www.sam.gov) for any covered article, or any products or services 
produced or provided by a source, if there is an applicable FASCSA 
order described in paragraph (b)(1) of FAR 52.204-30, Federal 
Acquisition Supply Chain Security Act Orders--Prohibition.
    (2) The Offeror shall review the solicitation for any FASCSA 
orders that are not in SAM, but are effective and do apply to the 
solicitation and resultant contract (see FAR 4.2303(c)(2)).
    (3) FASCSA orders issued after the date of solicitation do not 
apply unless added by an amendment to the solicitation.
    (d) Representation. By submission of this offer, the offeror 
represents that it has conducted a reasonable inquiry, and that the 
offeror does not propose to provide or use in response to this 
solicitation any covered article, or any products or services 
produced or provided by a source, if the covered article or the 
source is prohibited by an applicable FASCSA order in effect on the 
date the solicitation was issued, except as waived by the 
solicitation, or as disclosed in paragraph (e).
    (e) Disclosures. The purpose for this disclosure is so the 
Government may decide whether to issue a waiver. For any covered 
article, or any products or services produced or provided by a 
source, if the covered article or the source is subject to an 
applicable FASCSA order, and the Offeror is unable to represent 
compliance, then the Offeror shall provide the following information 
as part of the offer:

[[Page 69515]]

    (1) Name of the product or service provided to the Government;
    (2) Name of the covered article or source subject to a FASCSA 
order;
    (3) If applicable, name of the vendor, including the Commercial 
and Government Entity code and unique entity identifier (if known), 
that supplied the covered article or the product or service to the 
Offeror;
    (4) Brand;
    (5) Model number (original equipment manufacturer number, 
manufacturer part number, or wholesaler number);
    (6) Item description;
    (7) Reason why the applicable covered article or the product or 
service is being provided or used;
    (f) Executive agency review of disclosures. The contracting 
officer will review disclosures provided in paragraph (e) to 
determine if any waiver may be sought. A contracting officer may 
choose not to pursue a waiver for covered articles or sources 
otherwise subject to a FASCSA order and may instead make an award to 
an offeror that does not require a waiver.


(End of provision)


52.204-30  Federal Acquisition Supply Chain Security Act Orders--
Prohibition.

    As prescribed in 4.2306(c), insert the following clause:

Federal Acquisition Supply Chain Security Act Orders--Prohibition (DEC 
2023)

    (a) Definitions. As used in this clause--
    Covered article, as defined in 41 U.S.C. 4713(k), means--
    (1) Information technology, as defined in 40 U.S.C. 11101, 
including cloud computing services of all types;
    (2) Telecommunications equipment or telecommunications service, 
as those terms are defined in section 3 of the Communications Act of 
1934 (47 U.S.C. 153);
    (3) The processing of information on a Federal or non-Federal 
information system, subject to the requirements of the Controlled 
Unclassified Information program (see 32 CFR part 2002); or
    (4) Hardware, systems, devices, software, or services that 
include embedded or incidental information technology.
    FASCSA order means any of the following orders issued under the 
Federal Acquisition Supply Chain Security Act (FASCSA) requiring the 
removal of covered articles from executive agency information 
systems or the exclusion of one or more named sources or named 
covered articles from executive agency procurement actions, as 
described in 41 CFR 201-1.303(d) and (e):
    (1) The Secretary of Homeland Security may issue FASCSA orders 
applicable to civilian agencies, to the extent not covered by 
paragraph (2) or (3) of this definition. This type of FASCSA order 
may be referred to as a Department of Homeland Security (DHS) FASCSA 
order.
    (2) The Secretary of Defense may issue FASCSA orders applicable 
to the Department of Defense (DoD) and national security systems 
other than sensitive compartmented information systems. This type of 
FASCSA order may be referred to as a DoD FASCSA order.
    (3) The Director of National Intelligence (DNI) may issue FASCSA 
orders applicable to the intelligence community and sensitive 
compartmented information systems, to the extent not covered by 
paragraph (2) of this definition. This type of FASCSA order may be 
referred to as a DNI FASCSA order.
    Intelligence community, as defined by 50 U.S.C. 3003(4), means 
the following--
    (1) The Office of the Director of National Intelligence;
    (2) The Central Intelligence Agency;
    (3) The National Security Agency;
    (4) The Defense Intelligence Agency;
    (5) The National Geospatial-Intelligence Agency;
    (6) The National Reconnaissance Office;
    (7) Other offices within the Department of Defense for the 
collection of specialized national intelligence through 
reconnaissance programs;
    (8) The intelligence elements of the Army, the Navy, the Air 
Force, the Marine Corps, the Coast Guard, the Federal Bureau of 
Investigation, the Drug Enforcement Administration, and the 
Department of Energy;
    (9) The Bureau of Intelligence and Research of the Department of 
State;
    (10) The Office of Intelligence and Analysis of the Department 
of the Treasury;
    (11) The Office of Intelligence and Analysis of the Department 
of Homeland Security; or
    (12) Such other elements of any department or agency as may be 
designated by the President, or designated jointly by the Director 
of National Intelligence and the head of the department or agency 
concerned, as an element of the intelligence community.
    National security system, as defined in 44 U.S.C. 3552, means 
any information system (including any telecommunications system) 
used or operated by an agency or by a contractor of an agency, or 
other organization on behalf of an agency--
    (1) The function, operation, or use of which involves 
intelligence activities; involves cryptologic activities related to 
national security; involves command and control of military forces; 
involves equipment that is an integral part of a weapon or weapons 
system; or is critical to the direct fulfillment of military or 
intelligence missions, but does not include a system that is to be 
used for routine administrative and business applications (including 
payroll, finance, logistics, and personnel management applications); 
or
    (2) Is protected at all times by procedures established for 
information that have been specifically authorized under criteria 
established by an Executive order or an Act of Congress to be kept 
classified in the interest of national defense or foreign policy.
    Reasonable inquiry means an inquiry designed to uncover any 
information in the entity's possession about the identity of any 
covered articles, or any products or services produced or provided 
by a source. This applies when the covered article or the source is 
subject to an applicable FASCSA order. A reasonable inquiry excludes 
the need to include an internal or third-party audit.
    Sensitive compartmented information means classified information 
concerning or derived from intelligence sources, methods, or 
analytical processes, which is required to be handled within formal 
access control systems established by the Director of National 
Intelligence.
    Sensitive compartmented information system means a national 
security system authorized to process or store sensitive 
compartmented information.
    Source means a non-Federal supplier, or potential supplier, of 
products or services, at any tier.
    (b) Prohibition. (1) Unless an applicable waiver has been issued 
by the issuing official, Contractors shall not provide or use as 
part of the performance of the contract any covered article, or any 
products or services produced or provided by a source, if the 
covered article or the source is prohibited by an applicable FASCSA 
orders as follows:
    (i) For solicitations and contracts awarded by a Department of 
Defense contracting office, DoD FASCSA orders apply.
    (ii) For all other solicitations and contracts DHS FASCSA orders 
apply.
    (2) The Contractor shall search for the phrase ``FASCSA order'' 
in the System for Award Management (SAM) at https://www.sam.gov to 
locate applicable FASCSA orders identified in paragraph (b)(1).
    (3) The Government may identify in the solicitation additional 
FASCSA orders that are not in SAM, which are effective and apply to 
the solicitation and resultant contract.
    (4) A FASCSA order issued after the date of solicitation applies 
to this contract only if added by an amendment to the solicitation 
or modification to the contract (see FAR 4.2304(c)). However, see 
paragraph (c) of this clause.
    (5)(i) If the contractor wishes to ask for a waiver of the 
requirements of a new FASCSA order being applied through 
modification, then the Contractor shall disclose the following:
    (A) Name of the product or service provided to the Government;
    (B) Name of the covered article or source subject to a FASCSA 
order;
    (C) If applicable, name of the vendor, including the Commercial 
and Government Entity code and unique entity identifier (if known), 
that supplied or supplies the covered article or the product or 
service to the Offeror;
    (D) Brand;
    (E) Model number (original equipment manufacturer number, 
manufacturer part number, or wholesaler number);
    (F) Item description;
    (G) Reason why the applicable covered article or the product or 
service is being provided or used;
    (ii) Executive agency review of disclosures. The contracting 
officer will review disclosures provided in paragraph (b)(5)(i) to 
determine if any waiver is warranted. A contracting officer may 
choose not to pursue a waiver for covered articles or sources 
otherwise covered by a FASCSA order and to instead pursue other 
appropriate action.
    (c) Notice and reporting requirement. (1) During contract 
performance, the Contractor

[[Page 69516]]

shall review SAM.gov at least once every three months, or as advised 
by the Contracting Officer, to check for covered articles subject to 
FASCSA order(s), or for products or services produced by a source 
subject to FASCSA order(s) not currently identified under paragraph 
(b) of this clause.
    (2) If the Contractor identifies a new FASCSA order(s) that 
could impact their supply chain, then the Contractor shall conduct a 
reasonable inquiry to identify whether a covered article or product 
or service produced or provided by a source subject to the FASCSA 
order(s) was provided to the Government or used during contract 
performance.
    (3)(i) The Contractor shall submit a report to the contracting 
office as identified in paragraph (c)(3)(ii) of this clause, if the 
Contractor identifies, including through any notification by a 
subcontractor at any tier, that a covered article or product or 
service produced or provided by a source was provided to the 
Government or used during contract performance and is subject to a 
FASCSA order(s) identified in paragraph (b) of this clause, or a new 
FASCSA order identified in paragraph (c)(2) of this clause. For 
indefinite delivery contracts, the Contractor shall report to both 
the contracting office for the indefinite delivery contract and the 
contracting office for any affected order.
    (ii) If a report is required to be submitted to a contracting 
office under (c)(3)(i) of this clause, the Contractor shall submit 
the report as follows:
    (A) If a Department of Defense contracting office, the 
Contractor shall report to the website at https://dibnet.dod.mil.
    (B) For all other contracting offices, the Contractor shall 
report to the Contracting Officer.
    (4) The Contractor shall report the following information for 
each covered article or each product or service produced or provided 
by a source, where the covered article or source is subject to a 
FASCSA order, pursuant to paragraph (c)(3)(i) of this clause:
    (i) Within 3 business days from the date of such identification 
or notification:
    (A) Contract number;
    (B) Order number(s), if applicable;
    (C) Name of the product or service provided to the Government or 
used during performance of the contract;
    (D) Name of the covered article or source subject to a FASCSA 
order;
    (E) If applicable, name of the vendor, including the Commercial 
and Government Entity code and unique entity identifier (if known), 
that supplied the covered article or the product or service to the 
Contractor;
    (F) Brand;
    (G) Model number (original equipment manufacturer number, 
manufacturer part number, or wholesaler number);
    (H) Item description; and
    (I) Any readily available information about mitigation actions 
undertaken or recommended.
    (ii) Within 10 business days of submitting the information in 
paragraph (c)(4)(i) of this clause:
    (A) Any further available information about mitigation actions 
undertaken or recommended.
    (B) In addition, the Contractor shall describe the efforts it 
undertook to prevent submission or use of the covered article or the 
product or service produced or provided by a source subject to an 
applicable FASCSA order, and any additional efforts that will be 
incorporated to prevent future submission or use of the covered 
article or the product or service produced or provided by a source 
that is subject to an applicable FASCSA order.
    (d) Removal. For Federal Supply Schedules, Governmentwide 
acquisition contracts, multi-agency contracts or any other 
procurement instrument intended for use by multiple agencies, upon 
notification from the Contracting Officer, during the performance of 
the contract, the Contractor shall promptly make any necessary 
changes or modifications to remove any product or service produced 
or provided by a source that is subject to an applicable FASCSA 
order.
    (e) Subcontracts. (1) The Contractor shall insert the substance 
of this clause, including this paragraph (e) and excluding paragraph 
(c)(1) of this clause, in all subcontracts and other contractual 
instruments, including subcontracts for the acquisition of 
commercial products and commercial services.
    (2) The Government may identify in the solicitation additional 
FASCSA orders that are not in SAM, which are effective and apply to 
the contract and any subcontracts and other contractual instruments 
under the contract. The Contractor or higher-tier subcontractor 
shall notify their subcontractors, and suppliers under other 
contractual instruments, that the FASCSA orders in the solicitation 
that are not in SAM apply to the contract and all subcontracts.
    Alternate I (DEC 2023). As prescribed in 4.2306(c), substitute 
the following paragraph (b)(1) for paragraph (b)(1) of the basic 
clause:
    (b) Prohibition. (1) Contractors are prohibited from providing 
or using as part of the performance of the contract any covered 
article, or any products or services produced or provided by a 
source, if the covered article or the source is prohibited by any 
applicable FASCSA orders identified by the checkbox(es) in this 
paragraph (b)(1).

[Contracting Officer must select either ``yes'' or ``no'' for each 
of the following types of FASCSA orders:]
    Yes [ballot] No [ballot] DHS FASCSA Order
    Yes [ballot] No [ballot] DoD FASCSA Order
    Yes [ballot] No [ballot] DNI FASCSA Order

    Alternate II (DEC 2023). As prescribed in 4.2306(c)(2)(ii), 
substitute the following paragraph (b) in place of paragraph (b) of 
the basic clause. This clause applies to each order as identified by 
the Contracting Officer.
    (b) Prohibition. (1) Contractors are prohibited from providing 
or using as part of the performance of the contract any covered 
article, or any products or services produced or provided by a 
source, if the covered article or the source is prohibited by any 
applicable FASCSA orders identified by the checkbox(es) in this 
paragraph (b)(1).

[Contracting Officer must select either ``yes'' or ``no'' for each 
of the following types of FASCSA orders:]
    Yes [ballot] No [ballot] DHS FASCSA order
    Yes [ballot] No [ballot] DoD FASCSA order
    Yes [ballot] No [ballot] DNI FASCSA order

    (2) The Contractor shall search for the phrase ``FASCSA order'' 
in the System for Award Management (SAM) at https://www.sam.gov to 
locate applicable FASCSA orders identified in paragraph (b)(1) of 
this clause.
    (3) The Government may identify in the request for quotation 
(RFQ) or in the notice of intent to place an order additional FASCSA 
orders that are not in SAM, but are effective and apply to the 
order.
    (4) A FASCSA order issued after the date of the RFQ or the 
notice of intent to place an order applies to this contract only if 
added by an amendment to the RFQ or in the notice of intent to place 
an order or added by modification to the order (see FAR 4.2304(c)). 
However, see paragraph (c) of this clause.
    (5)(i) If the contractor wishes to ask for a waiver, the 
Contractor shall disclose the following:
    (A) Name of the product or service provided to the Government;
    (B) Name of the covered article or source subject to a FASCSA 
order;
    (C) If applicable, name of the vendor, including the Commercial 
and Government Entity code and unique entity identifier (if known), 
that supplied the covered article or the product or service to the 
Offeror;
    (D) Brand;
    (E) Model number (original equipment manufacturer number, 
manufacturer part number, or wholesaler number);
    (F) Item description;
    (G) Reason why the applicable covered article or the product or 
service is being provided or used;
    (ii) Executive agency review of disclosures. The contracting 
officer will review disclosures provided in paragraph (b)(5)(i) of 
this clause to determine if any waiver may be sought. A contracting 
officer may choose not to pursue a waiver for covered articles or 
sources otherwise covered by a FASCSA order and may instead make 
award to an offeror that does not require a waiver.


(End of clause)
0
12. Amend section 52.212-5 by--
0
a. Revising the date of the clause;
0
b. Removing from paragraph (a)(2) ``Lab and Other Covered Entities (NOV 
2021)'' and adding ``Lab Covered Entities (DEC 2023)'' in its place;
0
c. Redesignating paragraphs (b)(9) through (64) as paragraphs (b)(11) 
through (66) and adding new paragraphs (b)(9) and (10);
0
d. Removing from paragraph (e)(1)(iii) ``Lab and Other Covered Entities 
(NOV 2021)'' and adding ``Lab Covered Entities (DEC 2023)'' in its 
place;
0
e. Redesignating paragraphs (e)(1)(vi) through (xxiv) as paragraphs 
(e)(1)(vii) through (xxv) and adding a new paragraph (e)(1)(vi); and
0
f. In Alternate II--

[[Page 69517]]

0
i. Revising the date of the alternate;
0
ii. Removing from paragraph (e)(1)(ii)(C) ``Lab and Other Covered 
Entities (NOV 2021)'' and adding ``Lab Covered Entities (DEC 2023)'' in 
its place; and
0
iii. Redesignating paragraphs (e)(1)(ii)(F) through (W) as paragraphs 
(e)(1)(ii)(G) through (X) and adding a new paragraph (e)(1)(ii)(F).
    The revisions and additions read as follows:


52.212-5  Contract Terms and Conditions Required To Implement Statutes 
or Executive Orders--Commercial Products and Commercial Services.

* * * * *

Contract Terms and Conditions Required To Implement Statutes or 
Executive Orders--Commercial Products and Commercial Services (DEC 
2023)

    (b) * * *
    __(9) 52.204-28, Federal Acquisition Supply Chain Security Act 
Orders--Federal Supply Schedules, Governmentwide Acquisition 
Contracts, and Multi-Agency Contracts. (DEC 2023) (Pub. L. 115-390, 
title II).
    __(10)(i) 52.204-30, Federal Acquisition Supply Chain Security 
Act Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
    __(ii) Alternate I (DEC 2023) of 52.204-30.
* * * * *
    (e)(1) * * *
    (vi)(A) 52.204-30, Federal Acquisition Supply Chain Security Act 
Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
    (B) Alternate I (DEC 2023) of 52.204-30.
* * * * *
    Alternate II. (DEC 2023) * * *
    (e)(1) * * *
    (ii) * * *
    (F)(1) 52.204-30, Federal Acquisition Supply Chain Security Act 
Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
    (2) Alternate I (DEC 2023) of 52.204-30.
* * * * *

0
13. Amend section 52.213-4 by--
0
a. Revising the date of the clause;
0
b. Removing from paragraph (a)(1)(ii) ``Lab and Other Covered Entities 
(NOV 2021)'' and adding ``Lab Covered Entities (DEC 2023)'' in its 
place;
0
c. Redesignating paragraphs (a)(1)(v) through (xi) as paragraphs 
(a)(1)(vi) through (xii) and adding a new paragraph (a)(1)(v); and
0
d. Removing from paragraph (a)(2)(vii) ``(SEP 2023)'' and adding ``(DEC 
2023)'' in its place.
    The revision and addition read as follows:


52.213-4  Terms and Conditions-Simplified Acquisitions (Other Than 
Commercial Products and Commercial Services).

* * * * *

Terms and Conditions-Simplified Acquisitions (Other Than Commercial 
Products and Commercial Services) (DEC 2023)

* * * * *
    (a) * * *
    (1) * * *
    (v) 52.204-30, Federal Acquisition Supply Chain Security Act 
Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
* * * * *

0
14. Amend section 52.244-6 by--
0
a. Revising the date of the clause;
0
b. Removing from paragraph (c)(1)(v) ``Lab and Other Covered Entities 
(NOV 2021)'' and adding ``Lab Covered Entities (Dec 2023) in its place; 
and
0
c. Redesignating paragraphs (c)(1)(viii) through (xxi) as paragraphs 
(c)(1)(ix) through (xxii) and adding a new paragraph (c)(1)(viii) in 
its place.
    The revision and addition read as follows:


52.244-6  Subcontracts for Commercial Products and Commercial Services.

* * * * *

Subcontracts for Commercial Products and Commercial Services (DEC 2023)

* * * * *
    (c)(1) * * *
    (viii)(A) 52.204-30, Federal Acquisition Supply Chain Security 
Act Orders--Prohibition. (DEC 2023) (Pub. L. 115-390, title II).
    (B) Alternate I (DEC 2023) of 52.204-30.
* * * * *
[FR Doc. 2023-21320 Filed 10-4-23; 8:45 am]
BILLING CODE 6820-14-P