Federal Acquisition Regulation: FAR Part 40, Information Security and Supply Chain Security; Request for Information, 25268-25269 [2024-07535]
[Federal Register Volume 89, Number 70 (Wednesday, April 10, 2024)]
[Notices]
[Pages 25268-25269]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-07535]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
[Docket No. 2024-0054; Sequence No. 1]
Federal Acquisition Regulation: FAR Part 40, Information Security
and Supply Chain Security; Request for Information
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Notice of request for information (RFI).
-----------------------------------------------------------------------
SUMMARY: DoD, GSA, and NASA recently established Federal Acquisition
Regulation (FAR) part 40, Information Security and Supply Chain
Security. The intent of this RFI is to solicit feedback from the
general public on the scope and organization of FAR part 40.
DATES: Interested parties should submit written comments to the
Regulatory Secretariat Division at the address shown below on or before
June 10, 2024 to be considered in the formation of the changes to FAR
part 40.
ADDRESSES: Submit comments in response to this RFI to the Federal
eRulemaking portal at https://www.regulations.gov by searching for
``RFI FAR part 40''. Select the link ``Comment Now'' that corresponds
with ``RFI FAR part 40''. Follow the instructions provided on the
``Comment Now'' screen. Please include your name, company name (if
any), and ``RFI FAR part 40'' on your attached document. If your
comment cannot be submitted using https://www.regulations.gov, call or
email the points of contact in the FOR FURTHER INFORMATION CONTACT
section of this document for alternate instructions.
Instructions: Response to this RFI is voluntary. Respondents may
answer as many or as few questions as they wish. Each individual or
entity is requested to submit only one response to this RFI. Please
identify your answers by responding to a specific question or topic if
possible. Please submit responses only and cite ``RFI FAR part 40'' in
all correspondence related to this RFI. Comments received generally
will be posted without change to https://www.regulations.gov, including
any personal and/or business confidential information provided. Public
comments may be submitted as an individual, as an organization, or
anonymously (see frequently asked questions at
https://www.regulations.gov/faq). To confirm receipt of your comment(s),
please check https://www.regulations.gov, approximately two-to-three days
after submission to verify posting.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Ms. Malissa Jones, Procurement Analyst, at 571-882-4687 or by email at
malissa.jones@gsa.gov. For information pertaining to status,
publication schedules, or alternate instructions for submitting
comments if https://www.regulations.gov cannot be used, contact the
Regulatory Secretariat Division at 202-501-4755 or GSARegSec@gsa.gov.
Please cite FAR Case 2023-008.
SUPPLEMENTARY INFORMATION: The final FAR rule 2022-010, Establishing
FAR part 40, amended the FAR to establish a framework for a new
information security and supply chain security FAR part, FAR part 40.
The final rule does not implement any of the information security and
supply chain security policies or procedures; it simply established FAR
part 40. The final FAR rule was published in the Federal Register at 89
FR 22604, on April 1, 2024. Relocation of existing requirements and
placement of new requirements into FAR part 40 will be done through
separate rulemakings.
Currently, the policies and procedures for prohibitions,
exclusions, supply chain risk information sharing, and safeguarding
information that address security objectives are dispersed across
multiple parts of the FAR, which makes it difficult for the acquisition
workforce and the general public to understand and implement applicable
requirements. FAR part 40 will provide the acquisition team with a
single, consolidated location in the FAR that addresses their role in
implementing requirements related to managing information security and
supply chain security when acquiring products and services.
The new FAR part 40 provides a location to cover broad security
requirements that apply across acquisitions. These security
requirements include requirements designed to bolster national security
through the management of existing or potential adversary-based supply
chain risks across technological, intent-based, or economic means
(e.g., cybersecurity supply chain risks, foreign-based risks, emerging
technology risks).
The intent is to structure FAR part 40 based on the objectives of the
regulatory requirement (similar to how environmental objectives are
covered in FAR part 23, and labor objectives are addressed in FAR part
22). Security-related requirements that include and go beyond
information and communications technology (ICT) will be covered under
FAR part 40. An example of products and services that include and go
beyond ICT are cybersecurity supply chain risk management requirements
such as requirements related to section 889 of the John S. McCain
National Defense Authorization Act for Fiscal Year 2019 (Pub. L.
115-232). Security-related requirements that only apply to ICT acquisitions
will continue to be covered in FAR part 39. The test for whether
existing regulations would be in FAR part 40 would be based on the
following questions:
Question 1: Is the regulation or FAR case addressing security
objectives?
  - If yes, move to question 2.
  - If no, the regulation would be located in another part of the FAR.
Question 2: Is the scope of the requirements limited to ICT?
  - If yes, the regulation would be located in FAR part 39.
  - If no, the regulation would be located in FAR part 40.
The following are examples of the FAR subparts and regulations that
are under consideration and could potentially be located in, or
relocated to, FAR part 40:
Part 40--Information Security and Supply Chain Security
40.000 Scope of part.
  - General Policy Statements
  - Cross reference to updated FAR part 39 scoped to ICT
Subpart 40.1--Processing Supply Chain Risk Information
  - FAR 4.2302, sharing supply chain risk information
  - Cross reference to counterfeit and nonconforming parts (FAR 46.317)
  - Cross reference to cyber threat and incident reporting and
    information sharing (FAR case 2021-017)
Subpart 40.2--Security Prohibitions and Exclusions
  - FAR subpart 4.20, Prohibition on Contracting for Hardware,
    Software, and Services Developed or Provided by Kaspersky Lab
  - FAR subpart 4.21, Prohibition on Contracting for Certain
    Telecommunications and Video Surveillance Services or Equipment
  - FAR subpart 4.22, Prohibition on a ByteDance Covered Application,
    which covers the TikTok application, from FAR case 2023-010
  - Prohibition on Certain Semiconductor Products and Services
    (FAR case 2023-008)
  - FAR subpart 4.23, Federal Acquisition Security Council, except
    section 4.2302
  - Covered Procurement Action/agency specific exclusion orders
    (FAR case 2019-018)
  - FAR subpart 25.7, Prohibited Sources
  - Prohibition on Operation of Covered Unmanned Aircraft Systems
    from Covered Foreign Entities (FAR case 2024-002)
Subpart 40.3--Safeguarding Information
  - FAR subpart 4.4, Safeguarding Classified Information Within
    Industry
  - Controlled Unclassified Information (CUI) (FAR case 2017-016)
  - FAR subpart 4.19, Basic Safeguarding of Covered Contractor
    Information Systems
In this notice, DoD, GSA, and NASA are providing an opportunity for
members of the public to provide comments on the proposed scope of FAR
part 40. Feedback provided should support the goal of providing a
single location to cover broad security requirements that apply across
acquisitions. Providing the acquisition team with a single,
consolidated location in the FAR that addresses their role in
implementing requirements related to managing information security and
supply chain security when acquiring products and services will enable
the acquisition workforce to understand and implement applicable
requirements more easily.
DoD, GSA, and NASA seek responses to any or all the questions that
follow this paragraph. Where possible, include specific examples of how
your organization is or would be impacted negatively or positively by
the recommended scope and subparts; if applicable, provide rationale
supporting your position. If you believe the proposed scope and
subparts should be revised, suggest an alternative (which may include
not providing guidance at all) and include an explanation, analysis, or
both, of how the alternative might meet the same objective or be more
effective. Comments on the economic effects including quantitative and
qualitative data are especially helpful. In addition to the FAR parts
and subparts proposed for relocation to FAR part 40, let us know:
1. What specific section(s) of the FAR would benefit from inclusion
in FAR part 40?
2. What specific suggestions do you have for otherwise improving
the proposed scope or subparts of FAR part 40?
William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of
Acquisition Policy, Office of Government-wide Policy.
[FR Doc. 2024-07535 Filed 4-9-24; 8:45 am]
BILLING CODE 6820-EP-P