Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations (DFARS Case 2018-D064), 90254-90259 [2024-26058]
Download as PDF
90254
Federal Register / Vol. 89, No. 221 / Friday, November 15, 2024 / Proposed Rules
khammond on DSKJM1Z7X2PROD with PROPOSALS
be due to permanent and enforceable
measures. Therefore, the designation
status of the Washington Area will
remain nonattainment for the 2015 8hour ozone NAAQS until such time as
DC, MD, and VA submit a request for
redesignation pursuant to 107(d)(3) of
the CAA and the EPA determines that
the area meets the CAA requirements for
redesignation to attainment and takes
action to redesignate the area.
The EPA also proposes to take final
agency action on an exceptional events
request submitted by DC on March 20,
2024, and concurred on by the EPA on
July 17, 2024.
The EPA is soliciting public
comments on the issues discussed in
this document. These comments will be
considered before taking final action.
The EPA previously received comments
on the 2023 CDD Proposal (88 FR 6688,
February 1, 2023). In re-proposing the
CDD, the EPA will consider all
comments received on the 2023 CDD
Proposal as the Agency moves forward
with the current rulemaking.
Accordingly, commenters need not
submit duplicate comments on the
current proposal.24 However, the EPA
welcomes comments providing
additional information not previously
submitted to the Agency.
V. Statutory and Executive Order
Reviews
This rulemaking proposes to make an
attainment determination based on air
quality data and would, if finalized,
result in the suspension of certain
Federal requirements and would not
impose any additional requirements.
For that reason, this proposed action:
• Is not a ‘‘significant regulatory
action’’ subject to review by the Office
of Management and Budget under
Executive Orders 12866 (58 FR 51735,
October 4, 1993) and 13563 (76 FR 3821,
January 21, 2011);
• Does not impose an information
collection burden under the provisions
of the Paperwork Reduction Act (44
U.S.C. 3501 et seq.);
• Is certified as not having a
significant economic impact on a
substantial number of small entities
under the Regulatory Flexibility Act (5
U.S.C. 601 et seq.);
• Does not contain any unfunded
mandate or significantly or uniquely
affect small governments, as described
in the Unfunded Mandates Reform Act
of 1995 (Pub. L. 104–4);
• Does not have federalism
implications as specified in Executive
24 Comments received on the 2023 Proposal are
contained in the same docket as the current
proposal: Docket ID No. EPA–R03–OAR–2022–
0987.
VerDate Sep<11>2014
15:49 Nov 14, 2024
Jkt 265001
Order 13132 (64 FR 43255, August 10,
1999);
• Is not an economically significant
regulatory action based on health or
safety risks subject to Executive Order
13045 (62 FR 19885, April 23, 1997);
• Is not a significant regulatory action
subject to Executive Order 13211 (66 FR
28355, May 22, 2001); and
• Is not subject to requirements of
section 12(d) of the National
Technology Transfer and Advancement
Act of 1995 (15 U.S.C. 272 note) because
application of those requirements would
be inconsistent with the CAA.
Executive Order 12898 (Federal
Actions to Address Environmental
Justice in Minority Populations and
Low-Income Populations, 59 FR 7629,
February 16, 1994) directs Federal
agencies to identify and address
‘‘disproportionately high and adverse
human health or environmental effects’’
of their actions on minority populations
and low-income populations to the
greatest extent practicable and
permitted by law. The EPA defines
environmental justice (EJ) as ‘‘the fair
treatment and meaningful involvement
of all people regardless of race, color,
national origin, or income with respect
to the development, implementation,
and enforcement of environmental laws,
regulations, and policies.’’ The EPA
further defines the term fair treatment to
mean that ‘‘no group of people should
bear a disproportionate burden of
environmental harms and risks,
including those resulting from the
negative environmental consequences of
industrial, governmental, and
commercial operations or programs and
policies.’’
The EPA did not perform an EJ
analysis and did not consider EJ in this
action. Due to the nature of the action
being taken here, this action is expected
to have a neutral to positive impact on
the air quality of the affected area.
Consideration of EJ is not required as
part of this action, and there is no
information in the record inconsistent
with the stated goal of E.O. 12898 of
achieving environmental justice for
people of color, low-income population,
and Indigenous peoples.
In addition, this action for the
Washington Area does not have Tribal
implications as specified by Executive
Order 13175 (65 FR 67249, November 9,
2000), because this action is not
approved to apply in Indian country
located in the Washington Area, and the
EPA notes that it will not impose
substantial direct costs on Tribal
governments or preempt Tribal law.
PO 00000
Frm 00014
Fmt 4702
Sfmt 4702
List of Subjects in 40 CFR Part 52
Environmental protection, Air
pollution control, Incorporation by
reference, Ozone, Reporting and
recordkeeping requirements.
Adam Ortiz,
Regional Administrator, Region III.
[FR Doc. 2024–26423 Filed 11–14–24; 8:45 am]
BILLING CODE 6560–50–P
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations
System
48 CFR Parts 212, 213, 217, 239, and
252
[Docket DARS–2024–0034]
RIN 0750–AK23
Defense Federal Acquisition
Regulation Supplement: Disclosure of
Information Regarding Foreign
Obligations (DFARS Case 2018–D064)
Defense Acquisition
Regulations System, Department of
Defense (DoD).
ACTION: Proposed rule.
AGENCY:
DoD is proposing to amend
the Defense Federal Acquisition
Regulation Supplement (DFARS) to
implement a section of the National
Defense Authorization Act for Fiscal
Year 2019, which prohibits DoD from
acquiring products, services, or systems
relating to information or operational
technology, cybersecurity, industrial
control systems, or weapon systems
through a contract unless the offeror or
contractor provides disclosures related
to sharing source code and computer
code with foreign governments.
DATES: Comments on the proposed rule
should be submitted in writing to the
address shown below on or before
January 14, 2025, to be considered in
the formation of a final rule.
ADDRESSES: Submit comments
identified by DFARS Case 2018–D064,
using either of the following methods:
Æ Federal eRulemaking Portal:
https://www.regulations.gov. Search for
DFARS Case 2018–D064. Select
‘‘Comment’’ and follow the instructions
to submit a comment. Please include
‘‘DFARS Case 2018–D064’’ on any
attached documents.
Æ Email: osd.dfars@mail.mil. Include
DFARS Case 2018–D064 in the subject
line of the message.
Comments received generally will be
posted without change to https://
www.regulations.gov, including any
personal information provided. To
SUMMARY:
E:\FR\FM\15NOP1.SGM
15NOP1
Federal Register / Vol. 89, No. 221 / Friday, November 15, 2024 / Proposed Rules
confirm receipt of your comment(s),
please check https://
www.regulations.gov, approximately
two to three days after submission to
verify posting.
FOR FURTHER INFORMATION CONTACT: Ms.
Heather Kitchens, telephone 571–296–
7152.
khammond on DSKJM1Z7X2PROD with PROPOSALS
SUPPLEMENTARY INFORMATION:
I. Background
DoD is proposing to revise the DFARS
to implement section 1655(a) and (c) of
the National Defense Authorization Act
(NDAA) for Fiscal Year (FY) 2019 (Pub.
L. 115–232). Section 1655(a) prohibits
DoD from acquiring products, services,
or systems relating to information or
operational technology, cybersecurity,
industrial control systems, or weapon
systems through a contract unless the
offeror or contractor provides
disclosures related to sharing source
code and computer code with foreign
governments. Section 1655(c) requires
contracts for those products, services, or
systems to include a clause requiring
the disclosures during the contract
period of performance if an entity
becomes aware of information requiring
disclosure.
The first part of the disclosure is
related to whether, after August 12,
2013, the entity making the disclosure
has allowed, or is under an obligation to
allow, a foreign government to review
the code of a noncommercial product,
system, or service developed for DoD.
The second part of the disclosure
pertains to whether, after August 12,
2013, the entity making the disclosure
has allowed, or is under an obligation to
allow, a foreign government in a list
required by section 1654 of the NDAA
for FY 2019 to review the source code
of a product, system, or service that DoD
is using or intends to use.
The third part of the disclosure is
related to whether the entity making the
disclosure holds or has sought a license
pursuant to the Export Administration
Regulations (15 CFR chapter VII,
subchapter C), the International Traffic
in Arms Regulations (22 CFR chapter I,
subchapter M), or successor regulations,
for information technology products,
components, software, or services that
contain code custom-developed for the
noncommercial product, system, or
service DoD is using or intends to use.
Once the disclosures are provided to
DoD, and if the Secretary of Defense
determines that the disclosure relating
to a product, system, or service entails
a risk to the national security
infrastructure or data of the United
States, or any national security system
under the control of DoD, section 1655
VerDate Sep<11>2014
15:49 Nov 14, 2024
Jkt 265001
requires the Secretary to take such
measures as the Secretary considers
appropriate to mitigate such risks. In
addition, as the Secretary considers
appropriate, the Secretary may
condition any agreement for the use,
procurement, or acquisition of the
product, system, or service on the
inclusion of enforceable conditions or
requirements that would mitigate such
risks.
II. Discussion and Analysis
This proposed rule includes a new
subpart, 239.7X, Disclosure of
Information Regarding Foreign
Obligations. Section 239.7X00 describes
the statutory requirement implemented
in the new subpart. Section 239.7X01
includes new definitions of computer
code, open source software, and source
code. The new subpart includes the
section 1655 prohibition at 239.7X02.
Section 239.7X03 clarifies that the
prohibition does not apply to open
source software.
A section on procedures was added at
239.7X04 to require contracting officers
to validate in the Catalog Data Standard
within the Electronic Data Access (EDA)
system (https://piee.eb.mil) that offerors
or contractors have completed all
foreign obligation disclosures prior to
awarding a contract or exercising an
option. Section 1655 prohibits DoD from
using a product, service, or system
procured or acquired under certain
awards unless foreign obligation
disclosures have been made. This
proposed rule requires completion of
the foreign obligation disclosures prior
to exercising an option to ensure DoD
complies with the statutory intent.
Section 239.7X05 provides
prescriptions for a new solicitation
provision and contract clause. The new
provision is prescribed for use in
solicitations that include the clause at
252.239–70ZZ, Postaward Disclosure of
Foreign Obligations. The new clause is
prescribed for use in solicitations and
contracts, task orders, or delivery
orders, for the acquisition of products,
services, or systems relating to
information or operational technology,
cybersecurity, industrial control
systems, or weapon systems, including
those using Federal Acquisition
Regulation (FAR) part 12 procedures for
the acquisition of commercial products
and commercial services.
The purpose of the provision at
252.239–70YY, Preaward Disclosure of
Foreign Obligations—Representation, is
to notify offerors that they will be
required to make disclosures within the
Catalog Data Standard in the Electronic
Data Access (EDA) system (https://
piee.eb.mil) in order to be eligible for
PO 00000
Frm 00015
Fmt 4702
Sfmt 4702
90255
award. While there are three distinct
disclosures, the provision identifies the
first and second disclosures in one
paragraph at 252.239–70YY, paragraph
(c)(1), for clarity. The third disclosure is
identified at paragraph (c)(2). This
provision includes a requirement for all
offerors to represent by submission of
the offer that the information on the
foreign disclosures the offeror has made
within the Catalog Data Standard in
EDA is current, accurate, and complete.
The purpose of the clause at 252.239–
70ZZ, Postaward Disclosure of Foreign
Obligations, is to require contractors to
maintain their disclosures in the Catalog
Data Standard within EDA and flow
down the requirement to maintain
disclosures in the Catalog Data Standard
within EDA to subcontractors. Similar
to the provision, while there are three
distinct disclosures, the clause
identifies the first and second
disclosures in one paragraph at
252.239–70XX, paragraph (b)(1), for
clarity. The third disclosure is identified
at paragraph (b)(2). The clause also
requires contractors to require their
subcontractors to complete foreign
obligation disclosures in the Catalog
Data Standard in EDA prior to awarding
the subcontract.
Language was added at part 212 to
apply the provision and clause to the
acquisition of commercial products and
commercial services. In part 213,
language was added to apply the
requirement to disclose foreign
obligations will be applied at or below
the micro-purchase threshold. Language
was also added at part 217 to instruct
the contracting officer exercise options
only after verifying in the Catalog Data
Standard in the EDA system (https://
piee.eb.mil) that all disclosures have
been completed.
III. Applicability to Contracts At or
Below the Simplified Acquisition
Threshold (SAT) and for Commercial
Services and Commercial Products,
Including Commercially Available Offthe-Shelf (COTS) Items
This proposed rule proposes a new
provision and clause to implement the
requirements of section 1655 of the
NDAA for FY 2019: (1) DFARS 252.239–
70YY, Preaward Disclosure of Foreign
Obligations-Representation; and (2)
DFARS 252.239–70ZZ, Postaward
Disclosure of Foreign Obligations. The
provision at DFARS 252.239–70YY is
prescribed at DFARS 239.7X05(a) for
use in solicitations that include the
clause at DFARS 252.239–70ZZ. The
clause at DFARS 252.239–70ZZ is
prescribed at DFARS 239.7X05(b) for
use in solicitations and contracts for the
acquisition of products, services, or
E:\FR\FM\15NOP1.SGM
15NOP1
90256
Federal Register / Vol. 89, No. 221 / Friday, November 15, 2024 / Proposed Rules
systems relating to information or
operational technology, cybersecurity,
industrial control systems, or weapon
systems, including those using FAR part
12 procedures for the acquisition of
commercial products and commercial
services. DoD does intend to apply the
proposed rule to contracts at or below
the SAT. DoD does intend to apply the
proposed rule to contracts for the
acquisition of commercial products
including COTS items and for the
acquisition of commercial services.
A. Applicability to Contracts At or
Below the Simplified Acquisition
Threshold
The statute at 41 U.S.C. 1905 governs
the applicability of laws to contracts or
subcontracts in amounts not greater
than the simplified acquisition
threshold. It is intended to limit the
applicability of laws to such contracts or
subcontracts. The statute at 41 U.S.C.
1905 provides that if a provision of law
contains criminal or civil penalties, or if
the Federal Acquisition Regulatory
Council makes a written determination
that it is not in the best interest of the
Federal Government to exempt contracts
or subcontracts at or below the SAT, the
law will apply to them. The Principal
Director, Defense Pricing, Contracting,
and Acquisition Policy (DPCAP), is the
appropriate authority to make
comparable determinations for
regulations to be published in the
DFARS, which is part of the FAR system
of regulations. DoD does intend to make
that determination. Therefore, this
proposed rule will apply at or below the
simplified acquisition threshold.
khammond on DSKJM1Z7X2PROD with PROPOSALS
B. Applicability to Contracts for the
Acquisition of Commercial Products
Including COTS Items and for the
Acquisition of Commercial Services
The statute at 10 U.S.C. 3452 exempts
contracts and subcontracts for the
acquisition of commercial products
including COTS items, and commercial
services from provisions of law enacted
after October 13, 1994, unless the Under
Secretary of Defense (Acquisition and
Sustainment) (USD(A&S)) makes a
written determination that it would not
be in the best interest of DoD to exempt
contracts for the procurement of
commercial products and commercial
services from the applicability of the
provision or contract requirement,
except for a provision of law that—
• Provides for criminal or civil
penalties;
• Requires that certain articles be
bought from American sources pursuant
to 10 U.S.C. 4862, or that strategic
materials critical to national security be
VerDate Sep<11>2014
15:49 Nov 14, 2024
Jkt 265001
bought from American sources pursuant
to 10 U.S.C. 4863; or
• Specifically refers to 10 U.S.C. 3452
and states that it shall apply to contracts
and subcontracts for the acquisition of
commercial products (including COTS
items) and commercial services.
The statute implemented in this
proposed rule does not impose criminal
or civil penalties, does not require
purchase pursuant to 10 U.S.C. 4862 or
4863, and does not refer to 10 U.S.C.
3452. Therefore, section 1655 of the
NDAA for FY 2019 will not apply to the
acquisition of commercial services or
commercial products including COTS
items unless a written determination is
made. Due to delegations of authority,
the Principal Director, DPCAP is the
appropriate authority to make this
determination. DoD intends to make
that determination to apply this statute
to the acquisition of commercial
products including COTS items and to
the acquisition of commercial services.
Therefore, this proposed rule will apply
to the acquisition of commercial
products including COTS items and to
the acquisition of commercial services.
C. Determinations
Given that the requirements of section
1655 of the NDAA for FY 2019 were
enacted to require disclosures of foreign
obligations by contractors for contracts
that include products, services, or
systems relating to information or
operational technology, cybersecurity,
industrial control systems, or weapon
systems and since products, services, or
systems related to information or
operational technology, cybersecurity,
industrial control systems or weapon
systems can include COTS items and
awards at or below the SAT, it is in the
best interest of the Federal Government
to apply the statute to contracts for the
acquisition of commercial services and
commercial products, including COTS
items, as defined at Federal Acquisition
Regulation 2.101 and awards that are at
or below the SAT. An exception for
contracts for the acquisition of
commercial services and commercial
products, including COTS items, or for
contracts or subcontracts valued at or
below the SAT, would exclude the
contracts intended to be covered by the
law, thereby undermining the
overarching public policy purpose of
the law.
IV. Expected Impact of the Rule
The proposed rule implements
section 1655 of the NDAA for FY 2019,
which prohibits DoD from acquiring
products, services, or systems relating to
information or operational technology,
cybersecurity, industrial control
PO 00000
Frm 00016
Fmt 4702
Sfmt 4702
systems, or weapon systems through a
contract unless the offeror or contractor
provides disclosures related to sharing
source code and computer code with
foreign governments. Based on data
from the Federal Procurement Data
System, DoD issued approximately
36,677 new awards for information
technology and weapon systems to
approximately 4,147 unique entities per
year on average from FY 2021 through
FY 2023. DoD assumes this number will
cover awardees for information or
operational technology, cybersecurity,
industrial control systems, and weapon
systems, as there is no way to track
individual awards for operational
technology, industrial control systems,
and cybersecurity. Of the 4,147 unique
entities, on average, that received
awards each year, an average of
approximately 17,100 awards were
made to 2,667 unique small entities
from FY 2021 through FY 2023. DoD
assumes that the clause will apply to the
estimated 4,147 unique entities,
including the 2,667 unique small
entities.
DoD does not have a way to track the
number of unique offerors per award, so
DoD estimates that the number of
offerors is the number of unique entities
that received awards (i.e., 4,147)
multiplied by a factor of three,
representing three offerors per award.
Therefore, the estimated number of
offerors is three times the average
number of entities that received
information technology and weapon
systems awards for FY 2021 through FY
2023 (4,147 entities × 3), or 12,441, of
which 8,002 are estimated to be small
entities.
The proposed changes will require
offerors for products, services, or
systems related to information or
operational technology, cybersecurity,
industrial control systems, or weapon
systems to make certain disclosures in
the Catalog Data Standard within EDA
(https://piee.eb.mil) regarding whether
they have shared certain source code
and computer code with foreign persons
or governments any time since August
12, 2013. During contract performance,
prior to the exercise of any option,
contractors will be required to update
their disclosures in the Catalog Data
Standard within EDA.
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and
13563 direct agencies to assess all costs
and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
E:\FR\FM\15NOP1.SGM
15NOP1
Federal Register / Vol. 89, No. 221 / Friday, November 15, 2024 / Proposed Rules
effects, distributive impacts, and
equity). E.O. 13563 emphasizes the
importance of quantifying both costs
and benefits, of reducing costs, of
harmonizing rules, and of promoting
flexibility. This is not a significant
regulatory action and, therefore, was not
subject to review under section 6(b) of
E.O. 12866, Regulatory Planning and
Review, as amended.
khammond on DSKJM1Z7X2PROD with PROPOSALS
VI. Regulatory Flexibility Act
DoD does not expect this proposed
rule, when finalized, to have a
significant economic impact on a
substantial number of small entities
within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq.,
because the rule is only applied to
awards for products, services, or
systems related to information or
operational technology, cybersecurity,
industrial control systems, or weapon
systems. However, an initial regulatory
flexibility analysis has been performed
and is summarized as follows:
This proposed rule is necessary to
implement section 1655 of the NDAA
for FY 2019. Section 1655 prohibits DoD
from using a product, service, or system
relating to information or operational
technology, cybersecurity, industrial
control systems, or weapon systems
provided by an entity unless that entity
makes certain disclosures. The
disclosures required by the statute have
three parts.
The first part of the disclosures is
related to whether, since August 12,
2013, the entity making the disclosure
has allowed, or is under an obligation to
allow, a foreign government to review
the code of an other than commercial
product, system, or service developed
for DoD. The second part of the
disclosure pertains to whether, since
August 12, 2013, the entity making the
disclosure has allowed, or is under an
obligation to allow, a foreign
government in the list required by
section 1654 of the NDAA for FY 2019
to review the source code of a product,
system, or service that DoD is using or
intends to use. The third part of the
disclosure is related to whether the
entity making the disclosure holds or
has sought a license pursuant to the
Export Administration Regulations (15
CFR chapter VII, subchapter C), the
International Traffic in Arms
Regulations (22 CFR chapter I,
subchapter M), or successor regulations,
for information technology products,
components, software, or services that
contain code custom-developed for the
other than commercial product, system,
or service DoD is using or intends to
use.
VerDate Sep<11>2014
15:49 Nov 14, 2024
Jkt 265001
Once the disclosures are provided to
DoD, and if the Secretary of Defense
determines that the disclosure relating
to a product, system, or service entails
a risk to the national security
infrastructure or data of the United
States, or any national security system
under the control of DoD, section 1655
requires the Secretary to take such
measures as the Secretary considers
appropriate to mitigate such risks.
The objective of this proposed rule is
to implement the statutory requirement
for offeror, contractor, and subcontractor
disclosures under section 1655 of the
NDAA for FY 2019 prior to award and
during contract performance. The legal
basis for the proposed rule is section
1655 of the NDAA for FY 2019.
The proposed rule applies to offerors,
contractors, and subcontractors for
information or operational technology,
cybersecurity, industrial control
systems, or weapon systems. Based on
data from the Federal Procurement Data
System, DoD issued approximately
36,677 awards to 4,147 entities, of
which 17,100 awards were made to
2,667 small entities, for information
technology and weapon systems, on
average, from FY 2021 through FY 2023.
DoD assumes these numbers will cover
small entities awarded contracts for
products, services, or systems relating to
information or operational technology,
cybersecurity, industrial control
systems, and weapon systems, as there
is no way to track individual awards for
operational technology, cybersecurity,
and industrial control systems. In order
to estimate the number of offerors for
information or operational technology,
cybersecurity, industrial control
systems, and weapon systems, DoD
assumes the number of offerors will be
the 4,147 awardees multiplied by a
factor of three, or 12,441 offerors, of
which 8,002 are estimated to be small
entities.
This proposed rule does impose new
reporting, recordkeeping, or other
compliance requirements for small
entities. These reporting requirements
would apply to any offerors that are
small entities for a contract for
information or operational technology,
cybersecurity, industrial control
systems, and weapon systems. These
small entities will be required to make
disclosures within the Catalog Data
Standard within the EDA system
(https://piee.eb.mil) in order to be
eligible for award and will be required
to represent that the disclosures are
current, accurate, and complete.
Contractors whose contracts contain the
clause 252.239–70ZZ, Postaward
Disclosure of Foreign Obligations, will
be required to maintain their disclosures
PO 00000
Frm 00017
Fmt 4702
Sfmt 4702
90257
in EDA and flow down the requirement
to maintain disclosures in EDA to
subcontracts and other contractual
instruments.
The proposed rule does not duplicate,
overlap, or conflict with any other
Federal rules.
There are no known alternatives that
would accomplish the stated objectives
of the applicable statute.
DoD invites comments from small
business concerns and other interested
parties on the expected impact of this
proposed rule on small entities.
DoD will also consider comments
from small entities concerning the
existing regulations in subparts affected
by this proposed rule in accordance
with 5 U.S.C. 610. Interested parties
must submit such comments separately
and should cite 5 U.S.C. 610 (DFARS
Case 2018–D064) in correspondence.
VII. Paperwork Reduction Act
This proposed rule contains
information collection requirements that
require the approval of the Office of
Management and Budget under the
Paperwork Reduction Act (44 U.S.C.
chapter 35). Accordingly, DoD has
submitted a request for approval of a
new information collection requirement
concerning DFARS Case 2018–D064,
Disclosure of Information Regarding
Foreign Obligations, to the Office of
Management and Budget.
A. Estimate of Public Burden
Public reporting burden for this
collection of information is estimated to
average 0.5 hour per response, including
the time for reviewing instructions,
searching existing data sources,
gathering and maintaining the data
needed, and completing and reviewing
the collection of information.
The annual reporting burden is
estimated as follows:
Respondents: 12,441.
Total annual responses: 14,515.
Total annual burden hours: 7,257.5.
B. Request for Comments Regarding
Paperwork Burden
Written comments and
recommendations on the proposed
information collection, including
suggestions for reducing this burden,
should be submitted using the Federal
eRulemaking Portal at https://
www.regulations.gov or by email to
osd.dfars@mail.mil. Comments can be
received up to 60 days after the date of
this notice.
Public comments are particularly
invited on: whether this collection of
information is necessary for the proper
performance of the functions of DoD,
including whether the information will
E:\FR\FM\15NOP1.SGM
15NOP1
90258
Federal Register / Vol. 89, No. 221 / Friday, November 15, 2024 / Proposed Rules
have practical utility; the accuracy of
DoD’s estimate of the burden of this
information collection; ways to enhance
the quality, utility, and clarity of the
information to be collected; and ways to
minimize the burden of the information
collection on respondents, including
through the use of automated collection
techniques or other forms of information
technology.
To obtain a copy of the supporting
statement and associated collection
instruments, please email osd.dfars@
mail.mil. Include DFARS Case 2018–
D064 in the subject line of the message.
List of Subjects in 48 CFR Parts 212,
213, 217, 239, and 252
217.207
Therefore, the Defense Acquisition
Regulations System proposes to amend
48 CFR parts 212, 213, 217, 239, and
252 as follows:
■ 1. The authority citation for parts 212,
213, 217, 239, and 252 continues to read
as follows:
Authority: 41 U.S.C. 1303 and 48 CFR
chapter 1.
2. Amend section 212.301 by adding
paragraphs (f)(xvi)(E) and (F) to read as
follows:
212.301 Solicitation provisions and
contract clauses for the acquisition of
commercial products and commercial
services.
*
*
*
*
*
(f) * * *
(xvi) * * *
(E) Use the provision at 252.239–
70YY, Preaward Disclosure of Foreign
Obligations—Representation, as
prescribed in 239.7X05(a), to comply
with section 1655 of the National
Defense Authorization Act for Fiscal
Year 2019 (Pub. L. 115–232).
(F) Use the clause at 252.239–70ZZ,
Postaward Disclosure of Foreign
Obligations, as prescribed at
239.7X05(b), to comply with section
1655 of the National Defense
Authorization Act for Fiscal Year 2019
(Pub. L. 115–232).
*
*
*
*
*
PART 213—SIMPLIFIED ACQUISITION
PROCEDURES
3. Add section 213.201–70 to read as
follows:
Jkt 265001
(c) * * *
(3) Verifying in the Catalog Data
Standard in the Electronic Data Access
system (https://piee.eb.mil) that all
foreign obligation disclosures are
completed (see 239.7X).
PART 239—ACQUISITION OF
INFORMATION TECHNOLOGY
5. Add subpart 239.7X to read as
follows:
■
■
Exercise of options.
■
PART 212—ACQUISITION OF
COMMERCIAL PRODUCTS AND
COMMERCIAL SERVICES
khammond on DSKJM1Z7X2PROD with PROPOSALS
PART 217—SPECIAL CONTRACTING
METHODS
4. Amend section 217.207 by adding
paragraph (c)(3) to read as follows:
Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition
Regulations System.
15:49 Nov 14, 2024
Do not procure or obtain, or exercise
an option or otherwise extend a contract
relating to, information or operational
technology, cybersecurity, industrial
control systems, or weapon systems
from a contractor, including through a
subcontractor at any tier, unless the
contractor completes all foreign
obligation disclosures in the Catalog
Data Standard within the Electronic
Data Access system (https://piee.eb.mil).
See subpart 239.7X.
■
Government procurement.
VerDate Sep<11>2014
213.201–70 Additional general
requirements.
Subpart 239.7X—Disclosure of Information
Regarding Foreign Obligations
Sec.
239.7X00 Scope.
239.7X01 Definitions.
239.7X02 Prohibition.
239.7X03 Exception.
239.7X04 Procedures.
239.7X05 Solicitation provision and
contract clause.
SUBPART 239.7X—DISCLOSURE OF
INFORMATION REGARDING FOREIGN
OBLIGATIONS
239.7X00
Scope.
This section implements the foreign
obligation disclosure requirements of
section 1655(a) and (c) of the National
Defense Authorization Act for Fiscal
Year 2019 (Pub. L. 115–232).
239.7X01
Definitions.
As used in this subpart—
Computer code means a set of
instructions, rules, or routines recorded
in a form that is capable of causing a
computer to perform a specific
operation or series of operations. It
includes both source code and object
code.
Open source software means software
for which the human-readable source
code is available for use, study, reuse,
modification, enhancement, and
redistribution by the users of such
PO 00000
Frm 00018
Fmt 4702
Sfmt 4702
software (section 1655, Pub. L. 115–
232).
Source code means any collection of
code, with or without comments,
written using a human-readable
programming language, usually as plain
text. This code is later translated into
machine language by a compiler. The
translated code is referred to as object
code.
239.7X02
Prohibition.
(a) Contracting officers shall not
procure or obtain, or exercise an option
or otherwise extend a contract to
procure or obtain, any products,
services, or systems relating to
information or operational technology,
cybersecurity, industrial control
systems, or weapon systems through a
contract or subcontract at any tier from
a prospective contractor unless the
offeror or contractor makes the
disclosures required by section 1655 of
the NDAA for FY 2019.
(b) Contracting officers shall ensure
that they do not violate the prohibition
by using the provision at 252.239–70YY
and the clause at 252.239–70ZZ, as
prescribed. The provision requires
offerors to provide the required foreign
obligation disclosures, and the clause
ensures that contractors provide updates
to foreign obligation disclosures for the
life of the contract.
239.7X03
Exception.
The prohibition at 239.7X02 does not
apply to open source software.
239.7X04
Procedures.
(a) Contracting officers shall not
award a contract, task order, or delivery
order for information or operational
technology, cybersecurity, industrial
control systems, or weapon systems,
unless the prospective contractor has
completed all of the foreign obligation
disclosures in the Catalog Data Standard
within the Electronic Data Access (EDA)
system (https://piee.eb.mil) and those
disclosures are current, accurate, and
complete (see 239.7X02).
(b) Contracting officers shall not
exercise an option or extend the period
of performance on a contract, task order,
or delivery order for information or
operational technology, cybersecurity,
industrial control systems, or weapons
systems, unless the contractor has
completed all of the foreign obligation
disclosures in the Catalog Data Standard
within the EDA system (see 239.7X02).
(c) Contracting officers shall work
with the program office to validate that
the offeror has completed all of the
foreign obligation disclosures in the
Catalog Data Standard within the EDA
system.
E:\FR\FM\15NOP1.SGM
15NOP1
Federal Register / Vol. 89, No. 221 / Friday, November 15, 2024 / Proposed Rules
(d) Contracting officers shall follow
agency procedures, as applicable, in the
event that the program office notifies the
contracting officer that additional steps
must be taken prior to award based on
information disclosed in EDA.
239.7X05 Solicitation provision and
contract clause.
(a) Use the provision at 252.239–
70YY, Preaward Disclosure of Foreign
Obligations—Representation, in
solicitations that include the clause at
252.239–70ZZ.
(b) Use the clause at 252.239–70ZZ,
Postaward Disclosure of Foreign
Obligations, in solicitations and
contracts, task orders, or delivery
orders, including those using FAR part
12 procedures for the acquisition of
commercial products and commercial
services, for the acquisition of products,
services, or systems relating to
information or operational technology,
cybersecurity, industrial control
systems, or weapon systems.
PART 252—SOLICITATION
PROVISIONS AND CONTRACT
CLAUSES
(End of provision)
6. Add sections 252.239–70YY and
252.239–70ZZ to read as follows:
■
252.239–70ZZ Postaward Disclosure of
Foreign Obligations.
252.239–70YY Preaward Disclosure of
Foreign Obligations—Representation.
As prescribed in 239.7X05(a), use the
following provision:
khammond on DSKJM1Z7X2PROD with PROPOSALS
Preaward Disclosure of Foreign
Obligations—Representation (Date)
(a) Definitions. As used in this provision,
computer code, open source software, and
source code are defined in the Defense
Federal Acquisition Regulation Supplement
252.239–70ZZ, Postaward Disclosure of
Foreign Obligations, clause of this
solicitation.
(b) Prohibition on award. In accordance
with section 1655 of Public Law 115–232, no
contract for information or operational
technology, cybersecurity, industrial control
systems, or weapon systems may be awarded
to an offeror unless the offeror makes the
disclosures described in paragraph (c).
(c) Disclosures. The Offeror shall complete
the following foreign obligation disclosures
in the Catalog Data Standard in the Electronic
Data Access (EDA) system (https://
piee.eb.mil):
(1) Whether, and if so, when, at any time
after August 12, 2013, the Offeror—
(i) Has allowed a foreign person or foreign
government to review the source code for any
product, system, or service that DoD is using
or intends to use, or the computer code for
VerDate Sep<11>2014
15:49 Nov 14, 2024
Jkt 265001
any other than commercial product, system,
or service developed for DoD; or
(ii) Is under any obligation to allow a
foreign person or foreign government to
review, as a condition of entering into an
agreement for sale or other transaction with
a foreign government or with a foreign person
on behalf of such a government—
(A) The source code for any product,
system, or service that DoD is using or
intends to use; or
(B) The computer code for any other than
commercial product, system, or service
developed for DoD; and
(2) Whether or not the Offeror holds or has
sought a license pursuant to the Export
Administration Regulations (15 CFR chapter
VII, subchapter C) or the International Traffic
in Arms Regulations (22 CFR chapter I,
subchapter M) for information technology
products, components, software, or services
that contain computer code customdeveloped for the other than commercial
product, system, or service DoD is procuring.
(d) Exception. The prohibition in
paragraph (b) of this provision does not apply
to open source software.
(e) Representation. By submission of its
offer, the Offeror represents that it has
completed the foreign obligation disclosures
in EDA and the disclosures are current,
accurate, and complete.
As prescribed in 239.7X05(b), use the
following clause:
Postaward Disclosure of Foreign
Obligations (Date)
(a) Definitions. As used in this clause—
Computer code means a set of instructions,
rules, or routines recorded in a form that is
capable of causing a computer to perform a
specific operation or series of operations. It
includes both source code and object code.
Open source software means software for
which the human-readable source code is
available for use, study, reuse, modification,
enhancement, and redistribution by the users
of such software (section 1655, Pub. L. 115–
232).
Source code means any collection of code,
with or without comments, written using a
human-readable programming language,
usually as plain text. This code is later
translated into machine language by a
compiler. The translated code is referred to
as object code.
(b) Prohibition. The Contractor shall not
provide to DoD any products, services, or
systems relating to information or operational
technology, cybersecurity, industrial control
systems, or weapon systems through a
contract or subcontract at any tier unless the
Contractor makes the disclosures described
in paragraph (c).
PO 00000
Frm 00019
Fmt 4702
Sfmt 9990
90259
(c) Disclosures. The Contractor shall
complete the following foreign obligation
disclosures in the Catalog Data Standard in
the Electronic Data Access (EDA) system
(https://piee.eb.mil):
(1) Whether, and if so, when, at any time
after August 12, 2013, the Contractor—
(i) Has allowed a foreign person or foreign
government to review the source code for any
product, system, or service that DoD is using
or intends to use, or the computer code for
any other than commercial product, system,
or service developed for DoD;
(ii) Is under any obligation to allow a
foreign person or foreign government to
review, as a condition of entering into an
agreement for sale or other transaction with
a foreign government or with a foreign person
on behalf of such a government—
(A) The source code for any product,
system, or service that DoD is using or
intends to use; or
(B) The computer code for any other than
commercial product, system, or service
developed for DoD; and
(2) Whether or not the supplier holds or
has sought a license pursuant to the Export
Administration Regulations (15 CFR chapter
VII, subchapter C) or the International Traffic
in Arms Regulations (22 CFR chapter I,
subchapter M) for information technology
products, components, software, or services
that contain computer code customdeveloped for the other than commercial
product, system, or service DoD is using or
intends to use.
(d) Maintenance of disclosures. The
Contractor shall maintain its foreign
obligation disclosures in EDA for the life of
the contract.
(e) Identification of information requiring
disclosure. In the event the Contractor
identifies information requiring disclosure
during contract performance, or the
Contractor is notified of such by a
subcontractor at any tier or any other source,
the Contractor shall update its disclosures in
EDA and shall disclose any mitigation
measures taken or anticipated.
(f) Exception. The prohibition in paragraph
(b) does not apply to open source software.
(g) Subcontracts. The Contractor shall—
(1) Insert the substance of this clause,
including this paragraph (g), in subcontracts,
or other contractual instruments, for the
acquisition of products, services, or systems
relating to information or operational
technology, cybersecurity, industrial control
systems, or weapon systems, including those
for commercial products and commercial
services; and
(2) Require the subcontractor to complete
the foreign obligation disclosures in EDA
prior to awarding a subcontract.
(End of clause)
[FR Doc. 2024–26058 Filed 11–14–24; 8:45 am]
BILLING CODE 6001–FR–P
E:\FR\FM\15NOP1.SGM
15NOP1
Agencies
[Federal Register Volume 89, Number 221 (Friday, November 15, 2024)]
[Proposed Rules]
[Pages 90254-90259]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-26058]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 212, 213, 217, 239, and 252
[Docket DARS-2024-0034]
RIN 0750-AK23
Defense Federal Acquisition Regulation Supplement: Disclosure of
Information Regarding Foreign Obligations (DFARS Case 2018-D064)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: DoD is proposing to amend the Defense Federal Acquisition
Regulation Supplement (DFARS) to implement a section of the National
Defense Authorization Act for Fiscal Year 2019, which prohibits DoD
from acquiring products, services, or systems relating to information
or operational technology, cybersecurity, industrial control systems,
or weapon systems through a contract unless the offeror or contractor
provides disclosures related to sharing source code and computer code
with foreign governments.
DATES: Comments on the proposed rule should be submitted in writing to
the address shown below on or before January 14, 2025, to be considered
in the formation of a final rule.
ADDRESSES: Submit comments identified by DFARS Case 2018-D064, using
either of the following methods:
[cir] Federal eRulemaking Portal: https://www.regulations.gov.
Search for DFARS Case 2018-D064. Select ``Comment'' and follow the
instructions to submit a comment. Please include ``DFARS Case 2018-
D064'' on any attached documents.
[cir] Email: [email protected]. Include DFARS Case 2018-D064 in
the subject line of the message.
Comments received generally will be posted without change to
https://www.regulations.gov, including any personal information
provided. To
[[Page 90255]]
confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission
to verify posting.
FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571-
296-7152.
SUPPLEMENTARY INFORMATION:
I. Background
DoD is proposing to revise the DFARS to implement section 1655(a)
and (c) of the National Defense Authorization Act (NDAA) for Fiscal
Year (FY) 2019 (Pub. L. 115-232). Section 1655(a) prohibits DoD from
acquiring products, services, or systems relating to information or
operational technology, cybersecurity, industrial control systems, or
weapon systems through a contract unless the offeror or contractor
provides disclosures related to sharing source code and computer code
with foreign governments. Section 1655(c) requires contracts for those
products, services, or systems to include a clause requiring the
disclosures during the contract period of performance if an entity
becomes aware of information requiring disclosure.
The first part of the disclosure is related to whether, after
August 12, 2013, the entity making the disclosure has allowed, or is
under an obligation to allow, a foreign government to review the code
of a noncommercial product, system, or service developed for DoD. The
second part of the disclosure pertains to whether, after August 12,
2013, the entity making the disclosure has allowed, or is under an
obligation to allow, a foreign government in a list required by section
1654 of the NDAA for FY 2019 to review the source code of a product,
system, or service that DoD is using or intends to use.
The third part of the disclosure is related to whether the entity
making the disclosure holds or has sought a license pursuant to the
Export Administration Regulations (15 CFR chapter VII, subchapter C),
the International Traffic in Arms Regulations (22 CFR chapter I,
subchapter M), or successor regulations, for information technology
products, components, software, or services that contain code custom-
developed for the noncommercial product, system, or service DoD is
using or intends to use.
Once the disclosures are provided to DoD, and if the Secretary of
Defense determines that the disclosure relating to a product, system,
or service entails a risk to the national security infrastructure or
data of the United States, or any national security system under the
control of DoD, section 1655 requires the Secretary to take such
measures as the Secretary considers appropriate to mitigate such risks.
In addition, as the Secretary considers appropriate, the Secretary may
condition any agreement for the use, procurement, or acquisition of the
product, system, or service on the inclusion of enforceable conditions
or requirements that would mitigate such risks.
II. Discussion and Analysis
This proposed rule includes a new subpart, 239.7X, Disclosure of
Information Regarding Foreign Obligations. Section 239.7X00 describes
the statutory requirement implemented in the new subpart. Section
239.7X01 includes new definitions of computer code, open source
software, and source code. The new subpart includes the section 1655
prohibition at 239.7X02. Section 239.7X03 clarifies that the
prohibition does not apply to open source software.
A section on procedures was added at 239.7X04 to require
contracting officers to validate in the Catalog Data Standard within
the Electronic Data Access (EDA) system (https://piee.eb.mil) that
offerors or contractors have completed all foreign obligation
disclosures prior to awarding a contract or exercising an option.
Section 1655 prohibits DoD from using a product, service, or system
procured or acquired under certain awards unless foreign obligation
disclosures have been made. This proposed rule requires completion of
the foreign obligation disclosures prior to exercising an option to
ensure DoD complies with the statutory intent.
Section 239.7X05 provides prescriptions for a new solicitation
provision and contract clause. The new provision is prescribed for use
in solicitations that include the clause at 252.239-70ZZ, Postaward
Disclosure of Foreign Obligations. The new clause is prescribed for use
in solicitations and contracts, task orders, or delivery orders, for
the acquisition of products, services, or systems relating to
information or operational technology, cybersecurity, industrial
control systems, or weapon systems, including those using Federal
Acquisition Regulation (FAR) part 12 procedures for the acquisition of
commercial products and commercial services.
The purpose of the provision at 252.239-70YY, Preaward Disclosure
of Foreign Obligations--Representation, is to notify offerors that they
will be required to make disclosures within the Catalog Data Standard
in the Electronic Data Access (EDA) system (https://piee.eb.mil) in
order to be eligible for award. While there are three distinct
disclosures, the provision identifies the first and second disclosures
in one paragraph at 252.239-70YY, paragraph (c)(1), for clarity. The
third disclosure is identified at paragraph (c)(2). This provision
includes a requirement for all offerors to represent by submission of
the offer that the information on the foreign disclosures the offeror
has made within the Catalog Data Standard in EDA is current, accurate,
and complete.
The purpose of the clause at 252.239-70ZZ, Postaward Disclosure of
Foreign Obligations, is to require contractors to maintain their
disclosures in the Catalog Data Standard within EDA and flow down the
requirement to maintain disclosures in the Catalog Data Standard within
EDA to subcontractors. Similar to the provision, while there are three
distinct disclosures, the clause identifies the first and second
disclosures in one paragraph at 252.239-70XX, paragraph (b)(1), for
clarity. The third disclosure is identified at paragraph (b)(2). The
clause also requires contractors to require their subcontractors to
complete foreign obligation disclosures in the Catalog Data Standard in
EDA prior to awarding the subcontract.
Language was added at part 212 to apply the provision and clause to
the acquisition of commercial products and commercial services. In part
213, language was added to apply the requirement to disclose foreign
obligations will be applied at or below the micro-purchase threshold.
Language was also added at part 217 to instruct the contracting officer
exercise options only after verifying in the Catalog Data Standard in
the EDA system (https://piee.eb.mil) that all disclosures have been
completed.
III. Applicability to Contracts At or Below the Simplified Acquisition
Threshold (SAT) and for Commercial Services and Commercial Products,
Including Commercially Available Off-the-Shelf (COTS) Items
This proposed rule proposes a new provision and clause to implement
the requirements of section 1655 of the NDAA for FY 2019: (1) DFARS
252.239-70YY, Preaward Disclosure of Foreign Obligations-
Representation; and (2) DFARS 252.239-70ZZ, Postaward Disclosure of
Foreign Obligations. The provision at DFARS 252.239-70YY is prescribed
at DFARS 239.7X05(a) for use in solicitations that include the clause
at DFARS 252.239-70ZZ. The clause at DFARS 252.239-70ZZ is prescribed
at DFARS 239.7X05(b) for use in solicitations and contracts for the
acquisition of products, services, or
[[Page 90256]]
systems relating to information or operational technology,
cybersecurity, industrial control systems, or weapon systems, including
those using FAR part 12 procedures for the acquisition of commercial
products and commercial services. DoD does intend to apply the proposed
rule to contracts at or below the SAT. DoD does intend to apply the
proposed rule to contracts for the acquisition of commercial products
including COTS items and for the acquisition of commercial services.
A. Applicability to Contracts At or Below the Simplified Acquisition
Threshold
The statute at 41 U.S.C. 1905 governs the applicability of laws to
contracts or subcontracts in amounts not greater than the simplified
acquisition threshold. It is intended to limit the applicability of
laws to such contracts or subcontracts. The statute at 41 U.S.C. 1905
provides that if a provision of law contains criminal or civil
penalties, or if the Federal Acquisition Regulatory Council makes a
written determination that it is not in the best interest of the
Federal Government to exempt contracts or subcontracts at or below the
SAT, the law will apply to them. The Principal Director, Defense
Pricing, Contracting, and Acquisition Policy (DPCAP), is the
appropriate authority to make comparable determinations for regulations
to be published in the DFARS, which is part of the FAR system of
regulations. DoD does intend to make that determination. Therefore,
this proposed rule will apply at or below the simplified acquisition
threshold.
B. Applicability to Contracts for the Acquisition of Commercial
Products Including COTS Items and for the Acquisition of Commercial
Services
The statute at 10 U.S.C. 3452 exempts contracts and subcontracts
for the acquisition of commercial products including COTS items, and
commercial services from provisions of law enacted after October 13,
1994, unless the Under Secretary of Defense (Acquisition and
Sustainment) (USD(A&S)) makes a written determination that it would not
be in the best interest of DoD to exempt contracts for the procurement
of commercial products and commercial services from the applicability
of the provision or contract requirement, except for a provision of law
that--
Provides for criminal or civil penalties;
Requires that certain articles be bought from American
sources pursuant to 10 U.S.C. 4862, or that strategic materials
critical to national security be bought from American sources pursuant
to 10 U.S.C. 4863; or
Specifically refers to 10 U.S.C. 3452 and states that it
shall apply to contracts and subcontracts for the acquisition of
commercial products (including COTS items) and commercial services.
The statute implemented in this proposed rule does not impose
criminal or civil penalties, does not require purchase pursuant to 10
U.S.C. 4862 or 4863, and does not refer to 10 U.S.C. 3452. Therefore,
section 1655 of the NDAA for FY 2019 will not apply to the acquisition
of commercial services or commercial products including COTS items
unless a written determination is made. Due to delegations of
authority, the Principal Director, DPCAP is the appropriate authority
to make this determination. DoD intends to make that determination to
apply this statute to the acquisition of commercial products including
COTS items and to the acquisition of commercial services. Therefore,
this proposed rule will apply to the acquisition of commercial products
including COTS items and to the acquisition of commercial services.
C. Determinations
Given that the requirements of section 1655 of the NDAA for FY 2019
were enacted to require disclosures of foreign obligations by
contractors for contracts that include products, services, or systems
relating to information or operational technology, cybersecurity,
industrial control systems, or weapon systems and since products,
services, or systems related to information or operational technology,
cybersecurity, industrial control systems or weapon systems can include
COTS items and awards at or below the SAT, it is in the best interest
of the Federal Government to apply the statute to contracts for the
acquisition of commercial services and commercial products, including
COTS items, as defined at Federal Acquisition Regulation 2.101 and
awards that are at or below the SAT. An exception for contracts for the
acquisition of commercial services and commercial products, including
COTS items, or for contracts or subcontracts valued at or below the
SAT, would exclude the contracts intended to be covered by the law,
thereby undermining the overarching public policy purpose of the law.
IV. Expected Impact of the Rule
The proposed rule implements section 1655 of the NDAA for FY 2019,
which prohibits DoD from acquiring products, services, or systems
relating to information or operational technology, cybersecurity,
industrial control systems, or weapon systems through a contract unless
the offeror or contractor provides disclosures related to sharing
source code and computer code with foreign governments. Based on data
from the Federal Procurement Data System, DoD issued approximately
36,677 new awards for information technology and weapon systems to
approximately 4,147 unique entities per year on average from FY 2021
through FY 2023. DoD assumes this number will cover awardees for
information or operational technology, cybersecurity, industrial
control systems, and weapon systems, as there is no way to track
individual awards for operational technology, industrial control
systems, and cybersecurity. Of the 4,147 unique entities, on average,
that received awards each year, an average of approximately 17,100
awards were made to 2,667 unique small entities from FY 2021 through FY
2023. DoD assumes that the clause will apply to the estimated 4,147
unique entities, including the 2,667 unique small entities.
DoD does not have a way to track the number of unique offerors per
award, so DoD estimates that the number of offerors is the number of
unique entities that received awards (i.e., 4,147) multiplied by a
factor of three, representing three offerors per award. Therefore, the
estimated number of offerors is three times the average number of
entities that received information technology and weapon systems awards
for FY 2021 through FY 2023 (4,147 entities x 3), or 12,441, of which
8,002 are estimated to be small entities.
The proposed changes will require offerors for products, services,
or systems related to information or operational technology,
cybersecurity, industrial control systems, or weapon systems to make
certain disclosures in the Catalog Data Standard within EDA (https://piee.eb.mil) regarding whether they have shared certain source code and
computer code with foreign persons or governments any time since August
12, 2013. During contract performance, prior to the exercise of any
option, contractors will be required to update their disclosures in the
Catalog Data Standard within EDA.
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety
[[Page 90257]]
effects, distributive impacts, and equity). E.O. 13563 emphasizes the
importance of quantifying both costs and benefits, of reducing costs,
of harmonizing rules, and of promoting flexibility. This is not a
significant regulatory action and, therefore, was not subject to review
under section 6(b) of E.O. 12866, Regulatory Planning and Review, as
amended.
VI. Regulatory Flexibility Act
DoD does not expect this proposed rule, when finalized, to have a
significant economic impact on a substantial number of small entities
within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et
seq., because the rule is only applied to awards for products,
services, or systems related to information or operational technology,
cybersecurity, industrial control systems, or weapon systems. However,
an initial regulatory flexibility analysis has been performed and is
summarized as follows:
This proposed rule is necessary to implement section 1655 of the
NDAA for FY 2019. Section 1655 prohibits DoD from using a product,
service, or system relating to information or operational technology,
cybersecurity, industrial control systems, or weapon systems provided
by an entity unless that entity makes certain disclosures. The
disclosures required by the statute have three parts.
The first part of the disclosures is related to whether, since
August 12, 2013, the entity making the disclosure has allowed, or is
under an obligation to allow, a foreign government to review the code
of an other than commercial product, system, or service developed for
DoD. The second part of the disclosure pertains to whether, since
August 12, 2013, the entity making the disclosure has allowed, or is
under an obligation to allow, a foreign government in the list required
by section 1654 of the NDAA for FY 2019 to review the source code of a
product, system, or service that DoD is using or intends to use. The
third part of the disclosure is related to whether the entity making
the disclosure holds or has sought a license pursuant to the Export
Administration Regulations (15 CFR chapter VII, subchapter C), the
International Traffic in Arms Regulations (22 CFR chapter I, subchapter
M), or successor regulations, for information technology products,
components, software, or services that contain code custom-developed
for the other than commercial product, system, or service DoD is using
or intends to use.
Once the disclosures are provided to DoD, and if the Secretary of
Defense determines that the disclosure relating to a product, system,
or service entails a risk to the national security infrastructure or
data of the United States, or any national security system under the
control of DoD, section 1655 requires the Secretary to take such
measures as the Secretary considers appropriate to mitigate such risks.
The objective of this proposed rule is to implement the statutory
requirement for offeror, contractor, and subcontractor disclosures
under section 1655 of the NDAA for FY 2019 prior to award and during
contract performance. The legal basis for the proposed rule is section
1655 of the NDAA for FY 2019.
The proposed rule applies to offerors, contractors, and
subcontractors for information or operational technology,
cybersecurity, industrial control systems, or weapon systems. Based on
data from the Federal Procurement Data System, DoD issued approximately
36,677 awards to 4,147 entities, of which 17,100 awards were made to
2,667 small entities, for information technology and weapon systems, on
average, from FY 2021 through FY 2023. DoD assumes these numbers will
cover small entities awarded contracts for products, services, or
systems relating to information or operational technology,
cybersecurity, industrial control systems, and weapon systems, as there
is no way to track individual awards for operational technology,
cybersecurity, and industrial control systems. In order to estimate the
number of offerors for information or operational technology,
cybersecurity, industrial control systems, and weapon systems, DoD
assumes the number of offerors will be the 4,147 awardees multiplied by
a factor of three, or 12,441 offerors, of which 8,002 are estimated to
be small entities.
This proposed rule does impose new reporting, recordkeeping, or
other compliance requirements for small entities. These reporting
requirements would apply to any offerors that are small entities for a
contract for information or operational technology, cybersecurity,
industrial control systems, and weapon systems. These small entities
will be required to make disclosures within the Catalog Data Standard
within the EDA system (https://piee.eb.mil) in order to be eligible for
award and will be required to represent that the disclosures are
current, accurate, and complete. Contractors whose contracts contain
the clause 252.239-70ZZ, Postaward Disclosure of Foreign Obligations,
will be required to maintain their disclosures in EDA and flow down the
requirement to maintain disclosures in EDA to subcontracts and other
contractual instruments.
The proposed rule does not duplicate, overlap, or conflict with any
other Federal rules.
There are no known alternatives that would accomplish the stated
objectives of the applicable statute.
DoD invites comments from small business concerns and other
interested parties on the expected impact of this proposed rule on
small entities.
DoD will also consider comments from small entities concerning the
existing regulations in subparts affected by this proposed rule in
accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite 5 U.S.C. 610 (DFARS Case 2018-D064)
in correspondence.
VII. Paperwork Reduction Act
This proposed rule contains information collection requirements
that require the approval of the Office of Management and Budget under
the Paperwork Reduction Act (44 U.S.C. chapter 35). Accordingly, DoD
has submitted a request for approval of a new information collection
requirement concerning DFARS Case 2018-D064, Disclosure of Information
Regarding Foreign Obligations, to the Office of Management and Budget.
A. Estimate of Public Burden
Public reporting burden for this collection of information is
estimated to average 0.5 hour per response, including the time for
reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information.
The annual reporting burden is estimated as follows:
Respondents: 12,441.
Total annual responses: 14,515.
Total annual burden hours: 7,257.5.
B. Request for Comments Regarding Paperwork Burden
Written comments and recommendations on the proposed information
collection, including suggestions for reducing this burden, should be
submitted using the Federal eRulemaking Portal at https://www.regulations.gov or by email to [email protected]. Comments can be
received up to 60 days after the date of this notice.
Public comments are particularly invited on: whether this
collection of information is necessary for the proper performance of
the functions of DoD, including whether the information will
[[Page 90258]]
have practical utility; the accuracy of DoD's estimate of the burden of
this information collection; ways to enhance the quality, utility, and
clarity of the information to be collected; and ways to minimize the
burden of the information collection on respondents, including through
the use of automated collection techniques or other forms of
information technology.
To obtain a copy of the supporting statement and associated
collection instruments, please email [email protected]. Include DFARS
Case 2018-D064 in the subject line of the message.
List of Subjects in 48 CFR Parts 212, 213, 217, 239, and 252
Government procurement.
Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition Regulations System.
Therefore, the Defense Acquisition Regulations System proposes to
amend 48 CFR parts 212, 213, 217, 239, and 252 as follows:
0
1. The authority citation for parts 212, 213, 217, 239, and 252
continues to read as follows:
Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.
PART 212--ACQUISITION OF COMMERCIAL PRODUCTS AND COMMERCIAL
SERVICES
0
2. Amend section 212.301 by adding paragraphs (f)(xvi)(E) and (F) to
read as follows:
212.301 Solicitation provisions and contract clauses for the
acquisition of commercial products and commercial services.
* * * * *
(f) * * *
(xvi) * * *
(E) Use the provision at 252.239-70YY, Preaward Disclosure of
Foreign Obligations--Representation, as prescribed in 239.7X05(a), to
comply with section 1655 of the National Defense Authorization Act for
Fiscal Year 2019 (Pub. L. 115-232).
(F) Use the clause at 252.239-70ZZ, Postaward Disclosure of Foreign
Obligations, as prescribed at 239.7X05(b), to comply with section 1655
of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L.
115-232).
* * * * *
PART 213--SIMPLIFIED ACQUISITION PROCEDURES
0
3. Add section 213.201-70 to read as follows:
213.201-70 Additional general requirements.
Do not procure or obtain, or exercise an option or otherwise extend
a contract relating to, information or operational technology,
cybersecurity, industrial control systems, or weapon systems from a
contractor, including through a subcontractor at any tier, unless the
contractor completes all foreign obligation disclosures in the Catalog
Data Standard within the Electronic Data Access system (https://piee.eb.mil). See subpart 239.7X.
PART 217--SPECIAL CONTRACTING METHODS
0
4. Amend section 217.207 by adding paragraph (c)(3) to read as follows:
217.207 Exercise of options.
(c) * * *
(3) Verifying in the Catalog Data Standard in the Electronic Data
Access system (https://piee.eb.mil) that all foreign obligation
disclosures are completed (see 239.7X).
PART 239--ACQUISITION OF INFORMATION TECHNOLOGY
0
5. Add subpart 239.7X to read as follows:
Subpart 239.7X--Disclosure of Information Regarding Foreign Obligations
Sec.
239.7X00 Scope.
239.7X01 Definitions.
239.7X02 Prohibition.
239.7X03 Exception.
239.7X04 Procedures.
239.7X05 Solicitation provision and contract clause.
SUBPART 239.7X--DISCLOSURE OF INFORMATION REGARDING FOREIGN
OBLIGATIONS
239.7X00 Scope.
This section implements the foreign obligation disclosure
requirements of section 1655(a) and (c) of the National Defense
Authorization Act for Fiscal Year 2019 (Pub. L. 115-232).
239.7X01 Definitions.
As used in this subpart--
Computer code means a set of instructions, rules, or routines
recorded in a form that is capable of causing a computer to perform a
specific operation or series of operations. It includes both source
code and object code.
Open source software means software for which the human-readable
source code is available for use, study, reuse, modification,
enhancement, and redistribution by the users of such software (section
1655, Pub. L. 115-232).
Source code means any collection of code, with or without comments,
written using a human-readable programming language, usually as plain
text. This code is later translated into machine language by a
compiler. The translated code is referred to as object code.
239.7X02 Prohibition.
(a) Contracting officers shall not procure or obtain, or exercise
an option or otherwise extend a contract to procure or obtain, any
products, services, or systems relating to information or operational
technology, cybersecurity, industrial control systems, or weapon
systems through a contract or subcontract at any tier from a
prospective contractor unless the offeror or contractor makes the
disclosures required by section 1655 of the NDAA for FY 2019.
(b) Contracting officers shall ensure that they do not violate the
prohibition by using the provision at 252.239-70YY and the clause at
252.239-70ZZ, as prescribed. The provision requires offerors to provide
the required foreign obligation disclosures, and the clause ensures
that contractors provide updates to foreign obligation disclosures for
the life of the contract.
239.7X03 Exception.
The prohibition at 239.7X02 does not apply to open source software.
239.7X04 Procedures.
(a) Contracting officers shall not award a contract, task order, or
delivery order for information or operational technology,
cybersecurity, industrial control systems, or weapon systems, unless
the prospective contractor has completed all of the foreign obligation
disclosures in the Catalog Data Standard within the Electronic Data
Access (EDA) system (https://piee.eb.mil) and those disclosures are
current, accurate, and complete (see 239.7X02).
(b) Contracting officers shall not exercise an option or extend the
period of performance on a contract, task order, or delivery order for
information or operational technology, cybersecurity, industrial
control systems, or weapons systems, unless the contractor has
completed all of the foreign obligation disclosures in the Catalog Data
Standard within the EDA system (see 239.7X02).
(c) Contracting officers shall work with the program office to
validate that the offeror has completed all of the foreign obligation
disclosures in the Catalog Data Standard within the EDA system.
[[Page 90259]]
(d) Contracting officers shall follow agency procedures, as
applicable, in the event that the program office notifies the
contracting officer that additional steps must be taken prior to award
based on information disclosed in EDA.
239.7X05 Solicitation provision and contract clause.
(a) Use the provision at 252.239-70YY, Preaward Disclosure of
Foreign Obligations--Representation, in solicitations that include the
clause at 252.239-70ZZ.
(b) Use the clause at 252.239-70ZZ, Postaward Disclosure of Foreign
Obligations, in solicitations and contracts, task orders, or delivery
orders, including those using FAR part 12 procedures for the
acquisition of commercial products and commercial services, for the
acquisition of products, services, or systems relating to information
or operational technology, cybersecurity, industrial control systems,
or weapon systems.
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
6. Add sections 252.239-70YY and 252.239-70ZZ to read as follows:
252.239-70YY Preaward Disclosure of Foreign Obligations--
Representation.
As prescribed in 239.7X05(a), use the following provision:
Preaward Disclosure of Foreign Obligations--Representation (Date)
(a) Definitions. As used in this provision, computer code, open
source software, and source code are defined in the Defense Federal
Acquisition Regulation Supplement 252.239-70ZZ, Postaward Disclosure
of Foreign Obligations, clause of this solicitation.
(b) Prohibition on award. In accordance with section 1655 of
Public Law 115-232, no contract for information or operational
technology, cybersecurity, industrial control systems, or weapon
systems may be awarded to an offeror unless the offeror makes the
disclosures described in paragraph (c).
(c) Disclosures. The Offeror shall complete the following
foreign obligation disclosures in the Catalog Data Standard in the
Electronic Data Access (EDA) system (https://piee.eb.mil):
(1) Whether, and if so, when, at any time after August 12, 2013,
the Offeror--
(i) Has allowed a foreign person or foreign government to review
the source code for any product, system, or service that DoD is
using or intends to use, or the computer code for any other than
commercial product, system, or service developed for DoD; or
(ii) Is under any obligation to allow a foreign person or
foreign government to review, as a condition of entering into an
agreement for sale or other transaction with a foreign government or
with a foreign person on behalf of such a government--
(A) The source code for any product, system, or service that DoD
is using or intends to use; or
(B) The computer code for any other than commercial product,
system, or service developed for DoD; and
(2) Whether or not the Offeror holds or has sought a license
pursuant to the Export Administration Regulations (15 CFR chapter
VII, subchapter C) or the International Traffic in Arms Regulations
(22 CFR chapter I, subchapter M) for information technology
products, components, software, or services that contain computer
code custom-developed for the other than commercial product, system,
or service DoD is procuring.
(d) Exception. The prohibition in paragraph (b) of this
provision does not apply to open source software.
(e) Representation. By submission of its offer, the Offeror
represents that it has completed the foreign obligation disclosures
in EDA and the disclosures are current, accurate, and complete.
(End of provision)
252.239-70ZZ Postaward Disclosure of Foreign Obligations.
As prescribed in 239.7X05(b), use the following clause:
Postaward Disclosure of Foreign Obligations (Date)
(a) Definitions. As used in this clause--
Computer code means a set of instructions, rules, or routines
recorded in a form that is capable of causing a computer to perform
a specific operation or series of operations. It includes both
source code and object code.
Open source software means software for which the human-readable
source code is available for use, study, reuse, modification,
enhancement, and redistribution by the users of such software
(section 1655, Pub. L. 115-232).
Source code means any collection of code, with or without
comments, written using a human-readable programming language,
usually as plain text. This code is later translated into machine
language by a compiler. The translated code is referred to as object
code.
(b) Prohibition. The Contractor shall not provide to DoD any
products, services, or systems relating to information or
operational technology, cybersecurity, industrial control systems,
or weapon systems through a contract or subcontract at any tier
unless the Contractor makes the disclosures described in paragraph
(c).
(c) Disclosures. The Contractor shall complete the following
foreign obligation disclosures in the Catalog Data Standard in the
Electronic Data Access (EDA) system (https://piee.eb.mil):
(1) Whether, and if so, when, at any time after August 12, 2013,
the Contractor--
(i) Has allowed a foreign person or foreign government to review
the source code for any product, system, or service that DoD is
using or intends to use, or the computer code for any other than
commercial product, system, or service developed for DoD;
(ii) Is under any obligation to allow a foreign person or
foreign government to review, as a condition of entering into an
agreement for sale or other transaction with a foreign government or
with a foreign person on behalf of such a government--
(A) The source code for any product, system, or service that DoD
is using or intends to use; or
(B) The computer code for any other than commercial product,
system, or service developed for DoD; and
(2) Whether or not the supplier holds or has sought a license
pursuant to the Export Administration Regulations (15 CFR chapter
VII, subchapter C) or the International Traffic in Arms Regulations
(22 CFR chapter I, subchapter M) for information technology
products, components, software, or services that contain computer
code custom-developed for the other than commercial product, system,
or service DoD is using or intends to use.
(d) Maintenance of disclosures. The Contractor shall maintain
its foreign obligation disclosures in EDA for the life of the
contract.
(e) Identification of information requiring disclosure. In the
event the Contractor identifies information requiring disclosure
during contract performance, or the Contractor is notified of such
by a subcontractor at any tier or any other source, the Contractor
shall update its disclosures in EDA and shall disclose any
mitigation measures taken or anticipated.
(f) Exception. The prohibition in paragraph (b) does not apply
to open source software.
(g) Subcontracts. The Contractor shall--
(1) Insert the substance of this clause, including this
paragraph (g), in subcontracts, or other contractual instruments,
for the acquisition of products, services, or systems relating to
information or operational technology, cybersecurity, industrial
control systems, or weapon systems, including those for commercial
products and commercial services; and
(2) Require the subcontractor to complete the foreign obligation
disclosures in EDA prior to awarding a subcontract.
(End of clause)
[FR Doc. 2024-26058 Filed 11-14-24; 8:45 am]
BILLING CODE 6001-FR-P