Coming December 4: Do You Know Where Your Supply Chain Risks Are? FAR Council Issues Interim Rule Requiring Contractor Diligence for FASC Exclusion and Removal Orders

On October 5, 2023, the Federal Acquisition Regulation (FAR) Council published an interim rule to prohibit, in the performance of a government contract, the delivery or use of “covered articles” (which includes certain information technology and telecommunications equipment, hardware, systems, devices, software, and services) subject to a Federal Acquisition Supply Chain Security Act (FASCSA) exclusion or removal order.  The interim rule also imposes obligations for a related “reasonable inquiry” at the time of proposal submission and quarterly monitoring during contract performance.  These changes implement the FASCSA of 2018 (P.L. 115-390).  While the Federal Acquisition Security Council (FASC) and the order-issuing agencies (Department of Homeland Security (DHS), Department of Defense (DoD), and the Office of the Director for National Intelligence (ODNI)) have not yet issued any such FASCSA orders, those orders will be identified in the System for Award Management (SAM) or – in some cases – identified in and specific to the contract and any resulting subcontracts.

The new FAR clauses implementing these changes will apply to all contracts, including contracts below the simplified acquisition threshold (SAT), contracts or orders for commercial products or services (including commercial off-the-shelf (COTS) items), and orders under indefinite delivery, indefinite quantity contracting vehicles.  The interim rule goes into effect on December 4, 2023 and comments on the interim rule are due on December 4, 2023 as well.

FASCSA and the FASC

The interim rule is the latest step in implementing FASCSA.  A prior interim rule established the FASC as the repository for reports of supply chain risk.  The FASC uses that information to draft recommended orders, which DHS, DoD, and ODNI review for approval.  FASCSA orders apply as follows:

Table 1. FASCSA Order Applicability.

A FASCSA order may require the exclusion of covered sources or articles from federal procurement activities (as a prime contractor or subcontractor at any tier) and/or removal of covered articles from federal or contractor information systems. 

October 2023 Interim Rule Prohibits Delivery of Covered Articles and Requires At Least Quarterly Monitoring for Prohibited Covered Articles

Three new FAR clauses, FAR 52.204-28, -29, and -30, prohibit contractors from providing any named covered article, or any product or service from a named source, that is subject to an applicable FASCSA order.  These clauses are required to be included in all applicable solicitations or contracts, including those below the SAT, for commercial products or services, or COTS items, due to the “unacceptable level of risk for the Government in buying products or services subject to a FASCSA order.”

Key Definitions “Covered articles” include (1) information technology, including cloud services; (2) telecommunications equipment and services; (3) information processing on a federal or non-federal information system subject to Controlled Unclassified Information program requirements; and (4) “hardware, systems, devices, software, or services that include embedded or incidental information technology.” Information technology is defined by statute (rather than the standard definition at FAR 2.101) to include IT equipment when the contract requires the use of such equipment, or requires the use of such equipment “to a significant extent in the performance of a service or the furnishing of a product” but does not include “equipment acquired by a Federal contractor incidental to a Federal contract.” A “source” includes any non-federal actual or potential supplier of products or services, at any tier. A “FASCSA order” is an order issued under the FASCSA requiring the removal or exclusion of covered articles. A removal order requires the removal of covered articles from executive agency information systems, and an exclusion order requires the exclusion of named sources or named covered articles from executive agency procurement actions.  The DHS issues FASCSA orders to civilian agencies, the DoD issues FASCSA orders to defense agencies, and the DNI issues FASCSA orders to intelligence agencies.  See Table 1. A “reasonable inquiry” is one designed to uncover any information in the contractor’s possession about the identity of any covered articles, or products or services from a source subject to an applicable FASCSA order. The interim rule is explicit that a reasonable inquiry does not require an internal or third-party audit.

• FAR 52.204-29, Federal Acquisition Supply Chain Security Act Orders-Representation and Disclosures, requires offerors to represent that they will not provide or use as part of performance of the contract any named covered article, or any products or services from a named source, subject to an applicable FASCSA order, or disclose any such articles used in order to request a waiver.
  • Representation: Submission of an offer constitutes a representation that the offeror made a “reasonable inquiry” into its supply chain and does not propose to provide or use any covered article, or any products or services produced or provided by a source, if the article or source is prohibited by an applicable FASCSA order in response to the solicitation, except if waived by the solicitation, or as disclosed.
  • Disclosure and Waiver Request: If the offeror cannot make this representation, then for any covered article subject to an applicable FASCSA order, or any products or services produced or provided by a source subject to an applicable FASCSA order, the offeror may request a waiver.[1]
• FAR 52.204-30, Federal Acquisition Supply Chain Security Act Orders-Prohibition, prohibits contractors from providing or using in the performance of the contract any named covered article, or any product or service, covered by a FASCSA order (unless under a waiver). The clause requires the following:
  • Monitoring: Contractors must review the System for Award Management (“SAM”) at least once every three months or more often as advised by the contracting officer to determine if new FASCSA orders apply to their supply chains.[2] The contractor must conduct a reasonable inquiry to determine whether its supply chain is affected.  If the supply chain includes covered articles under a new FASCSA order (or it is discovered at any point that the supply chain or deliveries to the government have included covered articles under preexisting FASCSA orders), then the contractor must provide notice and report to the government.
  • Notice and Reporting: If a FASCSA order applies to a product in a contractor’s supply chain and is to be or has been provided to the Government or used during contract performance, the provision requires the contractor to report it to the contracting officer within three (3) business days with basic information on the product or service, including “readily available information about mitigation actions.”[3] Then, within ten (10) business days, the contractor must update that report with information on mitigation actions taken and actions taken to prevent future submissions or use of covered articles or sources.  Subcontractors must make the same report to the prime contractor, who in turn must notify the contracting officer.  
  • Waiver: A contractor may submit a written request to the contracting officer for a waiver to a new FASCSA order.[4] The contracting officer then decides whether—or not—to issue a waiver. 
  • Flowdown: These requirements must be flowed down to all subcontracts, including for commercial products and services.
• FAR 52.204-28, Federal Acquisition Supply Chain Security Act Orders-Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts, requires contractors to comply with FASCSA orders and to remove any covered articles or products or services subject to a FASCSA order when notified of the order by the contracting officer. This clause is a required provision in solicitations and contracts under all FSS, GWACs, and multi-agency contracts when FASCSA orders will be applied at the task- or delivery-order level. 

FAR Subpart 4.23, Federal Acquisition Security Council Information Sharing

The interim rule also adds FAR Subpart 4.23, which requires contracting agencies to share relevant supply chain risk information with FASC, and identifies procedures for agencies to implement FASCSA exclusion or removal orders for “covered articles.”  This Subpart establishes procedures for executive agencies to request waivers from a FASCSA order (or parts thereof) for (1) an agency; (2) specific agency actions or a specific class of acquisitions; (3) agency actions before compliance with a FASCSA order is practicable; or (4) other limited agency activities.[5] 

Key Takeaways

While the FAR Council acknowledges significant cost for contractors to perform the requisite supply chain diligence and monitoring, the Council assumes contractors will leverage existing policies and procedures for other exclusions (e.g., Kaspersky ban, Section 889) in implementing this supply chain management requirement.  While the new rule does provide for waivers, such waivers likely will be limited similar to the few granted waivers for Section 889 and other supply chain restrictions. 

Before the December 4, 2023 effective date, contractors can begin taking steps to ensure that they can comply with the new clauses by:

• Ensuring that their supply chain tracking systems are capable of conducting or supporting a “reasonably inquiry” to determine whether they have any “covered articles” subject to relevant FASCSA orders in their internal infrastructure and public sector supply chain.
• Establishing a process for reviewing solicitations for contract-specific FASCSA orders and reviewing SAM for new FASCSA orders at the time of proposal submission and, subsequently, at least every 3 months;
• Updating employee/subcontractor device policies as necessary to reflect FASCSA orders;
• Circulating guidance on FASCSA order restrictions to applicable supply chain management and procurement employees and to subcontractors;
• Communicating with information technology personnel and considering whether technical solutions can and should be deployed; and
• Preparing to incorporate FAR 52.204-28, -29, and -30 into subcontract flowdowns effective December 4, 2023.

 

We would like to thank Dilan Wickrema, Senior Law Clerk, for his contribution to this alert.