Off the (Supply) Chain: Director of National Intelligence Issues First Exclusion and Removal Order Under the Federal Acquisition Supply Chain Security Act

On September 18, 2025, the Director of National Intelligence (DNI) issued the first order under the authority conferred by the Federal Acquisition Supply Chain Security Act (FASCSA), requiring exclusion and removal of products and services by an identified source.^[1]

	Name	Excluding Agency	Additional Comments	Active Date	Termination Date	Creation Date	Update Date	Exclusion Type	FASCSA Order Flag
Firm	ACRONIS AG	ODNI	FASCA Order --Acronis and all subordinate, subsidiary, or affiliated organizations doing business under various names in support of the parent company, Acronis AG (Acronis), that the DNI has issued an order to exclude Acronis from all Intelligence Community (IC) executive agency procurement actions. It further orders the removal of covered articles provided by Acronis from information systems applicable to the IC and sensitive compartmented information systems. This order was issued pursuant to the Federal Acquisition Supply Chain Security Act of 2018, Pub. L. No.115-390, title II; codified at 41 U.S.C. §§ 1321-1328. The basis for this order pertains to information as was relayed to Acronis i the Notice to Source document.  Additional information is available in an Announcement on the NRO JWICS Acquisition Research Center Dashboard, search Acronis.	7/11/2025	Indefinite	9/15/2025	9/15/2025	Prohibition/Restriction	Y

 

This first order comes almost two years after the FAR Council issued the FAR clauses that dictate contractor compliance with FASCSA exclusion or removal orders. (Read more about the contractor obligations here.)

FASCSA established the Federal Acquisition Security Council (FASC), which is an inter-agency body created to assess supply-chain risk and make removal and exclusion recommendations to three order-issuing agencies: DNI, with respect to the Intelligence Community (IC) agencies, the Department of Homeland Security (DHS), with respect to civilian agencies, and the Department of Defense (DOD), with respect to defense agencies. This specific order, issued by the DNI, is applicable to the IC agencies^[2] and contracts involving sensitive compartmented information (SCI) systems. It has two parts. First, Acronis, its parent Acronis AG, and its affiliate companies (collectively, Acronis), are excluded from IC procurement actions. Second, the order designates as “covered articles” all Acronis products or services and requires contractors to remove all such Acronis “covered articles” from information systems “applicable to” the IC and SCI systems.

To carry out a FASCSA order, impacted contractors must undertake a reasonable inquiry into their supply chains to identify any provision or use of the “covered articles” in the performance of an applicable contract, pursuant to FAR 52.204-30. If a contractor identifies covered articles, then FAR 52.204-30 requires the contractor to notify the contracting officer within three business days and update that report with mitigation actions within ten business days.

With the FASCSA gates now open, contractors should continue to monitor both for additional FASCSA orders and impacts to their supply chains.