Subpart 4.23 Federal Acquisition Security Council.
4.2300 Scope of subpart.
This subpart implements the Federal Acquisition Supply Chain Security Act of 2018 (title II of Pub. L. 115–390) and the Federal Acquisition Security Council (FASC) regulation at 41 CFR part 201–1. The authority provided in this subpart expires on December 31, 2033 (see 41 U.S.C. 1328).
4.2301 Definitions.
As used in this subpart—
Covered article as defined in 41 U.S.C. 4713(k), means—
(1) Information technology, as defined in 40 U.S.C. 11101, including cloud computing services of all types;
(2) Telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153);
(3) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program (see 32 CFR part 2002); or
(4) Hardware, systems, devices, software, or services that include embedded or incidental information technology.
FASCSA order means any of the following orders issued under the Federal Acquisition Supply Chain Security Act (FASCSA) requiring the removal of covered articles from executive agency information systems or the exclusion of one or more named sources or named covered articles from executive agency procurement actions, as described in 41 CFR 201–1.303(d) and (e):
(1) The Secretary of Homeland Security may issue FASCSA orders applicable to civilian agencies, to the extent not covered by paragraph (2) or (3) of this definition. This type of FASCSA order may be referred to as a Department of Homeland Security (DHS) FASCSA order.
(2) The Secretary of Defense may issue FASCSA orders applicable to the Department of Defense (DoD) and national security systems other than sensitive compartmented information systems. This type of FASCSA order may be referred to as a DoD FASCSA order.
(3) The Director of National Intelligence (DNI) may issue FASCSA orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by paragraph (2) of this definition. This type of FASCSA order may be referred to as a DNI FASCSA order.
Federal Acquisition Security Council (FASC) means the Council established pursuant to 41 U.S.C. 1322(a).
Intelligence community, as defined by 50 U.S.C. 3003(4), means the following—
(1) The Office of the Director of National Intelligence;
(2) The Central Intelligence Agency;
(3) The National Security Agency;
(4) The Defense Intelligence Agency;
(5) The National Geospatial-Intelligence Agency;
(6) The National Reconnaissance Office;
(7) Other offices within the Department of Defense for the collection of specialized national intelligence through reconnaissance programs;
(8) The intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Coast Guard, the Federal Bureau of Investigation, the Drug Enforcement Administration, and the Department of Energy;
(9) The Bureau of Intelligence and Research of the Department of State;
(10) The Office of Intelligence and Analysis of the Department of the Treasury;
(11) The Office of Intelligence and Analysis of the Department of Homeland Security; or
(12) Such other elements of any department or agency as may be designated by the President, or designated jointly by the Director of National Intelligence and the head of the department or agency concerned, as an element of the intelligence community.
National security system, as defined in 44 U.S.C. 3552, means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—
(1) The function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions, but does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications); or
(2) Is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
Reasonable inquiry means an inquiry designed to uncover any information in the entity's possession about the identity of any covered articles, or any products or services produced or provided by a source. This applies when the covered article or the source is subject to an applicable FASCSA order. A reasonable inquiry excludes the need to include an internal or third-party audit.
Sensitive compartmented information means classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence.
Sensitive compartmented information system means a national security system authorized to process or store sensitive compartmented information.
Source means a non-Federal supplier, or potential supplier, of products or services, at any tier.
Supply chain risk, as defined in 41 U.S.C. 4713(k), means the risk that any person may sabotage, maliciously introduce unwanted functionality, extract data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, maintenance, disposition, or retirement of covered articles so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the covered articles or information stored or transmitted on the covered articles.
Supply chain risk information includes, but is not limited to, information that describes or identifies:
(1) Functionality and features of covered articles, including access to data and information system privileges;
(2) The user environment where a covered article is used or installed;
(3) The ability of a source to produce and deliver covered articles as expected;
(4) Foreign control of, or influence over, a source or covered article (e.g., foreign ownership, personal and professional ties between a source and any foreign entity, legal regime of any foreign country in which a source is headquartered or conducts operations);
(5) Implications to government mission(s) or assets, national security, homeland security, or critical functions associated with use of a covered source or covered article;
(6) Vulnerability of Federal systems, programs, or facilities;
(7) Market alternatives to the covered source;
(8) Potential impact or harm caused by the possible loss, damage, or compromise of a product, material, or service to an organization's operations or mission; and
(9) Likelihood of a potential impact or harm, or the exploitability of a system;
(10) Security, authenticity, and integrity of covered articles and their supply and compilation chain;
(11) Capacity to mitigate risks identified;
(12) Factors that may reflect upon the reliability of other supply chain risk information; and
(13) Any other considerations that would factor into an analysis of the security, integrity, resilience, quality, trustworthiness, or authenticity of covered articles or sources.
4.2302 Sharing supply chain risk information.
(a) Executive agencies are required to share relevant supply chain risk information with the FASC if the executive agency has determined there is a reasonable basis to conclude a substantial supply chain risk associated with a source or covered article exists (see 41 CFR 201–1.201).
(b) In support of information sharing described in paragraph (a) of this section, the contracting officer shall work with the program office or requiring activity in accordance with agency procedures regarding the sharing of relevant information on actual or potential supply chain risk determined to exist during the procurement process.
4.2303 FASCSA orders.
(a) Executive agencies are prohibited from procuring or obtaining, or extending or renewing a contract to procure or obtain, any covered article, or any products or services produced or provided by a source, including contractor use of covered articles or sources, if that prohibition is established by an applicable FASCSA order issued by the Director of National Intelligence, Secretary of Defense, or Secretary of Homeland Security (the “issuing official”) (see 41 CFR 201–1.304(a)).
(b) If a covered article or the source is subject to an applicable Governmentwide FASCSA order issued collectively by the Director of National Intelligence, Secretary of Defense, and Secretary of Homeland Security, executive agencies responsible for management of the Federal Supply Schedules, Governmentwide acquisition contracts, and multi-agency contracts shall facilitate implementation of a collective FASCSA order by removing the covered articles or sources identified in the FASCSA order from such contracts (see 41 CFR 201–1.303(g)).
(c)(1) FASCSA orders regarding sources or covered articles will be found in the System for Award Management (SAM), by searching for the phrase “FASCSA order”. SAM may be updated as new FASCSA orders are issued.
(2) Some FASCSA orders will not be identified in SAM and will need to be identified in the solicitation to be effective for that acquisition. The requiring activity or program office will identify these FASCSA orders to the contracting officer (see 4.2304(d)).
(3) The contracting officer shall work with the program office or requiring activity to identify which FASCSA orders apply to the acquisition.
4.2304 Procedures.
(a) Identifying applicable FASCSA orders. The applicability of FASCSA orders to a particular acquisition depends on the contracting office's agency, the scope of the FASCSA order, the funding, and whether the requirement involves certain types of information systems (see the definition of FASCSA order at 4.2301). The contracting officer shall coordinate with the program office or requiring activity to identify the FASCSA order(s) that apply to the acquisition as follows:
(1) Unless the program office or requiring activity instructs the contracting officer otherwise, FASCSA orders apply as follows: contracts awarded by civilian agencies will be subject to DHS FASCSA orders, and contracts awarded by the Department of Defense will be subject to DoD FASCSA orders. See paragraph (b) of 52.204-30, Federal Acquisition Supply Chain Security Act Orders-Prohibition.
(2) For acquisitions where the program office or the requiring activity instructs the contracting officer to select specific FASCSA orders, the contracting officer must select “yes” or “no” for each applicable type of FASCSA order (i.e., “DHS FASCSA Order” “DoD FASCSA Order” or “DNI FASCSA Order”). See paragraph (b)(1) of 52.204-30, Federal Acquisition Supply Chain Security Act Orders—Prohibition, with its Alternate I.
(b) Federal Supply Schedules, Governmentwide acquisition contracts, multi-agency contracts specific procedures—
(1) Applying FASCSA orders. An agency awarding this type of contract may choose to apply FASCSA orders in accordance with agency policy as follows:
(i) Application at the contract level. The agency awarding the basic contract may choose to apply FASCSA orders to the basic contract award. This is the preferred method, especially if small value orders or orders without a request for quotation (RFQ) are expected. Ordering activity contracting officers may use this contract vehicle without taking further steps to identify applicable FASCSA orders in the order. The contracting officer awarding the basic contract would select “yes” for all FASCSA orders (i.e., “DHS FASCSA Order” “DoD FASCSA Order” and “DNI FASCSA Order”) (see paragraph (b)(1) of 52.204-30, Federal Acquisition Supply Chain Security Act Orders—Prohibition, with its Alternate I). If the contracting officer becomes aware of a newly issued applicable FASCSA order, then the agency awarding the basic contract shall modify the basic contract to remove any covered article, or any products or services produced or provided by a source, prohibited by the newly issued FASCSA order.
(ii) Application at the order level. The agency awarding the basic contract may choose to apply FASCSA orders at the order level, as implemented by the ordering activity contracting officer.
(2) Collective FASCSA orders. If a new FASCSA order is issued collectively by the Secretary of Homeland Security, Secretary of Defense, and Director of National Intelligence, then the contracting officer shall modify the basic contract based upon the requirements of the order, removing any covered article, or any products or services produced or provided by a source (see 4.2303(b)).
(3) Interagency acquisitions. For an interagency acquisition (see subpart 17.5) where the funding agency differs from the awarding agency, the funding agency shall determine the applicable FASCSA orders.
(4) Inconsistencies. If any inconsistency is identified between the basic contract and the order, then the FASCSA orders identified in the order will take precedence.
(c) Updating the solicitation or contract for new FASCSA orders. The contracting officer shall update a solicitation or contract if the program office or requiring activity determines it is necessary to:
(1) Amend the solicitation to incorporate FASCSA orders in effect after the date the solicitation was issued but prior to contract award; or
(2) Modify the contract to incorporate FASCSA orders issued after the date of contract award.
(i) Any such modification should take place within a reasonable amount of time, but no later than 6 months from the determination of the program office or requiring activity.
(ii) If the contract is not modified within the time specified in paragraph (c)(2)(i) of this section, then the contract file shall be documented providing rationale why the contract could not be modified within this timeframe.
(d) Agency specific procedures. The contracting officer shall follow agency procedures for implementing FASCSA orders not identified in SAM (see 4.2303(c)(2)).
(e) Disclosures. If an offeror provides a disclosure pursuant to paragraph (e) of 52.204-29, Federal Acquisition Supply Chain Security Act Orders—Representation and Disclosures, the contracting officer shall engage with the program office or requiring activity to determine whether to pursue a waiver, if available, in accordance with 4.2305 and agency procedures or not award to that offeror. For FASCSA orders handled at the order level, the disclosures language is found at paragraph (b)(5) of 52.204-30, Federal Acquisition Supply Chain Security Act Orders—Prohibition, with its Alternate II.
(f) Waiver. An acquisition may be either fully or partially covered by a waiver. Partial waiver coverage occurs when only portions of the products or services being procured or provided by a source are covered by an applicable waiver. If the requiring activity notifies the contracting officer that the acquisition is partially covered by an approved individual waiver or class waiver under 4.2305, then the contracting officer shall work with the program office or requiring activity to identify in the solicitation, RFQ, or order, the covered articles or services produced by or provided by a source that are subject to the waiver (see 41 CFR 201–1.304(b)).
(g) Reporting. If a contractor provides a report pursuant to paragraph (c) of 52.204-30, Federal Acquisition Supply Chain Security Act Orders—Prohibition, the contracting officer shall engage with the agency supply chain risk management program in accordance with agency procedures.
4.2305 Waivers.
(a) An executive agency required to comply with a FASCSA order may submit a request that the order or some of its provisions not apply to—
(1) The agency;
(2) Specific actions of the agency or a specific class of acquisitions;
(3) Actions of the agency for a period of time before compliance with the order is practicable; or
(4) Other activities, as appropriate, that the requesting agency identifies.
(b) A request for waiver shall be submitted by the executive agency in writing to the official that issued the order, unless other instructions for submission are provided by the applicable FASCSA order.
(c) The request for waiver shall provide the following information for the issuing official to review and evaluate the request, including—
(1) Identification of the applicable FASCSA order;
(2) A description of the exception sought, including, if limited to only a portion of the order, a description of the order provisions from which an exception is sought;
(3) The name or a description sufficient to identify the covered article or the product or service provided by a source that is subject to the order from which an exception is sought;
(4) Compelling justification for why an exception should be granted, such as the impact of the order on the agency's ability to fulfill its mission-critical functions, or considerations related to the national interest, including national security reviews, national security investigations, or national security agreements;
(5) Any alternative mitigations to be undertaken to reduce the risks addressed by the FASCSA order; and
(6) Any other information requested by the issuing official.
(d) The contracting officer, in accordance with agency procedures and working with the program office or requiring activity, shall decide whether to pursue a waiver or to make award to an offeror that does not require a waiver in accordance with the procedures at 4.2304(f). If a waiver is being pursued, then the contracting officer may not make an award until written approval is obtained that the waiver has been granted.
4.2306 Solicitation provision and contract clauses.
(a) In all Federal Supply Schedules, Governmentwide acquisition contracts, and multi-agency contracts where FASCSA orders are applied at the order level, the contracting officer shall insert the clause at 52.204-28, Federal Acquisition Supply Chain Security Act Orders—Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts, in the basic contract solicitation and resultant contract (see 4.2304(b)(1)(ii)).
(b) The contracting officer shall insert the provision at 52.204-29, Federal Acquisition Supply Chain Security Act Orders—Representation and Disclosures—
(1) In all solicitations, except for Federal Supply Schedules, Governmentwide acquisition contracts, and multi-agency contracts.
(2) In all solicitations for Federal Supply Schedules, Governmentwide acquisition contracts, and multi-agency contracts, if FASCSA orders are applied at the contract level (see 4.2304(b)(1)(i)).
(c) The contracting officer shall insert the clause at 52.204-30, Federal Acquisition Supply Chain Security Act Orders—Prohibition—
(1) In solicitations and contracts if the conditions specified at 4.2304(a)(1) apply, except for Federal Supply Schedules, Governmentwide acquisition contracts, and multi-agency contracts. For acquisitions where conditions specified at 4.2304(a)(2) apply, then the contracting officer shall use the clause with its Alternate I.
(2) In Federal Supply Schedules, Governmentwide acquisition contracts, and multi-agency contracts—
(i) Where FASCSA orders are applied at the contract level, with its Alternate I in all solicitations and resultant contracts. See 4.2304(b)(1)(i).
(ii) Where FASCSA orders are applied at the order level, with its Alternate II in all RFQs, or in all notices of intent to place an order. See 4.2304(b)(1)(ii).