On October 5, 2023, the FAR Council released an Interim Rule on “Implementation of Federal Acquisition Supply Chain Security Act (FASCSA) Orders.” The Interim Rule implements requirements from Section 202 of the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”), which will require contractors to ensure certain products and services are excluded from the U.S. Government supply chain as directed by the Federal Acquisition Security Council (“FASC”). The Interim Rule becomes effective 60 days after publication, requiring new FAR clauses to be incorporated into all solicitations and contracts (including orders and modifications) issued after December 4, 2023.
Section 202 of the FASCSA established the FASC, authorizing the Council to make recommendations for orders that would require the removal of specified articles from government information systems (“removal orders”), or the exclusion of sources or covered materials from procurement actions as a whole (“exclusion orders”). In August 2021, the FASC issued a Final Rule adding a new 41 C.F.R. part 201-1, implementing the FASCSA and setting forth the FASC’s processes for issuing removal and exclusion orders to protect the U.S. supply chain – importantly, the FASCSA, and as a result, the FASC itself, is focused primarily on the information and communications technology sector. According to the Final Rule, FASC will evaluate sources and/or covered articles that may present supply chain risk, conduct reasonable diligence into the covered articles and/or sources identified, and will issue a recommendation for next steps. When a removal or exclusion order is issued, U.S. executive agencies and their contractors are expected to comply.
Below are some of the key highlights from the Interim Rule and discussion of the three new FAR clauses:
- FASC can create both “exclusion” and “removal” orders, which may require contractors to “remove” items during contract performance. According to the FAR Council, “[a]n exclusion order is applicable during the process for awarding a new contract or task or delivery order, as it excludes from the offered supplies or services any products or services subject to a FASCSA order.” In other words, like the Section 889 ban, contractors will be prohibited in the first instance from providing articles or services subject to a FASCSA exclusion order during contract performance.
- A removal order, on the other hand, “requires removal of any products or services from an executive agency information system subject to a FASCSA order.” Contractors subject to a removal order may be forced to “remove” covered articles from their supply chains, even during contract performance. There is no guidance on how this process will occur or how much time contractors will be given to “rip and replace” covered articles and sources. When implementing the Section 889 ban, agencies generally issued waivers giving contractors the opportunity to identify and replace covered articles while causing minimal disruption to performance – it remains to be seen how much time contractors will be given to do the same under these new rules.
- As discussed further below, the Interim Rule requires contracting officers to identify FASCSA orders in the new FAR 52.204-30, which will direct contractors to SAM.gov in order to review the orders in full. The Interim Rule suggests that contractors only will need to search for “FASCSA order” on SAM.gov in order to find applicable orders – though it notes that there may be orders not available on SAM, in which case the contracting officers will be required to provide the orders to contractors.
- Offerors must represent compliance with applicable FASCSA orders. Under FAR 52.204-29, Federal Acquisition Supply Chain Security Act Orders – Representation and Disclosures, by virtue of submitting an offer in response to a solicitation containing this clause, offerors will be representing that they have “conducted a reasonable inquiry” and determined they do not propose to provide or use as part of performance any prohibited covered articles or products or services subject to the applicable FASCSA orders. Importantly, though the prohibition and related representation do refer to “use,” this is use in performance of the covered contract – and not “use” in the broader sense as understood under the Section 889 prohibitions.
- Contractors will be required to perform some sort of diligence in advance of submitting bids. A “reasonable inquiry” is defined in FAR 52.204-30 as “an inquiry designed to uncover any information in the entity’s possession about the identity of any covered articles, or any products or services produced or provided by a source,” but does not include “an internal or third-party audit.” This reasonable inquiry requirement will require contractors to have in place processes to not only identify their own covered articles, but also the use or provision of such articles by subcontractors and suppliers.
- Contractors will have a continuing obligation to monitor and report throughout performance. FAR 52.204-30 imposes two reporting obligations on contractors. First, if contractors identify that any covered article, or product or service produced or provided by a covered source, was provided to the Government or used during contract performance, contractors must submit a report to the contracting officer (and for DOD contractors, to https://dibnet.dod.mil), within three business days of such identification. Within ten business days, contractors must submit a follow-up report regarding mitigation actions and efforts to prevent use of such items in the future.
- Second, contractors also have an obligation to review SAM.gov every three months for additional FASCSA orders that may be applicable to contract performance that otherwise are not identified in the contract. Upon determining a new FASCSA order could impact a contractor’s supply chain, the contractor must again conduct a “reasonable inquiry” into whether the covered article or product or service produced or provided by a source was provided to the Government or used during contract performance. Similarly, contractors have three business days from such identification to notify their respective contracting officers.
- The requirements are applicable to all Federal contracts. The new FAR clauses are required to be included in all solicitations and contracts, regardless of the dollar size of the contract, the type of contract, or the type of offeror. In other words, there are no exceptions for purchases below the micro-purchase threshold or the simplified acquisition threshold. And there are no exceptions for small businesses, commercial offerors, or even commercially available, off-the-self (“COTS”) products.
- FAR 52.204-30 is a Mandatory Flow Down for subcontractors. Contractors will be required to include the substance of FAR 52.204-30 in all subcontracts, including with commercial subcontractors, except for the requirement to continuously monitor SAM.gov for additional FASCSA orders. Contractors also have the obligation to notify subcontractors if there are FASCSA orders applicable to contract performance that cannot be found on SAM.gov.
- For certain multi-agency contracts, FASCSA orders likely will apply at the order level. The new clause FAR 52.204-28, Federal Acquisition Supply Chain Security Act Orders – Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts, is to be used in all listed multi-agency contracts. Paragraph (b) again requires compliance with all applicable FASCSA orders throughout contract performance, but notes that applicable orders will be “identified in the request for quotation… or in the notice of intent to place an order.” Specifically, when FAR 52.204-28 is used, contracting officers are directed to also include FAR 52.204-30, Alternative II.
- The prohibition applies both to products and to sources. FASCSA orders may prohibit the use of particular “covered articles,” such as information technology, telecommunications equipment or services, information processors, hardware, systems, devices, software, and services. But orders may also cover certain “sources” themselves, prohibiting the use of any products or services provided by a named supplier, similar to the FAR prohibitions already in place for products and services provided by covered telecommunications equipment manufacturers named under Section 889, Kaspersky Labs, and others.
- Waivers may be available. If offerors are not able to make the representation in FAR 52.204-29, the FAR clause does recognize opportunities to seek waivers. Offerors must disclose all pertinent information in their bid, as laid out in paragraph (e), including the name of the product or service, the name of the covered article or source subject to a FASCSA order, the names of any applicable vendors or brands, model numbers, etc. This information is meant to inform the contracting officer as to whether a waiver is appropriate on a case-by-case basis.
* * * *
The Interim Rule extends the FASCSA requirements to contractors and suppliers, and continues the U.S. Government’s recent efforts to improve information sharing and address supply chain risks in acquisition – specifically, by reducing or removing threats that could result in data and/or intellectual property theft, damage to critical infrastructure, harm to information systems, or otherwise harm national security. This move follows along the lines of similar exclusions in government procurement in recent years, including the FY 2018 National Defense Authorization Act Section 889 bans on the procurement of certain covered telecommunications equipment. What makes this Interim Rule interesting, though, is its departure from standard rulemaking processes, The Interim Rule broadly incorporates the requirement for companies to comply with potentially ever-evolving exclusion and removal orders, allowing the Executive branch to issue orders prohibiting the procurement or use of covered articles and sources without going through a formal rulemaking process to create new regulatory requirements each time.
As of the date of this publication, there are no FASCSA orders published to SAM.gov. Only time will tell how many orders will be published, and how many orders may apply to any given contract. One can imagine how burdensome this process has the potential to become where contractors essentially are required to be aware of an evolving list of exclusions, comply with all FASCSA orders, and to have processes in place to address and/or remove any covered articles subject to new FASCSA orders as they are implemented throughout performance.
As a reminder, the Interim Rule becomes effective December 4, 2023 – and contractors are encouraged to submit questions and comments relating to the Final Rule by the same date. The FAR Council specifically seeks comment regarding: (1) additional information or guidance contractors need to comply with the Interim Rule, and (2) what challenges contractors anticipate facing in effectively complying with the Interim Rule – and notes that comments will be considered in the implementation of the forthcoming Final Rule. Though, given how long the FAR Council has taken to issue a Final Rule relating to Section 889 compliance, we are not holding our breath. In the meantime, contractors would be wise to evaluate internal processes and controls that can be used to identify covered articles and/or sources in the performance of their government contracts – and to start preparing now for the steps to be taken to handle FASCSA orders issued during performance.