Cyber and Government Procurement: An Update as the FASC Piles on Supply Chain Security Regulations

We continue to track developments affecting government contractor cybersecurity and supply chains, as the federal government churns out proposals and rules. Wiley’s supply chain, cyber, government contracts, and national security teams are helping clients deal with uncertainties created by varied developments. Recently, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) issued an interim rule amending the Federal Acquisition Regulations (FAR) to implement supply chain risk information sharing and exclusion or removal orders under the Federal Acquisition Supply Chain Security Act of 2018 (FASCSA) as well as amending a prior rule issued by the Federal Acquisition Security Council (FASC). The interim rule went into effect on December 4, 2023, and the comment deadline was February 2, 2024. This is just one of several procurement-related moves that the private sector has increasingly been watching and engaged on, and we have reviewed the docket for notable issues.

What is the FASC? The Federal Acquisition Supply Council was created by Congress in 2018 but it has been largely quiet and has not taken many public actions. The FASC has the authority to recommend the exclusion of technologies and manufacturers from future federal procurements and the removal of covered products or services from federal or contractor information systems during performance and will recommend the exclusion or removal orders. The FASC has not yet recommended any removal or exclusion orders, and contractors are watching for clues about the scope of orders that may be issued in the future. It was created as Congress and agencies began to take concrete actions to address concerns about equipment from hostile nation states being used in federal contracts. Wiley has covered those issues extensively, from the FASC’s first work to the implementation of National Defense Authorization Act (NDAA) Section 889 as well as DOD and other lists.

What is new? The new interim rule creates three new FAR clauses—FAR 52.204-28, -29, and -30, which aim to protect the federal supply chain by eliminating technology that foreign adversaries could exploit for malicious cyber activities. The interim rule specifies when each of the clauses should be used by contracting officers. 

  • When a FASCSA order is issued after award, the contracting officer may issue a contract term through a modification that incorporates FAR Clause 52.204-28, Federal Acquisition Supply Chain Security Act Orders-Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts requiring compliance with the order.
  • FAR Clause 52.204-29, Federal Acquisition Supply Chain Security Act Orders-Representation and Disclosures is used to prohibit contractors from providing covered articles, products or services. In responding to contract solicitations containing a new FASCSA order, the “offeror will represent, after conducting a reasonable inquiry, that the offeror does not propose to provide or use any prohibited covered articles or products or services subject to a FASCSA order.” 
  • Contracting officers will use FAR Clause 52.204-30, Federal Acquisition Supply Chain Security Act Orders-Prohibition to identify applicable FASCSA orders.

The interim rule intends to help the Department of Defense (for DoD and national security systems orders), Department of Homeland Security (for civilian agency orders), and Office of the Director of National Intelligence (for Intelligence Community orders) issue exclusion or removal orders for sources and covered articles posing supply chain risk in the procurement of information and communications technology (ICT).

Why does the private sector care? Among other things, industry is concerned about uncertainty and the disruptive effect that FASCSA orders may have. Groups like the Coalition for Government Procurement explained that contractors have “significant comments and questions related to how to best comply with the requirements contained in this interim rule and respectfully requests clarification from the Government on these issues prior to implementation. We request that the FASC delay the issuance of any FASCSA Orders or use by the government of the FASCSA site that is already available within SAM until the FASC has had time to consider industry’s comments.” The U.S. Chamber, along with Airlines for America (A4A), the  Association of American Railroads (AAR), and Edison Electric Institute (EEI), made several suggestions and raised concerns about practical issues like the impact of FASCSA orders on existing contracts and whether equitable adjustments would be permitted. They also noted that reporting deadlines are too short: “when a contractor identifies that a covered article or source is subject to a new FASCSA order and was provided to the government or used during contract performance, the contractor must notify the government within 3 business days and provide certain information."

Much like industry requests for clarification on how the process will work in practice, industry comments on the interim rule have sought clarification related to issues such as when a covered article is considered to be used “as part of” or “during” contract performance, contractors’ remedies when FASCSA orders are applied to existing contracts, contractors’ reporting obligations, and the extent of contractors’ obligations to monitor to identify new FASCSA orders.  

What is going to happen going forward? Contracting officers have begun incorporating the new clauses into all relevant solicitations and contracts (and contract extensions of performance) issued after December 4, 2023, including those below the simplified acquisition threshold and commercial acquisitions. Government contractors using equipment subject to a FASCSA order in an existing order may be forced to take costly mitigation actions. Going forward, the uncertainties created by the interim rule can be counterbalanced by routinely conducting inquiries into supply chains, using ICT that can be sourced from multiple vendors, tracking new FACSA orders, and adopting policies and contractual provisions to obtain and update supply chain information from vendors.

Wiley’s supply chain, cyber, government contracts, and national security teams will continue to monitor these developments.

Wiley Connect

Sign up for updates

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.