Companies have less than one week to submit comments regarding a recent interim rule that provides the responsibilities, processes, and procedures for the Federal Acquisition Security Council (“FASC”), established by the Federal Acquisition Supply Chain Security Act of 2018. Under the immediately effective interim rule, the FASC is responsible for assessing supply chain risk and making removal and exclusion recommendations to the Secretary of the Department of Homeland Security (“DHS”), Secretary of the Department of Defense (“DoD”), and Director of National Intelligence (“DNI”). Based on these recommendations, DoD, DHS, and the Office of the DNI (“ODNI”) then have authority to issue exclusion and removal orders for sources and/or covered articles deemed to pose a supply chain risk from certain procurements.
The interim rule is divided into three sections. As further described below, Subpart A provides key definitions, outlines the membership of the FASC (including representatives from at least 12 agencies or departments), and describes the FASC’s authority to request information and establish subordinate bodies. Subpart B establishes the DHS Cybersecurity and Infrastructure Security Agency (“CISA”) as the subordinate body for the collection of supply chain risk information from executive agencies and the Interagency Supply Chain Risk Management Task Force as the subordinate body for the analysis of that information. The interim rule also provides guidance on mandatory and voluntary supply chain risk information submissions. Finally, Subpart C focuses on the FASC’s removal and exclusion recommendation process, as well as the process for review of those recommendations.
Information-Sharing with the FASC. Executive agencies are required to submit supply chain risk information to CISA when (1) the FASC requests information relating to a particular source[1], covered article[2], or covered procurement[3]; or (2) the agency has determined there is a reasonable basis to conclude there is a substantial supply chain risk associated with a source, article, or covered procurement.
Contractors and any federal or non-federal entity may voluntarily submit information to the FASC that relates to supply chain risk management, covered articles or procurements, or sources. The interim rule provides some protection for the submitted information, but the relationship between the FASC’s information protections and Freedom of Information Act requests remains unclear. To be afforded information protections, submissions to the FASC should include proper markings, handling, dissemination, and use restrictions including IP markings, business confidentiality markings, or contractual dissemination restrictions. The rule states that the FASC, its Task Force, and CISA will handle the information in accordance with the markings provided.
Removal and Exclusion Recommendations. The FASC may evaluate sources or covered articles (1) upon referral to the FASC or to a member of the FASC; (2) upon written request by an executive agency; or (3) based on information that is submitted to the FASC on a mandatory or voluntary basis and that the FASC deems credible. The Council will then evaluate the sources or covered articles based on a series of non-exclusive factors including foreign ownership, control, or influence; security breaches; access to sensitive information; and other relevant supply chain risk information. As part of this analysis, the FASC also must conduct due diligence, such as (1) reviewing information available to the FASC; (2) evaluating and accounting for the level of confidence in the information provided; and (3) examining public and commercially-available information as necessary or appropriate. The FASC then prepares a recommendation for DoD, DHS, and ODNI. The recommendation must include a summary of the basis for the recommendation and the assessment conducted, the scope of the recommendation, information for identifying the sources or covered articles, and any possible mitigation steps that would change the FASC’s recommendation. Any source named in a recommendation will be provided notice of the FASC’s recommendation and may respond to the recommendation with additional information or argument. The FASC will not release any recommendations to a non-federal entity unless a decision on whether to issue an exclusion or removal order has been made by DoD, DHS, and ODNI and the affected source has been notified of the decision.
Removal and Exclusion Orders. The Secretary of DHS, the Secretary of DoD, and the DNI will review the Council’s recommendations, accompanying information, and source-submitted information to determine whether to issue a removal or exclusion order. A DoD, DHS, or ODNI order is only applicable to the specific agencies under the DoD, DHS, or ODNI’s purview as identified in the rule (see Removal and Exclusion Order Applicability graphic). Orders must be reviewed annually and may be modified or rescinded; however, modifications may not apply more broadly than the initial order. Named sources, CISA, appropriate Congressional Committees and leadership, and the Interagency Suspension and Debarment Committee will be notified of an issued order. An exclusion order may require the exclusion of covered sources or articles from federal procurement activities (as a prime contractor or subcontractor at any tier), and/or could require removal of covered articles from federal or contractor information systems. And in the event that DHS, DoD, and ODNI all issue removal or exclusion orders that amount to a government-wide exclusion, then the Federal Supply Schedules (“FSS”) and government-wide acquisition contracts shall facilitate implementation by removing covered articles or sources identified in the removal and exclusion orders from such FSS and multi-agency contract vehicles.
[Graphic: Removal and Exclusion Order Applicability]
Comments on the interim rule are due no later than November 2, 2020. Because of the potential costly impact of the removal and exclusion orders, as well as their mandatory ties to the Interagency Suspension and Debarment Committee, contractors should carefully consider the interim FASC process.
The FASC interim rule was one of many pieces of supply chain security-related news in September, along with the long-awaited DFARS cybersecurity rules and the National Counterintelligence and Security Center Supply Chain Risk Management Summary Publication. With the 2021 NDAA around the corner and 2020 NDAA microelectronics standards deadline looming, this will continue to be an active area for counsel to follow. For up-to-date information on Supply Chain Security and Risk Management developments, see Crowell’s SCRM site here.
[1] A “source” is a non-federal supplier, or potential supplier, of products or services, at any tier.
[2] A “covered article” is any of the following:
(1) Information technology, including any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use of such equipment; computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; and cloud computing services of all types;
(2) Telecommunications equipment or telecommunications service (meaning equipment, other than customer premises equipment, used by a carrier to provide telecommunications services, and includes software integral to such equipment (including upgrades) and telecommunications offerings for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used);
(3) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program or subsequent U.S. government program for controlling sensitive unclassified information; or
(4) Hardware, systems, devices, software, or services that include embedded or incidental information technology.
[3] A “covered procurement” is any of:
(1) A source selection for a covered article involving either a performance specification or an evaluation factor relating to a supply chain risk, or where supply chain risk considerations are included in the agency’s determination of whether a source is a responsible source;
(2) The consideration of proposals for and issuance of a task or delivery order for a covered article where the task or delivery order contract includes a contract clause establishing a requirement relating to a supply chain risk;
(3) Any contract action involving a contract for a covered article where the contract includes a clause establishing requirements relating to a supply chain risk; or
(4) Any other procurement in a category of procurements determined appropriate by the FASC, with the advice of the FASC.