Photo of Adelicia R. CliffePhoto of Kate GrowleyPhoto of Stephanie Crawford

Companies have less than one week to submit comments regarding a recent interim rule that provides the responsibilities, processes, and procedures for the Federal Acquisition Security Council (“FASC”), established by the Federal Acquisition Supply Chain Security Act of 2018.  Under the immediately effective interim rule, the FASC is responsible for assessing supply chain risk and making removal and exclusion recommendations to the Secretary of the Department of Homeland Security (“DHS”), Secretary of the Department of Defense (“DoD”), and Director of National Intelligence (“DNI”).  Based on these recommendations, DoD, DHS, and the Office of the DNI (“ODNI”) then have authority to issue exclusion and removal orders for sources and/or covered articles deemed to pose a supply chain risk from certain procurements.

The interim rule is divided into three sections.  As further described below, Subpart A provides key definitions, outlines the membership of the FASC (including representatives from at least 12 agencies or departments), and describes the FASC’s authority to request information and establish subordinate bodies.  Subpart B establishes the DHS Cybersecurity and Infrastructure Security Agency (“CISA”) as the subordinate body for the collection of supply chain risk information from executive agencies and the Interagency Supply Chain Risk Management Task Force as the subordinate body for the analysis of that information.  The interim rule also provides guidance on mandatory and voluntary supply chain risk information submissions.  Finally, Subpart C focuses on the FASC’s removal and exclusion recommendation process, as well as the process for review of those recommendations.

Information-Sharing with the FASC.  Executive agencies are required to submit supply chain risk information to CISA when (1) the FASC requests information relating to a particular source[1], covered article[2], or covered procurement[3]; or (2) the agency has determined there is a reasonable basis to conclude there is a substantial supply chain risk associated with a source, article, or covered procurement.

Contractors and any federal or non-federal entity may voluntarily submit information to the FASC that relates to supply chain risk management, covered articles or procurements, or sources.  The interim rule provides some protection for the submitted information, but the relationship between the FASC’s information protections and Freedom of Information Act requests remains unclear.  To be afforded information protections, submissions to the FASC should include proper markings, handling, dissemination, and use restrictions including IP markings, business confidentiality markings, or contractual dissemination restrictions.  The rule states that the FASC, its Task Force, and CISA will handle the information in accordance with the markings provided.

Removal and Exclusion Recommendations.  The FASC may evaluate sources or covered articles (1) upon referral to the FASC or to a member of the FASC; (2) upon written request by an executive agency; or (3) based on information that is submitted to the FASC on a mandatory or voluntary basis and that the FASC deems credible.  The Council will then evaluate the sources or covered articles based on a series of non-exclusive factors including foreign ownership, control, or influence; security breaches; access to sensitive information; and other relevant supply chain risk information.  As part of this analysis, the FASC also must conduct due diligence, such as (1) reviewing information available to the FASC; (2) evaluating and accounting for the level of confidence in the information provided and; (3) examining public and commercially-available information as necessary or appropriate.  The FASC then prepares a recommendation for DoD, DHS, and ODNI.  The recommendation must include a summary of the basis for the recommendation and the assessment conducted, the scope of the recommendation, information for identifying the sources or covered articles, and any possible mitigation steps that would change the FASC’s recommendation.  Any source named in a recommendation will be provided notice of the FASC’s recommendation and may respond to the recommendation with additional information or argument.  The FASC will not release any recommendations to a non-federal entity unless a decision on whether to issue an exclusion or removal order has been made by DoD, DHS, and ODNI and the affected source has been notified of the decision.

Removal and Exclusion Orders.  The Secretary of DHS, the Secretary of DoD, and the DNI will review the Council’s recommendations, accompany information, and source-submitted information to determine whether to issue a removal or exclusion order.  A DoD, DHS, or ODNI order is only applicable to the specific agencies under the DoD, DHS, or ODNI’s purview as identified in the rule (see Removal and Exclusion Order Applicability graphic).  Orders must be reviewed annually and may be modified or rescinded; however, modifications may not apply more broadly than the initial order.  Named sources, CISA, appropriate Congressional Committees and leadership, and the Interagency Suspension and Debarment Committee will be notified of an issued order.  An exclusion order may require the exclusion of covered sources or articles from federal procurement activities (as a prime contractor or subcontractor at any tier), and/or could require removal of covered articles from federal or contractor information systems.  And in the event that DHS, DoD, and ODNI all issue removal or exclusion orders that amount to a government-wide exclusion, then the Federal Supply Schedules (“FSS”) and government-wide acquisition contracts shall facilitate implementation by removing covered articles or sources identified in the removal and exclusion orders from such FSS and multi-agency contract vehicles.

Removal and Exclusion Order Applicability

Comments on the interim rule are due no later than November 2, 2020.  Because of the potential costly impact of the removal and exclusion orders, as well as their mandatory ties to the Interagency Suspension and Debarment Committee, contractors should carefully consider the interim FASC process.

The FASC interim rule was one of many pieces of supply chain security-related news in September, along with the long-awaited DFARS cybersecurity rules and the National Counterintelligence and Security Center Supply Chain Risk Management Summary Publication.  With the 2021 NDAA around the corner and 2020 NDAA microelectronics standards deadline looming, this will continue to be an active area for counsel to follow.  For up to date information on Supply Chain Security and Risk Management developments, see Crowell’s SCRM site here.

 

[1] A “source” is a non-federal supplier, or potential supplier, of products or services, at any tier.

[2] A “covered article” is any of the following:

(1) Information technology, including any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use of such equipment; computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; and cloud computing services of all types;

(2) Telecommunications equipment or telecommunications service (meaning equipment, other than customer premises equipment, used by a carrier to provide telecommunications services, and includes software integral to such equipment (including upgrades) and telecommunications offerings for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used);

(3) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program or subsequent U.S. government program for controlling sensitive unclassified information; or

(4) Hardware, systems, devices, software, or services that include embedded or incidental information technology.

[3] A “covered procurement” is any of:

(1) A source selection for a covered article involving either a performance specification or an evaluation factor relating to a supply chain risk, or where supply chain risk considerations are included in the agency’s determination of whether a source is a responsible source;

(2) The consideration of proposals for and issuance of a task or delivery order for a covered article where the task or delivery order contract includes a contract clause establishing a requirement relating to a supply chain risk;

(3) Any contract action involving a contract for a covered article where the contract includes a clause establishing requirements relating to a supply chain risk; or

(4) Any other procurement in a category of procurements determined appropriate by the FASC, with the advice of the FASC.

Tags: FASC, supply chain
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Adelicia R. Cliffe Adelicia R. Cliffe

Adelicia Cliffe is a partner in the Washington, D.C. office, a member of the Steering Committee for the firm’s Government Contracts Group, and a member of the International Trade Group. Addie is also co-chair of the firm’s National Security practice. Addie has been…

Adelicia Cliffe is a partner in the Washington, D.C. office, a member of the Steering Committee for the firm’s Government Contracts Group, and a member of the International Trade Group. Addie is also co-chair of the firm’s National Security practice. Addie has been named as a nationally recognized practitioner in the government contracts field by Chambers USA.

Read more about Adelicia R. Cliffe
Show more Show less
Photo of Kate Growley Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations…

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.

Read more about Kate Growley
Show more Show less
Photo of Stephanie Crawford Stephanie Crawford

Stephanie Crawford is a trusted counselor to a broad range of industries facing reorganizations, transactions, national security issues, and questions of supply chain management. Stephanie provides related mergers and acquisitions, counseling, litigation, international arbitration, and investigations services to clients in the aerospace and

Stephanie Crawford is a trusted counselor to a broad range of industries facing reorganizations, transactions, national security issues, and questions of supply chain management. Stephanie provides related mergers and acquisitions, counseling, litigation, international arbitration, and investigations services to clients in the aerospace and defense, communications, energy, information technology, and consumer products sectors.

Stephanie has substantial experience with both buy-side and sell-side transactions. She has led government contracts diligence for numerous private equity entities and defense contractors. She assists clients with navigating post-closing government requirements, including unique license transfers and approvals; novation and change of name regulations; and Defense Counterintelligence and Security Agency communications and foreign ownership, control, and influence (FOCI) mitigation.

Stephanie counsels clients on supply chain, sourcing, and national security regulations and requirements. Such counseling includes compliance with the Defense Production Act, including priority orders, ratings and associated regulations; the Public Readiness and Emergency Preparedness Act; and National Industrial Security Program Operating Manual (NISPOM) regulations. She is also known for her ability to solve immediate and business-threatening System for Award Management (SAM) and Defense Logistics Agency (DLA) CAGE Code problems.

Stephanie defends government contractors facing potential tort litigation with a nexus to their government contracts and facing supply chain and national security-related investigations, litigation, and arbitrations.

Stephanie’s pro bono practice focuses on a broad range of veterans’ issues, including disability ratings and discharge upgrades

Read more about Stephanie Crawford
Show more Show less
Related Posts
Securing the Skies: Landmark Proposed Rule Contains New Security Requirements for Expanded Commercial Drone Deployments
September 24, 2025
Off the (Supply) Chain: Director of National Intelligence Issues First Exclusion and Removal Order Under the Federal Acquisition Supply Chain Security Act
September 22, 2025
New Year, Updated List: The U.S. Department of Defense Updates Its List of Chinese Military Companies with Ancillary Supply Chain and USG Contracting Impacts
January 14, 2025