Substantive cybersecurity amendments to the Federal Acquisition Regulation (FAR) are underway, significantly altering the duties and obligations of federal government contractors both prior to award and during contract performance. The FAR Council issued an Interim Final Rule implementing Section 202 of the Federal Acquisition Supply Chain Security Act of 2018 (FASCSA), as well as a 2021 Final Rule (Final Rule) granting the Federal Acquisition Security Council (FASC) authority to issue orders excluding or removing goods or services from the supply chain that were deemed prohibited (FASCSA Order(s)). To avoid contract termination and False Claims Act liability, government contractors should understand what FASCSA Orders are, where to find them, and what to do if they (or a subcontractor at any tier) are providing them to the government. This is PilieroMazza’s last installment of the blog series “Protecting Our Nation’s Data.” Check out Part 1 here and Part 2 here.
Background on FASC and FASCSA Orders
Section 202 of FASCSA established the FASC. The Final Rule provided FASC with the authority to issue recommendations to the Secretary of Homeland Security (DHS), Secretary of Defense (DOD), and/or the Director of National Intelligence (DNI) to: (i) exclude supplies or services from a procurement, or (ii) remove items from federal government information systems. The FASC utilizes a list of non-exclusive factors (as the Final Rule explains in detail) to issue a recommendation. Once a recommendation is received, the relevant entity (i.e., DHS, DOD, or DNI), individually or collectively, decides to issue a FASCSA Order. If DHS, DOD, or DNI decide to issue a FASCSA Order, all affected executive agencies are required to implement the FASCSA Order. This prohibits agencies from procuring or obtaining, or extending or renewing a contract to procure or obtain any covered article, good, or service produced or provided by a source. The Interim Final Rule seeks to implement the processes and procedures for implementing FASCSA Orders at the contract and task order levels.
Where to Find FASCSA Orders?
FASCSA Orders for sources or covered articles are searchable in the System for Award Management (SAM) database. Contractors simply need to search SAM for the phrase “FASCSA order.” In some rare cases, certain FASCSA Orders will not be identifiable in SAM. In those circumstances, contracting officers will list any applicable FASCSA Orders in the solicitation. For solicitations containing FAR 52.204-29, contractors need to search SAM, as well as conduct a “reasonable inquiry” into their supply chain to determine whether a covered product or service is being offered. During contract performance, FAR 52.204-30 requires contractors to conduct searches of SAM at least once every thirty days, unless the contracting officer states otherwise.
What To Do If Provided Goods or Services Are Subject to a FASCSA Order?
If a contractor determines that a covered article, good, or service will be provided as part of its offer, and it will not comply with the representations required by FAR 52.204-29, offerors need to request a waiver and provide the contracting officer with the following information:
- name of good(s) or service(s) being proposed;
- name of the covered article or source subject to a FASCSA Order;
- if applicable, the vendor’s name (including the Commercial and Government Entity code and unique entity identifier) that supplied the covered article, good, or service to the offeror;
- model number (original equipment manufacturer number, manufacturer part number, or wholesaler number);
- item description; and
- reason why the applicable covered article, good, or service is being provided or used.
Although contractors may request a waiver for covered goods or services, contracting officers have broad discretion in deciding whether to pursue a waiver.
During performance, if a contractor identifies (including through subcontractor notification) a covered good or service was provided to the government or used during performance, it must submit a detailed report, including similar information as listed above within three business days from the date of identification or notification to the responsible contracting officer. Notably, this report must also describe any “readily available information” about mitigation actions either already undertaken or recommended by the contractor. Moreover, within ten business days of submitting that report, the contractor should report any additional available information regarding mitigation actions taken/recommended, as well as the efforts it undertook to prevent submission or use of the covered article or service and any additional efforts that will be implemented to prevent future submission or use of the covered article or service. Upon notification from the contracting officer, the contractor must “promptly” make necessary changes or modifications to remove any covered goods or services from its supply chain.
The government-wide effort to reduce risks and vulnerabilities in the federal supply chain is becoming increasingly dependent on contractor self-identification and reporting requirements. Compliance with these reporting requirements, both substantively by providing all required information, as well as procedurally, by providing the relevant reports within the required timeframes, is imperative. Failure to do so may result in termination of your contract.
Notably, the representations and disclosures made in FAR 52.204-29 must be carefully reviewed. Contractors should regularly conduct reasonable inquiries into their supply chains to ensure no covered goods or services are being (or will be provided) to the government. If an offeror signs the contract with this clause, but fails to conduct this reasonable inquiry and a covered good or service is found within the contractor’s supply chain, they could face liability under the False Claims Act.
PilieroMazza recommends staying abreast of all FASCSA Orders and checking SAM (as well as your solicitation) regularly. As of the date of the Interim Final Rule, no FASCSA Orders were issued. Notwithstanding this, it would be wise to account for the goods or services you (and your subcontractors) provide to the government, as well as the sources you obtain them from prior to FASCSA Orders being released.
Comments on the Interim Final Rule can be submitted here until December 4, 2023. If you have questions about any goods or services subject to FASCSA Orders, and/or how to make sure you are correctly and timely submitting any relevant reports regarding them, please contact Cy Alba, Joe Loman, Daniel Figuenick, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups.
Looking for practical insights on gaining a competitive advantage through a deeper understanding of the government’s compliance requirements? Check out PilieroMazza’s podcasts “GovCon Live!” and “Clocking in with PilieroMazza.”