October 2023 has been an active month for new cybersecurity requirements. As we previously wrote, on October 3, 2023, the Federal Acquisition Regulatory Council (“FAR Council”) proposed rule changes to the Federal Acquisition Regulation (“FAR”) to significantly tighten cybersecurity and incident reporting requirements, including for civilian agencies. The government has not stopped there. On October 5, 2023, the FAR Council issued an Interim Rule that requires many federal contractors and subcontractors to examine their supply chains regularly and report to the government any items designated by the Federal Acquisition Security Council (“FASC”) as potentially harmful. Although some key details remain unknown, these rules could require many contractors and subcontractors to change the way they do business in significant and potentially expensive ways.

The new rules implement the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”) and a final rule previously issued by the FASC. As with all recent initiatives to enhance the nation’s cybersecurity infrastructure, the purpose of the Interim Rule is to prevent foreign adversaries from “increasingly creating and exploiting vulnerabilities in information and communications technology to commit malicious cyber-enabled actions, including economic and industrial espionage against the United States and its citizens.” Information and communication technology ("ICT") is broadly defined to include any information technology and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content.

Building on rules already blocking certain Russian and Chinese products and services from the federal supply chain, the Interim Rule, which becomes December 4, 2023, will impose further restrictions targeting ICT, by requiring contractors to comply with any exclusionary or removal orders (collectively, “FASCSA orders”).[1] Although none have yet been issued, FASCSA orders will prohibit contractors from providing or using, as part of the performance of any contract, any covered article or products or services from any covered source identified in an applicable FASCSA order. Given rising concerns about cybersecurity, observers expect FASCSA orders to cover a considerable number of products across a variety of industry sectors.

Under the Interim Rule, contractors are expected to review whether there are any exclusionary orders that are applicable to a solicitation and whether any items or services designated under a FASCSA order will need to be excluded from any resulting contract. Contractors are also expected to review for removal orders, which will apply to noncompliant systems that are designated during contract performance and need to be removed. These requirements apply to all contracts, whether below the simplified acquisition threshold, those for commercial products, including commercial off-the-shelf (“COTS”) items, or commercial services, and must be flowed down to subcontractors. And, while a waiver process is available, the government is expected to use it sparingly. This post provides an overview of the changes to the FAR to implement the Interim Rule.

Overview of the New FAR Requirements

The Interim Rule makes numerous changes to the FAR but primarily relies on the addition of three new clauses. First, under FAR 52.204-29 contractors must submit with their offers a representation that, after conducting a reasonable inquiry regarding its supply chain, no covered articles or sources will be provided or used in response to any solicitation that are subject to an applicable FASCSA order in effect at the time of the solicitation, and if compliance is not possible an explanation as to the reasons why. The “reasonable inquiry” standard will likely be construed in the same manner as the prohibitions under Section 889 of the 2019 National Defense Authorization Act against the use of covered Chinese telecommunications equipment or services. However, unlike Section 889 matters, the representation required under FAR 52.204-29 pertains to the performance of a government contract whereas Section 889 clauses prohibit any use of covered equipment or services (irrespective of their connection with contract performance).

Second, under FAR 52.204-30, contractors have an ongoing obligation to assess and disclose any covered articles or sources in connection with any contractor or government information system for which they are responsible. In this regard, contractors must monitor SAM.gov at least every three months to determine if any new FASCSA orders applicable to their contracts have been issued, and if so, to disclose the issue to the contracting officer. A contractor has the same disclosure obligation if at any time during contract performance, and pursuant to any source, discovers that it is providing covered articles or products or services from a covered source subject to an applicable FASCSA order in connection with contract performance. Disclosures must be made within three (3) business days, followed by a supplemental report within ten (10) business days from the initial disclosure to address mitigation efforts, the contractor’s reasonable inquiry analysis, and any preventative action plans that may available.

Finally, at the direction of the contracting officer, FAR 52.204-28 will require contractors to remove and replace during contract performance any covered product or service subject to an applicable FASCSA order with conforming products and services. The rule does not provide any guidance on timing, except that any directed changes must be done “promptly.”

Takeaways

The Interim Rule raises several issues that stakeholders should consider before the comment period for the final rule closes on December 4, 2023. For example, in the case of the existing contracts and options that will be impacted (most of which will likely be fixed price in nature) the rules do not explain whether the government will incorporate the requirements through a unilateral or bilateral modification and whether contractors will be entitled to reimbursement under the changes clause in the event of the former or pursuant to a negotiated price adjustment in the event of the latter. The rules suggest that this clause will be used in new solicitations but may also be added to some IDIQ contracts. Contractors and subcontractors should exercise extreme caution to the extent government or prime contractor customers require the addition of this clause to existing agreements. Similarly, prime contractors will need to develop appropriate strategies for flowing these requirements down where applicable in a manner that minimizes both risk and higher costs.

Likewise, the rules do not clearly address: (1) who will pay for the removal and replacement costs for products or services that were not covered at the time of the solicitation or contract award; or (2) who will bear the risk for any delays and disruptions in contract performance, which could be significant, if a compliant solution proves difficult to implement in short order or is unavailable. Although some provisions in the Interim Rule suggest that contractors may be paid for removal services, the exact mechanism for such reimbursement remains unclear in the rules. This may be clarified in the future. In the meantime, contractors should be extremely careful to ensure that they are paid for any additional work required.

These and other issues suggest that the government’s compliance cost estimates in the Interim Rule may be quite low, and contractors are well-advised to provide their input before the comment period closes on December 4, 2023, particularly in response to the government’s requests for comment on whether: (1) additional information or guidance is needed to comply with the rule; and (2) whether there are any anticipated challenges in effectively complying with the rule.

In the meantime, as we approach the Interim Rule’s December 4 effective date, contractors should take or prepare for the following actions:

1. Review whether their Section 889 “reasonable inquiry” procedures, or other procedures or subcontracts, can be adapted to review covered articles and sources pursuant to applicable FASCSA orders;
2. Implement policies and procedures for reviewing FASCSA orders on SAM.gov or solicitations during the proposal phase and at least every three months on SAM after award;
3. Ensure that proper disclosure, mitigation, and corrective action procedures will be in place;
4. Engage with subcontractors to ensure they understand these obligations and are prepared to accept all flow down requirements by December 4;
5. Engage with prime contractors to ensure that only appropriate requirements are flowed down and costs properly allocated; and
6. After December 4, review any government contract modification requests to ensure compensation and risk are appropriately allocated, and review for any waivers or future rule changes and clarifications regarding price adjustments and other related topics.