Ken Larson

Public Opportunity To Comment – FAR Part 40 Addition – ‘Information Security And Supply Chain Security’


“REGULATIONS.GOV”


"Content


Action

Notice of request for information (RFI).

Summary

DoD, GSA, and NASA recently established Federal Acquisition Regulation (FAR) part 40, Information Security and Supply Chain Security. The intent of this RFI is to solicit feedback from the general public on the scope and organization of FAR part 40.

Dates

Interested parties should submit written comments to the Regulatory Secretariat Division at the address shown below on or before June 10, 2024 to be considered in the formation of the changes to FAR part 40.

Addresses

Submit comments in response to this RFI to the Federal eRulemaking portal at https://www.regulations.gov by searching for “RFI FAR part 40”. Select the link “Comment Now” that corresponds with “RFI FAR part 40”. Follow the instructions provided on the “Comment Now” screen. Please include your name, company name (if any), and “RFI FAR part 40” on your attached document. If your comment cannot be submitted using https://www.regulations.gov, call or email the points of contact in the FOR FURTHER INFORMATION CONTACT section of this document for alternate instructions.


Instructions: Response to this RFI is voluntary. Respondents may answer as many or as few questions as they wish. Each individual or entity is requested to submit only one response to this RFI. Please identify your answers by responding to a specific question or topic if possible. Please submit responses only and cite “RFI FAR part 40” in all correspondence related to this RFI. Comments received generally will be posted without change to https://www.regulations.gov, including any personal and/or business confidential information provided. Public comments may be submitted as an individual, as an organization, or anonymously (see frequently asked questions at https://www.regulations.gov/faq). To confirm receipt of your comment(s), please check https://www.regulations.gov approximately two-to-three days after submission to verify posting.


For Further Information Contact

For clarification of content, contact Ms. Malissa Jones, Procurement Analyst, at 571-882-4687 or by email at malissa.jones@gsa.gov. For information pertaining to status, publication schedules, or alternate instructions for submitting comments if https://www.regulations.gov cannot be used, contact the Regulatory Secretariat Division at 202-501-4755 or GSARegSec@gsa.gov. Please cite FAR Case 2023-008.


Supplementary Information

The final FAR rule 2022-010, Establishing FAR part 40, amended the FAR to establish a framework for a new information security and supply chain security FAR part, FAR part 40. The final rule does not implement any of the information security and supply chain security policies or procedures; it simply established FAR part 40. The final FAR rule was published in the Federal Register at 89 FR 22604, on April 1, 2024. Relocation of existing requirements and placement of new requirements into FAR part 40 will be done through separate rulemakings.


Currently, the policies and procedures for prohibitions, exclusions, supply chain risk information sharing, and safeguarding information that address security objectives are dispersed across multiple parts of the FAR, which makes it difficult for the acquisition workforce and the general public to understand and implement applicable requirements. FAR part 40 will provide the acquisition team with a single, consolidated location in the FAR that addresses their role in implementing requirements related to managing information security and supply chain security when acquiring products and services.


The new FAR part 40 provides a location to cover broad security requirements that apply across acquisitions. These security requirements include requirements designed to bolster national security through the management of existing or potential adversary-based supply chain risks across technological, intent-based, or economic means (e.g., cybersecurity supply chain risks, foreign-based risks, emerging technology risks). The intent is to structure FAR part 40 based on the objectives of the regulatory requirement (similar to how environmental objectives are covered in FAR part 23, and labor objectives are addressed in FAR part 22). Security-related requirements that include and go beyond information and communications technology (ICT) will be covered under FAR part 40. An example of products and services that include and go beyond ICT are cybersecurity supply chain risk management requirements such as requirements related to section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232). Security-related requirements that only apply to ICT acquisitions will continue to be covered in FAR part 39. The test for whether existing regulations would be in FAR part 40 would be based on the following questions:


  • Question 1: Is the regulation or FAR case addressing security objectives?

○ If yes, move to question 2.

○ If no, the regulation would be located in another part of the FAR.

  • Question 2: Is the scope of the requirements limited to ICT?

○ If yes, the regulation would be located in FAR part 39.

○ If no, the regulation would be located in FAR part 40.

The following are examples of the FAR subparts and regulations that are under consideration and could potentially be located in, or relocated to, FAR part 40:


Part 40—Information Security and Supply Chain Security

40.000 Scope of part.

○ General Policy Statements

○ Cross reference to updated FAR part 39 scoped to ICT

Subpart 40.1—Processing Supply Chain Risk Information

○ FAR 4.2302, sharing supply chain risk information

○ Cross reference to counterfeit and nonconforming parts (FAR 46.317)

○ Cross reference to cyber threat and incident reporting and information sharing (FAR case 2021-017)

Subpart 40.2—Security Prohibitions and Exclusions

○ FAR subpart 4.20, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab

○ FAR subpart 4.21, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment

○ FAR subpart 4.22, Prohibition on a ByteDance Covered Application, which covers the TikTok application, from FAR case 2023-010

○ Prohibition on Certain Semiconductor Products and Services (FAR case 2023-008)

○ FAR subpart 4.23, Federal Acquisition Security Council, except section 4.2302

○ Covered Procurement Action/agency specific exclusion orders (FAR case 2019-018)

○ FAR subpart 25.7, Prohibited Sources

○ Prohibition on Operation of Covered Unmanned Aircraft Systems from Covered Foreign Entities (FAR case 2024-002)

Subpart 40.3—Safeguarding Information

○ FAR subpart 4.4, Safeguarding Classified Information Within Industry

○ Controlled Unclassified Information (CUI) (FAR case 2017-016)

○ FAR subpart 4.19, Basic Safeguarding of Covered Contractor Information Systems

In this notice, DoD, GSA, and NASA are providing an opportunity for members of the public to provide comments on the proposed scope of FAR part 40. Feedback provided should support the goal of providing a single location to cover broad security requirements that apply across acquisitions. Providing the acquisition team with a single, consolidated location in the FAR that addresses their role in implementing requirements related to managing information security and supply chain security when acquiring products and services will enable the acquisition workforce to understand and implement applicable requirements more easily.

DoD, GSA, and NASA seek responses to any or all the questions that follow this paragraph. Where possible, include specific examples of how your organization is or would be impacted negatively or positively by the recommended scope and subparts; if applicable, provide rationale supporting your position. If you believe the proposed scope and subparts should be revised, suggest an alternative (which may include not providing guidance at all) and include an explanation, analysis, or both, of how the alternative might meet the same objective or be more effective. Comments on the economic effects including quantitative and qualitative data are especially helpful. In addition to the FAR parts and subparts proposed for relocation to FAR part 40, let us know:


1. What specific section(s) of the FAR would benefit from inclusion in FAR part 40?

2. What specific suggestions do you have for otherwise improving the proposed scope or subparts of FAR part 40?



William F. Clark,

Director, Office of Government-wide Acquisition Policy, Office of Acquisition Policy, Office of Government-wide Policy"

