Federal contractors will need to closely monitor a government acquisition website for directives that ban products and services due to security concerns, similar to the Huawei ban, under a new rule published this month and set to go into effect in early December.
The Defense Department, the General Services Administration and NASA published an interim rule last week laying out how contractors will need to comply with orders from the Federal Acquisition Security Council.
The council was created as part of the SECURE Technology Act of 2018. It has the authority to issue recommendations for removing or excluding products and services from federal supply chains.
“Collectively, the information sharing requirements and implementation of FASCSA orders will address risks in supply chains by reducing or removing threats and vulnerabilities that may lead to data and intellectual property theft, damage to critical infrastructure, harm to federal information systems, and otherwise degrade our national security,” the interim rule states.
“This rule will also help make government supply chains and information systems more resilient and less subject to disruptions that could impact government operations,” it adds.
Chris DeRusha, the federal chief information security officer and chairman of the FASC, said the interim rule lays out key procedures for how the council will carry out its work.
“Let’s just be blunt about what we’re talking about: taking companies potentially off of the ability to bid for federal contracts and ripping technology out of current environments, potentially,” DeRusha said in an interview after speaking at ACT-IAC’s cyber summit last week. “That is why that is such a big, weighty authority. And there’s a lot of information here around how is that going to work in some detail.”
The new acquisition regulations will go into effect on Dec. 4.
The regulations give federal contracting officers the ability to implement removal or exclusion orders in “existing and new federal contracts and to share relevant information on potential supply chain risk,” the interim rule states. “These procedures reduce exploitations of vulnerabilities, in turn making the supply chain more resilient.”
It’s unclear whether the council has plans to ban any specific products or services in the near term.
“I can’t provide a whole lot of comment on that right now,” DeRusha said. “I can just say that we’re quite busy on the FASC and we’re also working to expand our capacity and truly have the resources we need to be able to take on what could become a pretty big workload one day. So I’m really focused on ensuring that we’re set up for success.”
Federal officials have primarily been concerned with information and communications technology products that could pose security risks.
In 2017, the Department of Homeland Security banned Kaspersky from federal networks due to the cybersecurity company’s alleged connections with Russian security services.
And in the 2019 National Defense Authorization Act, Congress passed Section 889, which banned five major Chinese telecommunications and technology suppliers, including Huawei and ZTE, from federal agency and contractor networks.
More recently, the 2023 NDAA prohibits agencies from doing business with companies that rely on certain Chinese semiconductor manufacturers.
The new FASC process is intended to shift decisions about supply chain security issues back to the executive branch.
“This could be the end of Congress getting involved in identifying companies, unless the FASC is not moving fast enough for them,” Eric Crusius, a federal contracting attorney at Holland & Knight, said in an interview.
“It’s certainly going to allow the government to work quickly, more efficiently, to exclude sources and products that they feel pose an unreasonable risk to the supply chain,” he added.
The council’s deliberations, however, will play out much more privately compared to Congressional wrangling over issues like the Section 889 ban.
“We don’t know if they’re going to put out one order every couple of years, or are they going to come out with 10 every three or four months?” Tracye Howard, a federal contracting attorney at Wiley Rein, said in an interview. “Their process is a little bit of a black box. And so we don’t really know what they might be considering, and won’t, until an order comes out.”
Under the interim rule, companies bidding for a contract have to search for the phrase “FASCSA order” on Sam.gov to find any banned products or services. Meanwhile, companies already on a contract should search at least once every three months, the rule states, to check for banned products.
“Throughout contract performance, contractors will be required to report to the contracting officer once they become aware that a covered article or product or service subject to a FASCSA order has been delivered to the government or used in performance of the contract,” the rule states.
“Reporting this information to the contracting officer will provide the government the needed information to assess the risk and make a determination on how to proceed,” it adds.
The orders also cover products or services used “in the performance of a contract,” an area that can be difficult to define, Howard said.
“Whether that means directly supporting the contract or required by the contract, or does it include back office type functions, that to me is an area that’s not clear from the interim rule as it’s written,” she said.
With the onus being on contractors to monitor Sam.gov for new removal or exclusion orders, Howard suggested companies need to be “on the ball” to understand their obligations. Not complying with the directives could lead to breach of contract or potential False Claims Act allegations.
“Particularly with the ongoing monitoring requirements, this is not an area where you can submit your proposal and think that you’re compliant and move on,” she said. “You’re really going to perhaps have dedicated supply chain security personnel who are going to be responsible for all of the regulations that are coming out in this area.”