AGENCY:

Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION:

Interim rule.

SUMMARY:

DoD is issuing an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a section of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011, as amended by the NDAA for FY 2013. This interim rule allows DoD to consider the impact of supply chain risk in specified types of procurements related to national security systems.

DATES:

Effective November 18, 2013.

Comment date: Comments on the interim rule should be submitted in writing to the address shown below on or before January 17, 2014, to be considered in the formation of a final rule.

ADDRESSES:

Submit comments identified by DFARS Case 2012-D050, using any of the following methods:

○ Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by entering “DFARS Case 2012-D050” under the heading “Enter keyword or ID” and selecting “Search.” Select the link “Submit a Comment” that corresponds with “DFARS Case 2012-D050.” Follow the instructions provided at the “Submit a Comment” screen. Please include your name, company name (if any), and “DFARS Case 2012-D050” on your attached document.

○ Email: dfars@osd.mil. Include DFARS Case 2012-D050 in the subject line of the message.

○ Fax: 571-372-6094.

○ Mail: Defense Acquisition Regulations System, Attn: Dustin Pitsch, OUSD(AT&L)DPAP/DARS, Room 3B855, 3060 Defense Pentagon, Washington, DC 20301-3060.

Comments received generally will be posted without change to http://www.regulations.gov,, including any personal information provided. To confirm receipt of your comment(s), please check www.regulations.gov,, approximately two to three days after submission to verify posting (except allow 30 days for posting of comments submitted by mail).

FOR FURTHER INFORMATION CONTACT:

Dustin Pitsch, Defense Acquisition Regulations System, OUSD(AT&L)DPAP/DARS, Room 3B855, 3060 Defense Pentagon, Washington, DC 20301-3060, telephone 571-372-6090.

SUPPLEMENTARY INFORMATION:

I. Background

This interim rule amends the DFARS to implement section 806 of the National Defense Authorization Act for Fiscal Year 2011 (Pub. L. 111-383), entitled “Requirements for Information Relating to Supply Chain Risk,” as amended by section 806 of the NDAA for FY 2013 (Pub. L. 112-239), and allows DoD to consider the impact of supply chain risk in specified types of procurements related to national security systems. Section 806 defines supply chain risk as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.”

II. Discussion and Analysis

This DFARS change is necessary to implement the authorities provided to DoD by section 806, enabling DoD to establish a pilot program to mitigate supply chain risk, which is set to expire on September 30, 2018. These authorities are in addition to other available mitigations, which may not be adequate to protect against the malicious actions referred to in the definition of supply chain risk.

Section 806 actions are permitted in procurements related to National Security Systems (NSS) (see 44 U.S.C. 3542(b)) that include a requirement relating to supply chain risk. This rule implements section 806's three supply-chain risk-management approaches as follows:

(1) The exclusion of a source that fails to meet qualification standards established in accordance with the requirements of 10 U.S.C. 2319, for the purpose of reducing supply chain risk in the acquisition of covered systems.

(2) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.

(3) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor for a covered system to exclude a particular source from consideration for a subcontract under the contract.

The rule establishes a new provision and clause (see DFARS 239.7306) for inclusion in all solicitations and contracts, including contracts for commercial items or commercial off-the-shelf items involving the development or delivery of any information technology, whether acquired as a service or as a supply, because portions of these contracts may be used to support or link with one or more NSS. Another reason for including the provision and clause in all DoD solicitations and contracts for information technology is to manage the operational security risks of including the provision and clause only in procurements for very sensitive DoD procurements, thereby identifying those very procurements as a target for the risk section 806 aims to deter.

However, several limiting provisions exist before the Government can exercise its authorities under section 806. First, use of section 806 authorities is limited to the procurement of NSS or of covered items of supply used within NSS. Section 806 defines a “covered item of supply” as “an item of information technology . . . that is purchased for inclusion in (an NSS), and the loss of integrity of which could result in a supply chain risk” to the entire system. Therefore, though the clause will be inserted in all information-technology contracts, these authorities will not be able to be utilized for all information and communication technology in all systems, but rather only in those meeting the criteria stated above.

Second, the decision to exclude a source under section 806 can only be made by the “head of a covered agency,” limited by definition to the Secretary of Defense and the Secretaries of the military departments with delegation limited to officials at or above the level of the service acquisition executive for the agency.

Third, the head of a covered agency seeking to exercise the authority of section 806 must obtain a joint recommendation from the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)) and the Chief Information Officer of the Department of Defense (DoD CIO), based on a risk assessment from the Under Secretary of Defense for Intelligence Start Printed Page 69269(USD(I)) that there is significant supply chain risk to a particular NSS.

Fourth, the head of a covered agency, with the concurrence of the USD(AT&L), must make a written determination that the use of section 806 authority is “necessary to protect national security by reducing supply chain risk” and that “less intrusive measures are not reasonably available to reduce such supply chain risk.”

Fifth, notice of each determination to exercise section 806 authorities must be provided in advance to the appropriate congressional committees.

Finally, section 806 expires on September 30, 2018 (see section 806 of FY 2013 NDAA, Public Law 112-239).

Section 806 also provides that the head of a covered agency may “limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information relating to the basis for carrying out a covered procurement action” if the head of a covered agency, with the concurrence of the USD (AT&L), determines in writing that “the risk to national security due to disclosure of such information outweighs the risk due to not disclosing such information.”

If the Government exercises the authority provided to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

III. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

IV. Regulatory Flexibility Act

DoD does not expect this interim rule to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because companies have an existing interest in having a supply chain that it can rely on to provide it with material and supplies that allow the contractor to ultimately supply its customers with products that are safe and that do not impose threats or risks to government information systems.

However, an Initial Regulatory Flexibility Analysis (IRFA) has been prepared because there is a growing interest by both the Government and industry in establishing cost efficient ways to protect the supply chain related to information technology purchases. Congress has recognized a growing concern for risks to the supply chain for technology contracts supporting the Department of Defense (DoD). Congress has defined supply chain risk as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.” (See section 806(e)(4) of Pub. L. 111-383.)

The objective of this rule is to protect DoD against risks arising out of the supply chain.

The legal basis for this rule is section 806 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011 (Pub. L. 111-383), as amended by section 806 of the NDAA for FY 2013 (Pub. L. 112-239). Additionally, the Department of Defense Instruction (DoDI) 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), recognizes the need to improve supply chain risk management (SCRM). In doing so, the DoDI requires, among other things, implementation of section 806 in the DFARS and in appropriate solicitation and contract language.

This rule applies to contractors involved in the development or delivery of any information technology, whether acquired by DoD as a service or as a supply. This includes commercial purchases as well as purchases of commercial off-the-shelf (COTS) services or supplies.

This rule does not require any specific reporting, recordkeeping or compliance requirements. It does, however, recognize the need for information technology contractors to implement appropriate safeguards and countermeasures to minimize supply chain risk. This rule, by itself, does not require contractors to deploy additional supply chain risk protections, but leaves it up to the individual contractors to take the steps they think are necessary to maintain existing or otherwise required safeguards and countermeasures as necessary for their own particular industrial methods to protect their supply chain.

The rule does not duplicate, overlap, or conflict with any other Federal rules.

Consistent with the stated objectives of section 806 and the DoDI, no viable alternatives exist.

Possible alternatives considered included having all contractors report, on all contracts, the nature of the supply chain risk mitigation efforts they have applied to their manufacturing processes. This would be unduly burdensome for both contractors and the Government.

Another alternative is not to have section 806 clauses apply to commercial and COTS items or purchases below the simplified acquisition threshold. However, the requirements of section 806 should apply to contracts and subcontracts at or below the simplified acquisition threshold because the malicious introduction of unwanted functions may occur at any dollar threshold. Therefore, it would not be in the best interest of the Federal Government to exempt contracts and subcontracts at or below the simplified acquisition threshold from this requirement.

In a like manner, the requirements of section 806 should apply to the procurement of commercial items (including COTS items) because the intent of the statute is to protect the supply chain which in turn protects all NSS. Commercial and COTS information technology supplies and services often become part of NSSs. Protection of the NSSs using the authority of section 806 requires application in all information technology supply and services contacts. Therefore, exempting commercial (including COTS) items from application of the statute would negate the intended effect of the statute.

DoD invites comments from small business concerns and other interested parties on the expected impact of this rule on small entities.

DoD will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (DFARS Case 2012-D050) in correspondence.

V. Paperwork Reduction Act

The rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Start Printed Page 69270Paperwork Reduction Act (44 U.S.C. chapter 35.

VI. Determination To Issue an Interim Rule

A determination has been made under the authority of the Secretary of Defense that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. This action is necessary because of the urgent need to protect the National Security Systems (NSS) and the integrity of the supply chain to NSS. It is necessary to reduce supply chain risk in the acquisition of sensitive information technology systems that are used for intelligence or cryptologic activities; used for command and control of military forces; or from an integral part of a weapon system by avoiding sabotage, maliciously introducing unwanted functions, or other subversion of the design, integrity, manufacturing, production, installation, operation or maintenance of systems. Such acquisition decisions are made daily and, like other cybersecurity measures, the costs to mitigate supply chain risk after a system is already in operation can be very high. In addition, as this is a pilot authority set to expire on September 30, 2018, and the Congress has requested a report on the effectiveness of the authority not later than January 1, 2017, therefore DoD must make this tool available immediately to begin the pilot program and gather feedback for the report to Congress.

The globalization of information technology has increased the vulnerability of DoD to attacks on its systems and networks. Failure to implement this rule may cause harm to the Government and to individuals relying on the integrity of NSS, for example, the risk of allowing the malicious insertion of software code or an unwanted function designed to degrade DOD's sensitive systems. DoD has proceeded cautiously to ensure that this rule very closely mirrors the authorities provided in the statute and has little leeway to vary from those terms. However, pursuant to 41 U.S.C. 1707 and FAR 1.501-3(b), DoD will consider public comments received in response to this interim rule in the formation of the final rule.

List of Subjects in 48 CFR Parts 208, 212, 215, 233, 239, 244, and 252

• Government procurement

Therefore, 48 CFR parts 208, 212, 215, 233, 239, 244, and 252 are amended as follows:

1. The authority citation for 48 CFR parts 208, 212, 215, 233, 239, 244, and 252 continues to read as follows:

Authority: 41 U.S.C. 1303 and 48 CFR Chapter 1.

PART 208—REQUIRED SOURCES OF SUPPLIES AND SERVICES

2. Add section 208.405 to read as follows:

3. Amend section 208.7402 by—

a. Designating the text as paragraph (1); and

b. Adding new paragraph (2) to read as follows:

PART 212—ACQUISITION OF COMMERCIAL ITEMS

4. Amend section 212.301 by—

a. Revising paragraph (f)(xiv);

b. Redesignating—

i. Paragraphs (f)(liii) through (lxv) as (lvi) through (lxvii); and

ii. Paragraphs (f)(xv) through (lii) as (f)(xvi) through (liii).

c. Adding new paragraphs (f)(xv), (liv), and (lv).

Revision and additions to read as follows:

PART 215—CONTRACTING BY NEGOTIATION

5. Amend section 215.304 by adding new paragraph (c)(v) to read as follows:

6. Add new subpart 215.5 to read as follows:

Subpart 215.5—Preaward, Award, and Postaward Notifications, Protests, and Mistakes

PART 233—PROTESTS, DISPUTES, AND APPEALS

7. Add new section 233.102 to read as follows:

PART 239—ACQUISITION OF INFORMATION TECHNOLOGY

8. Add new subpart 239.73 to read as follows:

Subpart 239.73—Requirements for Information Relating to Supply Chain Risk

PART 244—SUBCONTRACTING POLICIES AND PROCEDURES

9. Add new sections 244.201 and 244.201-1 to subpart 244.2 to read as follows:

PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

10. Add section 252.239-7017 to read as follows:

11. Add section 252.239-7018 to read as follows: