AGENCY:

Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION:

Final rule.

SUMMARY:

DoD, GSA, and NASA are issuing a final rule amending the Federal Acquisition Regulation (FAR) to add the framework for a new FAR part on information security and supply chain security. The creation of this new FAR part does not implement any of the information security and supply chain security policies or procedures. The amendment simply establishes the new FAR part.

DATES:

Effective May 1, 2024.

FOR FURTHER INFORMATION CONTACT:

For clarification of content, contact Ms. Malissa Jones, Procurement Analyst, at 571-882-4687, or by email at Malissa.Jones@gsa.gov. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202-501-4755 or GSARegSec@gsa.gov. Please cite FAC 2024-04, FAR Case 2022-010.

SUPPLEMENTARY INFORMATION:

I. Background

DoD, GSA, and NASA are amending the FAR to add the framework for a new FAR part 40, which will contain the policies and procedures for managing information security and supply chain security when acquiring products and services. The creation of this new FAR part does not implement any of the policies or procedures related to managing information security and supply chain security. The rule simply establishes the new FAR part. Relocation of the related existing policies or procedures will be done through separate rulemaking.

Currently, the policies and procedures for prohibitions, exclusions, supply chain risk information sharing, and safeguarding information that address security objectives are dispersed across multiple parts of the FAR, which makes it difficult for the acquisition workforce to locate, understand, and implement applicable requirements. This new part will provide contracting officers with a single, consolidated location in the FAR that addresses their role in implementing requirements related to managing information security and supply chain security when acquiring products and services. This is also helpful to contractors who may want to review the information security and supply chain security policies and procedures in FAR part 40.

This part will provide a location to cover broad security requirements that apply across acquisitions. These include security requirements designed to bolster national security through the management of existing or potential adversary-based supply chain risk across technological, intent-based, or economic means ( e.g., cybersecurity supply chain risks, foreign-based risks, Start Printed Page 22605 emerging technology risks). The new FAR part 40 would be structured based on the objectives of the regulation (similar to the way environmental objectives are covered in part 23 and labor objectives are addressed in part 22). Security-related requirements that include, but are not limited to, information and communications technology (ICT) will be covered in FAR part 40. An example of security-related requirements that include, but are not limited to, ICT are the security-related requirements from section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232). Security-related requirements that only apply to ICT acquisitions will continue to be covered in part 39.

Supply chain and information risks that are unrelated to security risks are covered in other parts of the FAR ( e.g., part 22 for labor and human trafficking risks and part 23 for climate-related risks).

II. Publication of This Final Rule for Public Comment Is Not Required by Statute

The statute that applies to the publication of the FAR is 41 U.S.C. 1707. Subsection (a)(1) of 41 U.S.C. 1707 requires that a procurement policy, regulation, procedure, or form (including an amendment or modification thereof) must be published for public comment if it relates to the expenditure of appropriated funds, and has either a significant effect beyond the internal operating procedures of the agency issuing the policy, regulation, procedure, or form, or has a significant cost or administrative impact on contractors or offerors. This final rule is not required to be published for public comment because it is only establishing a framework for a new FAR part and does not implement any policies or procedures that apply to the public. This rule only affects the internal operating procedures of the Government and without a significant cost or administrative impact on contractors or offerors.

III. Applicability to Contracts at or Below the Simplified Acquisition Threshold (SAT) and for Commercial Products, Including Commercially Available Off-the-Shelf (COTS) Items, or Commercial Services

This rule does not create new solicitation provisions or contract clauses or impact any existing provisions or clauses.

IV. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 (as amended by E.O. 14094) and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993.

V. Congressional Review Act

Pursuant to the Congressional Review Act, DoD, GSA, and NASA will send this rule to each House of the Congress and to the Comptroller General of the United States. The Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget has determined that this rule does not meet the definition in 5 U.S.C. 804(2).

VI. Regulatory Flexibility Act

Because a notice of proposed rulemaking and an opportunity for public comment are not required to be given for this rule under 41 U.S.C. 1707(a)(1) (see section II. of this preamble), the analytical requirements of the Regulatory Flexibility Act (5 U.S.C. 601-612) are not applicable. Accordingly, no regulatory flexibility analysis is required, and none has been prepared.

VII. Paperwork Reduction Act

This rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. 3501-3521).

List of Subjects in 48 CFR Part 40

• Government procurement

Therefore, DoD, GSA, and NASA amend 48 CFR chapter 1 by adding part 40 to read as follows:

PART 40—INFORMATION SECURITY AND SUPPLY CHAIN SECURITY

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 20113.

Subpart 40.1—[Reserved]

Subpart 40.2—[Reserved]

Subpart 40.3—[Reserved]