2024-06411. Federal Acquisition Regulation: Establishing Federal Acquisition Regulation Part 40  

  • Start Preamble

    AGENCY:

    Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

    ACTION:

    Final rule.

    SUMMARY:

    DoD, GSA, and NASA are issuing a final rule amending the Federal Acquisition Regulation (FAR) to add the framework for a new FAR part on information security and supply chain security. The creation of this new FAR part does not implement any of the information security and supply chain security policies or procedures. The amendment simply establishes the new FAR part.

    DATES:

    Effective May 1, 2024.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    For clarification of content, contact Ms. Malissa Jones, Procurement Analyst, at 571-882-4687, or by email at Malissa.Jones@gsa.gov. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202-501-4755 or GSARegSec@gsa.gov. Please cite FAC 2024-04, FAR Case 2022-010.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    I. Background

    DoD, GSA, and NASA are amending the FAR to add the framework for a new FAR part 40, which will contain the policies and procedures for managing information security and supply chain security when acquiring products and services. The creation of this new FAR part does not implement any of the policies or procedures related to managing information security and supply chain security. The rule simply establishes the new FAR part. Relocation of the related existing policies or procedures will be done through separate rulemaking.

    Currently, the policies and procedures for prohibitions, exclusions, supply chain risk information sharing, and safeguarding information that address security objectives are dispersed across multiple parts of the FAR, which makes it difficult for the acquisition workforce to locate, understand, and implement applicable requirements. This new part will provide contracting officers with a single, consolidated location in the FAR that addresses their role in implementing requirements related to managing information security and supply chain security when acquiring products and services. This is also helpful to contractors who may want to review the information security and supply chain security policies and procedures in FAR part 40.

    This part will provide a location to cover broad security requirements that apply across acquisitions. These include security requirements designed to bolster national security through the management of existing or potential adversary-based supply chain risk across technological, intent-based, or economic means ( e.g., cybersecurity supply chain risks, foreign-based risks, Start Printed Page 22605 emerging technology risks). The new FAR part 40 would be structured based on the objectives of the regulation (similar to the way environmental objectives are covered in part 23 and labor objectives are addressed in part 22). Security-related requirements that include, but are not limited to, information and communications technology (ICT) will be covered in FAR part 40. An example of security-related requirements that include, but are not limited to, ICT are the security-related requirements from section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232). Security-related requirements that only apply to ICT acquisitions will continue to be covered in part 39.

    Supply chain and information risks that are unrelated to security risks are covered in other parts of the FAR ( e.g., part 22 for labor and human trafficking risks and part 23 for climate-related risks).

    II. Publication of This Final Rule for Public Comment Is Not Required by Statute

    The statute that applies to the publication of the FAR is 41 U.S.C. 1707. Subsection (a)(1) of 41 U.S.C. 1707 requires that a procurement policy, regulation, procedure, or form (including an amendment or modification thereof) must be published for public comment if it relates to the expenditure of appropriated funds, and has either a significant effect beyond the internal operating procedures of the agency issuing the policy, regulation, procedure, or form, or has a significant cost or administrative impact on contractors or offerors. This final rule is not required to be published for public comment because it is only establishing a framework for a new FAR part and does not implement any policies or procedures that apply to the public. This rule only affects the internal operating procedures of the Government and without a significant cost or administrative impact on contractors or offerors.

    III. Applicability to Contracts at or Below the Simplified Acquisition Threshold (SAT) and for Commercial Products, Including Commercially Available Off-the-Shelf (COTS) Items, or Commercial Services

    This rule does not create new solicitation provisions or contract clauses or impact any existing provisions or clauses.

    IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 (as amended by E.O. 14094) and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993.

    V. Congressional Review Act

    Pursuant to the Congressional Review Act, DoD, GSA, and NASA will send this rule to each House of the Congress and to the Comptroller General of the United States. The Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget has determined that this rule does not meet the definition in 5 U.S.C. 804(2).

    VI. Regulatory Flexibility Act

    Because a notice of proposed rulemaking and an opportunity for public comment are not required to be given for this rule under 41 U.S.C. 1707(a)(1) (see section II. of this preamble), the analytical requirements of the Regulatory Flexibility Act (5 U.S.C. 601-612) are not applicable. Accordingly, no regulatory flexibility analysis is required, and none has been prepared.

    VII. Paperwork Reduction Act

    This rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. 3501-3521).

    Start List of Subjects

    List of Subjects in 48 CFR Part 40

    • Government procurement
    End List of Subjects Start Signature

    William F. Clark,

    Director, Office of Government-wide Acquisition Policy, Office of Acquisition Policy, Office of Government-wide Policy.

    End Signature Start Amendment Part

    Therefore, DoD, GSA, and NASA amend 48 CFR chapter 1 by adding part 40 to read as follows:

    End Amendment Part Start Part

    PART 40—INFORMATION SECURITY AND SUPPLY CHAIN SECURITY

    40.000
    Scope of part.

    Subpart 40.1—[Reserved]

    Subpart 40.2—[Reserved]

    Subpart 40.3—[Reserved]

    Start Authority

    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C. chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C. 20113.

    End Authority
    Scope of part.

    (a) This part addresses broad security requirements that apply to acquisitions of products and services. It prescribes policies and procedures for managing information security and supply chain security when acquiring products and services that include, but are not limited to, information and communications technology (ICT).

    (b) See part 39 for security-related policies and procedures that only apply to ICT.

    (c) See parts 4, 24, and 46 for additional policies and procedures related to managing information security and supply chain security.

    (d) Information and supply chain policies and procedures that are unrelated to security are covered in other parts of the FAR ( e.g., part 22 for labor and human trafficking risks and part 23 for climate-related risks).

    Subpart 40.1—[Reserved]

    Subpart 40.2—[Reserved]

    Subpart 40.3—[Reserved]

    End Part End Supplemental Information

    [FR Doc. 2024-06411 Filed 3-29-24; 8:45 am]

    BILLING CODE 6820-EP-P

Document Information

Effective Date:
5/1/2024
Published:
04/01/2024
Department:
National Aeronautics and Space Administration
Entry Type:
Rule
Action:
Final rule.
Document Number:
2024-06411
Dates:
Effective May 1, 2024.
Pages:
22604-22605 (2 pages)
Docket Numbers:
FAC 2024-04, FAR Case 2022-010, Docket No. FAR-2022-0010, Sequence No. 1
RINs:
9000-AO47: Federal Acquisition Regulation (FAR); FAR Case 2022-010, Establishing Federal Acquisition Regulation Part 40
RIN Links:
https://www.federalregister.gov/regulations/9000-AO47/federal-acquisition-regulation-far-far-case-2022-010-establishing-federal-acquisition-regulation-par
Topics:
Government procurement
PDF File:
2024-06411.pdf
CFR: (1)
48 CFR 40.000