2015-27463. Defense Federal Acquisition Regulation Supplement: Requirements Relating to Supply Chain Risk (DFARS Case 2012-D050)  


    AGENCY:

    Defense Acquisition Regulations System, Department of Defense (DoD).

    ACTION:

    Final rule.

    SUMMARY:

    DoD has adopted as final, with changes, an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a section of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011, as amended by the NDAA for FY 2013. This final rule allows DoD to consider the impact of supply chain risk in specified types of procurements related to national security systems.

    DATES:

    Effective October 30, 2015.


    FOR FURTHER INFORMATION CONTACT:

    Mr. Dustin Pitsch, telephone 571-372-6090.


    SUPPLEMENTARY INFORMATION:

    I. Background

    DoD published an interim rule in the Federal Register at 78 FR 69268 on November 18, 2013, to implement section 806 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011 (Pub. L. 111-383), entitled “Requirements for Information Relating to Supply Chain Risk,” as amended by section 806 of the NDAA for FY 2013 (Pub. L. 112-239). This rule is part of DoD's retrospective plan, completed in August 2011, under Executive Order 13563, Improving Regulation and Regulatory Review. DoD's full plan and updates can be accessed at: http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.

    Eight respondents submitted public comments in response to the interim rule.

    II. Discussion and Analysis

    DoD reviewed the public comments in the development of the final rule. A discussion of the comments and the changes made to the rule as a result of those comments is provided, as follows:

    A. Significant Changes From the Interim Rule

    1. Language is added to the rule to clarify that section 806 authority is only applicable when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, including clarification of the prescriptions for DFARS provision 252.239-7017, Notice of Supply Chain Risk, and DFARS clause 252.239-7018, Supply Chain Risk.

    2. Guidance on the use of an evaluation factor regarding supply chain risk is modified to require the inclusion of the evaluation factor when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system. Additional text regarding an evaluation factor has been added at DFARS 212.301, 213.106-1, 214.201-5, and 214.503-1.

    3. DFARS clause 252.239-7018, Supply Chain Risk, is changed as follows—

    a. Paragraph (b) is modified to state that the contractor shall mitigate supply chain risk in the provision of supplies and services to the Government; and

    b. Paragraph (c) is removed as the clause will no longer contain a requirement to flow down the clause to subcontractors.

    B. Analysis of Public Comments

    1. Interim Rule Should Be Reissued as a Proposed Rule

    Comment: Numerous respondents urged DoD to rescind the interim rule and reissue the rule as a proposed rule. One respondent suggested that the new rule authorizes the exclusion of businesses from the defense industrial base and that such authority should not be exercised without first hearing the views of and gathering all relevant information from the parties that will be directly impacted by this rule. One respondent commented that the rule could prevent suppliers from addressing and mitigating supply chain security risks, and that a public comment period would have allowed industry to suggest alternative approaches that could allow for risk mitigation. Another respondent commented that the interim rule denies industry and other critical stakeholders ample time, opportunity to shape, and ultimately collaborate with the DoD to design a complex program that addresses multiple risks and complexities. One respondent added that without a standard notice-and-comment rulemaking process, industry has no opportunity to comment on areas of concern before the rule takes effect whereby industry must incur costs and move towards compliance without guidance through the rulemaking process.

    Response: DoD issued an interim rule because of the need to protect national security systems (NSS) and the integrity of its supply chains. The rule implements the specific authorities provided in the statute. The pilot authority provided for by the statute will expire September 30, 2018. It is in DoD's interest to initiate the pilot program and begin gathering feedback for its report to Congress. DoD considered all public comments received during the public comment period in the formation of this final rule.

    2. Definitions

    a. “Covered Item”/“Covered System”

    Comment: Several respondents objected to the broad definitions of “covered system” and “covered item.” One respondent questioned why the Council chose to use the term “covered item” versus “covered item of supply,” which is the term used in section 806.

    Response: The definitions in the rule are taken directly from the statute. In the final rule, the term “covered item” has been replaced by the term “covered item of supply,” thereby conforming to the statute.

    b. Information Technology

    Comment: The same respondent commented that the definition of “information technology” is defined even more expansively than in Federal Acquisition Regulation (FAR) subpart 2.1, covering information systems ranging from systems used for intelligence activities to information systems used for the “direct fulfillment of military or intelligence missions.”

    Response: The definition of “information technology” in the rule is the same as in the statute (40 U.S.C. 11101(6)).

    c. Supply Chain Risk

    Comment: One respondent requested that DoD clarify the definition of “supply chain risk,” stating that DoD should clarify the phrase “maliciously introduce unwanted function” to clearly explain if this is a hardware or software concern or both, and recognize that threats posed maliciously are just one class of threat.

    Response: The definition of “supply chain risk” is taken directly from the statute. It addresses both hardware and software concerns and is the only class of threat to which section 806 and the rule apply.

    3. Scope and Applicability

    a. Prescription

    Comment: Three respondents commented that the scope is overly broad, recommending that DoD should include the rule's provisions and clauses in NSS solicitations and contracts only. One of these respondents commented that the rule should be narrowly scoped to reflect the intent of Congress, suggesting that DoD should include the rule's provisions and clauses in solicitations and contracts for information technology NSS rather than all information technology solicitations and contracts, i.e., only in “covered procurements.” Another respondent commented that DoD should establish an independent, special review council to evaluate issues such as: (1) “covered” systems, technologies, items, procurements, and contracts; and (2) circumstances where the clause needs to be included and where information will be withheld under DFARS 239.7305(d), thus providing an independent check to ensure that this authority is being used in a manner consistent with section 806 of the FY 2011 NDAA and the underlying policy. This respondent also suggested that successful offerors be provided information that their contracts are covered by the clause. One respondent suggested that DoD should provide offerors sufficient notice that the goods or services they offer are to be used in a covered procurement.

    Response: The final rule limits use of the solicitation provision and contract clause to solicitations and contracts for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as that term is defined at 239.7301.

    b. NSS Classifications

    Comment: One respondent commented that mundane systems will be over classified by program managers as NSS and that NSS classifications should be reserved to an appropriate level above program manager. This respondent further stated that DoD should take steps to clearly designate systems as “NSS” and limit the NSS classification. Another respondent stated that because the interim rule incorporates the definition in 44 U.S.C. 3542(b) for “National Security System”, the rule's approach to include the clause in all DoD contracts seems contrary to the legislative intent to limit application to “covered procurements” as defined in section 806(e)(3) of the FY 2011 NDAA. This respondent further suggested that DoD more narrowly define when contracting officers should include and use this clause (e.g., what types of programs) and create some independent review of contracting activities' decisions to apply the interim rule.

    Response: In the final rule, the use of the provision and clause is only required when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at DFARS 252.239-7302. In accordance with DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), the requiring activity/program office will designate systems as NSS when it registers them in the DoD Component registry (e.g., DoD Information Technology Portfolio Repository (DITPR)).

    c. Flowdown

    Comment: One respondent suggested that because the clause is written to require flowdown to subcontractors regardless of tier, the Government intends to have the right to direct a supplier at any tier to be excluded for a contract. The respondent further stated that this could lead to even greater disruption of a program's supply chain since the loss of a supplier at a remote tier can have ripple effects on all higher-tier contractors and that the potential costs for the delay, disruption, and potential workarounds required to address the situation could be enormous. Failing to address the effects of exclusion of subcontractors almost guarantees that implementation of this rule will result in claims and disputes.

    Response: The requirement to include the substance of DFARS clause 252.239-7018 in subcontracts has been removed from this final rule.

    d. Other Applications

    Comment: One respondent commented that DoD should clarify whether or not the rule applies to embedded processing, whether the rule applies to cloud computing acquisitions, and whether cloud computing acquisitions are covered procurement actions as a class, since these types of acquisitions are not directly addressed in the interim rule.

    Response: The rule applies when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system. This includes embedded processing and cloud computing acquisitions if they are NSS.

    4. Managing Supply Chain Risk

    a. General

    Comment: Three respondents commented that the final rule should encourage industry to better manage supply chain risk, require that robust supply chain risk management principles be applied throughout procurement practices, or at the very least require that contracting officers apply supply chain risk management to contracts. One of these respondents further commented that the final rule should include language that reinforces the stated objective in the definition of supply chain risk, stating, “This rule, by itself, does not require contractors to deploy additional supply chain risk protections, but leaves it up to individual contractors to take the steps necessary. . .to protect their supply chain.” Another of these respondents suggested that, if the provisions of section 806 are to be implemented as intended, the rule must require robust supply chain analyses. One respondent suggested that the interim rule should provide that in all critical information technology acquisitions, supply chain security must be applied by the relevant Government procurement managers, both at the direct contract and supervisorial levels as a mandatory matter.

    Response: This rule has as its sole purpose the implementation of section 806. DoD has provided, and will continue to provide, additional guidance for the management and mitigation of supply chain risk.

    b. Evaluation Factor

    Comment: Three respondents commented that the interim rule should provide guidance on evaluation factors. One of these respondents commented that the rule creates uncertainty by failing to describe how supply chain risk will be used as an evaluation factor and suggests that the Government must realize that when managing risk, the steps necessary to exhaustively test all software to eliminate all potential unwanted functions is unaffordable. One respondent commented that the new requirement at DFARS 215.304 for departments and agencies to consider “the need for an evaluation factor regarding supply chain risk” provides insufficient guidance as to the type of supply chain risk evaluation factors to be utilized, further stating that while they would expect that such risk evaluations would be conducted on a case-by-case basis, guidance should be provided as to which evaluation factors should be used and when. One respondent suggested that the statement “Consider the need for an evaluation factor. . .” appears to give the contracting activity the discretion to determine whether an evaluation factor for supply chain risk is needed but does not provide guidance as to when the conditions which necessitate such a factor have been met.

    Response: In the final rule, guidance on the use of an evaluation factor regarding supply chain risk is modified to require the inclusion of the evaluation factor when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system. Risk levels, risk tolerance, and appropriate risk management measures must be determined at the local level. Evaluation factors are specified at the individual acquisition level and not in the DFARS. DoD is issuing DFARS Procedures, Guidance, and Information for the contracting workforce on developing and using supply chain risk evaluation factors.

    c. Information Sharing

    Comment: Three respondents commented on the disclosure of information regarding supply chain risk to offerors and contractors. One of these respondents urged the DoD to use its discretion in sharing information concerning threats sufficient to allow suppliers to alter product designs and change components on devices to overcome known vulnerabilities. Another respondent suggested that a requirement to report identified supply chain risks and issues would assure that immediate remediation could be undertaken if problems arose. One respondent commented that DoD should consider revising the rule to promote disclosure of information regarding supply chain risks to offerors and contractors whenever possible. Whenever such notice may be accomplished “consistent with the requirements of national security,” DoD should provide notification to the offeror or contractor of perceived supply chain risks early in the procurement process in accordance with standard Government procurement rules (e.g., during discussions in a negotiated procurement), so that the contractor has the opportunity to mitigate or eliminate the risk. Contractors are less able to mitigate supply chain risk if the Government fails or declines to share with them risk information it has developed internally.

    Response: The DoD intends to share information about supply chain risk with its contractors to the extent possible, consistent with the requirements of national security. The provisions of the rule and section 806 that limit disclosure are concerned with risk information that, for national security reasons, cannot be shared despite the transparency that is normally present in procurement activities.

    d. Mitigation/Less Intrusive Measures

    Comment: Several respondents commented on the need for DoD to focus on mitigation plans and less intrusive measures. One of these respondents commented that DoD should create a mechanism for vendors to file supply chain risk mitigation plans with DoD. DoD could take these plans into consideration when assessing supply chain risk for any particular procurement activity. By viewing filed mitigation plans from multiple vendors, DoD could gain greater insight into commercially viable supply chain mitigation practices. This respondent further stated that DoD should approach supply chain risk with an eye toward encouraging mitigation rather than simply disqualifying vendors, suggesting that DoD can and should implement robust supply chain security practices. One respondent suggested that DoD should clarify what it believes are less intrusive measures under section 239.7304(b)(1)(2), recommending that in order to prevent the interim rule from impeding the use of commercial technology (including commercially available off-the-shelf items) in NSS, which ultimately benefits DoD, the Department should provide wide discretion to the judgment of manufacturers in their use of industry standards and internal processes to meet its supply chain risk goals. This respondent further commented that while DFARS section 239.7304 of the rule provides that an exclusion under DFARS 239.7305 may occur when it is determined that, among other factors, “less intrusive measures are not reasonably available to reduce such supply chain risk,” at no point in the rule is clarity provided on what this language is defined as or what an authorized individual should refer to in order to gauge what “less intrusive measures” are and whether they are “not reasonably available.” Another of these respondents suggested that the opportunity to mitigate or eliminate the noticed risk from the supply chain would avoid significant costs that would be passed along to DoD. One respondent suggested that DoD modify the interim rule to clarify that the exercise of the authorities under DFARS 239.7305 should be a “last resort,” invoked only after other methods of mitigating supply chain risk have been considered or attempted.

    Response: Section 806(b)(2) requires that “less intrusive measures are not reasonably available to reduce supply chain risk” to use its authority. Whenever it is appropriate, DoD will work with its offerors to mitigate supply chain risk using less intrusive measures than exclusion based on section 806 authorities. In the notification to congressional committees when exercising section 806 authority, a summary of the mitigation analysis evaluating reasonably available mitigations will be documented. In most cases, DoD expects these mitigations will sufficiently mitigate the risks so that exclusion will not be necessary.

    e. Standards and Controls

    Comment: Several respondents commented on the need for the rule to specify relevant supply chain risk management (SCRM) standards, controls, etc. One respondent stated that while it does not suggest DoD explicitly endorse one set of controls over another, industry does need some guidance beyond “maintain controls.” There must be consistency in the call out of the relevant SCRM standards and ratings in solicitations so as not to create an unnecessary administrative burden for contractors to select suppliers and subcontractors based on a moving target of standards and ratings. Notwithstanding making a reference to the Regulatory Flexibility Act on page 69269 in the narrative of the Federal Register document that the rule “recognizes the need for information technology contractors to implement appropriate safeguards and countermeasures to minimize supply chain risk,” one respondent commented that the interim rule does not provide any guidance about what metric will be applied to its products, services, and business models. The respondent further stated that the rule requires contractors to “maintain controls in the provision of supplies and services to the Government to minimize supply chain risk” but does not provide any guidance to contractors or Government contracting officers as to the type of controls to be maintained to meet this requirement, recommending that DoD issue additional guidance that uses existing and proposed global, consensus-based standards. One respondent commented that the absence of what standard DoD will use to evaluate supply chain risks is likely to increase the time and cost of pursuing and performing Government contracts.

    Response: The final rule removes the language requiring contractors to “maintain controls” and now states that the contractor shall mitigate supply chain risk in the provision of supplies and services to the Government. This change was made because the DFARS cannot identify specific standards or controls as this would be up to each requiring activity to identify if any standards or controls are necessary particular to the risks and risk tolerance that would apply to each procurement. DoD continues to work with industry to identify risk management best practices and promulgate best practice documents for consideration.

    f. Verification/Inspection

    Comment: One respondent commented that suppliers should meet the requirement to provide supply chain security verification by documentation, suggesting that all levels of the supply chain—Government, prime contractors, subcontractors, and parts suppliers—should be in compliance with supply chain integrity requirements and have records and production locations available for inspection if necessary.

    Response: The practices, documentation, and information suggested in the comment are important tools in protecting against supply chain risk. However, these suggestions do not comply with the legislative requirements to implement section 806.

    5. Process

    a. General

    Comment: Two respondents commented that the interim rule could deprive potential contractors and subcontractors of due process and that by improving due process, DoD can better secure the supply chain. One of these respondents urged DoD to do more to guarantee due process to its suppliers under this rule, stating that notice, dialogue, and resolution, (i.e., due process) serve to identify root causes of supply chain risk and allow suppliers to clear their names when falsely accused. One respondent commented that implementation of the provision for a particular procurement or contract action may result in non-reviewable decisions that deprive actual or potential contractors and subcontractors of their property rights, including their right to fairly compete for procurements and subcontracts, suggesting that these non-reviewable exclusions may violate the due process clause and could negatively affect the procurement community. This respondent suggested that DoD modify the interim rule to clarify that the exercise of the authorities under DFARS 239.7305 should be a “last resort,” invoked only after other methods of mitigating supply chain risk have been considered or attempted.

    Response: Risk will be evaluated on a case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Contractors are eligible to compete for future solicitations even after application of the section 806 authority has excluded them from a particular source selection.

    b. Notice/Appropriate Parties

    Comment: Four respondents commented on the need for timely notification to organizations of pre- and post-exclusion status, and/or the need to clarify or define the “appropriate parties” in DFARS 239.7305(d)(2)(i). Two of these respondents commented that providing notice to the vendor in advance of any procurement action would permit appropriate response to the risk and allow offerors to rectify instances of unacceptable risk before DoD makes a determination based on incorrect or insufficient information, ensuring fairness to the offeror and benefitting DoD by enhancing fairness in competition for contracts. The opportunity to mitigate or eliminate the noticed risk from the supply chain would avoid significant costs that would be passed along to the DoD.

    Three of these respondents commented on the need for notification to excluded offerors of their post-exclusion status. One respondent commented that notification to excluded offerors of their post-exclusion status and the reasons for exclusion will allow them to take steps to remedy those flaws before future opportunities. One respondent suggested that if a determination is made that “less intrusive measures are not reasonably available [short of exclusion] to reduce such supply chain risk,” the rule should require that the notion of providing notice to the offeror has been explicitly considered and deemed unreasonable before a decision to exclude has been finalized. Another respondent suggested that DFARS 215.503 and 215.506 should be clarified to ensure that unsuccessful offerors are provided information demonstrating that DOD complied with the requirements of section 806(b) and (c) in making the determination to limit the disclosure of information relating to the basis for carrying out a covered procurement action.

    One of these respondents commented that clarification/definition of the term “appropriate parties” as encompassing the impacted offeror/bidder/contractor would ensure that the impacted offeror/bidder/contractor is advised, at a minimum, that it has been impacted by a supply chain risk determination under this DFARS section, and that any information that can be shared about the “basis for carrying out” the decision “consistent with the requirements of national security” will be shared with that entity. Another respondent commented that while the rule requires notice by the authorized individual to “appropriate parties” to the extent needed to execute a covered procurement action and to DoD and other Federal agencies, it makes no provision to provide notice to other Federal contractors that might be impacted by the exclusion.

    Response: The written determination detailed in DFARS 239.7304 will detail any limitations on disclosure of information related to a section 806 exclusion. “Appropriate parties” would be determined on a case-by-case basis.

    c. Exclusion Process

    Comment: Two respondents commented on the exclusions process itself. One respondent commented that the exclusion process is seriously flawed because it does not connect the acts conducted by those at higher levels in DoD with the actions of the contracting officers in any rational time phased application that would help offerors understand the proposal and business risk involved in any given source selection process. This respondent further commented that it is fundamentally unclear whether an exclusion will be made on a case-by-case basis or be a blanket exclusion of a contractor or subcontractor, and that it is unclear at what point in the acquisition process such exclusions may be authorized or executed. Under the new rule's language, a source could be excluded before, during, and/or after a contract award (whether as prime or subcontractor). One respondent suggests that its concerns that DoD can reject or modify acquisitions based upon concerns about supply chain integrity could be addressed by having any sensitive finding subject to review, and recommendation for approval or disapproval to the Secretary of Defense, by the DoD General Counsel, or a committee appointed by the Secretary of Defense charged with assuring the validity of such concerns and their sensitivity for release to suppliers.

    Response: Suppliers are expected to manage supply chain risk in their offerings. Under section 806 and the rule, exclusion of a source may occur during source selection before award (using an evaluation factor) or after award (by withholding consent to a subcontract). Exclusion of a source would be on a case-by-case basis, as the risk tolerance is not the same for all procurement actions. The authorization and recommendation mechanisms and participants described in the rule are mandated by the statute.

    d. Dispute Mechanism

    Comment: Two respondents commented on the need for an impartial process for addressing concerns. One respondent urged that the interim rule reinforce the need for a fair opportunity pre- and post-exclusion for concerns to be addressed by the contractor or vendor at issue. One respondent commented that neither section 806 of the NDAA for FY 2011 nor the interim rule provide for any procedures for proposed contractors or subcontractors to challenge a possible exclusion determination where DoD decides to limit the disclosure of information. This respondent further stated that DoD should provide some dispute mechanism for exclusion in protest and claim matters, whereby counsel for offerors, contractors, and proposed subcontractors can represent their clients and obtain access to information under protective order or clearance to assure that the required process was followed and proper grounds for invocation of the exclusion exist.

    Response: Exclusions using the authority of section 806 will be based generally on classified intelligence information. A dispute resolution mechanism is not appropriate under those circumstances.

    e. Remediation

    Comment: Two respondents commented on the need to provide equitable adjustments, a means of remedy, and/or a pathway to reinstatement once a supplier is excluded. One of the respondents commented that while DFARS 239.7305 allows DoD to exclude sources, it does not provide a pathway to reinstatement or for inclusion once a supplier is excluded, proposing that DoD establish a separate rulemaking and coordinate a unified policy with an industry-Government working group to gain insight into how remediation and rejoining the defense industrial base can be accomplished in a responsible manner. This respondent further commented that DoD should provide equitable adjustments and other remedies for prime contractors whose subcontractors are excluded, stating that the new regulations fail to provide relief for prime contractors who must exclude a source through no fault of its own. Another respondent suggested that a periodic review of excluded contractors should be required for ongoing contracts with new task orders, adding that if a vendor has been excluded without notice, the interim rule should require the agency to review that decision on no less than an annual basis for as long as the contract is in place. This respondent also commented that the regulation should specifically afford remedies, including equitable adjustments, whenever the authority at DFARS 239.7305(c) is exercised and a prime must exclude a subcontractor.

    Response: Risk will be evaluated on a case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Offerors are eligible to compete for future solicitations even after section 806 has excluded them from a particular source selection. Consistent with national security, i.e., with proper clearances and in a manner that will not put the warfighter, the system, or intelligence operations at risk, DoD will discuss risks to the trust of critical systems or components with its industrial base as well as potential remedies. This is particularly true in the system integration context where the program office and the prime contractors are more likely to have the time and clearances to develop tailored mitigations. Where appropriate, DoD will partner with its contractors to mitigate supply chain risk in lieu of executing section 806 authorities. In most cases, non-806 mitigations will sufficiently manage the risk; when that is not the case and exclusion of a source is required, DoD does not intend to provide equitable adjustments or other remedies.

    6. Impact of Rule

    a. Economic/Cost Impact

    Comment: Numerous respondents commented that the estimates by DoD of the costs and economic impact of this rule are inadequate. One of these respondents commented that the rule creates costs beyond the supply chain risk management a responsible company would undertake in the course of ordinary business. Further, the scope of application of the interim rule, which requires compliance at all levels of the DoD supply chain, would require significant, costly, additional investments in supplier management and compliance mechanisms by industry. Another respondent suggested that absent a public comment period before implementation of the rule, industry has no opportunity to provide input regarding the costs and benefits of the approach DoD has taken. One respondent commented that the cumulative economic effect of the exclusion of any one company from any one contract would result in reductions in both Government and commercial business, and the loss of employment at the excluded company and the corresponding loss of payroll. Other losses would be incurred as a result of the ripple effect on primes, subcontractors, or suppliers to the excluded company, which will lose that source of supply and must then incur the expense of identifying and vetting new sources. One respondent commented that by not advising what standard DoD will use to evaluate supply chain risks, the interim rule is likely to increase the time and cost of pursuing and performing Government contracts.

    Response: DoD does not expect the rule to have a significant economic impact on a substantial number of entities. Companies have an existing interest in having a supply chain that they can rely on to provide it with material and supplies that allow the contractor to ultimately supply its customers with products that are safe and that do not impose threats or risks to Government information systems. The rule does not require contractors to deploy additional supply chain risk protections. Section 806 authority applies to a specific contract, task order, or delivery order only.

    b. Small Business

    Comment: One respondent commented that the rule will drive up costs for smaller businesses by requiring a significant increase in investments in compliance. Another respondent commented that the rule could prompt prime contractors to exclude new or small businesses in order to improve the evaluation of their supply chain risk profile.

    Response: The rule does not require contractors to deploy additional supply chain risk protections.

    c. Barriers to the Federal Market

    Comment: Two respondents commented that the rule creates significant new barriers to the Federal market, further suggesting that the interim regulation poses significant burdens for existing companies in the market and will only further dissuade new and innovative companies from entering the market.

    Response: Since section 806 decisions rely on intelligence information, the operation of the rule presents no barrier to participation in the DoD market for either existing participants or new entrants.

    d. De Facto Debarment/Suspension

    Comment: Several respondents stated that the exercise of the exclusionary authority in the rule could result in a de facto debarment or suspension without any due process for the affected offeror.

    Response: Risk will be evaluated on a case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Offerors are eligible to compete for future solicitations even after section 806 has excluded them from a particular source selection.

    e. Security

    Comment: One respondent commented that the rule could unintentionally but negatively impact the Federal Government's security because it prevents DoD from informing suppliers about supply chain risks that DoD believes exist and prevents any consultation with offerors.

    Response: This will be taken into consideration in any instance that the section 806 authority is utilized.

    7. Qualification standard

    Comment: Three respondents commented that the interim rule should provide more guidance regarding the qualification standard(s) that may be established to reduce supply chain risk. One respondent urged DoD to develop the systems and data security requirements for covered procurements and issue them to potential offerors during the procurement process as a requirement for bid eligibility. This approach would focus the use of this clause to procurements for covered systems or covered items of supply and would increase competition by limiting unnecessary disqualification of offerors (and contractors and subcontractors/suppliers) that could meet the Government's requirements. Another respondent commented that the rule should be amended to provide more specificity as to the type of “qualification standards” that may be established “for the purposes of reducing supply chain risk in the acquisition of covered systems.”

    Response: DoD has no present plans to use section 806 authority to exclude a source based on failure to meet a qualification standard to reduce supply chain risk. To use this authority DoD must first develop qualification standards in accordance with the requirements of 10 U.S.C. 2319, which include providing the qualification requirements to potential offerors.

    8. Synchronize/Harmonize With Related Rules/Initiatives

    Comment: Five respondents requested that DoD harmonize the requirements of the rule with industry- and Government-led supply chain risk management regimes and initiatives in order to avoid inconsistencies. One respondent encouraged DoD to harmonize the requirements of the rule with the guidance issued by the Secretary of Defense memorandum dated October 10, 2013, entitled “Safeguarding Unclassified Controlled Technical Information;” the Office of Management and Budget's circular M-14-13 dated November 18, 2013, entitled “Enhancing the Security of Federal Information and Information Systems;” and other Departmental requirements. This respondent further recommends that the final rule include a statement that “the rule complements rather than conflicts with other related requirements.” Another respondent further encouraged DoD to avoid the creation of unneeded duplication of certifications of these important assurance efforts, by affirming that the interim rule shall not impact the duties of contractors and vendors in assessing relevant procurements related to NSS.

    Response: DoD is involved in a myriad of efforts to address supply chain risks, specifically, as well as cybersecurity broadly. All of these policies and strategic efforts aim to improve the overall risk posture of the Federal Government's information systems and those of its industry partners. A patchwork of policies and regulations is sometimes necessary to address the variabilities of the system ownership and operation, and the risk tolerance of the mission. The rule is specific to DoD and narrowly scoped to NSS, which often have a lower risk tolerance due to the criticality of missions utilizing such systems.

    9. Tracking

    Comment: One respondent commented that DoD should catalog the number of source exclusions executed under the section 806 authority between 2013 and 2018.

    Response: DoD is required to submit a report on January 1, 2017, on the effectiveness of section 806 authorities, to include how frequently DoD exercises the authority.

    III. Applicability to Acquisitions Not Greater Than the Simplified Acquisition Threshold (SAT) and Commercial Items, Including Commercially Available Off-the-Shelf (COTS) Items

    Consistent with 41 U.S.C. 1905, 1906, and 1907, the Director, Defense Procurement and Acquisition Policy (DPAP), determined that it would not be in the best interest of the United States to exempt acquisitions not greater than the SAT and acquisitions of commercial items, including COTS items, from the applicability of section 806 of the NDAA for FY 2011 as amended by section 806 of the NDAA for FY 2013.

    A. Applicability to Contracts at or Below the SAT

    41 U.S.C. 1905 governs the applicability of laws to contracts or subcontracts in amounts not greater than the SAT. It is intended to limit the applicability of laws to such contracts or subcontracts. 41 U.S.C. 1905 provides that if a provision of law contains criminal or civil penalties, or if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt contracts or subcontracts at or below the SAT, the law will apply to them. The Director, DPAP, is the appropriate authority to make comparable determinations for regulations to be published in the DFARS, which is part of the FAR system of regulations. DoD has made that determination, therefore this rule does apply below the SAT.

    Given that the requirements of section 806 of the NDAA for FY 2011 and section 806 of the NDAA for FY 2013 were enacted to protect the supply chain, which in turn protects NSS from malicious actions, DoD has determined that it is in the best interest of the Federal Government to apply the rule to contracts below the SAT, as defined at FAR 2.101. An exception for contracts for the acquisition below the SAT would exclude contracts intended to be covered by the law, thereby undermining the overarching public policy purpose of the law.

    B. Applicability to Contracts for the Acquisition of Commercial Items, Including COTS Items

    41 U.S.C. 1906 governs the applicability of laws to contracts for the acquisition of commercial items, and is intended to limit the applicability of laws to contracts for the acquisition of commercial items. 41 U.S.C. 1906 provides that if a provision of law contains criminal or civil penalties, or if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt commercial item contracts, the provision of law will apply to contracts for the acquisition of commercial items. Likewise, 41 U.S.C. 1907 governs the applicability of laws to COTS items, with the Administrator for Federal Procurement Policy the decision authority to determine that it is in the best interest of the Government to apply a provision of law to acquisitions of COTS items in the FAR. The Director, DPAP, is the appropriate authority to make comparable determinations for regulations to be published in the DFARS, which is part of the FAR system of regulations.

    Given that the requirements of section 806 of the NDAA for FY 2011 and section 806 of the NDAA for FY 2013 were enacted to protect the supply chain, which in turn protects NSS from malicious actions, DoD has determined that it is in the best interest of the Federal Government to apply the rule to contracts for the acquisition of commercial items, including COTS items, as defined at FAR 2.101. An exception for contracts for the acquisition of commercial items, including COTS items, would exclude contracts intended to be covered by the law, thereby undermining the overarching public policy purpose of the law.

    IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

    V. Regulatory Flexibility Act

    A final regulatory flexibility analysis has been prepared consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., and is summarized as follows:

    The objective of this final rule is to implement in the Defense Federal Acquisition Regulation Supplement protection against risks to the supply chain affecting National Security Systems (NSS). The legal basis for this final rule is section 806 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) of 2011 (Pub. L. 111-383), as amended by section 806 of the NDAA for FY 2013 (Pub. L. 112-239). Congress has recognized a growing concern for risks to the supply chain for technology contracts supporting the Department of Defense (DoD). Congress has defined supply chain risk as the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 806(e)(4) of Pub. L. 111-383).

    This final rule calls for contractors providing information technology to DoD, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, to mitigate supply chain risk to the supplies and services being provided to the Government. It also enables agencies to exclude sources identified as having a supply chain risk from consideration for award of a covered contract, in order to minimize the potential risk for supplies and services purchased by DoD to maliciously degrade the integrity and operation of sensitive information technology systems. Ultimately, DoD anticipates significant savings to taxpayers by reducing the risk of unsafe products entering our supply chain, which pose serious threats or risks to sensitive government information technology systems.

    No comments were received in response to the initial regulatory flexibility analysis.

    This rule applies to contractors providing the Government with information technology that qualifies as a covered system or covered item of supply. This includes purchases of commercial items, including commercial off-the-shelf items, and contracts not greater than the simplified acquisition threshold. While it is not possible to estimate the number of small businesses impacted, DoD does not expect this final rule to have a significant economic impact on a substantial number of contractors, since (1) the rule applies only when acquiring information technology that is part of a covered system or in support of a covered system and (2) the authority provided by the rule is expected to be invoked very infrequently.

    This rule does not require any specific reporting, recordkeeping or compliance requirements.

    No significant economic impact on small businesses is anticipated; however, the final rule does have a modified applicability for the provision and clause created by the rule. Instead of being prescribed for all information technology acquisitions the provision and clause will only apply to acquisitions for information technology that is a covered system or covered item of supply. This will significantly reduce the number of acquisitions to which the provision and clause will apply.

    VI. Paperwork Reduction Act

    The rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35).

    List of Subjects in 48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 239, 244, and 252

    • Government procurement

    Jennifer L. Hawes,

    Editor, Defense Acquisition Regulations System.

    Accordingly, DoD adopts as final the interim rule published at 78 FR 69268 on November 18, 2013, with the following changes:

    1. The authority citation for 48 CFR parts 202, 208, 212, 213, 214, 215, 239, 244, and 252 continues to read as follows:

    Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

    PART 202—DEFINITIONS OF WORDS AND TERMS

    2. Amend section 202.101 by adding, in alphabetical order, a definition for “Information technology” to read as follows:

    Definitions.
    * * * * *

    Information technology (see 40 U.S.C. 11101(6)) means, in lieu of the definition at FAR 2.1, any equipment, or interconnected system(s) or subsystem(s) of equipment, that is used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.

    (1) For purposes of this definition, equipment is used by an agency if the equipment is used by the agency directly or is used by a contractor under a contract with the agency that requires—

    (i) Its use; or

    (ii) To a significant extent, its use in the performance of a service or the furnishing of a product.

    (2) The term “information technology” includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.

    (3) The term “information technology” does not include any equipment acquired by a contractor incidental to a contract.

    * * * * *

    PART 208—REQUIRED SOURCES OF SUPPLIES AND SERVICES

    3. Revise section 208.405 to read as follows:

    Ordering procedures for Federal Supply Schedules.

    Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

    4. In section 208.7402, revise paragraph (2) to read as follows:

    General.
    * * * * *

    (2) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

    PART 212—ACQUISITION OF COMMERCIAL ITEMS

    5. Amend section 212.301 by—

    a. Adding paragraph (c); and

    b. Revising paragraphs (f)(xv)(C) and (D).

    The addition and revisions read as follows:

    Solicitation provisions and contract clauses for acquisition of commercial items.

    (c) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

    (f) * * *

    (xv) * * *

    (C) Use the provision at 252.239-7017, Notice of Supply Chain Risk, as prescribed in 239.7306(a), to comply with section 806 of Public Law 111-383.

    (D) Use the clause at 252.239-7018, Supply Chain Risk, as prescribed in 239.7306(b), to comply with section 806 of Public Law 111-383.

    * * * * *

    PART 213—SIMPLIFIED ACQUISITION PROCEDURES

    6. Add section 213.106-1 to read as follows:

    Soliciting competition.

    (a)(2) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

    PART 214—SEALED BIDDING

    7. Add section 214.201-5 to read as follows:

    Part IV—Representations and instructions.

    (c) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

    8. Add subpart 214.5 to read as follows:

    Subpart 214.5 Two-Step Sealed Bidding
    214.503 Procedures.
    214.503-1 Step one.

    (a)(4) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

    PART 215—CONTRACTING BY NEGOTIATION

    9. In section 215.304, revise paragraph (c)(v) to read as follows:

    Evaluation factors and significant subfactors.

    (c) * * *

    (v) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301. For additional guidance see PGI 215.304(c)(v).

    PART 239—ACQUISITION OF INFORMATION TECHNOLOGY

    10. Add section 239.001 to read as follows:

    Applicability.

    Notwithstanding FAR 39.001, this part applies to acquisitions of information technology, including national security systems.

    [Redesignated as 239.7302 and 239.7301]

    11. Redesignate sections 239.7301 and 239.7302 as sections 239.7302 and 239.7301, respectively.

    12. Amend newly redesignated 239.7301 by—

    a. In the definition of “Covered item”, removing “Covered item” and adding “Covered item of supply” in its place;

    b. Removing the definition of “Information technology”; and

    c. Adding, in alphabetical order, a definition for “Supply chain risk”.

    The addition reads as follows:

    Definitions.
    * * * * *

    Supply chain risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

    [Amended]

    13. Amend newly redesignated 239.7302 by removing “covered item” everywhere it appears and adding “covered item of supply” in its place.

    [Amended]

    14. Amend section 239.7304 by—

    a. In paragraph (b)(1), removing “239.7305(a)(b) or (c)” and adding “239.7305(a), (b), or (c)” in its place; and

    b. In paragraph (c)(2)(ii) and (iii) removing “paragraph (a)” and adding “paragraph (a) of this section” in both places.

    15. Amend section 239.7305 by—

    a. Revising the introductory text; and

    b. Revising paragraph (d)(2)(i).

    The revisions read as follows:

    Exclusion and limitation on disclosure.

    Subject to 239.7304, the individuals authorized in 239.7303 may, in the course of procuring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system—

    * * * * *

    (d) * * *

    (2) * * *

    (i) Notify appropriate parties of action taken under paragraphs (a) through (d) of this section and the basis for such action only to the extent necessary to effectuate the action;

    * * * * *

    16. Revise section 239.7306 to read as follows:

    Solicitation provision and contract clause.

    (a) Insert the provision at 252.239-7017, Notice of Supply Chain Risk, in solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301.

    (b) Insert the clause at 252.239-7018, Supply Chain Risk, in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301.

    PART 244—SUBCONTRACTING POLICIES AND PROCEDURES

    17. Revise section 244.201-1 to read as follows:

    Consent requirements.

    In solicitations and contracts for information technology, whether acquired as a service or as a supply, that is a covered system or covered item of supply as those terms are defined at 239.7301, consider the need for a consent to subcontract requirement regarding supply chain risk (see subpart 239.73). For additional guidance see PGI 244.201-1.

    PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    [Amended]

    18. Amend section 252.239-7018 by—

    a. Removing the clause date “(NOV 2013)” and adding “(OCT 2015)” in its place;

    b. Amending paragraph (b) by removing “shall maintain controls” and adding “shall mitigate supply chain risk” in its place, and removing the phrase “to minimize supply chain risk” before the period; and

    c. Removing paragraph (e).

    [FR Doc. 2015-27463 Filed 10-29-15; 8:45 am]

    BILLING CODE 5001-06-P

Document Information

Effective Date: 10/30/2015
Published: 10/30/2015
Department: Defense Acquisition Regulations System
Entry Type: Rule
Action: Final rule.
Document Number: 2015-27463
Dates: Effective October 30, 2015.
Pages: 67243-67252 (10 pages)
Docket Numbers: Docket No. DARS 2013-0052
RINs: 0750-AH96: Requirements Relating to Supply Chain Risk (DFARS Case 2012-D050)
RIN Links: https://www.federalregister.gov/regulations/0750-AH96/requirements-relating-to-supply-chain-risk-dfars-case-2012-d050-
Topics: Government procurement
PDF File: 2015-27463.pdf
CFR: (18)
48 CFR 239.7301 and 239.7302
48 CFR 202.101
48 CFR 208.405
48 CFR 208.7402
48 CFR 212.301