80 FR 67243 - Defense Federal Acquisition Regulation Supplement: Requirements Relating to Supply Chain Risk (DFARS Case 2012-D050)

DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System

Federal Register Volume 80, Issue 210 (October 30, 2015)

Page Range: 67243-67252
FR Document: 2015-27463

[Rules and Regulations]



Part VII

Department of Defense
Defense Acquisition Regulations System

48 CFR Parts 201, 202, 206, et al.

Defense Federal Acquisition Regulation Supplements; Final Rules

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 239, 244, and 252

[Docket No. DARS 2013-0052]
RIN 0750-AH96


Defense Federal Acquisition Regulation Supplement: Requirements 
Relating to Supply Chain Risk (DFARS Case 2012-D050)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD has adopted as final, with changes, an interim rule 
amending the Defense Federal Acquisition Regulation Supplement (DFARS) 
to implement a section of the National Defense Authorization Act (NDAA) 
for Fiscal Year (FY) 2011, as amended by the NDAA for FY 2013. This 
final rule allows DoD to consider the impact of supply chain risk in 
specified types of procurements related to national security systems.

DATES: Effective October 30, 2015.

FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, telephone 
571-372-6090.

SUPPLEMENTARY INFORMATION:

I. Background

    DoD published an interim rule in the Federal Register at 78 FR 
69268 on November 18, 2013, to implement section 806 of the National 
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011 (Pub. L. 
111-383), entitled ``Requirements for Information Relating to Supply 
Chain Risk,'' as amended by section 806 of the NDAA for FY 2013 (Pub. 
L. 112-239). This rule is part of DoD's retrospective plan, completed 
in August 2011, under Executive Order 13563, Improving Regulation and 
Regulatory Review. DoD's full plan and updates can be accessed at: 
http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.
    Eight respondents submitted public comments in response to the 
interim rule.

II. Discussion and Analysis

    DoD reviewed the public comments in the development of the final 
rule. A discussion of the comments and the changes made to the rule as 
a result of those comments is provided, as follows:

A. Significant Changes From the Interim Rule

    1. Language is added to the rule to clarify that section 806 
authority is only applicable when acquiring information technology, 
whether as a service or as a supply, that is a covered system, is a 
part of a covered system, or is in support of a covered system, 
including clarification of the prescriptions for DFARS provision 
252.239-7017, Notice of Supply Chain Risk, and DFARS clause 
252.239-7018, Supply Chain Risk.
    2. Guidance on the use of an evaluation factor regarding supply 
chain risk is modified to require the inclusion of the evaluation 
factor when acquiring information technology, whether as a service or 
as a supply, that is a covered system, is a part of a covered system, or 
is in support of a covered system. Additional text regarding an 
evaluation factor has been added at DFARS 212.301, 213.106-1, 
214.201-5, and 214.503-1.
    3. DFARS clause 252.239-7018, Supply Chain Risk, is changed as 
follows--
    a. Paragraph (b) is modified to state that the contractor shall 
mitigate supply chain risk in the provision of supplies and services to 
the Government; and
    b. Paragraph (c) is removed as the clause will no longer contain a 
requirement to flow down the clause to subcontractors.

B. Analysis of Public Comments

1. Interim Rule Should Be Reissued as a Proposed Rule
    Comment: Numerous respondents urged DoD to rescind the interim rule 
and reissue the rule as a proposed rule. One respondent suggested that 
the new rule authorizes the exclusion of businesses from the defense 
industrial base and that such authority should not be exercised without 
first hearing the views of and gathering all relevant information from 
the parties that will be directly impacted by this rule. One respondent 
commented that the rule could prevent suppliers from addressing and 
mitigating supply chain security risks, and that a public comment 
period would have allowed industry to suggest alternative approaches 
that could allow for risk mitigation. Another respondent commented that 
the interim rule denies industry and other critical stakeholders ample 
time, opportunity to shape, and ultimately collaborate with the DoD to 
design a complex program that addresses multiple risks and 
complexities. One respondent added that without a standard 
notice-and-comment rulemaking process, industry has no opportunity to comment on 
areas of concern before the rule takes effect whereby industry must 
incur costs and move towards compliance without guidance through the 
rulemaking process.
    Response: DoD issued an interim rule because of the need to protect 
national security systems (NSS) and the integrity of its supply chains. 
The rule implements the specific authorities provided in the statute. 
The pilot authority provided for by the statute will expire September 
30, 2018. It is in DoD's interest to initiate the pilot program and 
begin gathering feedback for its report to Congress. DoD considered all 
public comments received during the public comment period in the 
formation of this final rule.
2. Definitions
a. ``Covered Item''/``Covered System''
    Comment: Several respondents objected to the broad definitions of 
``covered system'' and ``covered item.'' One respondent questioned why 
the Council chose to use the term ``covered item'' versus ``covered 
item of supply,'' which is the term used in section 806.
    Response: The definitions in the rule are taken directly from the 
statute. In the final rule, the term ``covered item'' has been replaced 
by the term ``covered item of supply,'' thereby conforming to the 
statute.
b. Information Technology
    Comment: The same respondent commented that the definition of 
``information technology'' is defined even more expansively than in 
Federal Acquisition Regulation (FAR) subpart 2.1, covering information 
systems ranging from systems used for intelligence activities to 
information systems used for the ``direct fulfillment of military or 
intelligence missions.''
    Response: The definition of ``information technology'' in the rule 
is the same as in the statute (40 U.S.C. 11101(6)).
c. Supply Chain Risk
    Comment: One respondent requested that DoD clarify the definition 
of ``supply chain risk,'' stating that DoD should clarify the phrase 
``maliciously introduce unwanted function'' to clearly explain if this 
is a hardware or software concern or both, and recognize that threats 
posed maliciously are just one class of threat.
    Response: The definition of ``supply chain risk'' is taken directly 
from the statute. It addresses both hardware and software concerns and 
is the only class of threat to which section 806 and the rule apply.
3. Scope and Applicability
a. Prescription
    Comment: Three respondents commented that the scope is overly 
broad, recommending that DoD should include the rule's provisions and 
clauses in NSS solicitations and contracts only. One of these 
respondents commented that the rule should be narrowly scoped to 
reflect the intent of Congress, suggesting that DoD should include the 
rule's provisions and clauses in solicitations and contracts for 
information technology NSS rather than all information technology 
solicitations and contracts, i.e., only in ``covered procurements.'' 
Another respondent commented that DoD should establish an independent, 
special review council to evaluate issues such as: (1) ``covered'' 
systems, technologies, items, procurements, and contracts; and (2) 
circumstances where the clause needs to be included and where 
information will be withheld under DFARS 239.7305(d), thus providing an 
independent check to ensure that this authority is being used in a 
manner consistent with section 806 of the FY 2011 NDAA and the 
underlying policy. This respondent also suggested that successful 
offerors be provided information that their contracts are covered by 
the clause. One respondent suggested that DoD should provide offerors 
sufficient notice that the goods or services they offer are to be used 
in a covered procurement.
    Response: The final rule limits use of the solicitation provision 
and contract clause to solicitations and contracts for information 
technology, whether acquired as a service or as a supply, that is a 
covered system, is a part of a covered system, or is in support of a 
covered system, as that term is defined at 239.7301.
b. NSS Classifications
    Comment: One respondent commented that mundane systems will be over 
classified by program managers as NSS and that NSS classifications 
should be reserved to an appropriate level above program manager. This 
respondent further stated that DoD should take steps to clearly 
designate systems as ``NSS'' and limit the NSS classification. Another 
respondent stated that because the interim rule incorporates the 
definition in 44 U.S.C. 3542(b) for ``National Security System'', the 
rule's approach to include the clause in all DoD contracts seems 
contrary to the legislative intent to limit application to ``covered 
procurements'' as defined in section 806(e)(3) of the FY 2011 NDAA. 
This respondent further suggested that DoD more narrowly define when 
contracting officers should include and use this clause (e.g., what 
types of programs) and create some independent review of contracting 
activities' decisions to apply the interim rule.
    Response: In the final rule, the use of the provision and clause is 
only required when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined at 
DFARS 252.239-7302. In accordance with DoD Instruction 8510.01, Risk 
Management Framework (RMF) for DoD Information Technology (IT), the 
requiring activity/program office will designate systems as NSS when it 
registers them in the DoD Component registry (e.g., DoD Information 
Technology Portfolio Repository (DITPR)).
c. Flowdown
    Comment: One respondent suggested that because the clause is 
written to require flowdown to subcontractors regardless of tier, the 
Government intends to have the right to direct a supplier at any tier 
to be excluded for a contract. The respondent further stated that this 
could lead to even greater disruption of a program's supply chain since 
the loss of a supplier at a remote tier can have ripple effects on all 
higher-tier contractors and that the potential costs for the delay, 
disruption, and potential workarounds required to address the situation 
could be enormous. Failing to address the effects of exclusion of 
subcontractors almost guarantees that implementation of this rule will 
result in claims and disputes.
    Response: The requirement to include the substance of DFARS clause 
252.239-7018 in subcontracts has been removed from this final rule.
d. Other Applications
    Comment: One respondent commented that DoD should clarify whether 
or not the rule applies to embedded processing, whether the rule 
applies to cloud computing acquisitions, and whether cloud computing 
acquisitions are covered procurement actions as a class, since these 
types of acquisitions are not directly addressed in the interim rule.
    Response: The rule applies when acquiring information technology, 
whether as a service or as a supply, that is a covered system, is a 
part of a covered system, or is in support of a covered system. This 
includes embedded processing and cloud computing acquisitions if they 
are NSS.
4. Managing Supply Chain Risk
a. General
    Comment: Three respondents commented that the final rule should 
encourage industry to better manage supply chain risk, require that 
robust supply chain risk management principles be applied throughout 
procurement practices, or at the very least require that contracting 
officers apply supply chain risk management to contracts. One of these 
respondents further commented that the final rule should include 
language that reinforces the stated objective in the definition of 
supply chain risk, stating, ``This rule, by itself, does not require 
contractors to deploy additional supply chain risk protections, but 
leaves it up to individual contractors to take the steps necessary 
. . . to protect their supply chain.'' Another of these respondents 
suggested that, if the provisions of section 806 are to be implemented 
as intended, the rule must require robust supply chain analyses. One 
respondent suggested that the interim rule should provide that in all 
critical information technology acquisitions, supply chain security 
must be applied by the relevant Government procurement managers, both 
at the direct contract and supervisorial levels as a mandatory matter.
    Response: This rule has as its sole purpose the implementation of 
section 806. DoD has provided, and will continue to provide, additional 
guidance for the management and mitigation of supply chain risk.
b. Evaluation Factor
    Comment: Three respondents commented that the interim rule should 
provide guidance on evaluation factors. One of these respondents 
commented that the rule creates uncertainty by failing to describe how 
supply chain risk will be used as an evaluation factor and suggests 
that the Government must realize that when managing risk, the steps 
necessary to exhaustively test all software to eliminate all potential 
unwanted functions is unaffordable. One respondent commented that the 
new requirement at DFARS 215.304 for departments and agencies to 
consider ``the need for an evaluation factor regarding supply chain 
risk'' provides insufficient guidance as to the type of supply chain 
risk evaluation factors to be utilized, further stating that while they 
would expect that such risk evaluations would be conducted on a 
case-by-case basis, guidance should be provided as to which evaluation 
factors should be used and when. One respondent suggested that the 
statement
``Consider the need for an evaluation factor. . .'' appears to give the 
contracting activity the discretion to determine whether an evaluation 
factor for supply chain risk is needed but does not provide guidance as 
to when the conditions which necessitate such a factor have been met.
    Response: In the final rule, guidance on the use of an evaluation 
factor regarding supply chain risk is modified to require the inclusion 
of the evaluation factor when acquiring information technology, whether 
as a service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system. Risk levels, risk 
tolerance, and appropriate risk management measures must be determined 
at the local level. Evaluation factors are specified at the individual 
acquisition level and not in the DFARS. DoD is issuing DFARS 
Procedures, Guidance, and Information for the contracting workforce on 
developing and using supply chain risk evaluation factors.
c. Information Sharing
    Comment: Three respondents commented on the disclosure of 
information regarding supply chain risk to offerors and contractors. 
One of these respondents urged the DoD to use its discretion in sharing 
information concerning threats sufficient to allow suppliers to alter 
product designs and change components on devices to overcome known 
vulnerabilities. Another respondent suggested that a requirement to 
report identified supply chain risks and issues would assure that 
immediate remediation could be undertaken if problems arose. One 
respondent commented that DoD should consider revising the rule to 
promote disclosure of information regarding supply chain risks to 
offerors and contractors whenever possible. Whenever such notice may be 
accomplished ``consistent with the requirements of national security,'' 
DoD should provide notification to the offeror or contractor of 
perceived supply chain risks early in the procurement process in 
accordance with standard Government procurement rules (e.g., during 
discussions in a negotiated procurement), so that the contractor has 
the opportunity to mitigate or eliminate the risk. Contractors are less 
able to mitigate supply chain risk if the Government fails or declines 
to share with them risk information it has developed internally.
    Response: The DoD intends to share information about supply chain 
risk with its contractors to the extent possible, consistent with the 
requirements of national security. The provisions of the rule and 
section 806 that limit disclosure are concerned with risk information 
that, for national security reasons, cannot be shared despite the 
transparency that is normally present in procurement activities.
d. Mitigation/Less Intrusive Measures
    Comment: Several respondents commented on the need for DoD to focus 
on mitigation plans and less intrusive measures. One of these 
respondents commented that DoD should create a mechanism for vendors to 
file supply chain risk mitigation plans with DoD. DoD could take these 
plans into consideration when assessing supply chain risk for any 
particular procurement activity. By viewing filed mitigation plans from 
multiple vendors, DoD could gain greater insight into commercially 
viable supply chain mitigation practices. This respondent further 
stated that DoD should approach supply chain risk with an eye toward 
encouraging mitigation rather than simply disqualifying vendors, 
suggesting that DoD can and should implement robust supply chain 
security practices. One respondent suggested that DoD should clarify 
what it believes are less intrusive measures under section 
239.7304(b)(1)(2), recommending that in order to prevent the interim 
rule from impeding the use of commercial technology (including 
commercially available off-the-shelf items) in NSS, which ultimately 
benefits DoD, the Department should provide wide discretion to the 
judgment of manufacturers in their use of industry standards and 
internal processes to meet its supply chain risk goals. This respondent 
further commented that while DFARS section 239.7304 of the rule 
provides that an exclusion under DFARS 239.7305 may occur when it is 
determined that, among other factors, ``less intrusive measures are not 
reasonably available to reduce such supply chain risk,'' at no point in 
the rule is clarity provided on what this language is defined as or 
what an authorized individual should refer to in order to gauge what 
``less intrusive measures'' are and whether they are ``not reasonably 
available.'' Another of these respondents suggested that the 
opportunity to mitigate or eliminate the noticed risk from the supply 
chain would avoid significant costs that would be passed along to DoD. 
One respondent suggested that DoD modify the interim rule to clarify 
that the exercise of the authorities under DFARS 239.7305 should be a 
``last resort,'' invoked only after other methods of mitigating supply 
chain risk have been considered or attempted.
    Response: Section 806(b)(2) requires that ``less intrusive measures 
are not reasonably available to reduce supply chain risk'' to use its 
authority. Whenever it is appropriate, DoD will work with its offerors 
to mitigate supply chain risk using less intrusive measures than 
exclusion based on section 806 authorities. In the notification to 
congressional committees when exercising section 806 authority, a 
summary of the mitigation analysis evaluating reasonably available 
mitigations will be documented. In most cases, DoD expects these 
mitigations will sufficiently mitigate the risks so that exclusion will 
not be necessary.
e. Standards and Controls
    Comment: Several respondents commented on the need for the rule to 
specify relevant supply chain risk management (SCRM) standards, 
controls, etc. One respondent stated that while it does not suggest DoD 
explicitly endorse one set of controls over another, industry does need 
some guidance beyond ``maintain controls.'' There must be consistency 
in the call out of the relevant SCRM standards and ratings in 
solicitations so as not to create an unnecessary administrative burden 
for contractors to select suppliers and subcontractors based on a 
moving target of standards and ratings. Notwithstanding making a 
reference to the Regulatory Flexibility Act on page 69269 in the 
narrative of the Federal Register document that the rule ``recognizes 
the need for information technology contractors to implement 
appropriate safeguards and countermeasures to minimize supply chain 
risk,'' one respondent commented that the interim rule does not provide 
any guidance about what metric will be applied to its products, 
services, and business models. The respondent further stated that the 
rule requires contractors to ``maintain controls in the provision of 
supplies and services to the Government to minimize supply chain risk'' 
but does not provide any guidance to contractors or Government 
contracting officers as to the type of controls to be maintained to 
meet this requirement, recommending that DoD issue additional guidance 
that uses existing and proposed global, consensus-based standards. One 
respondent commented that the absence of what standard DoD will use to 
evaluate supply chain risks is likely to increase the time and cost of 
pursuing and performing Government contracts.
    Response: The final rule removes the language requiring contractors 
to
``maintain controls'' and now states that the contractor shall mitigate 
supply chain risk in the provision of supplies and services to the 
Government. This change was made because the DFARS cannot identify 
specific standards or controls as this would be up to each requiring 
activity to identify if any standards or controls are necessary 
particular to the risks and risk tolerance that would apply to each 
procurement. DoD continues to work with industry to identify risk 
management best practices and promulgate best practice documents for 
consideration.
f. Verification/Inspection
    Comment: One respondent commented that suppliers should meet the 
requirement to provide supply chain security verification by 
documentation, suggesting that all levels of the supply chain--
Government, prime contractors, subcontractors, and parts suppliers--
should be in compliance with supply chain integrity requirements and 
have records and production locations available for inspection if 
necessary.
    Response: The practices, documentation, and information suggested 
in the comment are important tools in protecting against supply chain 
risk. However, these suggestions do not comply with the legislative 
requirements to implement section 806.
5. Process
a. General
    Comment: Two respondents commented that the interim rule could 
deprive potential contractors and subcontractors of due process and 
that by improving due process, DoD can better secure the supply chain. 
One of these respondents urged DoD to do more to guarantee due process 
to its suppliers under this rule, stating that notice, dialogue, and 
resolution, (i.e., due process) serve to identify root causes of supply 
chain risk and allow suppliers to clear their names when falsely 
accused. One respondent commented that implementation of the provision 
for a particular procurement or contract action may result in 
non-reviewable decisions that deprive actual or potential contractors and 
subcontractors of their property rights, including their right to 
fairly compete for procurements and subcontracts, suggesting that these 
non-reviewable exclusions may violate the due process clause and could 
negatively affect the procurement community. This respondent suggested 
that DoD modify the interim rule to clarify that the exercise of the 
authorities under DFARS 239.7305 should be a ``last resort,'' invoked 
only after other methods of mitigating supply chain risk have been 
considered or attempted.
    Response: Risk will be evaluated on a case-by-case basis, and any 
exclusion will be for a particular source selection and not a blanket 
exclusion. Contractors are eligible to compete for future solicitations 
even after application of the section 806 authority has excluded them 
from a particular source selection.
b. Notice/Appropriate Parties
    Comment: Four respondents commented on the need for timely 
notification to organizations of pre- and post-exclusion status, and/or 
the need to clarify or define the ``appropriate parties'' in DFARS 
239.7305(d)(2)(i). Two of these respondents commented that providing 
notice to the vendor in advance of any procurement action would permit 
appropriate response to the risk and allow offerors to rectify 
instances of unacceptable risk before DoD makes a determination based 
on incorrect or insufficient information, ensuring fairness to the 
offeror and benefitting DoD by enhancing fairness in competition for 
contracts. The opportunity to mitigate or eliminate the noticed risk 
from the supply chain would avoid significant costs that would be 
passed along to the DoD.
    Three of these respondents commented on the need for notification 
to excluded offerors of their post-exclusion status. One respondent 
commented that notification to excluded offerors of their 
post-exclusion status and the reasons for exclusion will allow them to take 
steps to remedy those flaws before future opportunities. One respondent 
suggested that if a determination is made that ``less intrusive 
measures are not reasonably available [short of exclusion] to reduce 
such supply chain risk,'' the rule should require that the notion of 
providing notice to the offeror has been explicitly considered and 
deemed unreasonable before a decision to exclude has been finalized. 
Another respondent suggested that DFARS 215.503 and 215.506 should be 
clarified to ensure that unsuccessful offerors are provided information 
demonstrating that DoD complied with the requirements of section 806(b) 
and (c) in making the determination to limit the disclosure of 
information relating to the basis for carrying out a covered 
procurement action.
    One of these respondents commented that clarification/definition of 
the term ``appropriate parties'' as encompassing the impacted 
offeror/bidder/contractor would ensure that the impacted 
offeror/bidder/contractor is advised, at a minimum, that it has been impacted by a 
supply chain risk determination under this DFARS section, and that any 
information that can be shared about the ``basis for carrying out'' the 
decision ``consistent with the requirements of national security'' will 
be shared with that entity. Another respondent commented that while the 
rule requires notice by the authorized individual to ``appropriate 
parties'' to the extent needed to execute a covered procurement action 
and to DoD and other Federal agencies, it makes no provision to provide 
notice to other Federal contractors that might be impacted by the 
exclusion.
    Response: The written determination detailed in DFARS 239.7304 will 
detail any limitations on disclosure of information related to a 
section 806 exclusion. ``Appropriate parties'' would be determined on a 
case-by-case basis.
c. Exclusion Process
    Comment: Two respondents commented on the exclusions process 
itself. One respondent commented that the exclusion process is 
seriously flawed because it does not connect the acts conducted by 
those at higher levels in DoD with the actions of the contracting 
officers in any rational time phased application that would help 
offerors understand the proposal and business risk involved in any 
given source selection process. This respondent further commented that 
it is fundamentally unclear whether an exclusion will be made on a 
case-by-case basis or be a blanket exclusion of a contractor or 
subcontractor, and that it is unclear at what point in the acquisition 
process such exclusions may be authorized or executed. Under the new 
rule's language, a source could be excluded before, during, and/or 
after a contract award (whether as prime or subcontractor). One 
respondent suggests that its concerns that DoD can reject or modify 
acquisitions based upon concerns about supply chain integrity could be 
addressed by having any sensitive finding subject to review, and 
recommendation for approval or disapproval to the Secretary of Defense, 
by the DoD General Counsel, or a committee appointed by the Secretary 
of Defense charged with assuring the validity of such concerns and 
their sensitivity for release to suppliers.
    Response: Suppliers are expected to manage supply chain risk in 
their offerings. Under section 806 and the rule, exclusion of a source 
may occur during source selection before award (using an evaluation 
factor) or after award (by withholding consent to a subcontract). 
Exclusion of a source would be on a case-by-case basis, as the
risk tolerance is not the same for all procurement actions. The 
authorization and recommendation mechanisms and participants described 
in the rule are mandated by the statute.
d. Dispute Mechanism
    Comment: Two respondents commented on the need for an impartial 
process for addressing concerns. One respondent urged that the interim 
rule reinforce the need for a fair opportunity pre- and post-exclusion 
for concerns to be addressed by the contractor or vendor at issue. One 
respondent commented that neither section 806 of the NDAA for FY 2011 
nor the interim rule provide for any procedures for proposed 
contractors or subcontractors to challenge a possible exclusion 
determination where DoD decides to limit the disclosure of information. 
This respondent further stated that DoD should provide some dispute 
mechanism for exclusion in protest and claim matters, whereby counsel 
for offerors, contractors, and proposed subcontractors can represent 
their clients and obtain access to information under protective order 
or clearance to assure that the required process was followed and 
proper grounds for invocation of the exclusion exist.
    Response: Exclusions using the authority of section 806 will be 
based generally on classified intelligence information. A dispute 
resolution mechanism is not appropriate under those circumstances.
e. Remediation
    Comment: Two respondents commented on the need to provide equitable 
adjustments, a means of remedy, and/or a pathway to reinstatement once 
a supplier is excluded. One of the respondents commented that while 
DFARS 239.7305 allows DoD to exclude sources, it does not provide a 
pathway to reinstatement or for inclusion once a supplier is excluded, 
proposing that DoD establish a separate rulemaking and coordinate a 
unified policy with an industry-Government working group to gain 
insight into how remediation and rejoining the defense industrial base 
can be accomplished in a responsible manner. This respondent further 
commented that DoD should provide equitable adjustments and other 
remedies for prime contractors whose subcontractors are excluded, 
stating that the new regulations fail to provide relief for prime 
contractors who must exclude a source through no fault of its own. 
Another respondent suggested that a periodic review of excluded 
contractors should be required for ongoing contracts with new task 
orders, adding that if a vendor has been excluded without notice, the 
interim rule should require the agency to review that decision on no 
less than an annual basis for as long as the contract is in place. This 
respondent also commented that the regulation should specifically 
afford remedies, including equitable adjustments, whenever the 
authority at DFARS 239.7305(c) is exercised and a prime must exclude a 
subcontractor.
    Response: Risk will be evaluated on a case-by-case basis, and any 
exclusion will be for a particular source selection and not a blanket 
exclusion. Offerors are eligible to compete for future solicitations 
even after section 806 has excluded them from a particular source 
selection. Consistent with national security, i.e., with proper 
clearances and in a manner that will not put the warfighter, the 
system, or intelligence operations at risk, DoD will discuss risks to 
the trust of critical systems or components with its industrial base as 
well as potential remedies. This is particularly true in the system 
integration context where the program office and the prime contractors 
are more likely to have the time and clearances to develop tailored 
mitigations. Where appropriate, DoD will partner with its contractors 
to mitigate supply chain risk in lieu of executing section 806 
authorities. In most cases, non-806 mitigations will sufficiently 
manage the risk; when that is not the case and exclusion of a source is 
required, DoD does not intend to provide equitable adjustments or other 
remedies.
6. Impact of Rule
a. Economic/Cost Impact
    Comment: Numerous respondents commented that the estimates by DoD 
of the costs and economic impact of this rule are inadequate. One of 
these respondents commented that the rule creates costs beyond the 
supply chain risk management a responsible company would undertake in 
the course of ordinary business. Further, the scope of application of 
the interim rule, which requires compliance at all levels of the DoD 
supply chain, would require significant, costly, additional investments 
in supplier management and compliance mechanisms by industry. Another 
respondent suggested that absent a public comment period before 
implementation of the rule, industry has no opportunity to provide 
input regarding the costs and benefits of the approach DoD has taken. 
One respondent commented that the cumulative economic effect of the 
exclusion of any one company from any one contract would result in 
reductions in both Government and commercial business, and the loss of 
employment at the excluded company and the corresponding loss of 
payroll. Other losses would be incurred as a result of the ripple 
effect on primes, subcontractors, or suppliers to the excluded company, 
which will lose that source of supply and must then incur the expense 
of identifying and vetting new sources. One respondent commented that 
by not advising what standard DoD will use to evaluate supply chain 
risks, the interim rule is likely to increase the time and cost of 
pursuing and performing Government contracts.
    Response: DoD does not expect the rule to have a significant 
economic impact on a substantial number of entities. Companies have an 
existing interest in having a supply chain that they can rely on to 
provide them with material and supplies that allow them to 
ultimately supply their customers with products that are safe and that do 
not impose threats or risks to Government information systems. The rule 
does not require contractors to deploy additional supply chain risk 
protections. Section 806 authority applies to a specific contract, task 
order, or delivery order only.
b. Small Business
    Comment: One respondent commented that the rule will drive up costs 
for smaller businesses by requiring a significant increase in investments 
in compliance. Another respondent commented that the rule could prompt 
prime contractors to exclude new or small businesses in order to 
improve the evaluation of their supply chain risk profile.
    Response: The rule does not require contractors to deploy 
additional supply chain risk protections.
c. Barriers to the Federal Market
    Comment: Two respondents commented that the rule creates 
significant new barriers to the Federal market, further suggesting that 
the interim regulation poses significant burdens for existing companies 
in the market and will only further dissuade new and innovative 
companies from entering the market.
    Response: Since section 806 decisions rely on intelligence 
information, the operation of the rule presents no barrier to 
participation in the DoD market for either existing participants or new 
entrants.

d. De Facto Debarment/Suspension
    Comment: Several respondents stated that the exercise of the 
exclusionary authority in the rule could result in a de facto debarment 
or suspension without any due process for the affected offeror.
    Response: Risk will be evaluated on a case-by-case basis, and any 
exclusion will be for a particular source selection and not a blanket 
exclusion. Offerors are eligible to compete for future solicitations 
even after section 806 has excluded them from a particular source 
selection.
e. Security
    Comment: One respondent commented that the rule could 
unintentionally but negatively impact the Federal Government's security 
because it prevents DoD from informing suppliers about supply chain 
risks that DoD believes exist and prevents any consultation with 
offerors.
    Response: This will be taken into consideration in any instance 
that the section 806 authority is utilized.
7. Qualification standard
    Comment: Three respondents commented that the interim rule should 
provide more guidance regarding the qualification standard(s) that may 
be established to reduce supply chain risk. One respondent urged DoD to 
develop the systems and data security requirements for covered 
procurements and issue them to potential offerors during the 
procurement process as a requirement for bid eligibility. This approach 
would focus the use of this clause to procurements for covered systems 
or covered items of supply and would increase competition by limiting 
unnecessary disqualification of offerors (and contractors and 
subcontractors/suppliers) that could meet the Government's 
requirements. Another respondent commented that the rule should be 
amended to provide more specificity as to the type of ``qualification 
standards'' that may be established ``for the purposes of reducing 
supply chain risk in the acquisition of covered systems.''
    Response: DoD has no present plans to use section 806 authority to 
exclude a source based on failure to meet a qualification standard to 
reduce supply chain risk. To use this authority DoD must first develop 
qualification standards in accordance with the requirements of 10 
U.S.C. 2319, which include providing the qualification requirements to 
potential offerors.
8. Synchronize/Harmonize With Related Rules/Initiatives
    Comment: Five respondents requested that DoD harmonize the 
requirements of the rule with industry- and Government-led supply chain 
risk management regimes and initiatives in order to avoid 
inconsistencies. One respondent encouraged DoD to harmonize the 
requirements of the rule with the guidance issued by the Secretary of 
Defense memorandum dated October 10, 2013, entitled ``Safeguarding 
Unclassified Controlled Technical Information;'' the Office of 
Management and Budget's circular M-14-13 dated November 18, 2013, 
entitled ``Enhancing the Security of Federal Information and 
Information Systems;'' and other Departmental requirements. This 
respondent further recommends that the final rule include a statement 
that ``the rule complements rather than conflicts with other related 
requirements.'' Another respondent further encouraged DoD to avoid the 
creation of unneeded duplication of certifications of these important 
assurance efforts, by affirming that the interim rule shall not impact 
the duties of contractors and vendors in assessing relevant 
procurements related to NSS.
    Response: DoD is involved in a myriad of efforts to address supply 
chain risks, specifically, as well as cybersecurity broadly. All of 
these policies and strategic efforts aim to improve the overall risk 
posture of the Federal Government's information systems and those of 
its industry partners. A patchwork of policies and regulations is 
sometimes necessary to address the variabilities of the system 
ownership and operation, and the risk tolerance of the mission. The 
rule is specific to DoD and narrowly scoped to NSS, which often have a 
lower risk tolerance due to the criticality of missions utilizing such 
systems.
9. Tracking
    Comment: One respondent commented that DoD should catalog the 
number of source exclusions executed under the section 806 authority 
between 2013 and 2018.
    Response: DoD is required to submit a report on January 1, 2017, on 
the effectiveness of section 806 authorities, to include how frequently 
DoD exercises the authority.

III. Applicability to Acquisitions Not Greater Than the Simplified 
Acquisition Threshold (SAT) and Commercial Items, Including 
Commercially Available Off-the-Shelf (COTS) Items

    Consistent with 41 U.S.C. 1905, 1906, and 1907, the Director, 
Defense Procurement and Acquisition Policy (DPAP), determined that it 
would not be in the best interest of the United States to exempt 
acquisitions not greater than the SAT and acquisitions of commercial 
items, including COTS items, from the applicability of section 806 of 
the NDAA for FY 2011 as amended by section 806 of the NDAA for FY 2013.

A. Applicability to Contracts at or Below the SAT

    41 U.S.C. 1905 governs the applicability of laws to contracts or 
subcontracts in amounts not greater than the SAT. It is intended to 
limit the applicability of laws to such contracts or subcontracts. 41 
U.S.C. 1905 provides that if a provision of law contains criminal or 
civil penalties, or if the FAR Council makes a written determination 
that it is not in the best interest of the Federal Government to exempt 
contracts or subcontracts at or below the SAT, the law will apply to 
them. The Director, DPAP, is the appropriate authority to make 
comparable determinations for regulations to be published in the DFARS, 
which is part of the FAR system of regulations. DoD has made that 
determination; therefore, this rule applies below the SAT.
    Given that the requirements of section 806 of the NDAA for FY 2011 
and section 806 of the NDAA for FY 2013 were enacted to protect the 
supply chain, which in turn protects NSS from malicious actions, DoD 
has determined that it is in the best interest of the Federal 
Government to apply the rule to contracts below the SAT, as defined at 
FAR 2.101. An exception for contracts below the SAT 
would exclude contracts intended to be covered by the law, thereby 
undermining the overarching public policy purpose of the law.

B. Applicability to Contracts for the Acquisition of Commercial Items, 
Including COTS Items

    41 U.S.C. 1906 governs the applicability of laws to contracts for 
the acquisition of commercial items, and is intended to limit the 
applicability of laws to contracts for the acquisition of commercial 
items. 41 U.S.C. 1906 provides that if a provision of law contains 
criminal or civil penalties, or if 
the FAR Council makes a written determination that it is not in the 
best interest of the Federal Government to exempt commercial item 
contracts, the provision of law will apply to contracts for the 
acquisition of commercial items. Likewise, 41 U.S.C. 1907 governs the 
applicability of laws to COTS items, with the Administrator for Federal 
Procurement Policy the decision authority to determine that it is in 
the best interest of the Government to apply a provision of law to 
acquisitions of COTS items in the FAR. The Director, DPAP, is the 
appropriate authority to make comparable determinations for regulations 
to be published in the DFARS, which is part of the FAR system of 
regulations.
    Given that the requirements of section 806 of the NDAA for FY 2011 
and section 806 of the NDAA for FY 2013 were enacted to protect the 
supply chain, which in turn protects NSS from malicious actions, DoD 
has determined that it is in the best interest of the Federal 
Government to apply the rule to contracts for the acquisition of 
commercial items, including COTS items, as defined at FAR 2.101. An 
exception for contracts for the acquisition of commercial items, 
including COTS items, would exclude contracts intended to be covered by 
the law, thereby undermining the overarching public policy purpose of 
the law.

IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is a significant regulatory action and, therefore, was subject to 
review under section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993. This rule is not a major rule under 5 
U.S.C. 804.

V. Regulatory Flexibility Act

    A final regulatory flexibility analysis has been prepared 
consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., 
and is summarized as follows:
    The objective of this final rule is to implement in the Defense 
Federal Acquisition Regulation Supplement protection against risks to 
the supply chain affecting National Security Systems (NSS). The legal 
basis for this final rule is section 806 of the National Defense 
Authorization Act (NDAA) for Fiscal Year (FY) of 2011 (Pub. L. 
111-383), as amended by section 806 of the NDAA for FY 2013 (Pub. L. 
112-239). Congress has recognized a growing concern for risks to the 
supply chain for technology contracts supporting the Department of 
Defense (DoD). Congress has defined supply chain risk as the risk that 
an adversary may sabotage, maliciously introduce unwanted function, or 
otherwise subvert the design, integrity, manufacturing, production, 
distribution, installation, operation, or maintenance of a covered 
system so as to surveil, deny, disrupt, or otherwise degrade the 
function, use, or operation of such system (see 806(e)(4) of Pub. L. 
111-383).
    This final rule calls for contractors providing information 
technology to DoD, whether as a service or as a supply, that is a 
covered system, is a part of a covered system, or is in support of a 
covered system, to mitigate supply chain risk to the supplies and 
services being provided to the Government. It also enables agencies to 
exclude sources identified as having a supply chain risk from 
consideration for award of a covered contract, in order to minimize the 
potential risk for supplies and services purchased by DoD to 
maliciously degrade the integrity and operation of sensitive 
information technology systems. Ultimately, DoD anticipates significant 
savings to taxpayers by reducing the risk of unsafe products entering 
our supply chain, which pose serious threats or risks to sensitive 
government information technology systems.
    No comments were received in response to the initial regulatory 
flexibility analysis.
    This rule applies to contractors providing the Government with 
information technology that qualifies as a covered system or covered 
item of supply. This includes purchases of commercial items, including 
commercial off-the-shelf items, and contracts not greater than the 
simplified acquisition threshold. While it is not possible to estimate 
the number of small businesses impacted, DoD does not expect this final 
rule to have a significant economic impact on a substantial number of 
contractors, since (1) the rule applies only when acquiring information 
technology that is part of a covered system or in support of a covered 
system and (2) the authority provided by the rule is expected to be 
invoked very infrequently.
    This rule does not require any specific reporting, recordkeeping or 
compliance requirements.
    No significant economic impact on small businesses is anticipated; 
however, the final rule does have a modified applicability for the 
provision and clause created by the rule. Instead of being prescribed 
for all information technology acquisitions the provision and clause 
will only apply to acquisitions for information technology that is a 
covered system or covered item of supply. This will significantly 
reduce the number of acquisitions to which the provision and clause 
will apply.

VI. Paperwork Reduction Act

    The rule does not contain any information collection requirements 
that require the approval of the Office of Management and Budget under 
the Paperwork Reduction Act (44 U.S.C. chapter 35).

List of Subjects in 48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 
239, 244, and 252

    Government procurement.

Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.
    Accordingly, DoD adopts as final the interim rule published at 78 
FR 69268 on November 18, 2013, with the following changes:

1. The authority citation for 48 CFR parts 202, 208, 212, 213, 214, 
215, 239, 244, and 252 continues to read as follows:

    Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

PART 202--DEFINITIONS OF WORDS AND TERMS

2. Amend section 202.101 by adding, in alphabetical order, a definition 
for ``Information technology'' to read as follows:


202.101  Definitions.

* * * * *
    Information technology (see 40 U.S.C. 11101(6)) means, in lieu of 
the definition at FAR 2.1, any equipment, or interconnected system(s) 
or subsystem(s) of equipment, that is used in the automatic 
acquisition, storage, analysis, evaluation, manipulation, management, 
movement, control, display, switching, interchange, transmission, or 
reception of data or information by the agency.
    (1) For purposes of this definition, equipment is used by an agency 
if the equipment is used by the agency directly or is used by a 
contractor under 
a contract with the agency that requires--
    (i) Its use; or
    (ii) To a significant extent, its use in the performance of a 
service or the furnishing of a product.
    (2) The term ``information technology'' includes computers, 
ancillary equipment (including imaging peripherals, input, output, and 
storage devices necessary for security and surveillance), peripheral 
equipment designed to be controlled by the central processing unit of a 
computer, software, firmware and similar procedures, services 
(including support services), and related resources.
    (3) The term ``information technology'' does not include any 
equipment acquired by a contractor incidental to a contract.
* * * * *

PART 208--REQUIRED SOURCES OF SUPPLIES AND SERVICES

3. Revise section 208.405 to read as follows:


208.405  Ordering procedures for Federal Supply Schedules.

    Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

4. In section 208.7402, revise paragraph (2) to read as follows:


208.7402  General.

* * * * *
    (2) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

PART 212--ACQUISITION OF COMMERCIAL ITEMS

5. Amend section 212.301 by--
a. Adding paragraph (c); and
b. Revising paragraphs (f)(xv)(C) and (D).
    The addition and revisions read as follows:


212.301  Solicitation provisions and contract clauses for acquisition 
of commercial items.

    (c) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.
    (f) * * *
    (xv) * * *
    (C) Use the provision at 252.239-7017, Notice of Supply Chain Risk, 
as prescribed in 239.7306(a), to comply with section 806 of Public Law 
111-383.
    (D) Use the clause at 252.239-7018, Supply Chain Risk, as 
prescribed in 239.7306(b), to comply with section 806 of Public Law 
111-383.
* * * * *

PART 213--SIMPLIFIED ACQUISITION PROCEDURES

6. Add section 213.106-1 to read as follows:


213.106-1  Soliciting competition.

    (a)(2) Include an evaluation factor regarding supply chain risk 
(see subpart 239.73) when acquiring information technology, whether as 
a service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

PART 214--SEALED BIDDING

7. Add section 214.201-5 to read as follows:


214.201-5  Part IV--Representations and instructions.

    (c) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

8. Add subpart 214.5 to read as follows:
Subpart 214.5 Two-Step Sealed Bidding
Sec.
214.503 Procedures.
214.503-1 Step one.

Subpart 214.5 Two-Step Sealed Bidding


214.503  Procedures.


214.503-1  Step one.

    (a)(4) Include an evaluation factor regarding supply chain risk 
(see subpart 239.73) when acquiring information technology, whether as 
a service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301.

PART 215--CONTRACTING BY NEGOTIATION

9. In section 215.304, revise paragraph (c)(v) to read as follows:


215.304  Evaluation factors and significant subfactors.

    (c) * * *
    (v) Include an evaluation factor regarding supply chain risk (see 
subpart 239.73) when acquiring information technology, whether as a 
service or as a supply, that is a covered system, is a part of a 
covered system, or is in support of a covered system, as defined in 
239.7301. For additional guidance see PGI 215.304(c)(v).

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

10. Add section 239.001 to read as follows:


239.001  Applicability.

    Notwithstanding FAR 39.001, this part applies to acquisitions of 
information technology, including national security systems.


239.7301 and 239.7302  [Redesignated as 239.7302 and 239.7301]

11. Redesignate sections 239.7301 and 239.7302 as sections 239.7302 and 
239.7301, respectively.

12. Amend newly redesignated 239.7301 by--
a. In the definition of ``Covered item'', removing ``Covered item'' and 
adding ``Covered item of supply'' in its place;
b. Removing the definition of ``Information technology''; and
c. Adding, in alphabetical order, a definition for ``Supply chain 
risk''.
    The addition reads as follows:


239.7301  Definitions.

* * * * *
    Supply chain risk means the risk that an adversary may sabotage, 
maliciously introduce unwanted function, or otherwise subvert the 
design, integrity, manufacturing, production, distribution, 
installation, operation, or maintenance of a national security system 
(as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, 
disrupt, or otherwise degrade the function, use, or operation of such 
system.


239.7302  [Amended]

13. Amend newly redesignated 239.7302 by removing ``covered item'' 
everywhere it appears and adding ``covered item of supply'' in its 
place.


239.7304  [Amended]

14. Amend section 239.7304 by--
a. In paragraph (b)(1), removing ``239.7305(a)(b) or (c)'' and adding 
``239.7305(a), (b), or (c)'' in its place; and
b. In paragraph (c)(2)(ii) and (iii) removing ``paragraph (a)'' and 
adding ``paragraph (a) of this section'' in both places.

15. Amend section 239.7305 by--
a. Revising the introductory text; and
b. Revising paragraph (d)(2)(i).
    The revisions read as follows:


239.7305  Exclusion and limitation on disclosure.

    Subject to 239.7304, the individuals authorized in 239.7303 may, in 
the course of procuring information technology, whether as a service or 
as a supply, that is a covered system, is a part of a covered system, 
or is in support of a covered system--
* * * * *
    (d) * * *
    (2) * * *
    (i) Notify appropriate parties of action taken under paragraphs (a) 
through (d) of this section and the basis for such action only to the 
extent necessary to effectuate the action;
* * * * *

16. Revise section 239.7306 to read as follows:


239.7306  Solicitation provision and contract clause.

    (a) Insert the provision at 252.239-7017, Notice of Supply Chain 
Risk, in solicitations, including solicitations using FAR part 12 
procedures for the acquisition of commercial items, for information 
technology, whether acquired as a service or as a supply, that is a 
covered system, is a part of a covered system, or is in support of a 
covered system, as defined at 239.7301.
    (b) Insert the clause at 252.239-7018, Supply Chain Risk, in 
solicitations and contracts, including solicitations and contracts 
using FAR part 12 procedures for the acquisition of commercial items, 
for information technology, whether acquired as a service or as a 
supply, that is a covered system, is a part of a covered system, or is 
in support of a covered system, as defined at 239.7301.

PART 244--SUBCONTRACTING POLICIES AND PROCEDURES

17. Revise section 244.201-1 to read as follows:


244.201-1  Consent requirements.

    In solicitations and contracts for information technology, whether 
acquired as a service or as a supply, that is a covered system or 
covered item of supply as those terms are defined at 239.7301, consider 
the need for a consent to subcontract requirement regarding supply 
chain risk (see subpart 239.73). For additional guidance see PGI 
244.201-1.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


252.239-7018  [Amended]

18. Amend section 252.239-7018 by--
a. Removing the clause date ``(NOV 2013)'' and adding ``(OCT 2015)'' in 
its place;
b. Amending paragraph (b) by removing ``shall maintain controls'' and 
adding ``shall mitigate supply chain risk'' in its place, and removing 
the phrase ``to minimize supply chain risk'' before the period; and
c. Removing paragraph (e).

[FR Doc. 2015-27463 Filed 10-29-15; 8:45 am]
BILLING CODE 5001-06-P



                                             the Defense Federal Acquisition                         212.301, 213.106–1, 214.201–5, and                    objected to the broad definitions of
                                             Regulation Supplement (DFARS) to                        214.503–1.                                            ‘‘covered system’’ and ‘‘covered item.’’
                                             implement a section of the National                        3. DFARS clause 252.239–7018,                      One respondent questioned why the
                                             Defense Authorization Act (NDAA) for                    Supply Chain Risk, is changed as                      Council chose to use the term ‘‘covered
                                             Fiscal Year (FY) 2011, as amended by                    follows—                                              item’’ versus ‘‘covered item of supply,’’
                                             the NDAA for FY 2013. This final rule                      a. Paragraph (b), is modified to state             which is the term used in section 806.
                                             allows DoD to consider the impact of                    that the contractor shall mitigate supply                Response: The definitions in the rule
                                             supply chain risk in specified types of                 chain risk in the provision of supplies               are taken directly from the statute. In
                                             procurements related to national                        and services to the Government; and                   the final rule, the term ‘‘covered item’’
                                             security systems.                                          b. Paragraph (c) is removed as the                 has been replaced by the term ‘‘covered
                                                                                                     clause will no longer contain a                       item of supply,’’ thereby conforming to
                                             DATES: Effective October 30, 2015.                                                                            the statute.
                                                                                                     requirement to flow down the clause to
                                             FOR FURTHER INFORMATION CONTACT: Mr.                    subcontractors.                                       b. Information Technology
                                             Dustin Pitsch, telephone 571–372–6090.
                                                                                                     B. Analysis of Public Comments                           Comment: The same respondent
                                             SUPPLEMENTARY INFORMATION:
                                                                                                     1. Interim Rule Should Be Reissued as                 commented that the definition of
                                             I. Background                                           a Proposed Rule                                       ‘‘information technology’’ is defined
                                                                                                                                                           even more expansively than in Federal
                                                DoD published an interim rule in the                    Comment: Numerous respondents                      Acquisition Regulation (FAR) subpart
                                             Federal Register at 78 FR 69268 on                      urged DoD to rescind the interim rule                 2.1, covering information systems
                                             November 18, 2013, to implement                         and reissue the rule as a proposed rule.              ranging from systems used for
                                             section 806 of the National Defense                     One respondent suggested that the new                 intelligence activities to information
                                             Authorization Act (NDAA) for Fiscal                     rule authorizes the exclusion of                      systems used for the ‘‘direct fulfillment
                                             Year (FY) 2011 (Pub. L. 111–383),                       businesses from the defense industrial                of military or intelligence missions.’’
                                             entitled ‘‘Requirements for Information                 base and that such authority should not                  Response: The definition of
                                             Relating to Supply Chain Risk,’’ as                     be exercised without first hearing the                ‘‘information technology’’ in the rule is
                                             amended by section 806 of the NDAA                      views of and gathering all relevant                   the same as in the statute (40 U.S.C.
                                             for FY 2013 (Pub. L. 112–239). This rule                information from the parties that will be             11101(6)).
                                             is part of DoD’s retrospective plan,                    directly impacted by this rule. One
                                             completed in August 2011, under                         respondent commented that the rule                    c. Supply Chain Risk
                                             Executive Order 13563, Improving                        could prevent suppliers from addressing                  Comment: One respondent requested
                                             Regulation and Regulatory Review.                       and mitigating supply chain security                  that DoD clarify the definition of
                                             DoD’s full plan and updates can be                      risks, and that a public comment period               ‘‘supply chain risk,’’ stating that DoD
                                             accessed at: http://www.regulations.gov/                would have allowed industry to suggest                should clarify the phrase ‘‘maliciously
                                             #!docketDetail;D=DOD-2011-OS-0036.                      alternative approaches that could allow               introduce unwanted function’’ to clearly
                                                Eight respondents submitted public                   for risk mitigation. Another respondent               explain if this is a hardware or software
                                             comments in response to the interim                     commented that the interim rule denies                concern or both, and recognize that
                                             rule.                                                   industry and other critical stakeholders              threats posed maliciously are just one
                                                                                                     ample time, opportunity to shape, and                 class of threat.
tkelley on DSK3SPTVN1PROD with RULES5




                                             II. Discussion and Analysis
                                                                                                     ultimately collaborate with the DoD to                   Response: The definition of ‘‘supply
                                               DoD reviewed the public comments in                   design a complex program that                         chain risk’’ is taken directly from the
                                             the development of the final rule. A                    addresses multiple risks and                          statute. It addresses both hardware and
                                             discussion of the comments and the                      complexities. One respondent added                    software concerns and is the only class
                                             changes made to the rule as a result of                 that without a standard notice-and-                   of threat to which section 806 and the
                                             those comments is provided, as follows:                 comment rulemaking process, industry                  rule apply.



3. Scope and Applicability

a. Prescription

Comment: Three respondents commented that the scope is overly broad, recommending that DoD should include the rule’s provisions and clauses in NSS solicitations and contracts only. One of these respondents commented that the rule should be narrowly scoped to reflect the intent of Congress, suggesting that DoD should include the rule’s provisions and clauses in solicitations and contracts for information technology NSS rather than all information technology solicitations and contract, i.e., only in “covered procurements.” Another respondent commented that DoD should establish an independent, special review council to evaluate issues such as: (1) “covered” systems, technologies, items, procurements, and contracts; and (2) circumstances where the clause needs to be included and where information will be withheld under DFARS 239.7305(d), thus providing an independent check to ensure that this authority is being used in a manner consistent with section 806 of the FY 2011 NDAA and the underlying policy. This respondent also suggested that successful offerors be provided information that their contracts are covered by the clause. One respondent suggested that DoD should provide offerors sufficient notice that the goods or services they offer are to be used in a covered procurement.

Response: The final rule limits use of the solicitation provision and contract clause to solicitations and contracts for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as that term is defined at 239.7301.

b. NSS Classifications

Comment: One respondent commented that mundane systems will be over classified by program managers as NSS and that NSS classifications should be reserved to an appropriate level above program manager. This respondent further stated that DoD should take steps to clearly designate systems as “NSS” and limit the NSS classification. Another respondent stated that because the interim rule incorporates the definition in 44 U.S.C. 3542(b) for “National Security System”, the rule’s approach to include the clause in all DoD contracts seems contrary to the legislative intent to limit application to “covered procurements” as defined in section 806(e)(3) of the FY 2011 NDAA. This respondent further suggested that DoD more narrowly define when contracting officers should include and use this clause (e.g., what types of programs) and create some independent review of contracting activities’ decisions to apply the interim rule.

Response: In the final rule, the use of the provision and clause is only required when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at DFARS 252.239–7302. In accordance with DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), the requiring activity/program office will designate systems as NSS when it registers them in the DoD Component registry (e.g., DoD Information Technology Portfolio Repository (DITPR)).

c. Flowdown

Comment: One respondent suggested that because the clause is written to require flowdown to subcontractors regardless of tier, the Government intends to have the right to direct a supplier at any tier to be excluded for a contract. The respondent further stated that this could lead to even greater disruption of a program’s supply chain since the loss of a supplier at a remote tier can have ripple effects on all higher-tier contractors and that the potential costs for the delay, disruption, and potential workarounds required to address the situation could be enormous. Failing to address the effects of exclusion of subcontractors almost guarantees that implementation of this rule will result in claims and disputes.

Response: The requirement to include the substance of DFARS clause 252.239–7018 in subcontracts has been removed from this final rule.

d. Other Applications

Comment: One respondent commented that DoD should clarify whether or not the rule applies to embedded processing, whether the rule applies to cloud computing acquisitions, and whether cloud computing acquisitions are covered procurement actions as a class, since these types of acquisitions are not directly addressed in the interim rule.

Response: The rule applies when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system. This includes embedded processing and cloud computing acquisitions if they are NSS.

4. Managing Supply Chain Risk

a. General

Comment: Three respondents commented that the final rule should encourage industry to better manage supply chain risk, require that robust supply chain risk management principles be applied throughout procurement practices, or at the very least require that contracting officers apply supply chain risk management to contracts. One of these respondents further commented that the final rule should include language that reinforces the stated objective in the definition of supply chain risk, stating, “This rule, by itself, does not require contractors to deploy additional supply chain risk protections, but leaves it up to individual contractors to take the steps necessary. . .to protect their supply chain.” Another of these respondents suggested that, if the provisions of section 806 are to be implemented as intended, the rule must require robust supply chain analyses. One respondent suggested that the interim rule should provide that in all critical information technology acquisitions, supply chain security must be applied by the relevant Government procurement managers, both at the direct contract and supervisorial levels as a mandatory matter.

Response: This rule has as its sole purpose the implementation of section 806. DoD has provided, and will continue to provide, additional guidance for the management and mitigation of supply chain risk.

b. Evaluation Factor

Comment: Three respondents commented that the interim rule should provide guidance on evaluation factors. One of these respondents commented that the rule creates uncertainty by failing to describe how supply chain risk will be used as an evaluation factor and suggests that the Government must realize that when managing risk, the steps necessary to exhaustively test all software to eliminate all potential unwanted functions is unaffordable. One respondent commented that the new requirement at DFARS 215.304 for departments and agencies to consider “the need for an evaluation factor regarding supply chain risk” provides insufficient guidance as to the type of supply chain risk evaluation factors to be utilized, further stating that while they would expect that such risk evaluations would be conducted on a case-by-case basis, guidance should be provided as to which evaluation factors should be used and when. One respondent suggested that the statement



“Consider the need for an evaluation factor. . .” appears to give the contracting activity the discretion to determine whether an evaluation factor for supply chain risk is needed but does not provide guidance as to when the conditions which necessitate such a factor have been met.

Response: In the final rule, guidance on the use of an evaluation factor regarding supply chain risk is modified to require the inclusion of the evaluation factor when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system. Risk levels, risk tolerance, and appropriate risk management measures must be determined at the local level. Evaluation factors are specified at the individual acquisition level and not in the DFARS. DoD is issuing DFARS Procedures, Guidance, and Information for the contracting workforce on developing and using supply chain risk evaluation factors.

c. Information Sharing

Comment: Three respondents commented on the disclosure of information regarding supply chain risk to offerors and contractors. One of these respondents urged the DoD to use its discretion in sharing information concerning threats sufficient to allow suppliers to alter product designs and change components on devices to overcome known vulnerabilities. Another respondent suggested that a requirement to report identified supply chain risks and issues would assure that immediate remediation could be undertaken if problems arose. One respondent commented that DoD should consider revising the rule to promote disclosure of information regarding supply chain risks to offerors and contractors whenever possible.

requirements of national security. The provisions of the rule and section 806 that limit disclosure are concerned with risk information that, for national security reasons, cannot be shared despite the transparency that is normally present in procurement activities.

d. Mitigation/Less Intrusive Measures

Comment: Several respondents commented on the need for DoD to focus on mitigation plans and less intrusive measures. One of these respondents commented that DoD should create a mechanism for vendors to file supply chain risk mitigation plans with DoD. DoD could take these plans into consideration when assessing supply chain risk for any particular procurement activity. By viewing filed mitigation plans from multiple vendors, DoD could gain greater insight into commercially viable supply chain mitigation practices. This respondent further stated that DoD should approach supply chain risk with an eye toward encouraging mitigation rather than simply disqualifying vendors, suggesting that DoD can and should implement robust supply chain security practices. One respondent suggested that DoD should clarify what it believes are less intrusive measures under section 239.7304(b)(1)(2), recommending that in order to prevent the interim rule from impeding the use of commercial technology (including commercially available off-the-shelf items) in NSS, which ultimately benefits DoD, the Department should provide wide discretion to the judgment of manufacturers in their use of industry standards and internal processes to meet its supply chain risk goals. This respondent further commented that while DFARS section 239.7304 of the rule provides that an exclusion under DFARS 239.7305 may occur when it is

mitigating supply chain risk have been considered or attempted.

Response: Section 806(b)(2) requires that “less intrusive measures are not reasonably available to reduce supply chain risk” to use its authority. Whenever it is appropriate, DoD will work with its offerors to mitigate supply chain risk using less intrusive measures than exclusion based on section 806 authorities. In the notification to congressional committees when exercising section 806 authority, a summary of the mitigation analysis evaluating reasonably available mitigations will be documented. In most cases, DoD expects these mitigations will sufficiently mitigate the risks so that exclusion will not be necessary.

e. Standards and Controls

Comment: Several respondents commented on the need for the rule to specify relevant supply chain risk management (SCRM) standards, controls, etc. One respondent stated that while it does not suggest DoD explicitly endorse one set of controls over another, industry does need some guidance beyond “maintain controls.” There must be consistency in the call out of the relevant SCRM standards and ratings in solicitations so as not to create an unnecessary administrative burden for contractors to select suppliers and subcontractors based on a moving target of standards and ratings. Notwithstanding making a reference to the Regulatory Flexibility Act on page 69269 in the narrative of the Federal Register document that the rule “recognizes the need for information technology contractors to implement appropriate safeguards and countermeasures to minimize supply chain risk,” one respondent commented that the interim rule does not provide any guidance about what metric will be applied to its products, services, and
                                             Whenever such notice may be                             determined that, among other factors,                 business models. The respondent
                                             accomplished ‘‘consistent with the                      ‘‘less intrusive measures are not                     further stated that the rule requires
                                             requirements of national security,’’ DoD                reasonably available to reduce such                   contractors to ‘‘maintain controls in the
                                             should provide notification to the                      supply chain risk,’’ at no point in the               provision of supplies and services to the
                                             offeror or contractor of perceived supply               rule is clarity provided on what this                 Government to minimize supply chain
                                             chain risks early in the procurement                    language is defined as or what an                     risk’’ but does not provide any guidance
                                             process in accordance with standard                     authorized individual should refer to in              to contractors or Government
                                             Government procurement rules (e.g.,                     order to gauge what ‘‘less intrusive                  contracting officers as to the type of
                                             during discussions in a negotiated                      measures’’ are and whether they are                   controls to be maintained to meet this
                                             procurement), so that the contractor has                ‘‘not reasonably available.’’ Another of              requirement, recommending that DoD
                                             the opportunity to mitigate or eliminate                these respondents suggested that the                  issue additional guidance that uses
                                             the risk. Contractors are less able to                  opportunity to mitigate or eliminate the              existing and proposed global,
                                             mitigate supply chain risk if the                       noticed risk from the supply chain                    consensus-based standards. One
                                             Government fails or declines to share                   would avoid significant costs that                    respondent commented that the absence
tkelley on DSK3SPTVN1PROD with RULES5




                                             with them risk information it has                       would be passed along to DoD. One                     of what standard DoD will use to
                                             developed internally.                                   respondent suggested that DoD modify                  evaluate supply chain risks is likely to
                                                Response: The DoD intends to share                   the interim rule to clarify that the                  increase the time and cost of pursuing
                                             information about supply chain risk                     exercise of the authorities under DFARS               and performing Government contracts.
                                             with its contractors to the extent                      239.7305 should be a ‘‘last resort,’’                    Response: The final rule removes the
                                             possible, consistent with the                           invoked only after other methods of                   language requiring contractors to


“maintain controls” and now states that the contractor shall mitigate supply chain risk in the provision of supplies and services to the Government. This change was made because the DFARS cannot identify specific standards or controls as this would be up to each requiring activity to identify if any standards or controls are necessary particular to the risks and risk tolerance that would apply to each procurement. DoD continues to work with industry to identify risk management best practices and promulgate best practice documents for consideration.

f. Verification/Inspection

Comment: One respondent commented that suppliers should meet the requirement to provide supply chain security verification by documentation, suggesting that all levels of the supply chain—Government, prime contractors, subcontractors, and parts suppliers—should be in compliance with supply chain integrity requirements and have records and production locations available for inspection if necessary.

Response: The practices, documentation, and information suggested in the comment are important tools in protecting against supply chain risk. However, these suggestions do not comply with the legislative requirements to implement section 806.

5. Process

a. General

Comment: Two respondents commented that the interim rule could deprive potential contractors and subcontractors of due process and that by improving due process, DoD can better secure the supply chain. One of these respondents urged DoD to do more to guarantee due process to its suppliers under this rule, stating that notice, dialogue, and resolution, (i.e., due process) serve to identify root causes of supply chain risk and allow suppliers to clear their names when falsely accused. One respondent commented that implementation of the provision for a particular procurement or contract action may result in non-reviewable decisions that deprive actual or potential contractors and subcontractors of their property rights, including their right to fairly compete for procurements and subcontracts, suggesting that these non-reviewable exclusions may violate the due process clause and could negatively affect the procurement community. This respondent suggested that DoD modify the interim rule to clarify that the exercise of the authorities under DFARS 239.7305 should be a “last resort,” invoked only after other methods of mitigating supply chain risk have been considered or attempted.

Response: Risk will be evaluated on a case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Contractors are eligible to compete for future solicitations even after application of the section 806 authority has excluded them from a particular source selection.

b. Notice/Appropriate Parties

Comment: Four respondents commented on the need for timely notification to organizations of pre- and post-exclusion status, and/or the need to clarify or define the “appropriate parties” in DFARS 239.7305(d)(2)(i). Two of these respondents commented that providing notice to the vendor in advance of any procurement action would permit appropriate response to the risk and allow offerors to rectify instances of unacceptable risk before DoD makes a determination based on incorrect or insufficient information, ensuring fairness to the offeror and benefitting DoD by enhancing fairness in competition for contracts. The opportunity to mitigate or eliminate the noticed risk from the supply chain would avoid significant costs that would be passed along to the DoD.

Three of these respondents commented on the need for notification to excluded offerors of their post-exclusion status. One respondent commented that notification to excluded offerors of their post-exclusion status and the reasons for exclusion will allow them to take steps to remedy those flaws before future opportunities. One respondent suggested that if a determination is made that “less intrusive measures are not reasonably available [short of exclusion] to reduce such supply chain risk,” the rule should require that the notion of providing notice to the offeror has been explicitly considered and deemed unreasonable before a decision to exclude has been finalized. Another respondent suggested that DFARS 215.503 and 215.506 should be clarified to ensure that unsuccessful offerors are provided information demonstrating that DOD complied with the requirements of section 806(b) and (c) in making the determination to limit the disclosure of information relating to the basis for carrying out a covered procurement action.

One of these respondents commented that clarification/definition of the term “appropriate parties” as encompassing the impacted offeror/bidder/contractor would ensure that the impacted offeror/bidder/contractor is advised, at a minimum, that it has been impacted by a supply chain risk determination under this DFARS section, and that any information that can be shared about the “basis for carrying out” the decision “consistent with the requirements of national security” will be shared with that entity. Another respondent commented that while the rule requires notice by the authorized individual to “appropriate parties” to the extent needed to execute a covered procurement action and to DoD and other Federal agencies, it makes no provision to provide notice to other Federal contractors that might be impacted by the exclusion.

Response: The written determination detailed in DFARS 239.7304 will detail any limitations on disclosure of information related to a section 806 exclusion. “Appropriate parties” would be determined on a case-by-case basis.

c. Exclusion Process

Comment: Two respondents commented on the exclusions process itself. One respondent commented that the exclusion process is seriously flawed because it does not connect the acts conducted by those at higher levels in DoD with the actions of the contracting officers in any rational time phased application that would help offerors understand the proposal and business risk involved in any given source selection process. This respondent further commented that it is fundamentally unclear whether an exclusion will be made on a case-by-case basis or be a blanket exclusion of a contractor or subcontractor, and that it is unclear at what point in the acquisition process such exclusions may be authorized or executed. Under the new rule’s language, a source could be excluded before, during, and/or after a contract award (whether as prime or subcontractor). One respondent suggests that its concerns that DoD can reject or modify acquisitions based upon concerns about supply chain integrity could be addressed by having any sensitive finding subject to review, and recommendation for approval or disapproval to the Secretary of Defense, by the DoD General Counsel, or a committee appointed by the Secretary of Defense charged with assuring the validity of such concerns and their sensitivity for release to suppliers.

Response: Suppliers are expected to manage supply chain risk in their offerings. Under section 806 and the rule, exclusion of a source may occur during source selection before award (using an evaluation factor) or after award (by withholding consent to a subcontract). Exclusion of a source would be on a case-by-case basis, as the
risk tolerance is not the same for all procurement actions. The authorization and recommendation mechanisms and participants described in the rule are mandated by the statute.

d. Dispute Mechanism

Comment: Two respondents commented on the need for an impartial process for addressing concerns. One respondent urged that the interim rule reinforce the need for a fair opportunity pre- and post-exclusion for concerns to be addressed by the contractor or vendor at issue. One respondent commented that neither section 806 of the NDAA for FY 2011 nor the interim rule provide for any procedures for proposed contractors or subcontractors to challenge a possible exclusion determination where DoD decides to limit the disclosure of information. This respondent further stated that DoD should provide some dispute mechanism for exclusion in protest and claim matters, whereby counsel for offerors, contractors, and proposed subcontractors can represent their clients and obtain access to information under protective order or clearance to assure that the required process was followed and proper grounds for invocation of the exclusion exist.

Response: Exclusions using the authority of section 806 will be based generally on classified intelligence information. A dispute resolution mechanism is not appropriate under those circumstances.

e. Remediation

Comment: Two respondents commented on the need to provide equitable adjustments, a means of remedy, and/or a pathway to reinstatement once a supplier is excluded. One of the respondents commented that while DFARS 239.7305 allows DoD to exclude sources, it does not provide a pathway to reinstatement or for inclusion once a supplier is excluded, proposing that DoD establish a separate rulemaking and coordinate a unified policy with an industry-Government working group to gain insight into how remediation and rejoining the defense industrial base can be accomplished in a responsible manner. This respondent further commented that DoD should provide equitable adjustments and other remedies for prime contractors whose

with new task orders, adding that if a vendor has been excluded without notice, the interim rule should require the agency to review that decision on no less than an annual basis for as long as the contract is in place. This respondent also commented that the regulation should specifically afford remedies, including equitable adjustments, whenever the authority at DFARS 239.7305(c) is exercised and a prime must exclude a subcontractor.

Response: Risk will be evaluated on case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Offerors are eligible to compete for future solicitations even after section 806 has excluded them from a particular source selection. Consistent with national security, i.e., with proper clearances and in a manner that will not put the warfighter, the system, or intelligence operations at risk, DoD will discuss risks to the trust of critical systems or components with its industrial base as well as potential remedies. This is particularly true in the system integration context where the program office and the prime contractors are more likely to have the time and clearances to develop tailored mitigations. Where appropriate, DoD will partner with its contractors to mitigate supply chain risk in lieu of executing section 806 authorities. In most cases, non-806 mitigations will sufficiently manage the risk; when that is not the case and exclusion of a source is required, DoD does not intend to provide equitable adjustments or other remedies.

6. Impact of Rule

a. Economic/Cost Impact

Comment: Numerous respondents commented that the estimates by DoD of the costs and economic impact of this rule are inadequate. One of these respondents commented that the rule creates costs beyond the supply chain risk management a responsible company would undertake in the course of ordinary business. Further, the scope of application of the interim rule, which requires compliance at all levels of the DoD supply chain, would require significant, costly, additional investments in supplier management and compliance mechanisms by industry. Another respondent suggested

exclusion of any one company from any one contract would result in reductions in both Government and commercial business, and the loss of employment at the excluded company and the corresponding loss of payroll. Other losses would be incurred as a result of the ripple effect on primes, subcontractors, or suppliers to the excluded company, which will lose that source of supply and must then incur the expense of identifying and vetting new sources. One respondent commented that by not advising what standard DoD will use to evaluate supply chain risks, the interim rule is likely to increase the time and cost of pursuing and performing Government contracts.

Response: DoD does not expect the rule to have a significant economic impact on a substantial number of entities. Companies have an existing interest in having a supply chain that they can rely on to provide it with material and supplies that allow the contractor to ultimately supply its customers with products that are safe and that do not impose threats or risks to Government information systems. The rule does not require contractors to deploy additional supply chain risk protections. Section 806 authority applies to a specific contract, task order, or delivery order only.

b. Small Business

Comment: One respondent commented that the rule will drive up costs for smaller businesses by requiring significant increase in investments in compliance. Another respondent commented that the rule could prompt prime contractors to exclude new or small businesses in order to improve the evaluation of their supply chain risk profile.

Response: The rule does not require contractors to deploy additional supply chain risk protections.

c. Barriers to the Federal Market

Comment: Two respondents commented that the rule creates significant new barriers to the Federal market, further suggesting that the interim regulation poses significant burdens for existing companies in the market and will only further dissuade new and innovative companies from
                                             subcontractors are excluded, stating that               that absent a public comment period                   entering the market.
tkelley on DSK3SPTVN1PROD with RULES5




                                             the new regulations fail to provide relief              before implementation of the rule,                       Response: Since section 806 decisions
                                             for prime contractors who must exclude                  industry has no opportunity to provide                rely on intelligence information, the
                                             a source through no fault of its own.                   input regarding the costs and benefits of             operation of the rule presents no barrier
                                             Another respondent suggested that a                     the approach DoD has taken. One                       to participation in the DoD market for
                                             periodic review of excluded contractors                 respondent commented that the                         either existing participants or new
                                             should be required for ongoing contracts                cumulative economic effect of the                     entrants.



d. De Facto Debarment/Suspension

Comment: Several respondents stated that the exercise of the exclusionary authority in the rule could result in a de facto debarment or suspension without any due process for the affected offeror.

Response: Risk will be evaluated on a case-by-case basis, and any exclusion will be for a particular source selection and not a blanket exclusion. Offerors are eligible to compete for future solicitations even after section 806 has excluded them from a particular source selection.

e. Security

Comment: One respondent commented that the rule could unintentionally but negatively impact the Federal Government’s security because it prevents DoD from informing suppliers about supply chain risks that DoD believes exist and prevents any consultation with offerors.

Response: This will be taken into consideration in any instance that the section 806 authority is utilized.

7. Qualification standard

Comment: Three respondents commented that the interim rule should provide more guidance regarding the qualification standard(s) that may be established to reduce supply chain risk. One respondent urged DoD to develop the systems and data security requirements for covered procurements and issue them to potential offerors during the procurement process as a requirement for bid eligibility. This approach would focus the use of this clause to procurements for covered systems or covered items of supply and would increase competition by limiting unnecessary disqualification of offerors (and contractors and subcontractors/suppliers) that could meet the Government’s requirements. Another respondent commented that the rule should be amended to provide more specificity as to the type of “qualification standards” that may be established “for the purposes of reducing supply chain risk in the acquisition of covered systems.”

Response: DoD has no present plans to use section 806 authority to exclude a source based on failure to meet a qualification standard to reduce supply chain risk. To use this authority DoD must first develop qualification standards in accordance with the requirements of 10 U.S.C. 2319, which include providing the qualification requirements to potential offerors.

8. Synchronize/Harmonize With Related Rules/Initiatives

Comment: Five respondents requested that DoD harmonize the requirements of the rule with industry- and Government-led supply chain risk management regimes and initiatives in order to avoid inconsistencies. One respondent encouraged DoD to harmonize the requirements of the rule with the guidance issued by the Secretary of Defense memorandum dated October 10, 2013, entitled “Safeguarding Unclassified Controlled Technical Information;” the Office of Management and Budget’s circular M–14–13 dated November 18, 2013, entitled “Enhancing the Security of Federal Information and Information Systems;” and other Departmental requirements. This respondent further recommends that the final rule include a statement that “the rule complements rather than conflicts with other related requirements.” Another respondent further encouraged DoD to avoid the creation of unneeded duplication of certifications of these important assurance efforts, by affirming that the interim rule shall not impact the duties of contractors and vendors in assessing relevant procurements related to NSS.

Response: DoD is involved in a myriad of efforts to address supply chain risks, specifically, as well as cybersecurity broadly. All of these policies and strategic efforts aim to improve the overall risk posture of the Federal Government’s information systems and those of its industry partners. A patchwork of policies and regulations is sometimes necessary to address the variabilities of the system ownership and operation, and the risk tolerance of the mission. The rule is specific to DoD and narrowly scoped to NSS, which often have a lower risk tolerance due to the criticality of missions utilizing such systems.

9. Tracking

Comment: One respondent commented that DoD should catalog the number of source exclusions executed under the section 806 authority between 2013 and 2018.

Response: DoD is required to submit a report on January 1, 2017, on the effectiveness of section 806 authorities, to include how frequently DoD exercises the authority.

III. Applicability to Acquisitions Not Greater Than the Simplified Acquisition Threshold (SAT) and Commercial Items, Including Commercially Available Off-the-Shelf (COTS) Items

Consistent with 41 U.S.C. 1905, 1906, and 1907, the Director, Defense Procurement and Acquisition Policy (DPAP), determined that it would not be in the best interest of the United States to exempt acquisitions not greater than the SAT and acquisitions of commercial items, including COTS items, from the applicability of section 806 of the NDAA for FY 2011 as amended by section 806 of the NDAA for FY 2013.

A. Applicability to Contracts at or Below the SAT

41 U.S.C. 1905 governs the applicability of laws to contracts or subcontracts in amounts not greater than the SAT. It is intended to limit the applicability of laws to such contracts or subcontracts. 41 U.S.C. 1905 provides that if a provision of law contains criminal or civil penalties, or if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt contracts or subcontracts at or below the SAT, the law will apply to them. The Director, DPAP, is the appropriate authority to make comparable determinations for regulations to be published in the DFARS, which is part of the FAR system of regulations. DoD has made that determination; therefore, this rule does apply below the SAT.

Given that the requirements of section 806 of the NDAA for FY 2011 and section 806 of the NDAA for FY 2013 were enacted to protect the supply chain, which in turn protects NSS from malicious actions, DoD has determined that it is in the best interest of the Federal Government to apply the rule to contracts below the SAT, as defined at FAR 2.101. An exception for contracts for the acquisition below the SAT would exclude contracts intended to be covered by the law, thereby undermining the overarching public policy purpose of the law.

B. Applicability to Contracts for the Acquisition of Commercial Items, Including COTS Items

41 U.S.C. 1906 governs the applicability of laws to contracts for the acquisition of commercial items, and is intended to limit the applicability of laws to contracts for the acquisition of commercial items. 41 U.S.C. 1906 provides that if a provision of law contains criminal or civil penalties, or if



                                             the FAR Council makes a written                         chain affecting National Security                       This rule does not require any specific
                                             determination that it is not in the best                Systems (NSS). The legal basis for this               reporting, recordkeeping or compliance
                                             interest of the Federal Government to                   final rule is section 806 of the National             requirements.
                                             exempt commercial item contracts, the                   Defense Authorization Act (NDAA) for                    No significant economic impact on
                                             provision of law will apply to contracts                Fiscal Year (FY) of 2011 (Pub. L.                     small businesses is anticipated;
                                             for the acquisition of commercial items.                111.383), as amended by section 806 of                however, the final rule does have a
                                             Likewise, 41 U.S.C. 1907 governs the                    the NDAA for FY 2013 (Pub. L. 112–                    modified applicability for the provision
                                             applicability of laws to COTS items,                    239). Congress has recognized a growing               and clause created by the rule. Instead
                                             with the Administrator for Federal                      concern for risks to the supply chain for             of being prescribed for all information
                                             Procurement Policy the decision                         technology contracts supporting the                   technology acquisitions the provision
                                             authority to determine that it is in the                Department of Defense (DoD). Congress                 and clause will only apply to
                                             best interest of the Government to apply                has defined supply chain risk as the risk             acquisitions for information technology
                                             a provision of law to acquisitions of                   that an adversary may sabotage,                       that is a covered system or covered item
                                             COTS items in the FAR. The Director,                    maliciously introduce unwanted                        of supply. This will significantly reduce
                                             DPAP, is the appropriate authority to                   function, or otherwise subvert the                    the number of acquisitions to which the
                                             make comparable determinations for                      design, integrity, manufacturing,                     provision and clause will apply.
                                             regulations to be published in the                      production, distribution, installation,
                                             DFARS, which is part of the FAR system                                                                        VI. Paperwork Reduction Act
                                                                                                     operation, or maintenance of a covered
                                             of regulations.                                         system so as to surveil, deny, disrupt, or              The rule does not contain any
                                                Given that the requirements of section               otherwise degrade the function, use, or               information collection requirements that
                                             806 of the NDAA for FY 2011 and                         operation of such system (see 806(e)(4)               require the approval of the Office of
                                             section 806 of the NDAA for FY 2013                     of Pub. L. 111–383).                                  Management and Budget under the
                                             were enacted to protect the supply                         This final rule calls for contractors              Paperwork Reduction Act (44 U.S.C.
                                             chain, which in turn protects NSS from                  providing information technology to                   chapter 35).
                                             malicious actions, DoD has determined                   DoD, whether as a service or as a
                                             that it is in the best interest of the                                                                        List of Subjects in 48 CFR Parts 202,
                                                                                                     supply, that is a covered system, is a                208, 212, 213, 214, 215, 233, 239, 244,
                                             Federal Government to apply the rule to                 part of a covered system, or is in
                                             contracts for the acquisition of                                                                              and 252
                                                                                                     support of a covered system, to mitigate
                                             commercial items, including COTS                        supply chain risk to the supplies and                     Government procurement.
                                             items, as defined at FAR 2.101. An                      services being provided to the
                                             exception for contracts for the                                                                               Jennifer L. Hawes,
                                                                                                     Government. It also enables agencies to               Editor, Defense Acquisition Regulations
                                             acquisition of commercial items,                        exclude sources identified as having a
                                             including COTS items, would exclude                                                                           System.
                                                                                                     supply chain risk from consideration for                Accordingly, DoD adopts as final the
                                             contracts intended to be covered by the                 award of a covered contract, in order to
                                             law, thereby undermining the                                                                                  interim rule published at 78 FR 69268
                                                                                                     minimize the potential risk for supplies              on November 18, 2013, with the
                                             overarching public policy purpose of                    and services purchased by DoD to
                                             the law.                                                                                                      following changes:
                                                                                                     maliciously degrade the integrity and
                                                                                                                                                           ■ 1. The authority citation for 48 CFR
                                             IV. Executive Orders 12866 and 13563                    operation of sensitive information
                                                                                                                                                           parts 202, 208, 212, 213, 214, 215, 239,
                                                Executive Orders (E.O.s) 12866 and                   technology systems. Ultimately, DoD
                                                                                                                                                           244, and 252 continues to read as
                                             13563 direct agencies to assess all costs               anticipates significant savings to
                                                                                                                                                           follows:
                                             and benefits of available regulatory                    taxpayers by reducing the risk of unsafe
                                                                                                     products entering our supply chain,                     Authority: 41 U.S.C. 1303 and 48 CFR
                                             alternatives and, if regulation is                                                                            chapter 1.
                                             necessary, to select regulatory                         which pose serious threats or risks to
                                             approaches that maximize net benefits                   sensitive government information
                                                                                                                                                           PART 202—DEFINITIONS OF WORDS
                                             (including potential economic,                          technology systems.
                                                                                                                                                           AND TERMS
                                             environmental, public health and safety                    No comments were received in
                                             effects, distributive impacts, and                      response to the initial regulatory                    ■  2. Amend section 202.101 by adding,
                                             equity). E.O. 13563 emphasizes the                      flexibility analysis.                                 in alphabetical order, a definition for
                                             importance of quantifying both costs                       This rule applies to contractors                   ‘‘Information technology’’ to read as
                                             and benefits, of reducing costs, of                     providing the Government with                         follows:
                                             harmonizing rules, and of promoting                     information technology that qualifies as
                                                                                                     a covered system or covered item of                   202.101    Definitions.
                                             flexibility. This is a significant
                                             regulatory action and, therefore, was                   supply. This includes purchases of                    *      *    *     *     *
                                             subject to review under section 6(b) of                 commercial items, including                              Information technology (see 40 U.S.C.
                                             E.O. 12866, Regulatory Planning and                     commercial off-the-shelf items, and                   11101(6)) means, in lieu of the
                                             Review, dated September 30, 1993. This                  contracts not greater than the simplified             definition at FAR 2.1, any equipment, or
                                             rule is not a major rule under 5 U.S.C.                 acquisition threshold. While it is not                interconnected system(s) or
                                             804.                                                    possible to estimate the number of small              subsystem(s) of equipment, that is used
                                                                                                     businesses impacted, DoD does not                     in the automatic acquisition, storage,
                                             V. Regulatory Flexibility Act                           expect this final rule to have a                      analysis, evaluation, manipulation,
                                                A final regulatory flexibility analysis              significant economic impact on a                      management, movement, control,
                                             has been prepared consistent with the                   substantial number of contractors, since              display, switching, interchange,
                                             Regulatory Flexibility Act, 5 U.S.C. 601,               (1) the rule applies only when acquiring              transmission, or reception of data or
                                             et seq., and is summarized as follows:                  information technology that is part of a              information by the agency.
                                                The objective of this final rule is to               covered system or in support of a                        (1) For purposes of this definition,
                                             implement in the Defense Federal                        covered system and (2) the authority                  equipment is used by an agency if the
                                             Acquisition Regulation Supplement                       provided by the rule is expected to be                equipment is used by the agency
                                             protection against risks to the supply                  invoked very infrequently.                            directly or is used by a contractor under




[[Page 67251]]

a contract with the agency that requires—

(i) Its use; or

(ii) To a significant extent, its use in the performance of a service or the furnishing of a product.

(2) The term ‘‘information technology’’ includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.

(3) The term ‘‘information technology’’ does not include any equipment acquired by a contractor incidental to a contract.

* * * * *

PART 208—REQUIRED SOURCES OF SUPPLIES AND SERVICES

■ 3. Revise section 208.405 to read as follows:

208.405 Ordering procedures for Federal Supply Schedules.

Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

■ 4. In section 208.7402, revise paragraph (2) to read as follows:

208.7402 General.

* * * * *

(2) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

PART 212—ACQUISITION OF COMMERCIAL ITEMS

■ 5. Amend section 212.301 by—
■ a. Adding paragraph (c); and
■ b. Revising paragraphs (f)(xv)(C) and (D).

The addition and revisions read as follows:

212.301 Solicitation provisions and contract clauses for acquisition of commercial items.

(c) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

(f) * * *

(xv) * * *

(C) Use the provision at 252.239–7017, Notice of Supply Chain Risk, as prescribed in 239.7306(a), to comply with section 806 of Public Law 111–383.

(D) Use the clause at 252.239–7018, Supply Chain Risk, as prescribed in 239.7306(b), to comply with section 806 of Public Law 111–383.

* * * * *

PART 213—SIMPLIFIED ACQUISITION PROCEDURES

■ 6. Add section 213.106–1 to read as follows:

213.106–1 Soliciting competition.

(a)(2) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

PART 214—SEALED BIDDING

■ 7. Add section 214.201–5 to read as follows:

214.201–5 Part IV—Representations and instructions.

(c) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

■ 8. Add subpart 214.5 to read as follows:

Subpart 214.5 Two-Step Sealed Bidding
Sec.
214.503 Procedures.
214.503–1 Step one.

Subpart 214.5 Two-Step Sealed Bidding

214.503 Procedures.

214.503–1 Step one.

(a)(4) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301.

PART 215—CONTRACTING BY NEGOTIATION

■ 9. In section 215.304, revise paragraph (c)(v) to read as follows:

215.304 Evaluation factors and significant subfactors.

(c) * * *

(v) Include an evaluation factor regarding supply chain risk (see subpart 239.73) when acquiring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined in 239.7301. For additional guidance see PGI 215.304(c)(v).

PART 239—ACQUISITION OF INFORMATION TECHNOLOGY

■ 10. Add section 239.001 to read as follows:

239.001 Applicability.

Notwithstanding FAR 39.001, this part applies to acquisitions of information technology, including national security systems.

239.7301 and 239.7302 [Redesignated as 239.7302 and 239.7301]

■ 11. Redesignate sections 239.7301 and 239.7302 as sections 239.7302 and 239.7301, respectively.
■ 12. Amend newly redesignated 239.7301 by—
■ a. In the definition of ‘‘Covered item’’, removing ‘‘Covered item’’ and adding ‘‘Covered item of supply’’ in its place;
■ b. Removing the definition of ‘‘Information technology’’; and
■ c. Adding, in alphabetical order, a definition for ‘‘Supply chain risk’’.

The addition reads as follows:

239.7301 Definitions.

* * * * *

Supply chain risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

239.7302 [Amended]

■ 13. Amend newly redesignated 239.7302 by removing ‘‘covered item’’ everywhere it appears and adding ‘‘covered item of supply’’ in its place.

239.7304 [Amended]

■ 14. Amend section 239.7304 by—
■ a. In paragraph (b)(1), removing ‘‘239.7305(a)(b) or (c)’’ and adding




[[Page 67252]]

‘‘239.7305(a), (b), or (c)’’ in its place; and
■ b. In paragraph (c)(2)(ii) and (iii) removing ‘‘paragraph (a)’’ and adding ‘‘paragraph (a) of this section’’ in both places.
■ 15. Amend section 239.7305 by—
■ a. Revising the introductory text; and
■ b. Revising paragraph (d)(2)(i).

The revisions read as follows:

239.7305 Exclusion and limitation on disclosure.

Subject to 239.7304, the individuals authorized in 239.7303 may, in the course of procuring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system—

* * * * *

(d) * * *

(2) * * *

(i) Notify appropriate parties of action taken under paragraphs (a) through (d) of this section and the basis for such action only to the extent necessary to effectuate the action;

* * * * *

■ 16. Revise section 239.7306 to read as follows:

239.7306 Solicitation provision and contract clause.

(a) Insert the provision at 252.239–7017, Notice of Supply Chain Risk, in solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301.

(b) Insert the clause at 252.239–7018, Supply Chain Risk, in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301.

PART 244—SUBCONTRACTING POLICIES AND PROCEDURES

■ 17. Revise section 244.201–1 to read as follows:

244.201–1 Consent requirements.

In solicitations and contracts for information technology, whether acquired as a service or as a supply, that is a covered system or covered item of supply as those terms are defined at 239.7301, consider the need for a consent to subcontract requirement regarding supply chain risk (see subpart 239.73). For additional guidance see PGI 244.201–1.

PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

252.239–7018 [Amended]

■ 18. Amend section 252.239–7018 by—
■ a. Removing the clause date ‘‘(NOV 2013)’’ and adding ‘‘(OCT 2015)’’ in its place;
■ b. Amending paragraph (b) by removing ‘‘shall maintain controls’’ and adding ‘‘shall mitigate supply chain risk’’ in its place, and removing the phrase ‘‘to minimize supply chain risk’’ before the period; and
■ c. Removing paragraph (e).

[FR Doc. 2015–27463 Filed 10–29–15; 8:45 am]
BILLING CODE 5001–06–P

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Part 252

RIN 0750–AI67

Defense Federal Acquisition Regulation Supplement: Removal of Cuba From the List of State Sponsors of Terrorism (DFARS 2015–D032)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Final rule.

SUMMARY: DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to remove Cuba from the definition of ‘‘state sponsor of terrorism’’ in two DFARS clauses. This rule implements the Department of State Public Notice: 9162, Rescission of Determination Regarding Cuba.

DATES: Effective October 30, 2015.

FOR FURTHER INFORMATION CONTACT: Ms. Kyoung Lee, telephone 571–372–6093.

SUPPLEMENTARY INFORMATION:

I. Background

This final rule amends DFARS clause 252.225–7049, Prohibition on Acquisition of Commercial Satellite Services from Certain Foreign Entities—Representations, and clause 252.225–7050, Disclosure of Ownership or Control by the Government of a Country that is a State Sponsor of Terrorism, by removing Cuba from the definition of ‘‘state sponsor of terrorism’’ in these clauses. This rule implements the Department of State Public Notice: 9162, Rescission of Determination Regarding Cuba, announcing removal of Cuba from the U.S. list of state sponsors of terrorism, effective May 29, 2015. This action was based upon the Presidential Report of April 14, 2015, to Congress, indicating the Administration’s intent to rescind the designation of Cuba as a state sponsor of terrorism, including the certification that Cuba has not provided any support for international terrorism during the previous six months, and that Cuba has provided assurance that it will not support acts of international terrorism in the future.

II. Publication of This Final Rule for Public Comment is Not Required by Statute

The statute that applies to the publication of the Federal Acquisition Regulation (FAR) is 41 U.S.C. 1707, Publication of Proposed Regulations. Paragraph (a)(1) of the statute requires that a procurement policy, regulation, procedure or form (including an amendment or modification thereof) must be published for public comment if it has either a significant effect beyond the internal operating procedures of the agency issuing the policy, regulation, procedure or form, or has a significant cost or administrative impact on contractors or offerors. This final rule is not required to be published for public comment, because it is only implementing the Department of State Public Notice: 9162, Rescission of Determination Regarding Cuba, announced on June 4, 2015, and, as such, the rule does not have a significant cost or administrative impact on contractors or offerors.

III. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is not a significant regulatory action and, therefore, was not subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.


Document Created: 2015-12-14 15:29:01
Document Modified: 2015-12-14 15:29:01
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Dates: Effective October 30, 2015.
Contact: Mr. Dustin Pitsch, telephone 571-372-6090.
FR Citation: 80 FR 67243
RIN Number: 0750-AH96
CFR Citation: 48 CFR 202, 208, 212, 213, 214, 215, 233, 239, 244, and 252
