[Federal Register Volume 80, Number 210 (Friday, October 30, 2015)]
[Rules and Regulations]
[Pages 67244-67252]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-27463]
[[Page 67243]]
Vol. 80
Friday,
No. 210
October 30, 2015
Part VII
Department of Defense
-----------------------------------------------------------------------
Defense Acquisition Regulations System
-----------------------------------------------------------------------
48 CFR Parts 201, 202, 206, et al.
Defense Federal Acquisition Regulation Supplements; Final Rules
��Federal Register / Vol. 80 , No. 210 / Friday, October 30, 2015 /
Rules and Regulations��
[[Page 67244]]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 202, 208, 212, 213, 214, 215, 233, 239, 244, and 252
[Docket No. DARS 2013-0052]
RIN 0750-AH96
Defense Federal Acquisition Regulation Supplement: Requirements
Relating to Supply Chain Risk (DFARS Case 2012-D050)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: DoD has adopted as final, with changes, an interim rule
amending the Defense Federal Acquisition Regulation Supplement (DFARS)
to implement a section of the National Defense Authorization Act (NDAA)
for Fiscal Year (FY) 2011, as amended by the NDAA for FY 2013. This
final rule allows DoD to consider the impact of supply chain risk in
specified types of procurements related to national security systems.
DATES: Effective October 30, 2015.
FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, telephone 571-372-
6090.
SUPPLEMENTARY INFORMATION:
I. Background
DoD published an interim rule in the Federal Register at 78 FR
69268 on November 18, 2013, to implement section 806 of the National
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011 (Pub. L.
111-383), entitled ``Requirements for Information Relating to Supply
Chain Risk,'' as amended by section 806 of the NDAA for FY 2013 (Pub.
L. 112-239). This rule is part of DoD's retrospective plan, completed
in August 2011, under Executive Order 13563, Improving Regulation and
Regulatory Review. DoD's full plan and updates can be accessed at:
http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.
Eight respondents submitted public comments in response to the
interim rule.
II. Discussion and Analysis
DoD reviewed the public comments in the development of the final
rule. A discussion of the comments and the changes made to the rule as
a result of those comments is provided, as follows:
A. Significant Changes From the Interim Rule
1. Language is added to the rule to clarify that section 806
authority is only applicable when acquiring information technology,
whether as a service or as a supply, that is a covered system, is a
part of a covered system, or is in support of a covered system,
including clarification of the prescriptions for DFARS provision
252.239-7017, Notice of Supply Chain Risk, and DFARS clause 252.239-
7018, Supply Chain Risk.
2. Guidance on the use of an evaluation factor regarding supply
chain risk is modified to require the inclusion of the evaluation
factor when acquiring information technology, whether as a service or
as a supply that is a covered system, is a part of a covered system, or
is in support of a covered system. Additional text regarding an
evaluation factor has been added at DFARS 212.301, 213.106-1, 214.201-
5, and 214.503-1.
3. DFARS clause 252.239-7018, Supply Chain Risk, is changed as
follows--
a. Paragraph (b), is modified to state that the contractor shall
mitigate supply chain risk in the provision of supplies and services to
the Government; and
b. Paragraph (c) is removed as the clause will no longer contain a
requirement to flow down the clause to subcontractors.
B. Analysis of Public Comments
1. Interim Rule Should Be Reissued as a Proposed Rule
Comment: Numerous respondents urged DoD to rescind the interim rule
and reissue the rule as a proposed rule. One respondent suggested that
the new rule authorizes the exclusion of businesses from the defense
industrial base and that such authority should not be exercised without
first hearing the views of and gathering all relevant information from
the parties that will be directly impacted by this rule. One respondent
commented that the rule could prevent suppliers from addressing and
mitigating supply chain security risks, and that a public comment
period would have allowed industry to suggest alternative approaches
that could allow for risk mitigation. Another respondent commented that
the interim rule denies industry and other critical stakeholders ample
time, opportunity to shape, and ultimately collaborate with the DoD to
design a complex program that addresses multiple risks and
complexities. One respondent added that without a standard notice-and-
comment rulemaking process, industry has no opportunity to comment on
areas of concern before the rule takes effect whereby industry must
incur costs and move towards compliance without guidance through the
rulemaking process.
Response: DoD issued an interim rule because of the need to protect
national security systems (NSS) and the integrity of its supply chains.
The rule implements the specific authorities provided in the statute.
The pilot authority provided for by the statute will expire September
30, 2018. It is in DoD's interest to initiate the pilot program and
begin gathering feedback for its report to Congress. DoD considered all
public comments received during the public comment period in the
formation of this final rule.
2. Definitions
a. ``Covered Item''/``Covered System''
Comment: Several respondents objected to the broad definitions of
``covered system'' and ``covered item.'' One respondent questioned why
the Council chose to use the term ``covered item'' versus ``covered
item of supply,'' which is the term used in section 806.
Response: The definitions in the rule are taken directly from the
statute. In the final rule, the term ``covered item'' has been replaced
by the term ``covered item of supply,'' thereby conforming to the
statute.
b. Information Technology
Comment: The same respondent commented that the definition of
``information technology'' is defined even more expansively than in
Federal Acquisition Regulation (FAR) subpart 2.1, covering information
systems ranging from systems used for intelligence activities to
information systems used for the ``direct fulfillment of military or
intelligence missions.''
Response: The definition of ``information technology'' in the rule
is the same as in the statute (40 U.S.C. 11101(6)).
c. Supply Chain Risk
Comment: One respondent requested that DoD clarify the definition
of ``supply chain risk,'' stating that DoD should clarify the phrase
``maliciously introduce unwanted function'' to clearly explain if this
is a hardware or software concern or both, and recognize that threats
posed maliciously are just one class of threat.
Response: The definition of ``supply chain risk'' is taken directly
from the statute. It addresses both hardware and software concerns and
is the only class of threat to which section 806 and the rule apply.
[[Page 67245]]
3. Scope and Applicability
a. Prescription
Comment: Three respondents commented that the scope is overly
broad, recommending that DoD should include the rule's provisions and
clauses in NSS solicitations and contracts only. One of these
respondents commented that the rule should be narrowly scoped to
reflect the intent of Congress, suggesting that DoD should include the
rule's provisions and clauses in solicitations and contracts for
information technology NSS rather than all information technology
solicitations and contract, i.e., only in ``covered procurements.''
Another respondent commented that DoD should establish an independent,
special review council to evaluate issues such as: (1) ``covered''
systems, technologies, items, procurements, and contracts; and (2)
circumstances where the clause needs to be included and where
information will be withheld under DFARS 239.7305(d), thus providing an
independent check to ensure that this authority is being used in a
manner consistent with section 806 of the FY 2011 NDAA and the
underlying policy. This respondent also suggested that successful
offerors be provided information that their contracts are covered by
the clause. One respondent suggested that DoD should provide offerors
sufficient notice that the goods or services they offer are to be used
in a covered procurement.
Response: The final rule limits use of the solicitation provision
and contract clause to solicitations and contracts for information
technology, whether acquired as a service or as a supply, that is a
covered system, is a part of a covered system, or is in support of a
covered system, as that term is defined at 239.7301.
b. NSS Classifications
Comment: One respondent commented that mundane systems will be over
classified by program managers as NSS and that NSS classifications
should be reserved to an appropriate level above program manager. This
respondent further stated that DoD should take steps to clearly
designate systems as ``NSS'' and limit the NSS classification. Another
respondent stated that because the interim rule incorporates the
definition in 44 U.S.C. 3542(b) for ``National Security System'', the
rule's approach to include the clause in all DoD contracts seems
contrary to the legislative intent to limit application to ``covered
procurements'' as defined in section 806(e)(3) of the FY 2011 NDAA.
This respondent further suggested that DoD more narrowly define when
contracting officers should include and use this clause (e.g., what
types of programs) and create some independent review of contracting
activities' decisions to apply the interim rule.
Response: In the final rule, the use of the provision and clause is
only required when acquiring information technology, whether as a
service or as a supply, that is a covered system, is a part of a
covered system, or is in support of a covered system, as defined at
DFARS 252.239-7302. In accordance with DoD Instruction 8510.01, Risk
Management Framework (RMF) for DoD Information Technology (IT), the
requiring activity/program office will designate systems as NSS when it
registers them in the DoD Component registry (e.g., DoD Information
Technology Portfolio Repository (DITPR)).
c. Flowdown
Comment: One respondent suggested that because the clause is
written to require flowdown to subcontractors regardless of tier, the
Government intends to have the right to direct a supplier at any tier
to be excluded for a contract. The respondent further stated that this
could lead to even greater disruption of a program's supply chain since
the loss of a supplier at a remote tier can have ripple effects on all
higher-tier contractors and that the potential costs for the delay,
disruption, and potential workarounds required to address the situation
could be enormous. Failing to address the effects of exclusion of
subcontractors almost guarantees that implementation of this rule will
result in claims and disputes.
Response: The requirement to include the substance of DFARS clause
252.239-7018 in subcontracts has been removed from this final rule.
d. Other Applications
Comment: One respondent commented that DoD should clarify whether
or not the rule applies to embedded processing, whether the rule
applies to cloud computing acquisitions, and whether cloud computing
acquisitions are covered procurement actions as a class, since these
types of acquisitions are not directly addressed in the interim rule.
Response: The rule applies when acquiring information technology,
whether as a service or as a supply, that is a covered system, is a
part of a covered system, or is in support of a covered system. This
includes embedded processing and cloud computing acquisitions if they
are NSS.
4. Managing Supply Chain Risk
a. General
Comment: Three respondents commented that the final rule should
encourage industry to better manage supply chain risk, require that
robust supply chain risk management principles be applied throughout
procurement practices, or at the very least require that contracting
officers apply supply chain risk management to contracts. One of these
respondents further commented that the final rule should include
language that reinforces the stated objective in the definition of
supply chain risk, stating, ``This rule, by itself, does not require
contractors to deploy additional supply chain risk protections, but
leaves it up to individual contractors to take the steps necessary. .
.to protect their supply chain.'' Another of these respondents
suggested that, if the provisions of section 806 are to be implemented
as intended, the rule must require robust supply chain analyses. One
respondent suggested that the interim rule should provide that in all
critical information technology acquisitions, supply chain security
must be applied by the relevant Government procurement managers, both
at the direct contract and supervisorial levels as a mandatory matter.
Response: This rule has as its sole purpose the implementation of
section 806. DoD has provided, and will continue to provide, additional
guidance for the management and mitigation of supply chain risk.
b. Evaluation Factor
Comment: Three respondents commented that the interim rule should
provide guidance on evaluation factors. One of these respondents
commented that the rule creates uncertainty by failing to describe how
supply chain risk will be used as an evaluation factor and suggests
that the Government must realize that when managing risk, the steps
necessary to exhaustively test all software to eliminate all potential
unwanted functions is unaffordable. One respondent commented that the
new requirement at DFARS 215.304 for departments and agencies to
consider ``the need for an evaluation factor regarding supply chain
risk'' provides insufficient guidance as to the type of supply chain
risk evaluation factors to be utilized, further stating that while they
would expect that such risk evaluations would be conducted on a case-
by-case basis, guidance should be provided as to which evaluation
factors should be used and when. One respondent suggested that the
statement
[[Page 67246]]
``Consider the need for an evaluation factor. . .'' appears to give the
contracting activity the discretion to determine whether an evaluation
factor for supply chain risk is needed but does not provide guidance as
to when the conditions which necessitate such a factor have been met.
Response: In the final rule, guidance on the use of an evaluation
factor regarding supply chain risk is modified to require the inclusion
of the evaluation factor when acquiring information technology, whether
as a service or as a supply, that is a covered system, is a part of a
covered system, or is in support of a covered system. Risk levels, risk
tolerance, and appropriate risk management measures must be determined
at the local level. Evaluation factors are specified at the individual
acquisition level and not in the DFARS. DoD is issuing DFARS
Procedures, Guidance, and Information for the contracting workforce on
developing and using supply chain risk evaluation factors.
c. Information Sharing
Comment: Three respondents commented on the disclosure of
information regarding supply chain risk to offerors and contractors.
One of these respondents urged the DoD to use its discretion in sharing
information concerning threats sufficient to allow suppliers to alter
product designs and change components on devices to overcome known
vulnerabilities. Another respondent suggested that a requirement to
report identified supply chain risks and issues would assure that
immediate remediation could be undertaken if problems arose. One
respondent commented that DoD should consider revising the rule to
promote disclosure of information regarding supply chain risks to
offerors and contractors whenever possible. Whenever such notice may be
accomplished ``consistent with the requirements of national security,''
DoD should provide notification to the offeror or contractor of
perceived supply chain risks early in the procurement process in
accordance with standard Government procurement rules (e.g., during
discussions in a negotiated procurement), so that the contractor has
the opportunity to mitigate or eliminate the risk. Contractors are less
able to mitigate supply chain risk if the Government fails or declines
to share with them risk information it has developed internally.
Response: The DoD intends to share information about supply chain
risk with its contractors to the extent possible, consistent with the
requirements of national security. The provisions of the rule and
section 806 that limit disclosure are concerned with risk information
that, for national security reasons, cannot be shared despite the
transparency that is normally present in procurement activities.
d. Mitigation/Less Intrusive Measures
Comment: Several respondents commented on the need for DoD to focus
on mitigation plans and less intrusive measures. One of these
respondents commented that DoD should create a mechanism for vendors to
file supply chain risk mitigation plans with DoD. DoD could take these
plans into consideration when assessing supply chain risk for any
particular procurement activity. By viewing filed mitigation plans from
multiple vendors, DoD could gain greater insight into commercially
viable supply chain mitigation practices. This respondent further
stated that DoD should approach supply chain risk with an eye toward
encouraging mitigation rather than simply disqualifying vendors,
suggesting that DoD can and should implement robust supply chain
security practices. One respondent suggested that DoD should clarify
what it believes are less intrusive measures under section
239.7304(b)(1)(2), recommending that in order to prevent the interim
rule from impeding the use of commercial technology (including
commercially available off-the-shelf items) in NSS, which ultimately
benefits DoD, the Department should provide wide discretion to the
judgment of manufacturers in their use of industry standards and
internal processes to meet its supply chain risk goals. This respondent
further commented that while DFARS section 239.7304 of the rule
provides that an exclusion under DFARS 239.7305 may occur when it is
determined that, among other factors, ``less intrusive measures are not
reasonably available to reduce such supply chain risk,'' at no point in
the rule is clarity provided on what this language is defined as or
what an authorized individual should refer to in order to gauge what
``less intrusive measures'' are and whether they are ``not reasonably
available.'' Another of these respondents suggested that the
opportunity to mitigate or eliminate the noticed risk from the supply
chain would avoid significant costs that would be passed along to DoD.
One respondent suggested that DoD modify the interim rule to clarify
that the exercise of the authorities under DFARS 239.7305 should be a
``last resort,'' invoked only after other methods of mitigating supply
chain risk have been considered or attempted.
Response: Section 806(b)(2) requires that ``less intrusive measures
are not reasonably available to reduce supply chain risk'' to use its
authority. Whenever it is appropriate, DoD will work with its offerors
to mitigate supply chain risk using less intrusive measures than
exclusion based on section 806 authorities. In the notification to
congressional committees when exercising section 806 authority, a
summary of the mitigation analysis evaluating reasonably available
mitigations will be documented. In most cases, DoD expects these
mitigations will sufficiently mitigate the risks so that exclusion will
not be necessary.
e. Standards and Controls
Comment: Several respondents commented on the need for the rule to
specify relevant supply chain risk management (SCRM) standards,
controls, etc. One respondent stated that while it does not suggest DoD
explicitly endorse one set of controls over another, industry does need
some guidance beyond ``maintain controls.'' There must be consistency
in the call out of the relevant SCRM standards and ratings in
solicitations so as not to create an unnecessary administrative burden
for contractors to select suppliers and subcontractors based on a
moving target of standards and ratings. Notwithstanding making a
reference to the Regulatory Flexibility Act on page 69269 in the
narrative of the Federal Register document that the rule ``recognizes
the need for information technology contractors to implement
appropriate safeguards and countermeasures to minimize supply chain
risk,'' one respondent commented that the interim rule does not provide
any guidance about what metric will be applied to its products,
services, and business models. The respondent further stated that the
rule requires contractors to ``maintain controls in the provision of
supplies and services to the Government to minimize supply chain risk''
but does not provide any guidance to contractors or Government
contracting officers as to the type of controls to be maintained to
meet this requirement, recommending that DoD issue additional guidance
that uses existing and proposed global, consensus-based standards. One
respondent commented that the absence of what standard DoD will use to
evaluate supply chain risks is likely to increase the time and cost of
pursuing and performing Government contracts.
Response: The final rule removes the language requiring contractors
to
[[Page 67247]]
``maintain controls'' and now states that the contractor shall mitigate
supply chain risk in the provision of supplies and services to the
Government. This change was made because the DFARS cannot identify
specific standards or controls as this would be up to each requiring
activity to identify if any standards or controls are necessary
particular to the risks and risk tolerance that would apply to each
procurement. DoD continues to work with industry to identify risk
management best practices and promulgate best practice documents for
consideration.
f. Verification/Inspection
Comment: One respondent commented that suppliers should meet the
requirement to provide supply chain security verification by
documentation, suggesting that all levels of the supply chain--
Government, prime contractors, subcontractors, and parts suppliers--
should be in compliance with supply chain integrity requirements and
have records and production locations available for inspection if
necessary.
Response: The practices, documentation, and information suggested
in the comment are important tools in protecting against supply chain
risk. However, these suggestions do not comply with the legislative
requirements to implement section 806.
5. Process
a. General
Comment: Two respondents commented that the interim rule could
deprive potential contractors and subcontractors of due process and
that by improving due process, DoD can better secure the supply chain.
One of these respondents urged DoD to do more to guarantee due process
to its suppliers under this rule, stating that notice, dialogue, and
resolution, (i.e., due process) serve to identify root causes of supply
chain risk and allow suppliers to clear their names when falsely
accused. One respondent commented that implementation of the provision
for a particular procurement or contract action may result in non-
reviewable decisions that deprive actual or potential contractors and
subcontractors of their property rights, including their right to
fairly compete for procurements and subcontracts, suggesting that these
non-reviewable exclusions may violate the due process clause and could
negatively affect the procurement community. This respondent suggested
that DoD modify the interim rule to clarify that the exercise of the
authorities under DFARS 239.7305 should be a ``last resort,'' invoked
only after other methods of mitigating supply chain risk have been
considered or attempted.
Response: Risk will be evaluated on a case-by-case basis, and any
exclusion will be for a particular source selection and not a blanket
exclusion. Contractors are eligible to compete for future solicitations
even after application of the section 806 authority has excluded them
from a particular source selection.
b. Notice/Appropriate Parties
Comment: Four respondents commented on the need for timely
notification to organizations of pre- and post-exclusion status, and/or
the need to clarify or define the ``appropriate parties'' in DFARS
239.7305(d)(2)(i). Two of these respondents commented that providing
notice to the vendor in advance of any procurement action would permit
appropriate response to the risk and allow offerors to rectify
instances of unacceptable risk before DoD makes a determination based
on incorrect or insufficient information, ensuring fairness to the
offeror and benefitting DoD by enhancing fairness in competition for
contracts. The opportunity to mitigate or eliminate the noticed risk
from the supply chain would avoid significant costs that would be
passed along to the DoD.
Three of these respondents commented on the need for notification
to excluded offerors of their post-exclusion status. One respondent
commented that notification to excluded offerors of their post-
exclusion status and the reasons for exclusion will allow them to take
steps to remedy those flaws before future opportunities. One respondent
suggested that if a determination is made that ``less intrusive
measures are not reasonably available [short of exclusion] to reduce
such supply chain risk,'' the rule should require that the notion of
providing notice to the offeror has been explicitly considered and
deemed unreasonable before a decision to exclude has been finalized.
Another respondent suggested that DFARS 215.503 and 215.506 should be
clarified to ensure that unsuccessful offerors are provided information
demonstrating that DOD complied with the requirements of section 806(b)
and (c) in making the determination to limit the disclosure of
information relating to the basis for carrying out a covered
procurement action.
One of these respondents commented that clarification/definition of
the term ``appropriate parties'' as encompassing the impacted offeror/
bidder/contractor would ensure that the impacted offeror/bidder/
contractor is advised, at a minimum, that it has been impacted by a
supply chain risk determination under this DFARS section, and that any
information that can be shared about the ``basis for carrying out'' the
decision ``consistent with the requirements of national security'' will
be shared with that entity. Another respondent commented that while the
rule requires notice by the authorized individual to ``appropriate
parties'' to the extent needed to execute a covered procurement action
and to DoD and other Federal agencies, it makes no provision to provide
notice to other Federal contractors that might be impacted by the
exclusion.
Response: The written determination detailed in DFARS 239.7304 will
detail any limitations on disclosure of information related to a
section 806 exclusion. ``Appropriate parties'' would be determined on a
case-by-case basis.
c. Exclusion Process
Comment: Two respondents commented on the exclusions process
itself. One respondent commented that the exclusion process is
seriously flawed because it does not connect the acts conducted by
those at higher levels in DoD with the actions of the contracting
officers in any rational time phased application that would help
offerors understand the proposal and business risk involved in any
given source selection process. This respondent further commented that
it is fundamentally unclear whether an exclusion will be made on a
case-by-case basis or be a blanket exclusion of a contractor or
subcontractor, and that it is unclear at what point in the acquisition
process such exclusions may be authorized or executed. Under the new
rule's language, a source could be excluded before, during, and/or
after a contract award (whether as prime or subcontractor). One
respondent suggests that its concerns that DoD can reject or modify
acquisitions based upon concerns about supply chain integrity could be
addressed by having any sensitive finding subject to review, and
recommendation for approval or disapproval to the Secretary of Defense,
by the DoD General Counsel, or a committee appointed by the Secretary
of Defense charged with assuring the validity of such concerns and
their sensitivity for release to suppliers.
Response: Suppliers are expected to manage supply chain risk in
their offerings. Under section 806 and the rule, exclusion of a source
may occur during source selection before award (using an evaluation
factor) or after award (by withholding consent to a subcontract).
Exclusion of a source would be on a case-by-case basis, as the
[[Page 67248]]
risk tolerance is not the same for all procurement actions. The
authorization and recommendation mechanisms and participants described
in the rule are mandated by the statute.
d. Dispute Mechanism
Comment: Two respondents commented on the need for an impartial
process for addressing concerns. One respondent urged that the interim
rule reinforce the need for a fair opportunity pre- and post-exclusion
for concerns to be addressed by the contractor or vendor at issue. One
respondent commented that neither section 806 of the NDAA for FY 2011
nor the interim rule provide for any procedures for proposed
contractors or subcontractors to challenge a possible exclusion
determination where DoD decides to limit the disclosure of information.
This respondent further stated that DoD should provide some dispute
mechanism for exclusion in protest and claim matters, whereby counsel
for offerors, contractors, and proposed subcontractors can represent
their clients and obtain access to information under protective order
or clearance to assure that the required process was followed and
proper grounds for invocation of the exclusion exist.
Response: Exclusions using the authority of section 806 will be
based generally on classified intelligence information. A dispute
resolution mechanism is not appropriate under those circumstances.
e. Remediation
Comment: Two respondents commented on the need to provide equitable
adjustments, a means of remedy, and/or a pathway to reinstatement once
a supplier is excluded. One of the respondents commented that while
DFARS 239.7305 allows DoD to exclude sources, it does not provide a
pathway to reinstatement or for inclusion once a supplier is excluded,
proposing that DoD establish a separate rulemaking and coordinate a
unified policy with an industry-Government working group to gain
insight into how remediation and rejoining the defense industrial base
can be accomplished in a responsible manner. This respondent further
commented that DoD should provide equitable adjustments and other
remedies for prime contractors whose subcontractors are excluded,
stating that the new regulations fail to provide relief for prime
contractors who must exclude a source through no fault of its own.
Another respondent suggested that a periodic review of excluded
contractors should be required for ongoing contracts with new task
orders, adding that if a vendor has been excluded without notice, the
interim rule should require the agency to review that decision on no
less than an annual basis for as long as the contract is in place. This
respondent also commented that the regulation should specifically
afford remedies, including equitable adjustments, whenever the
authority at DFARS 239.7305(c) is exercised and a prime must exclude a
subcontractor.
Response: Risk will be evaluated on case-by-case basis, and any
exclusion will be for a particular source selection and not a blanket
exclusion. Offerors are eligible to compete for future solicitations
even after section 806 has excluded them from a particular source
selection. Consistent with national security, i.e., with proper
clearances and in a manner that will not put the warfighter, the
system, or intelligence operations at risk, DoD will discuss risks to
the trust of critical systems or components with its industrial base as
well as potential remedies. This is particularly true in the system
integration context where the program office and the prime contractors
are more likely to have the time and clearances to develop tailored
mitigations. Where appropriate, DoD will partner with its contractors
to mitigate supply chain risk in lieu of executing section 806
authorities. In most cases, non-806 mitigations will sufficiently
manage the risk; when that is not the case and exclusion of a source is
required, DoD does not intend to provide equitable adjustments or other
remedies.
6. Impact of Rule
a. Economic/Cost Impact
Comment: Numerous respondents commented that the estimates by DoD
of the costs and economic impact of this rule are inadequate. One of
these respondents commented that the rule creates costs beyond the
supply chain risk management a responsible company would undertake in
the course of ordinary business. Further, the scope of application of
the interim rule, which requires compliance at all levels of the DoD
supply chain, would require significant, costly, additional investments
in supplier management and compliance mechanisms by industry. Another
respondent suggested that absent a public comment period before
implementation of the rule, industry has no opportunity to provide
input regarding the costs and benefits of the approach DoD has taken.
One respondent commented that the cumulative economic effect of the
exclusion of any one company from any one contract would result in
reductions in both Government and commercial business, and the loss of
employment at the excluded company and the corresponding loss of
payroll. Other losses would be incurred as a result of the ripple
effect on primes, subcontractors, or suppliers to the excluded company,
which will lose that source of supply and must then incur the expense
of identifying and vetting new sources. One respondent commented that
by not advising what standard DoD will use to evaluate supply chain
risks, the interim rule is likely to increase the time and cost of
pursuing and performing Government contracts.
Response: DoD does not expect the rule to have a significant
economic impact on a substantial number of entities. Companies have an
existing interest in having a supply chain that they can rely on to
provide it with material and supplies that allow the contractor to
ultimately supply its customers with products that are safe and that do
not impose threats or risks to Government information systems. The rule
does not require contractors to deploy additional supply chain risk
protections. Section 806 authority applies to a specific contract, task
order, or delivery order only.
b. Small Business
Comment: One respondent commented that the rule will drive up costs
for smaller businesses by requiring significant increase in investments
in compliance. Another respondent commented that the rule could prompt
prime contractors to exclude new or small businesses in order to
improve the evaluation of their supply chain risk profile.
Response: The rule does not require contractors to deploy
additional supply chain risk protections.
c. Barriers to the Federal Market
Comment: Two respondents commented that the rule creates
significant new barriers to the Federal market, further suggesting that
the interim regulation poses significant burdens for existing companies
in the market and will only further dissuade new and innovative
companies from entering the market.
Response: Since section 806 decisions rely on intelligence
information, the operation of the rule presents no barrier to
participation in the DoD market for either existing participants or new
entrants.
[[Page 67249]]
d. De Facto Debarment/Suspension
Comment: Several respondents stated that the exercise of the
exclusionary authority in the rule could result in a de facto debarment
or suspension without any due process for the affected offeror.
Response: Risk will be evaluated on case-by-case basis, and any
exclusion will be for a particular source selection and not a blanket
exclusion. Offerors are eligible to compete for future solicitations
even after section 806 has excluded them from a particular source
selection.
e. Security
Comment: One respondent commented that the rule could
unintentionally but negatively impact the Federal Government's security
because it prevents DoD from informing suppliers about supply chain
risks that DoD believes exist and prevents any consultation with
offerors.
Response: This will be taken into consideration in any instance
that the section 806 authority is utilized.
7. Qualification standard
Comment: Three respondents commented that the interim rule should
provide more guidance regarding the qualification standard(s) that may
be established to reduce supply chain risk. One respondent urged DoD to
develop the systems and data security requirements for covered
procurements and issue them to potential offerors during the
procurement process as a requirement for bid eligibility. This approach
would focus the use of this clause to procurements for covered systems
or covered items of supply and would increase competition by limiting
unnecessary disqualification of offerors (and contractors and
subcontractors/suppliers) that could meet the Government's
requirements. Another respondent commented that the rule should be
amended to provide more specificity as to the type of ``qualification
standards'' that may be established ``for the purposes of reducing
supply chain risk in the acquisition of covered systems.''
Response: DoD has no present plans to use section 806 authority to
exclude a source based on failure to meet a qualification standard to
reduce supply chain risk. To use this authority DoD must first develop
qualification standards in accordance with the requirements of 10
U.S.C. 2319, which include providing the qualification requirements to
potential offerors.
8. Synchronize/Harmonize With Related Rules/Initiatives
Comment: Five respondents requested that DoD harmonize the
requirements of the rule with industry- and Government-led supply chain
risk management regimes and initiatives in order to avoid
inconsistencies. One respondent encouraged DoD to harmonize the
requirements of the rule with the guidance issued by the Secretary of
Defense memorandum dated October 10, 2013, entitled ``Safeguarding
Unclassified Controlled Technical Information;'' the Office of
Management and Budget's circular M-14-13 dated November 18, 2013,
entitled ``Enhancing the Security of Federal Information and
Information Systems;'' and other Departmental requirements. This
respondent further recommends that the final rule include a statement
that ``the rule complements rather than conflicts with other related
requirements.'' Another respondent further encouraged DoD to avoid the
creation of unneeded duplication of certifications of these important
assurance efforts, by affirming that the interim rule shall not impact
the duties of contractors and vendors in assessing relevant
procurements related to NSS.
Response: DoD is involved in a myriad of efforts to address supply
chain risks, specifically, as well as cybersecurity broadly. All of
these policies and strategic efforts aim to improve the overall risk
posture of the Federal Government's information systems and those of
its industry partners. A patchwork of policies and regulations is
sometimes necessary to address the variabilities of the system
ownership and operation, and the risk tolerance of the mission. The
rule is specific to DoD and narrowly scoped to NSS, which often have a
lower risk tolerance due to the criticality of missions utilizing such
systems.
9. Tracking
Comment: One respondent commented that DoD should catalog the
number of source exclusions executed under the section 806 authority
between 2013 and 2018.
Response: DoD is required to submit a report on January 1, 2017, on
the effectiveness of section 806 authorities, to include how frequently
DoD exercises the authority.
III. Applicability to Acquisitions Not Greater Than the Simplified
Acquisition Threshold (SAT) and Commercial Items, Including
Commercially Available Off-the-Shelf (COTS) Items
Consistent with 41 U.S.C. 1905, 1906, and 1907, the Director
Defense Procurement and Acquisition Policy (DPAP), determined that it
would not be in the best interest of the United States to exempt
acquisitions not greater than the SAT and acquisitions of commercials
items, including COTS items, from the applicability of section 806 of
the NDAA for FY 2011 as amended by section 806 of the NDAA for FY 2013.
A. Applicability to Contracts at or Below the SAT
41 U.S.C. 1905 governs the applicability of laws to contracts or
subcontracts in amounts not greater than the SAT. It is intended to
limit the applicability of laws to such contracts or subcontracts. 41
U.S.C. 1905 provides that if a provision of law contains criminal or
civil penalties, or if the FAR Council makes a written determination
that it is not in the best interest of the Federal Government to exempt
contracts or subcontracts at or below the SAT, the law will apply to
them. The Director, DPAP, is the appropriate authority to make
comparable determinations for regulations to be published in the DFARS,
which is part of the FAR system of regulations. DoD has made that
determination, therefore this rule does apply below the SAT.
Given that the requirements of section 806 of the NDAA for FY 2011
and section 806 of the NDAA for FY 2013 were enacted to protect the
supply chain, which in turn protects NSS from malicious actions, DoD
has determined that it is in the best interest of the Federal
Government to apply the rule to contracts below the SAT, as defined at
FAR 2.101. An exception for contracts for the acquisition below the SAT
would exclude contracts intended to be covered by the law, thereby
undermining the overarching public policy purpose of the law.
B. Applicability to Contracts for the Acquisition of Commercial Items,
Including COTS Items
41 U.S.C. 1906 governs the applicability of laws to contracts for
the acquisition of commercial items, and is intended to limit the
applicability of laws to contracts for the acquisition of commercial
items. 41 U.S.C. 1906 provides that if a provision of law contains
criminal or civil penalties, or if
[[Page 67250]]
the FAR Council makes a written determination that it is not in the
best interest of the Federal Government to exempt commercial item
contracts, the provision of law will apply to contracts for the
acquisition of commercial items. Likewise, 41 U.S.C. 1907 governs the
applicability of laws to COTS items, with the Administrator for Federal
Procurement Policy the decision authority to determine that it is in
the best interest of the Government to apply a provision of law to
acquisitions of COTS items in the FAR. The Director, DPAP, is the
appropriate authority to make comparable determinations for regulations
to be published in the DFARS, which is part of the FAR system of
regulations.
Given that the requirements of section 806 of the NDAA for FY 2011
and section 806 of the NDAA for FY 2013 were enacted to protect the
supply chain, which in turn protects NSS from malicious actions, DoD
has determined that it is in the best interest of the Federal
Government to apply the rule to contracts for the acquisition of
commercial items, including COTS items, as defined at FAR 2.101. An
exception for contracts for the acquisition of commercial items,
including COTS items, would exclude contracts intended to be covered by
the law, thereby undermining the overarching public policy purpose of
the law.
IV. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is a significant regulatory action and, therefore, was subject to
review under section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This rule is not a major rule under 5
U.S.C. 804.
V. Regulatory Flexibility Act
A final regulatory flexibility analysis has been prepared
consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq.,
and is summarized as follows:
The objective of this final rule is to implement in the Defense
Federal Acquisition Regulation Supplement protection against risks to
the supply chain affecting National Security Systems (NSS). The legal
basis for this final rule is section 806 of the National Defense
Authorization Act (NDAA) for Fiscal Year (FY) of 2011 (Pub. L.
111.383), as amended by section 806 of the NDAA for FY 2013 (Pub. L.
112-239). Congress has recognized a growing concern for risks to the
supply chain for technology contracts supporting the Department of
Defense (DoD). Congress has defined supply chain risk as the risk that
an adversary may sabotage, maliciously introduce unwanted function, or
otherwise subvert the design, integrity, manufacturing, production,
distribution, installation, operation, or maintenance of a covered
system so as to surveil, deny, disrupt, or otherwise degrade the
function, use, or operation of such system (see 806(e)(4) of Pub. L.
111-383).
This final rule calls for contractors providing information
technology to DoD, whether as a service or as a supply, that is a
covered system, is a part of a covered system, or is in support of a
covered system, to mitigate supply chain risk to the supplies and
services being provided to the Government. It also enables agencies to
exclude sources identified as having a supply chain risk from
consideration for award of a covered contract, in order to minimize the
potential risk for supplies and services purchased by DoD to
maliciously degrade the integrity and operation of sensitive
information technology systems. Ultimately, DoD anticipates significant
savings to taxpayers by reducing the risk of unsafe products entering
our supply chain, which pose serious threats or risks to sensitive
government information technology systems.
No comments were received in response to the initial regulatory
flexibility analysis.
This rule applies to contractors providing the Government with
information technology that qualifies as a covered system or covered
item of supply. This includes purchases of commercial items, including
commercial off-the-shelf items, and contracts not greater than the
simplified acquisition threshold. While it is not possible to estimate
the number of small businesses impacted, DoD does not expect this final
rule to have a significant economic impact on a substantial number of
contractors, since (1) the rule applies only when acquiring information
technology that is part of a covered system or in support of a covered
system and (2) the authority provided by the rule is expected to be
invoked very infrequently.
This rule does not require any specific reporting, recordkeeping or
compliance requirements.
No significant economic impact on small businesses is anticipated;
however, the final rule does have a modified applicability for the
provision and clause created by the rule. Instead of being prescribed
for all information technology acquisitions the provision and clause
will only apply to acquisitions for information technology that is a
covered system or covered item of supply. This will significantly
reduce the number of acquisitions to which the provision and clause
will apply.
VI. Paperwork Reduction Act
The rule does not contain any information collection requirements
that require the approval of the Office of Management and Budget under
the Paperwork Reduction Act (44 U.S.C. chapter 35).
List of Subjects in 48 CFR Parts 202, 208, 212, 213, 214, 215, 233,
239, 244, and 252
Government procurement.
Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.
Accordingly, DoD adopts as final the interim rule published at 78
FR 69268 on November 18, 2013, with the following changes:
0
1. The authority citation for 48 CFR parts 202, 208, 212, 213, 214,
215, 239, 244, and 252 continues to read as follows:
Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.
PART 202--DEFINITIONS OF WORDS AND TERMS
0
2. Amend section 202.101 by adding, in alphabetical order, a definition
for ``Information technology'' to read as follows:
202.101 Definitions.
* * * * *
Information technology (see 40 U.S.C. 11101(6)) means, in lieu of
the definition at FAR 2.1, any equipment, or interconnected system(s)
or subsystem(s) of equipment, that is used in the automatic
acquisition, storage, analysis, evaluation, manipulation, management,
movement, control, display, switching, interchange, transmission, or
reception of data or information by the agency.
(1) For purposes of this definition, equipment is used by an agency
if the equipment is used by the agency directly or is used by a
contractor under
[[Page 67251]]
a contract with the agency that requires--
(i) Its use; or
(ii) To a significant extent, its use in the performance of a
service or the furnishing of a product.
(2) The term ``information technology'' includes computers,
ancillary equipment (including imaging peripherals, input, output, and
storage devices necessary for security and surveillance), peripheral
equipment designed to be controlled by the central processing unit of a
computer, software, firmware and similar procedures, services
(including support services), and related resources.
(3) The term ``information technology'' does not include any
equipment acquired by a contractor incidental to a contract.
* * * * *
PART 208--REQUIRED SOURCES OF SUPPLIES AND SERVICES
0
3. Revise section 208.405 to read as follows:
208.405 Ordering procedures for Federal Supply Schedules.
Include an evaluation factor regarding supply chain risk (see
subpart 239.73) when acquiring information technology, whether as a
service or as a supply, that is a covered system, is a part of a
covered system, or is in support of a covered system, as defined in
239.7301.
0
4. In section 208.7402, revise paragraph (2) to read as follows:
208.7402 General.
* * * * *
(2) Include an evaluation factor regarding supply chain risk (see
subpart 239.73) when acquiring information technology, whether as a
service or as a supply, that is a covered system, is a part of a
covered system, or is in support of a covered system, as defined in
239.7301.
PART 212--ACQUISITION OF COMMERCIAL ITEMS
0
5. Amend section 212.301 by--
0
a. Adding paragraph (c); and
0
b. Revising paragraphs (f)(xv)(C) and (D).
The addition and revisions read as follows:
212.301 Solicitation provisions and contract clauses for acquisition
of commercial items.
(c) Include an evaluation factor regarding supply chain risk (see
subpart 239.73) when acquiring information technology, whether as a
service or as a supply, that is a covered system, is a part of a
covered system, or is in support of a covered system, as defined in
239.7301.
(f) * * *
(xv) * * *
(C) Use the provision at 252.239-7017, Notice of Supply Chain Risk,
as prescribed in 239.7306(a), to comply with section 806 of Public Law
111-383.
(D) Use the clause at 252.239-7018, Supply Chain Risk, as
prescribed in 239.7306(b), to comply with section 806 of Public Law
111-383.
* * * * *
PART 213--SIMPLIFIED ACQUISITION PROCEDURES
0
6. Add section 213.106-1 to read as follows:
213.106-1 Soliciting competition.
(a)(2) Include an evaluation factor regarding supply chain risk
(see subpart 239.73) when acquiring information technology, whether as
a service or as a supply, that is a covered system, is a part of a
covered system, or is in support of a covered system, as defined in
239.7301.
PART 214--SEALED BIDDING
0
7. Add section 214.201-5 to read as follows:
214.201-5 Part IV--Representations and instructions.
(c) Include an evaluation factor regarding supply chain risk (see
subpart 239.73) when acquiring information technology, whether as a
service or as a supply, that is a covered system, is a part of a
covered system, or is in support of a covered system, as defined in
239.7301.
0
8. Add subpart 214.5 to read as follows:
Subpart 214.5 Two-Step Sealed Bidding
Sec.
214.503 Procedures.
214.503-1 Step one.
Subpart 214.5 Two-Step Sealed Bidding
214.503 Procedures.
214.503-1 Step one.
(a)(4) Include an evaluation factor regarding supply chain risk
(see subpart 239.73) when acquiring information technology, whether as
a service or as a supply, that is a covered system, is a part of a
covered system, or is in support of a covered system, as defined in
239.7301.
PART 215--CONTRACTING BY NEGOTIATION
0
9. In section 215.304, revise paragraph (c)(v) to read as follows:
215.304 Evaluation factors and significant subfactors.
(c) * * *
(v) Include an evaluation factor regarding supply chain risk (see
subpart 239.73) when acquiring information technology, whether as a
service or as a supply, that is a covered system, is a part of a
covered system, or is in support of a covered system, as defined in
239.7301. For additional guidance see PGI 215.304(c)(v).
PART 239--ACQUISITION OF INFORMATION TECHNOLOGY
0
10. Add section 239.001 to read as follows:
239.001 Applicability.
Notwithstanding FAR 39.001, this part applies to acquisitions of
information technology, including national security systems.
239.7301 and 239.7302 [Redesignated as 239.7302 and 239.7301]
0
11. Redesignate sections 239.7301 and 239.7302 as sections 239.7302 and
239.7301, respectively.
0
12. Amend newly redesignated 239.7301 by--
0
a. In the definition of ``Covered item'', removing ``Covered item'' and
adding ``Covered item of supply'' in its place;
0
b. Removing the definition of ``Information technology''; and
0
c. Adding, in alphabetical order, a definition for ``Supply chain
risk''.
The addition reads as follows:
239.7301 Definitions.
* * * * *
Supply chain risk means the risk that an adversary may sabotage,
maliciously introduce unwanted function, or otherwise subvert the
design, integrity, manufacturing, production, distribution,
installation, operation, or maintenance of a national security system
(as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny,
disrupt, or otherwise degrade the function, use, or operation of such
system.
239.7302 [Amended]
0
13. Amend newly redesignated 239.7302 by removing ``covered item''
everywhere it appears and adding ``covered item of supply'' in its
place.
239.7304 [Amended]
0
14. Amend section 239.7304 by--
0
a. In paragraph (b)(1), removing ``239.7305(a)(b) or (c)'' and adding
[[Page 67252]]
``239.7305(a), (b), or (c)'' in its place; and
0
b. In paragraph (c)(2)(ii) and (iii) removing ``paragraph (a)'' and
adding ``paragraph (a) of this section'' in both places.
0
15. Amend section 239.7305 by--
0
a. Revising the introductory text; and
0
b. Revising paragraph (d)(2)(i).
The revisions read as follows:
239.7305 Exclusion and limitation on disclosure.
Subject to 239.7304, the individuals authorized in 239.7303 may, in
the course of procuring information technology, whether as a service or
as a supply, that is a covered system, is a part of a covered system,
or is in support of a covered system--
* * * * *
(d) * * *
(2) * * *
(i) Notify appropriate parties of action taken under paragraphs (a)
through (d) of this section and the basis for such action only to the
extent necessary to effectuate the action;
* * * * *
0
16. Revise section 239.7306 to read as follows:
239.7306 Solicitation provision and contract clause.
(a) Insert the provision at 252.239-7017, Notice of Supply Chain
Risk, in solicitations, including solicitations using FAR part 12
procedures for the acquisition of commercial items, for information
technology, whether acquired as a service or as a supply, that is a
covered system, is a part of a covered system, or is in support of a
covered system, as defined at 239.7301.
(b) Insert the clause at 252.239-7018, Supply Chain Risk, in
solicitations and contracts, including solicitations and contracts
using FAR part 12 procedures for the acquisition of commercial items,
for information technology, whether acquired as a service or as a
supply, that is a covered system, is a part of a covered system, or is
in support of a covered system, as defined at 239.7301.
PART 244--SUBCONTRACTING POLICIES AND PROCEDURES
0
17. Revise section 244.201-1 to read as follows:
244.201-1 Consent requirements.
In solicitations and contracts for information technology, whether
acquired as a service or as a supply, that is a covered system or
covered item of supply as those terms are defined at 239.7301, consider
the need for a consent to subcontract requirement regarding supply
chain risk (see subpart 239.73). For additional guidance see PGI
244.201-1.
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
252.239-7018 [Amended]
0
18. Amend section 252.239-7018 by--
0
a. Removing the clause date ``(NOV 2013)'' and adding ``(OCT 2015)'' in
its place;
0
b. Amending paragraph (b) by removing ``shall maintain controls'' and
adding ``shall mitigate supply chain risk'' in its place, and removing
the phrase ``to minimize supply chain risk'' before the period; and
0
c. Removing paragraph (e).
[FR Doc. 2015-27463 Filed 10-29-15; 8:45 am]
BILLING CODE 5001-06-P