The Federal Acquisition Security Council (FASC) published a final rule in the Federal Register this week to assess Federal government supply chain risk information, as well as remove and exclude IT products, systems, or services that pose a national security risk.
FASC is an interagency council established by the Federal Acquisition Supply Chain Security Act of 2018 to develop policies and procedures for Federal government purchasing of information and communications technology and services.
The council is made up of representatives from the Office of Management and Budget (OMB), the General Services Administration, the Department of Homeland Security (DHS), the Office of the Director of National Intelligence, the Department of Justice, the Department of Defense, and the Department of Commerce.
OMB published an interim rule last year, which outlined FASC’s guidelines for the removal and exclusion of IT products, systems, or services. Additionally, it outlined information sharing guidelines for supply chain risk information, designating DHS, “acting primarily through the Cybersecurity and Infrastructure Security Agency,” as the executive agency for information sharing.
The final rule builds upon the interim rule, expanding upon relevant definitions; explaining specific procedures for the removal and exclusion process; and explaining more of DHS’ role as the information sharing agency (ISA).
“The ISA standardizes processes and procedures for submission and dissemination of supply chain information and facilitates the operations of a Supply Chain Risk Management (SCRM) Task Force under the FASC,” the final rule says. “This FASC Task Force consists of designated technical experts who assist the FASC in implementing its information sharing, risk analysis, and risk assessment functions.”
The rule details that agencies must submit supply chain risk information to the ISA if asked by the FASC, if the agency “has determined there is a reasonable basis to conclude that a substantial supply chain risk exists,” if the risk has already been identified, or if the risk regards “any covered procurement actions by the agency” or “any orders issued by the agency.”
Additionally, the rule explains how all Federal and non-Federal entities can voluntarily submit supply chain risk information to the FASC.
The final rule is effective today, Sept. 27.
