The Office of Management and Budget (OMB) released a new interim final rule in today’s Federal Register detailing Federal Acquisition Security Council (FASC) guidelines for managing supply chain risk, and recommending the removal and exclusion of IT and communications that fall below the standard.
FASC is an interagency council established by the Federal Acquisition Supply Chain Security Act of 2018 to develop policies and procedures for Federal government purchasing of information and communications technology and services. The new rule outlines how the council processes the removal of certain goods and services from the Federal supply chain.
The removal or exclusion order process will begin either by referral of the FASC or a member agency, written request from a government body, or based on information submitted by a credible individual or entity. Then, FASC will evaluate the source based on a common set of factors.
“In addition, the FASC will consult with the National Institute of Standards and Technology (NIST), before recommending issuance of an exclusion or removal order, to ensure that recommended orders do not conflict with existing federal standards and guidelines,” the Federal Register notice explains.
Once FASC issues the recommendation, it goes to the Secretary of Homeland Security, the Secretary of Defense, or the Director of National Intelligence to determine whether to issue an exclusion or removal order. Once that order is issued, agencies to which it applies would be required to comply, and the order would be reviewed annually.
As the orders are reviewed, “an authorized official of the issuing agency may modify or rescind an issued exclusion or removal order, so long as a modified order does not apply more broadly than the order before modification,” the rule states.
The council is made up of representatives from OMB, the General Services Administration, the Department of Homeland Security (DHS), the Office of the Director of National Intelligence, the Department of Justice, the Department of Defense, and the Department of Commerce.
Per the rule, the DHS will be the executive agency for information sharing and establish a supply chain risk management and information sharing task force within FASC.
This task force will be responsible for developing processes and procedures on how Federal and non-Federal entities can submit supply chain risk information, how information to support supply chain risk analyses will be shared, and how to provide information to the FASC and executive agencies on removal orders. The notice clarifies that these responsibilities will happen “primarily through the Cybersecurity and Infrastructure Security Agency,” a DHS subcomponent serving as the FASC Information Sharing Agency.
OMB is accepting comments on the interim rule through November 2.