A community resource for the acquisition workforce not a .gov website
part52.dev Federal Acquisition Clause Monitor
DFARS Clause ACTIVE

252.239-7017

Notice of Supply Chain Risk.
Search on acquisition.gov · View on eCFR.gov
Effective Date
DEC 2022
Active Deviations
3
Versions
3 (since 2016-12-22)
DEV
This clause is modified by 3 active class deviations
  • 2026-O0028 — DFARS RFO Implementation (Part 12)
  • 2026-O0025 — DFARS RFO Implementation (Part 40)
    Add clause 252.239-7017
  • 2026-O0024 — DFARS RFO Implementation (Part 39)
    Modified by RFO class deviation
View per-deviation details → 
252.239-7017 Notice of Supply Chain Risk.

As prescribed in 239.7306(a), use the following provision:

Notice of Supply Chain Risk (DEC 2022)

(a)
Definition. Supply chain risk,
as used in this provision, means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 10 U.S.C. 3252).

(b) In order to manage supply chain risk, the Government may use the authorities provided by 10 U.S.C. 3252. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to an offeror and its supply chain.

(c) If the Government exercises the authority provided in 10 U.S.C. 3252 to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

(End of provision)

[78 FR 69272, Nov. 18, 2013, as amended at 84 FR 4370, Feb. 15, 2019; 87 FR 76998, Dec. 16, 2022]
RFO
Prescription superseded under the RFO

The prescription shown below is from the codified eCFR. The Revolutionary FAR Overhaul relocates this clause's prescription as follows:

  • 239.7306240.271-7 (prescriptive text also revised)
  • 212.301212.205-70 (prescriptive text also revised)

See the deviation memorandum for the current prescription authority.

View deviation: 2026-O0028 → · View deviation: 2026-O0025 → · View deviation: 2026-O0024 →

R-DFARS Prescription Source

This clause is prescribed in the R-DFARS by the following deviation:

  • 2026-O0025 — DFARS RFO Implementation (Part 40) (DFARS Part 240)
    Add clause 252.239-7017
239.7306(a)
(a) Insert the provision at 252.239-7017, Notice of Supply Chain Risk, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301 .
Prescription data sourced from eCFR as of 2026-06-10 03:16 UTC. Cross-references within the prescription are not resolved automatically.

Regulatory Stack

The layers of regulation that govern this clause, from the FAR prescription through agency-specific supplements and any active deviations.

R-DFARS R-DFARS Prescription Per Deviation 2026-O0025 (DFARS Part 240)
2026-O0025: DFARS RFO Implementation (Part 40) — DFARS Part 240

View Deviation 2026-O0025 →

DFARS DFARS Supplement (eCFR) ⚠ May be superseded by RFO 239.7306(a)
(a) Insert the provision at 252.239-7017, Notice of Supply Chain Risk, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301 .

Search on acquisition.gov · View on eCFR.gov

Version History

Version history is sourced from the codified eCFR. Changes published only as class deviations or by the Revolutionary FAR Overhaul do not appear here until they are incorporated into the eCFR. For RFO-driven changes see the RFO Version tab and any active deviations cited above.

3 versions tracked from 2016-12-22 to 2022-12-30.
DEC 2022 December 30, 2022 CURRENT SUBSTANTIVE
Removed in this version
Added in this version
Unchanged
December 16, 2022 (previous)
December 30, 2022 (current)
1 added, 1 removed
(a)
(a) Definition. Supply chain risk, as used in this provision, means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 10 U.S.C. 2339a).
(a)
(a) Definition. Supply chain risk, as used in this provision, means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 10 U.S.C. 3252).
1 added, 1 removed
(b)
(b) In order to manage supply chain risk, the Government may use the authorities provided by 10 U.S.C. 2339a. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to an offeror and its supply chain.
(b)
(b) In order to manage supply chain risk, the Government may use the authorities provided by 10 U.S.C. 3252. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to an offeror and its supply chain.
1 added, 1 removed
(c)
(c) If the Government exercises the authority provided in 10 U.S.C. 2339a to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court. (End of provision)
(c)
(c) If the Government exercises the authority provided in 10 U.S.C. 3252 to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court. (End of provision)
DEC 2022 December 16, 2022 SUBSTANTIVE
Removed in this version
Added in this version
Unchanged
DEC 2016 (previous)
DEC 2022 (current)
6 added, 12 removed
(a)
(a) Definition. Supply chain risk, as used in this provision, means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.
(a)
(a) Definition. Supply chain risk, as used in this provision, means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 10 U.S.C. 2339a).
3 added, 6 removed
(b)
(b) In order to manage supply chain risk, the Government may use the authorities provided by section 806 of Public Law 111-383. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to an offeror and its supply chain.
(b)
(b) In order to manage supply chain risk, the Government may use the authorities provided by 10 U.S.C. 2339a. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to an offeror and its supply chain.
3 added, 6 removed
(c)
(c) If the Government exercises the authority provided in section 806 of Pub. L. 111-383 to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court. (End of provision)
(c)
(c) If the Government exercises the authority provided in 10 U.S.C. 2339a to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court. (End of provision)
DEC 2016 December 22, 2016 SUBSTANTIVE
Earliest version available from the eCFR

Active Class Deviations

2026-O0028
DFARS RFO Implementation (Part 12) Modify clause 252.239-7017
MODIFIED
2026-O0025
DFARS RFO Implementation (Part 40) Add clause 252.239-7017
MODIFIED
2026-O0024
DFARS RFO Implementation (Part 39) Modified by RFO class deviation
MODIFIED
Use with AI assistant
Copy a link and prompt for use with Gemini or another AI assistant.