DEV
This clause is modified by 3 active class deviations
- 2026-O0028 — DFARS RFO Implementation (Part 12)
- 2026-O0025 — DFARS RFO Implementation (Part 40)
- 2026-O0024 — DFARS RFO Implementation (Part 39)
252.239-7018 Supply Chain Risk. As prescribed in 239.7306(b), use the following clause: Supply Chain Risk (DEC 2022) (a) Definitions. As used in this clause— Information technology (see 40 U.S.C 11101(6)) means, in lieu of the definition at FAR 2.1, any equipment, or interconnected system(s) or subsystem(s) of equipment, that is used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. (1) For purposes of this definition, equipment is used by an agency if the equipment is used by the agency directly or is used by a contractor under a contract with the agency that requires— (i) Its use; or (ii) To a significant extent, its use in the performance of a service or the furnishing of a product. (2) The term "information technology" includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources. (3) The term "information technology" does not include any equipment acquired by a contractor incidental to a contract. Supply chain risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 10 U.S.C. 3252). (b) The Contractor shall mitigate supply chain risk in the provision of supplies and services to the Government. (c) In order to manage supply chain risk, the Government may use the authorities provided by 10 U.S.C. 3252. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to a Contractor's supply chain. (d) If the Government exercises the authority provided in 10 U.S.C. 3252 to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court. (End of clause) [78 FR 69272, Nov. 18, 2013, as amended at 80 FR 67252, Oct. 30, 2015; 84 FR 4370, Feb. 15, 2019; 87 FR 76998, Dec. 16, 2022]
RFO
Prescription superseded under the RFO
The prescription shown below is from the codified eCFR. The Revolutionary FAR Overhaul relocates this clause's prescription as follows:
-
225.772-5→212.205-70(prescriptive text also revised) -
239.7306→240.271-7(prescriptive text also revised) -
212.301→240.272-4(prescriptive text also revised)
See the deviation memorandum for the current prescription authority.
View deviation: 2026-O0028 → · View deviation: 2026-O0025 → · View deviation: 2026-O0024 →R-DFARS Prescription Source
This clause is prescribed in the R-DFARS by the following deviation:
-
2026-O0025
— DFARS RFO Implementation (Part 40)
(DFARS Part 240)
Add clause 252.239-7018
239.7306(b)
(b) Insert the clause at 252.239-7018, Supply Chain Risk, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301 .
Prescription data sourced from eCFR as of 2026-06-10 03:16 UTC.
Cross-references within the prescription are not resolved automatically.
Regulatory Stack
The layers of regulation that govern this clause, from the FAR prescription through agency-specific supplements and any active deviations.
R-DFARS
R-DFARS Prescription
Per Deviation 2026-O0025 (DFARS Part 240)
2026-O0025: DFARS RFO Implementation (Part 40) — DFARS Part 240
DFARS
DFARS Supplement (eCFR)
⚠ May be superseded by RFO
239.7306(b)
(b) Insert the clause at 252.239-7018, Supply Chain Risk, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301 .
Version History
Version history is sourced from the codified eCFR. Changes published only as class deviations or by the Revolutionary FAR Overhaul do not appear here until they are incorporated into the eCFR. For RFO-driven changes see the RFO Version tab and any active deviations cited above.
3 versions tracked from 2016-12-22 to 2022-12-30.
DEC 2022
December 30, 2022
CURRENT
Removed in this version
Added in this version
Unchanged
December 16, 2022 (previous)
December 30, 2022 (current)
1 added, 1 removed
(3)
(3) The term "information technology" does not include any equipment acquired by a contractor incidental to a contract. Supply chain risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 10 U.S.C. 2339a).
(3)
(3) The term "information technology" does not include any equipment acquired by a contractor incidental to a contract. Supply chain risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 10 U.S.C. 3252).
1 added, 1 removed
(c)
(c) In order to manage supply chain risk, the Government may use the authorities provided by 10 U.S.C. 2339a. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to a Contractor's supply chain.
(c)
(c) In order to manage supply chain risk, the Government may use the authorities provided by 10 U.S.C. 3252. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to a Contractor's supply chain.
1 added, 1 removed
(d)
(d) If the Government exercises the authority provided in 10 U.S.C. 2339a to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court. (End of clause)
(d)
(d) If the Government exercises the authority provided in 10 U.S.C. 3252 to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court. (End of clause)
DEC 2022
December 16, 2022
SUBSTANTIVE
Removed in this version
Added in this version
Unchanged
DEC 2016 (previous)
DEC 2022 (current)
6 added, 12 removed
(3)
(3) The term "information technology" does not include any equipment acquired by a contractor incidental to a contract. Supply chain risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.
(3)
(3) The term "information technology" does not include any equipment acquired by a contractor incidental to a contract. Supply chain risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 10 U.S.C. 2339a).
3 added, 6 removed
(c)
(c) In order to manage supply chain risk, the Government may use the authorities provided by section 806 of Public Law 111-383. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to a Contractor's supply chain.
(c)
(c) In order to manage supply chain risk, the Government may use the authorities provided by 10 U.S.C. 2339a. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to a Contractor's supply chain.
3 added, 6 removed
(d)
(d) If the Government exercises the authority provided in section 806 of Public Law 111-383 to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court. (End of clause)
(d)
(d) If the Government exercises the authority provided in 10 U.S.C. 2339a to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court. (End of clause)
DEC 2016
December 22, 2016
SUBSTANTIVE
Earliest version available from the eCFR
Active Class Deviations
Use with AI assistant
Copy a link and prompt for use with Gemini or another AI assistant.