FAR Companion Change
| Date Detected | 2026-03-11 09:24 UTC |
| Type | COMPANION_MODIFIED |
| Entity | PART_40 |
Summary
PART_40 updated: 75 lines added, 1 line removed
Diff
--- previous +++ current 
@@ -1 +1,77 @@ -Part 40 - Information Security and Supply Chain Security ....................................................... 102+Part 40 - Information Security and Supply Chain Security +FC 40.1 Integrate security throughout the acquisition lifecycle. +For acquisitions involving sensitive information (e.g., controlled unclassified information, +classified information) or at higher risk of violating a security exclusion or prohibition (e.g., +telecommunications, video surveillance, unmanned aircraft systems, foreign acquisitions), +expanding the acquisition team proves valuable. +A cross-functional acquisition team composition, with roles such as those detailed in the table +below, ensures comprehensive security expertise throughout the acquisition lifecycle for +protecting sensitive information and implementing security prohibitions and exclusions. +Role/Position Subject Matter Expertise Key Contributions +Chief Information Cybersecurity Bring cybersecurity expertise to +Security Officers requirement development and +(CISOs) or proposal evaluation +Representatives +Supply Chain Specialists Logistics and Industrial Offer insights on manufacturing +Security risks and component authenticity +verification methods +Legal Counsel Regulations, Export Controls, Help navigate complex regulatory +Foreign Ownership landscapes with expertise in +export controls and foreign +ownership restrictions +End Users Operations Contribute practical perspectives +on security usability +IT Technical Evaluators Hardware Engineering Assess hardware tampering +vulnerabilities +102 +Federal Acquisition Regulation (FAR) Companion +Role/Position Subject Matter Expertise Key Contributions +Program Managers Program Portfolio Help ensure interoperability with +existing security architecture +This diverse team composition ensures comprehensive security expertise throughout the +acquisition lifecycle for protecting sensitive information and implementing security prohibitions +and exclusions. 
+For higher risk procurements, acquisition teams can enhance security outcomes for these +critical acquisitions by incorporating appropriate controls at key decision points across the +acquisition lifecycle. +For instance, during market research, teams can gather intelligence on vendor security +practices, component origins, and manufacturing processes to inform requirements +development. +When drafting requirements involving information and communications technology, teams +should consider building in additional security that requires offerors to demonstrate they do not +pose significant supply chain risks that could adversely affect contract performance. Such +language in the requirements enables teams to evaluate supply chain risk information provided +by the offeror to the government, along with any other government data sources, to assess the +overall supply chain risk as part of the minimum requirements for the procurement. Supply chain +risk information can include: +● Foreign control of, or influence over, a source, product or service (e.g., foreign +ownership, personal and professional ties between a source and any foreign entity, legal +regime of any adversary in which a source is headquartered or conducts operations) +● Functionality and features of awarded products and services, including access to data +and information system privileges; +● The ability of a source to produce and deliver products and services as expected; +● Any other considerations that would factor into an analysis of the security, integrity, +resilience, quality, trustworthiness, or authenticity of products, services or sources; and +● The offerors’ capacity to mitigate identified risks. +In the solicitation phase for high risk or high dollar value procurements, including evaluation +criteria that reward vendors offering enhanced visibility into their supply chains and security +architectures encourages industry to prioritize these elements. 
+During responsibility determinations, supply chain risks can be considered as part of the general +standards in FAR 9.104-1 when determining whether offerors have the necessary organization, +experience, accounting and operational controls, and technical skills, or the ability to obtain +them. +Postaward administration presents opportunities to implement ongoing verification activities, +such as random sampling of delivered items, regular code reviews, or security testing to verify +103 +Federal Acquisition Regulation (FAR) Companion +compliance with contract requirements, including applicable FAR clauses (e.g., country of origin +for Trade Agreements Act compliance, 15 controls within FAR 52.204-21). When contracts +include requirements to mitigate supply chain risks, it is essential to continuously monitor +contractor performance to identify and respond to any new and evolving threats during the +contract period. If new supply chain risks are identified during contract performance, assess the +severity and potential impact on the government. Based on the assessment, appropriate actions +may include but are not limited to requiring corrective action, deciding not to extend the period +of performance, withholding the exercise of option periods, or pursuing contract termination to +protect government interest and maintain supply chain integrity. +Contract closeout offers valuable data collection points, documenting security performance to +inform future acquisitions.
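Review bot: the closing sentence of the team-composition passage ("This diverse team composition ensures comprehensive security expertise throughout the acquisition lifecycle for protecting sensitive information and implementing security prohibitions and exclusions.") restates the sentence that introduces the table almost word for word ("A cross-functional acquisition team composition ... ensures comprehensive security expertise throughout the acquisition lifecycle ..."); drop one of the two. The added text also carries the source PDF's page furniture inside the hunk: the lines "102", "103", "Federal Acquisition Regulation (FAR) Companion" and the repeated table header "Role/Position Subject Matter Expertise Key Contributions" are page breaks, not content, and the table itself is flattened so that the three columns interleave across lines (e.g. "Chief Information Cybersecurity Bring cybersecurity expertise to"); if this companion text is republished, rebuild the table with one row per role. Minor punctuation: the first supply chain risk bullet ("... conducts operations)") has no terminating semicolon while the following bullets do, and "protect government interest" should read "protect government interests".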