part52.dev Federal Acquisition Clause Monitor


Part 40 - Information Security and Supply Chain Security

FC 40.1 Integrate security throughout the acquisition lifecycle.

For acquisitions involving sensitive information (e.g., controlled unclassified information, classified information) or at higher risk of violating a security exclusion or prohibition (e.g., telecommunications, video surveillance, unmanned aircraft systems, foreign acquisitions), expanding the acquisition team proves valuable. A cross-functional acquisition team composition, with roles such as those detailed in the table below, ensures comprehensive security expertise throughout the acquisition lifecycle for protecting sensitive information and implementing security prohibitions and exclusions.

| Role/Position | Subject Matter Expertise | Key Contributions |
|---|---|---|
| Chief Information Security Officers (CISOs) or Representatives | Cybersecurity | Bring cybersecurity expertise to requirement development and proposal evaluation |
| Supply Chain Specialists | Logistics and Industrial Security | Offer insights on manufacturing security risks and component authenticity verification methods |
| Legal Counsel | Regulations, Export Controls, Foreign Ownership | Help navigate complex regulatory landscapes with expertise in export controls and foreign ownership restrictions |
| End Users | Operations | Contribute practical perspectives on security usability |
| IT Technical Evaluators | Hardware Engineering | Assess hardware tampering vulnerabilities |
| Program Managers | Program Portfolio | Help ensure interoperability with existing security architecture |

Federal Acquisition Regulation (FAR) Companion

This diverse team composition ensures comprehensive security expertise throughout the acquisition lifecycle for protecting sensitive information and implementing security prohibitions and exclusions.
For higher risk procurements, acquisition teams can enhance security outcomes for these critical acquisitions by incorporating appropriate controls at key decision points across the acquisition lifecycle. For instance, during market research, teams can gather intelligence on vendor security practices, component origins, and manufacturing processes to inform requirements development. When drafting requirements involving information and communications technology, teams should consider building in additional security that requires offerors to demonstrate they do not pose significant supply chain risks that could adversely affect contract performance. Such language in the requirements enables teams to evaluate supply chain risk information provided by the offeror to the government, along with any other government data sources, to assess the overall supply chain risk as part of the minimum requirements for the procurement. Supply chain risk information can include:

● Foreign control of, or influence over, a source, product or service (e.g., foreign ownership, personal and professional ties between a source and any foreign entity, legal regime of any adversary in which a source is headquartered or conducts operations);
● Functionality and features of awarded products and services, including access to data and information system privileges;
● The ability of a source to produce and deliver products and services as expected;
● Any other considerations that would factor into an analysis of the security, integrity, resilience, quality, trustworthiness, or authenticity of products, services or sources; and
● The offerors' capacity to mitigate identified risks.

In the solicitation phase for high risk or high dollar value procurements, including evaluation criteria that reward vendors offering enhanced visibility into their supply chains and security architectures encourages industry to prioritize these elements.
During responsibility determinations, supply chain risks can be considered as part of the general standards in FAR 9.104-1 when determining whether offerors have the necessary organization, experience, accounting and operational controls, and technical skills, or the ability to obtain them. Postaward administration presents opportunities to implement ongoing verification activities, such as random sampling of delivered items, regular code reviews, or security testing to verify compliance with contract requirements, including applicable FAR clauses (e.g., country of origin for Trade Agreements Act compliance, 15 controls within FAR 52.204-21). When contracts include requirements to mitigate supply chain risks, it is essential to continuously monitor contractor performance to identify and respond to any new and evolving threats during the contract period. If new supply chain risks are identified during contract performance, assess the severity and potential impact on the government. Based on the assessment, appropriate actions may include but are not limited to requiring corrective action, deciding not to extend the period of performance, withholding the exercise of option periods, or pursuing contract termination to protect government interest and maintain supply chain integrity.

Contract closeout offers valuable data collection points, documenting security performance to inform future acquisitions.