Privacy & Cybersecurity Law Blog

On November 2, 2020, the comment period for the Federal Acquisition Security Council’s (“FASC”) interim final rule (the “Interim Final Rule”) implementing the Federal Acquisition Supply Chain Security Act of 2018 (the “2018 Act”) will close.

The FASC was established by the 2018 Act. As an executive branch interagency council, FASC is tasked with recommending to other federal agencies orders to exclude or remove from government information systems and future procurements certain “sources” (i.e., non-federal suppliers or potential suppliers of products or services) and “covered articles” (i.e., information technology, including cloud computing services; telecommunications equipment or services; certain processing of information on a Federal or non-federal information system; or hardware, systems, devices, software or services that include embedded or incidental information technology). The FASC’s recommended exclusion and removal orders are intended to reduce supply chain risk – that is, the risk of surveillance, denial, disruption or manipulation of covered technology or information stored or transmitted by covered technology. FASC orders will be reviewed by designated federal officials, who may then issue exclusion and removal orders applicable to federal agencies within their remit, pursuant to procedures provided in the 2018 Act.

The Interim Final Rule, which was issued by the FASC on September 1, 2020, provides for: (1) establishing the membership of the FASC and the role of the FASC’s Information Sharing Agency; (2) prescribing mandatory and voluntary information sharing criteria for federal agencies (along with associated information protection requirements); and (3) identifying the criteria and procedures by which the FASC will evaluate relevant supply chain risks and recommend removal and exclusion orders (along with a process for waiver requests).

Formal comments on the Interim Final Rule may be submitted until November 2, 2020.