Contract, contract modifications, blanket purchase agreements, and task and/or delivery orders may be executed manually or electronically using a digital signature. In the absence of the original contracting officer, another contracting officer with appropriate warrant authority may sign. Always type or stamp the name and title of the contracting officer signing the contract on the document, unless it is electronically signed. An electronic contract which includes the name of the contracting officer satisfies the typed, stamped or printed requirement found in FAR 4.101. GSA Order CIO 2162.2, GSA Digital Signature Policy, is the guidance for the use of digital signatures as the preferred means of providing signatures for GSA documents, forms, correspondence, and emails.

(a)  The contracting officer must send documentation to the paying office on all contracts for which GSA generates a delivery or task order.

(1)  For Federal Acquisition Service contracts entered into the FSS-19 system, the contracting officer must send a system generated contract listing.

(2)  For all other contracts, the contracting officer must send a “Duplicate Original” of the entire contract or modification.

(b)  The contracting officer must certify that the “Duplicate Original” is a true copy of the contract, modification, task and/or delivery order, if not electronically signed, by writing your signature, in ink, on the award or modification form (i.e., SF 26, 33, 1442, etc.). The contracting officer must certify all contracts except:

(1)  Leases of real property.

(2)  Schedule contracts.

(3)  Standard or GSA multipage purchase/delivery/task order carbon forms.

FAR 4.203(a) does not apply to leases of real property (see 504.904) or FAR 38 Federal Supply Schedule Contracting.

(a)  Contracting officers must recover classified information, unless it has been destroyed as provided in Section 7 of Chapter 5 of the National Industrial Security Program Operating Manual (NISPOM). Information on NISPOM can be found at https://fas.org/sgp/index.html.

(b)  Contracting officers must ensure that classified information provided by the government is returned immediately after any of the following events:

(1)  Bid opening or closing date for receipt of proposals by non-responding offerors.

(2)  Contract award by unsuccessful offerors.

(3)  Termination or completion of the contract.

(4)  Notification that authorization to release classified information has been withdrawn.

(5)  Notification that a facility:

(i)  Does not have adequate means to safeguard classified information; or

(ii)  Has had its security clearance revoked or inactivated.

(6)  Whenever otherwise instructed by the authority responsible for the security classification.

(c)  The Government agency that provided classified information to a GSA contractor is responsible for the return of the information.

(a) This subpart prescribes a contract file format standard for all contracts that exceed the micro-purchase threshold. This subpart may be applied to purchases at or below the micro-purchase threshold.

(b) The purpose of this standard is to ensure that the documentation in the file complies with FAR 4.801(b)(1) and FAR 4.802(c) requirements.

(a) Contract files shall be maintained electronically, unless otherwise determined, in writing, by the HCA to be prohibitively burdensome.

(b) The contracting officer must place all information and documentation required by FAR 4.802 and 4.803 in the contract file and organize the file in the format as set out in each individual contracting activity's contract file standard.

(c)  Contracting officer responsibilities.

(1)  The contracting officer is responsible for the official contract file. Individuals creating documents relating to the contract must provide those documents to the contracting officer for inclusion in the file. Other members of the acquisition team may be responsible for the maintenance and archival of any delegated responsibilities (e.g., contract administration and delegated contract administration function) according to prescribed contracting activity policies and procedures.

(2)  The contracting officer shall-

(i) Place all information and documentation required by the FAR (see FAR subpart 4.8), the GSAM, and any other policy and procedure in the contract file.

(ii)  Include an index or checklist identifying the location of any documentation contained in the contract file when such identification is not already prescribed by policy. The index or checklist can be electronic.

(iii)  Identify in a clear and logical manner, within the contract file, any documentation maintained in another location.

(iv)  Comply with applicable file and document naming convention/nomenclature requirements.

(3)  When responsibility for a contract transfer from one contracting officer to another contracting officer (e.g., employee departure, transfer of assignments, or redelegation of contract administration authority (intraoffice or interoffice))-

(i)  The successor contracting officer shall review the files being transferred. The purpose of the review is to identify any issues with the contract file (e.g., missing or incomplete documentation or information).

(ii)  The successor contracting officer shall attempt to resolve any issues identified during their review of the transferred files. The successor contracting officer should write a memo-to-file that documents any issues with the contract file that were not able to be resolved as part of the transfer.

(d)  Head of contracting activity responsibilities. Head of contracting activities consistent with their delegated authorities are responsible for-

(1)  Developing policies and procedures that discuss, at a minimum, the following:

(i) The different types of files identified in FAR 4.801(c) along with any other files that are to be established (e.g., unsolicited proposals);

(ii)  The location where file documentation is to be stored (e.g., an electronic contract filing system, another official system of record, or some type of combination thereof). If file documentation must be stored in different locations, the policy and procedure shall discuss the rationale for the need (e.g., separation of classified and unclassified documentation) and medium (e.g., paper) to be used;

(iii) The approach used to identify the documents to be retained within a contract file (see FAR 4.803) and any other files established per paragraph (d)(1)(ii) of this section (e.g., use of a checklist or index that includes the citation of the authority for retaining a document);

(iv) The organization(s) or individual(s) responsible for maintaining file documentation when such responsibility does not reside with the contracting officer (see 504.802(b));

(v)  The filing and document convention/nomenclature to be used;

(vi) The content, access, and other applicable requirements for contracting officer representative (COR) contract files (see FAR 1.604) and any other files (see paragraph (a) of this section); and

(vii)  The internal controls (e.g. quarterly review by the contracting activity) to be used for ensuring compliance with FAR, GSAM, and other requirements.

(2)  Designating a point of contact within its organization for purposes of supporting file audits and reviews by internal and external organizations (e.g., the Procurement Management Review (PMR) office). Support may include, but not be limited to:

(i)  Providing copies of applicable policies and procedures;

(ii)  Assisting in resolving issues (e.g., locating a contract file) and questions;

(iii)  Providing access to files and systems; and

(iv)  Notifying the contracting officer of the status of the review or audit.

In addition to the examples of contract file documents described in FAR 4.802 and listed in FAR 4.803, the contract file shall include, if applicable, the following:

(a)  GSA Form 2689 (see 519.502-70 for applicability), and

(b)  Checklist documenting review of the small business subcontracting plan (see 519.705-4 for applicability).

(c)  Documents required by individual contracting activity in accordance with such activity's internal policies and procedures.

The contracting officer’s accountability for contract files ends when the following three conditions exist:

(a)  The files’ retention period expires.

(b)  The contracting officer receives the notice of disposal from the National Archives and Records Administration.

(c)  The records liaison officer whose organization has functional responsibility for the files approves disposal.

(a) Debt collection. The Debt Collection Improvement Act of 1996 requires each contractor doing business with GSA to furnish its Tax Identification Number (TIN). The Government is required to include with each certified voucher prepared and submitted to a disbursing official, the TIN of the contractor receiving payment under the voucher. The TIN may be used by the Office of Financial Policy and Operations to collect and report on any delinquent amounts arising out of the contractor's relationship with the Government.

(b) Information reporting to the IRS. The TIN is also required for Office of Financial Policy and Operations reporting of certain contract information (see FAR 4.903) and payment information (see GSAM 504.904) to the IRS.

(a)  The Office of Financial Policy and Operations reports to IRS on payments made to certain contractors for services performed and to lessors for providing space in buildings. This is required by 26 U.S.C. 6041 and 6041A and implemented in 26 CFR. To assist the Office of Financial Policy and Operations in reporting to the IRS, contracting officers must indicate on obligating documents sent to Finance (e.g., purchase, delivery, or task orders; contracts; or certified invoices) the contractor's organizational structure (e.g., corporation, or partnership) and taxpayer identification number (TIN).

(a) General.

The CIO P 2181.1 - GSA HSPD-12 Personal Identity Verification (PIV) and Credentialing Handbook includes guidance for–

(1)Managing contract employee credentials;

(2) Ensuring contract employee credentials are returned to the GSA Office of Mission Assurance (OMA) when a contractor employee receives an unfavorable suitability determination, leaves the contract or when a contract ends; and

(3) Disabling access to information technology when a contractor employee leaves the contract or when a contract ends.

(b)Delegating Responsibilities.

(1) Contracting officers must manage PIV cards, also referred to as “GSA Access Cards”, provided to contractor employees. Contracting officers may delegate this authority to a contracting officer’s representative.

(2) If delegated, the contracting officer must ensure any contracting officer's representative delegation letter includes language for credentials and access management responsibilities.

(3) The Government contracting official who requests PIV cards on behalf of a contractor employee is also referred to as a “requesting official” pursuant to CIO P 2181.1.

(4) Standard delegation language can be found on GSA's Acquisition Portal at https://insite.gsa.gov/acquisitionportal.

(c) Required Verifications. There are multiple types of verifications to ensure only contractor employees who require PIV cards have them.

(1) Automated verification.

(i) Contractors and authorized Government contracting officials are automatically notified prior to the end date of the contract period of performance listed in the Office of Mission Assurance (OMA) system GSA Credentialing and Identity Management System (GCIMS). PIV cards will be automatically inactivated 30 days after the period of performance.

(ii) If the contractor requires a PIV card beyond 30 days after the contract period of performance, the authorized Government contracting official must submit a contractor information worksheet (CIW) (GSA Form 850) to update GCIMS, including appropriate justification.

(iii) When a contractor is made inactive in GCIMS, GCIMS will send an email to contractors and authorized Government contracting officials notifying everyone that the contractor PIV card needs to be returned. If the contractor does not comply with the terms of the automated notification, the authorized Government contracting official shall take the actions listed in paragraph (d).

(iv) The contracting officer shall include documentation in the contract file, as necessary.

(2) Manual verification.

(i) Authorized Government contracting officials are required to conduct a PIV card review annually or prior to exercising an option (see 517.207 Exercise of options.(c)), whichever comes first, to verify the contract information in GCIMS is correct (e.g. contract number, contract period of performance, contractor point of contact).

(ii) Authorized Government contracting officials shall send a letter to contractors to determine the need for continued access of individual employees and for return of PIV cards, requesting a response within no more than 15 business days.

(iii) Authorized Government contracting officials are required to submit a contractor information worksheet (CIW) (GSA Form 850) to update GCIMS, as necessary.

(iv) The contracting officer shall include documentation in the contract file, as necessary.

(d) The authorized Government contracting official shall take the following actions when contractors do not return PIV cards.

(1) Withhold Final Payment - COs may delay final payment under a contract if the contractor fails to comply with the PIV card requirements in accordance with paragraph (c) of FAR 52.204-9.

(2) Contractor Performance Assessment Rating System (CPARS) - If the authorized Government contracting official has been unsuccessful in retrieving PIV cards and other Government Furnished Equipment (GFE) from the vendor in accordance with FAR 52.245-1 Alternate 1, then the CO shall document this in CPARS. Assessment may be noted under the “management or business relations” or “other” section of the CPARS report.

(3) Suspension/Debarment Referral Considerations - For willful non-compliance, the CO shall refer the contractor to the Suspension and Debarment Official (SDO). The SDO will review the complaint and decide whether or not action should be taken against the contractor.

(4) Termination Considerations - If the contractor shows a pattern of willful non-compliance regarding PIV card requirements during the performance of the contract (e.g., annual review of PIV cards), the CO may terminate the contract.

(e) The CIO P 2181.1 - GSA HSPD-12 Personal Identity Verification and Credentialing Handbook, as well as additional resources for implementing the credentials and access management requirements, can be found on the Acquisition Portal at: https://insite.gsa.gov/hspd12inprocurement.

(a) Elements of a PIID. The PIID consists of 13 alphanumeric characters as follows:

(b) Procurement Instrument Type Codes. Indicate the type of instrument consistent with the letter designation provided in FAR 4.1603(a)(3). The letter designations for the identified type of instruments unique to agency policy are identified as follows:

(c) Serial Number Codes.

(1)  A separate series of numbers may be used for each basic instrument type (see 504.1603(b)).

(2)  For delivery or task orders, each order issued by contracting office must receive a consecutive serial number. That is, orders are numbered in sequence as issued by the contracting office, but they are not in sequence under any individual contract.

(3)  At the beginning of each fiscal year, the first number assigned is 0001.

(4)  Alphanumeric characters are serially assigned after the numeric series is exhausted.

(5)  The allowable numeric and alphanumeric sequences, excluding alpha I and O are–

(i)  0001 through 9999;

(ii)  A001 through A999, B001 through B999;

(iii)  and so on to Z001 through Z999.

(6)  Each issuing office is responsible for controlling serial number assignments.

(a) General. Procurements supporting a leasehold interest include: architectural and engineering (A&E) design and other related activities, project management, construction, space alterations (irrespective of size or scope), security-related tenant buildout, building-specific security countermeasures, personal (moveable) property, and overtime utilities.

(b) Procurement Actions. Any procurement supporting a leasehold interest (including those at or below the micro-purchase threshold), including stand-alone contracts or lease amendments, must reference the associated lease number (8-character number such as LMA00001) in the system of record (e.g., EASi, G-REX, RETA, REXUS, Pegasys) in which that action is being processed or recorded, and on the procurement document. Data must be recorded in a standardized data field, as appropriate. For systems that do not have the capability to capture the associated lease number, the lease number may be placed on the procurement document itself alone.

(c) Reimbursable Work Authorizations (RWAs).

(1) RWAs prior to lease award. For any RWA submissions (including at or below the micro-purchase threshold) where the lease is not yet awarded, the associated lease number (8-character number such as LMA00001) shall be input into the system of record for the RWA and on the procurement document, within 3 business days of the lease award date or the creation of a lease number, whichever is later. Data must be recorded in a standardized data field, as appropriate. For systems that do not have the capability to capture the associated lease number, the lease number may be placed on the procurement document itself alone.

(2) RWAs after lease award. For any RWA submissions (including at or below the micro-purchase threshold) where the lease is already awarded, the associated lease number (8-character number such as LMA00001) shall be input into the system of record for the RWA and on the procurement document. Data must be recorded in a standardized data field, as appropriate. For systems that do not have the capability to capture the associated lease number, the lease number may be placed on the procurement document itself alone.

This subpart prescribes acquisition policies and procedures for mitigating cyber-supply chain risks of procurements funded by GSA. Procedures in this subpart apply to all GSA-funded contracts and orders, regardless of the estimated value of the solicitation, contract or order, including purchases under the micro-purchase threshold and purchases using a Government Purchase Card.

“Cyber-Supply Chain Event” means any situation or occurrence in or to a network, information system, or within the supply chain, not purchased on behalf of another agency, that has the potential to cause undesirable consequences or impacts. Cyber-Supply Chain Events, as they relate to this subpart, can include:

(a) Occurrence of an IT security incident;

(b) Discovery of a prohibited article or source; and

(c) Identification of supply chain risk information.

“Cyber-Supply Chain Risk Management”, or “C-SCRM”, means management of cyber-related (or, more generally, technology-related) risks in all phases of the acquisition lifecycle and at all levels of the supply chain, regardless of the product(s) or service(s) procured.

“Cyber-Supply Chain Risk Management Policy Advisor” means the identified lead of the Service-level acquisition management (e.g., the Federal Acquisition Service’s Office of Policy and Compliance (OPC), the Public Building Service’s Office of Acquisition Management (OAM), the Office of Administrative Services).

“IT security incident” means an occurrence that:

(a) Actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system;

(b) Constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies;

(c) Results in lost, stolen, or inappropriately accessed Controlled Unclassified Information (CUI) (including Personally Identifiable Information (PII)), lost or stolen GSA-owned devices (mobile phones, laptops, Personal Identity Verification (PIV) cards), and any other incident included in CIO-IT-Security-01-02); or

(d) Results in a situation that severely impairs, manipulates, or shuts down the operation of a system or group of systems (e.g., Building Automation Systems, Heating, Ventilation, Air Conditioning (HVAC) systems, Physical Access Control Systems (PACS), Advanced Metering Systems, Lighting Control Systems).

“Prohibited article” means any prohibited product, system, or service that the contractor offers or provides to the Government that conflicts with the supply chain terms or conditions of the solicitation or contract (e.g., Federal Acquisition Security Council (FASC) exclusion order, GSA CIO Order, counterfeit items, or FAR provision or clause, including, without limitation, FAR Clause at 52.204-23, Prohibition on Contracting for Hardware, Software, Products and Services Developed or Provided by Kaspersky Lab and Other Covered Entities, FAR Provision at 52.204-24, Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment, and FAR Clause at 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment).

“Prohibited source” means any entity with which the Government may not enter into or renew a contract or from which the Government may not purchase products or services due to conflicts with the supply chain terms or conditions of the solicitation or contract (e.g., FASC exclusion order, GSA CIO Order, FAR provision or clause, contract-specific provision or clause).

“Supply chain risk information” is defined at 41 C.F.R. 201-1.101. Failure of an offeror to meet a solicitation’s requirements, including security requirements, will not by itself constitute supply chain risk information.

“Substantial supply chain risk information” means supply chain risk information that leads to any of the following:

(a) Removal of a presumptive awardee from pre-award consideration or competition;

(b) Rejection of a proposed subcontractor;

(c) Removal of a subcontractor from a contract; or

(d) Termination of a contract.

(a)The Federal Information Security Modernization Act of 2014 (Public Law 113-283) and associated National Institute of Standards and Technology (NIST) guidance requires Federal agencies to manage supply chain risks for Federal information systems and to ensure the effectiveness of information security controls and risks.

(b)The SECURE Technology Act (Public Law 115-390), which includes the Federal Acquisition Supply Chain Security Act of 2018, established the Federal Acquisition Security Council (FASC) to improve executive branch coordination, supply chain information sharing, and actions to address supply chain risks and requires GSA to have a lead representative for the agency.

(c) OMB Circular A-130, “Managing Information as a Strategic Resource,” directs agencies to implement supply chain risk management principles to protect against the insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software, and poor manufacturing and development practices throughout the system development life cycle.

(d) GSA Information Technology (IT) Security Procedural Guide CIO-IT Security-01-02, “Incident Response (IR)” (including successor policies), provides additional processes and procedures for incident response, as outlined by GSA’s Office of the Chief Information Security Officer (OCISO).

(e) GSA Information Technology (IT) Security Procedural Guide CIO-IT Security-21-117, “Office of the Chief Information Security Officer (OCISO) Cyber Supply Chain Risk Management (C-SCRM) Program” (including successor policies), establishes a C-SCRM program within GSA’s OCISO and serves as the Tier 2 plan for GSA.

(f) GSA CIO Order 2100.1, “GSA Information Technology (IT) Security Policy” (including successor policies), sets forth GSA’s IT security policy and establishes controls required to comply with Federal laws and regulations.

(a) GSA contracting activities may discuss supply chain concerns with the relevant Cyber-Supply Chain Risk Management Policy Advisor(s) listed on the GSA Acquisition Portal (http://insite.gsa.gov/cscrm) at any time, including during acquisition planning, requirements development, and post award. Changes to this list shall be reported to spe.request@gsa.gov.

(b)In addition to the Cyber-Supply Chain Events listed in 504.7005, additional risks may require notification to GSA’s Office of Mission Assurance (OMA):

(1) Any law enforcement or criminal activity, suspicious packages, or damage to GSA infrastructure should be reported to the GSA Emergency Operations Center (as specified under GSA Order 2400.2) at EOC@gsa.gov or 202-219-0338.

(2)Insider threats, including acts of commission or omission by an insider who intentionally or unintentionally compromises an agency's ability to accomplish its mission (e.g., espionage, unauthorized disclosure of information, any activity resulting in the loss or degradation of departmental resources or capabilities) should be reported to the OMA Insider Threat Program at insider-threat-program@gsa.gov

(a) Acquisition Planning. For cyber-supply chain risk management acquisition planning considerations, see 507.105 (f).

(b) Market Research. For cyber-supply chain risk management market research considerations, see 510.002 (c) and (d)

(c) Evaluation. As part of evaluating past performance, review the Contractor Performance Assessment Reporting System (CPARS) for any reported noncompliance with supply chain requirements and/or otherwise evaluate similar past performance information in accordance with the policies and procedures contained in the applicable subpart.

(d) Pre-award. Apparent successful offeror. If the apparent successful offeror responds that it “will” provide or “does” use covered telecommunications equipment or services in response to the representation provision at FAR 52.204-24 then, regardless of the offeror’s response to the SAM representation provision(s) (e.g., FAR 52.204-26, FAR 52.212-3(v)), clarify with the apparent successful offeror to ensure that it accurately completed the representation(s). After clarifying the apparent successful offeror accurately completed the representation(s), follow the procedures at 504.7005 (c) and consider the following:

(1) If the contracting officer determines that awarding to the apparent successful offeror will result in a violation of the prohibition at FAR 52.204-24(b), the contracting officer should determine that the offeror is not eligible for award and should move to the next offeror in line for award.

(2) If the contracting officer does not identify an eligible offeror, the acquisition team should explore other acquisition strategies, making a partial award, cancelling the solicitation, changing the requirement, or finding another approach that does not involve the use of covered telecommunications equipment or services.

(3) As a last resort, the acquisition team may consider pursuing a waiver for an offeror. The acquisition team should contact the appropriate Cyber-Supply Chain Risk Management Policy Advisor (see 504.7003 (a)) for assistance and coordination. Instructions for requesting a waiver are available on the GSA Acquisition Portal (http://insite.gsa.gov/cscrm).

(a) General.

(1) For any potential cyber-supply chain event, including occurrence of an IT security incident, discovery of a prohibited article or source, or identification of supply chain risk information, the contracting officer or another acquisition team member must contact the GSA IT Service Desk by phone at 866-450-5250 or by email at ITServiceDesk@gsa.gov.

(i) Do not include source selection sensitive information in the notification to the GSA IT Service Desk.

(ii) Do not include other sensitive information (e.g., IP address, access information such as an account login and password) in the notification to the GSA IT Service Desk. The notification should state that additional information is sensitive and will be provided in person or via a secured method.

(iii) Determining whether the identified issue or potential issue is applicable under the procedures for each event type should not delay the acquisition team member from submitting a notification. When unsure, it is better to notify quickly rather than delay the event notification. The GSA IT Service Desk can assist in defining the event type once submitted.

(b) Occurrence of an IT security incident.

(1) If an IT security incident occurs, concerning any GSA information system or data (owned or operated by GSA or by a contractor or other organization on behalf of GSA), regardless of the estimated value of the contract or order, including purchases under the micro-purchase threshold and purchases using a Government Purchase Card, the contracting officer or another acquisition team member must immediately contact the GSA IT Service Desk.

(2) The notification to the GSA IT Service Desk - whether via phone or email - should document as much information as possible, including:

(i) Description, date and time of the incident;

(ii) Whether any PII or contractor-attributional information is affected; and

(iii) Contract information (contract number, contractor name, name of GSA contracting office), as applicable.

(3) Do not delay notifying the GSA IT Service Desk even if all the information requested or considered to be relevant is not available.

(4) Additional guidance is available from the GSA IT Security Procedural Guide CIO-IT Security-01-02, “Incident Response (IR)”, and GSA IT Security Procedural Guide CIO-IT Security-21-117, “OCISO Cyber Supply Chain Risk Management (C-SCRM) Program”.

(5) After initial notification, GSA IT may request additional information and will work with the notifier to resolve the issue.

(c) Discovery of a prohibited article or source .

(1)If a prohibited article or source is discovered within the supply chain of a procurement, regardless of the estimated value of the solicitation, contract, or order, including purchases under the micro-purchase threshold and purchases using a Government Purchase Card, the contracting officer or another acquisition team member must immediately contact the GSA IT Service Desk.

(2)The notification to the GSA IT Service Desk - whether via phone or email - should document as much information as possible, including:

(i)Contract or solicitation information, including contract or solicitation number, contractor or offeror name, and name of GSA contracting office;

(ii)Prohibited article or source name; and

(iii)Reason why prohibited article or source is banned on contract.

(iv) A “critical date,” no less than three (3) business days in the future, for when a response from GSA’s Supply Chain Review Board is requested.

(3) Do not delay notifying the GSA IT Service Desk even if all the information requested or considered to be relevant is not available.

(4) After initial notification, GSA’s Supply Chain Review Board may request additional information and will work with the notifier to resolve the issue.

(i) If the SCRM Review Board has not responded by the “critical date” required by 504.7005(c)(2)(iv), the contracting officer may make a determination without the SCRM Review Board’s input, but should seek input and guidance from the appropriate Cyber-Supply Chain Risk Management Policy Advisor (see GSAM 504.7003(a)) and review additional guidance available on the GSA Acquisition Portal ( http://insite.gsa.gov/cscrm) prior to making the determination.

(d) Identification of supply chain risk information.

(1)If substantial supply chain risk information is identified, or the contracting officer or another acquisition team member including the GSA Information Technology Office (GSA IT) (e.g., Chief Information Officer, Chief Information Security Officer) thinks supply chain risk information should be voluntarily shared with the FASC, the contracting officer or another acquisition team member must contact the GSA IT Service Desk. The GSA IT Service Desk will gather relevant information and share it with the appropriate Cyber-Supply Chain Risk Management Policy Advisor.

(i) Service-level policy may adopt additional procedures to provide acquisition team members with guidance prior to notifying the GSA IT Service Desk.

(2) After initial notification, the appropriate Cyber-Supply Chain Risk Management Policy Advisor may request additional information and will work with the notifier to resolve the issue.

(3) The Cyber-Supply Chain Risk Management Policy Advisors will share information with the Office of Acquisition Policy within OGP.

(4)OGP will share supply chain risk information with relevant GSA offices and personnel, as appropriate, and with the FASC when:

(i)The FASC requests information associated with a particular source, a covered article, or a covered procurement (as defined at 41 U.S.C. 4713(k));

(ii) GSA determines that a substantial supply chain risk associated with a source, a covered article, or a covered procurement exists as described in 41 C.F.R. 201-1.101; or

(iii) GSA identifies supply chain risk management information (including both C-SCRM and non-C-SCRM risks) associated with a source, a covered article, or a covered procurement action and deems such information relevant to share with the FASC.

(e) Cyber-Supply Chain Event Risk Mitigation. The contract administration procedures under FAR part 49 (e.g., cure notice, termination for cause, past performance review) can be used as needed to address immediate or future supply chain event concerns. Additional guidance on contract administration procedures is available on the GSA Acquisition Portal ( http://insite.gsa.gov/cscrm).

(f) Past Performance Evaluation. The contracting officer must report any contractor non-compliance with supply chain requirements within the “Other Areas” portion of any applicable past performance evaluation form.

Acquisitions and contract actions requiring SPE review or approval must conduct an acquisition review, consistent with HCA policy established under 504.7103.

(a) General. The FAR, GSAM, Acquisition Letters, and other policies and procedures identify acquisitions and contracting actions that require SPE review or approval. The SPE may request review of any acquisition or contract action, in addition to those where SPE review or approval is required.

(1)An HCA may notify the SPE according to paragraph (b) of this section of acquisitions or contract actions that otherwise do not require SPE review or approval. A reason may be to seek assistance, advice, or guidance from the SPE about a potential or planned acquisition, a contract action, or an award.

(b) Notification. The SPE shall be notified of acquisitions and contract actions requiring SPE review or approval as early in the acquisition life cycle as possible. Notification shall be sent to spe.request@gsa.gov and include the following information:

(1)Description of the need for SPE involvement (e.g., SPE approval of a consolidation determination);

(2)Description of the requirement, including key dates (e.g., anticipated solicitation date, anticipated award date);

(3)Date(s) of acquisition review(s); and

(4)Any other important information.

(c) Approval. Acquisitions and contract actions requiring SPE review or approval shall be sent to spe.request@gsa.gov and include the following information;

(1)Description of the requirement, action required, and due date;

(2)The document(s) requiring SPE review or approval;

(3)Evidence of Service-level concurrences;

(4)Evidence of legal concurrence;

(5)Evidence of other applicable concurrences where applicable (e.g., category manager and OSDBU);

(6)Supporting attachments, if applicable; and

(7)Any other important information.

(d) Participants. Acquisition reviews involving the SPE are to include key members of the acquisition team as well as the following participants:

(1)SPE or authorized designee;

(2)Head of the contracting activity or authorized designee;

(3)Office of Small and Disadvantaged Business Utilization; and

(4) Office of the Chief Sustainability Officer, Office of Federal High Performance Green Buildings, or authorized sustainability designee

(5) Other key stakeholders (e.g., GSA Office of Information Technology for GSA-funded technology acquisitions).