Subpart 239.73 - REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK
239.7300 Scope of subpart.
This subpart implements 10 U.S.C. 3252 and elements of DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520044p.pdf?ver=2018-11-08-075800-903.
As used in this subpart—
“Covered item of supply” means an item of information technology that is purchased for inclusion in a covered system, and the loss of integrity of which could result in a supply chain risk for a covered system (see 10 U.S.C. 3252).
“Covered system” means a national security system, as that term is defined at 44 U.S.C. 3552(b) (see 10 U.S.C. 3252). It is any information system, including any telecommunications system, used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—
(1) The function, operation, or use of which—
(i) Involves intelligence activities;
(ii) Involves cryptologic activities related to national security;
(iii) Involves command and control of military forces;
(iv) Involves equipment that is an integral part of a weapon or weapons system; or
(v) Is critical to the direct fulfillment of military or intelligence missions, but this does not include a system that is to be used for routine administrative and business applications, including payroll, finance, logistics, and personnel management applications; or
(2) Is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
“Information technology” (see 40 U.S.C 11101(6)) means, in lieu of the definition at FAR 2.1, any equipment, or interconnected system(s) or subsystem(s) of equipment, that is used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.
(1) For purposes of this definition, equipment is used by an agency if the equipment is used by the agency directly or is used by a contractor under a contract with the agency that requires—
(i) Its use; or
(ii) To a significant extent, its use in the performance of a service or the furnishing of a product.
(2) The term “information technology” includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.
(3) The term “information technology” does not include any equipment acquired by a contractor incidental to a contract.
“Supply chain risk” means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system (see 10 U.S.C. 3252).
Notwithstanding FAR 39.001, this subpart shall be applied to acquisition of information technology for covered systems (see 10 U.S.C. 3252) for procurements involving—
(a) A source selection for a covered system or a covered item of supply involving either a performance specification (see 10 U.S.C. 3206(a)(3)(B)), or an evaluation factor (see 10 U.S.C. 3206(b)(1)), relating to supply chain risk;
(b) The consideration of proposals for and issuance of a task or delivery order for a covered system or a covered item of supply where the task or delivery order contract concerned includes a requirement relating to supply chain risk (see 10 U.S.C. 3406(d)(3) and FAR 16.505(b)(1)(iv)(D)); or
(c) Any contract action involving a contract for a covered system or a covered item of supply where such contract includes a requirement relating to supply chain risk.
239.7303 Authorized individuals.
(a) Subject to 239.7304 , the following individuals are authorized to take the actions authorized by 239.7305 :
(1) The Secretary of Defense.
(2) The Secretary of the Army.
(3) The Secretary of the Navy.
(4) The Secretary of the Air Force.
(b) The individuals authorized at paragraph (a) may not delegate the authority to take the actions at 239.7305 or the responsibility for making the determination required by 239.7304 to an official below the level of—
(1) For the Department of Defense, the Under Secretary of Defense for Acquisition and Sustainment; and
(2) For the military departments, the service acquisition executive for the department concerned.
239.7304 Determination and notification.
The individuals authorized in 239.7303 may exercise the authority provided in 239.7305 only after—
(a) Obtaining a joint recommendation by the Under Secretary of Defense for Acquisition and Sustainment and the Chief Information Officer of the Department of Defense, on the basis of a risk assessment by the Under Secretary of Defense for Intelligence, that there is a significant supply chain risk to a covered system;
(b) Making a determination in writing, in unclassified or classified form, with the concurrence of the Under Secretary of Defense for Acquisition and Sustainment, that—
(1) Use of the authority in 239.7305 (a),(b), or (c) is necessary to protect national security by reducing supply chain risk;
(2) Less intrusive measures are not reasonably available to reduce such supply chain risk; and
(3) In a case where the individual authorized in 239.7303 plans to limit disclosure of information under 239.7305 (d), the risk to national security due to the disclosure of such information outweighs the risk due to not disclosing such information; and
(c)(1) Providing a classified or unclassified notice of the determination made under paragraph (b) of this section—
(i) In the case of a covered system included in the National Intelligence Program or the Military Intelligence Program, to the Select Committee on Intelligence of the Senate, the Permanent Select Committee on Intelligence of the House of Representatives, and the congressional defense committees; and
(ii) In the case of a covered system not otherwise included in paragraph (a) of this section, to the congressional defense committees; and
(2) The notice shall include—
(i) The following information (see 10 U.S.C. 3204(e)(2)):
(A) A description of the agency's needs.
(B) An identification of the statutory exception from the requirement to use competitive procedures and a demonstration, based on the proposed contractor's qualifications or the nature of the procurement, of the reasons for using that exception.
(C) A determination that the anticipated cost will be fair and reasonable.
(D) A description of the market survey conducted or a statement of the reasons a market survey was not conducted.
(E) A listing of the sources, if any, that expressed in writing an interest in the procurement.
(F) A statement of the actions, if any, the agency may take to remove or overcome any barrier to competition before a subsequent procurement for such needs;
(ii) The joint recommendation by the Under Secretary of Defense for Acquisition and Sustainment and the Chief Information Officer of the Department of Defense as specified in paragraph (a) of this section;
(iii) A summary of the risk assessment by the Under Secretary of Defense for Intelligence that serves as the basis for the joint recommendation specified in paragraph (a) of this section; and
(iv) A summary of the basis for the determination, including a discussion of less intrusive measures that were considered and why they were not reasonably available to reduce supply chain risk.
239.7305 Exclusion and limitation on disclosure.
Subject to 239.7304 , the individuals authorized in 239.7303 may, in the course of procuring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system—
(a) Exclude a source that fails to meet qualification standards established in accordance with the requirements of 10 U.S.C. 3243, for the purpose of reducing supply chain risk in the acquisition of covered systems;
(b) Exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order;
(c) Withhold consent for a contractor to subcontract with a particular source or direct a contractor for a covered system to exclude a particular source from consideration for a subcontract under the contract; and
(d) Limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information relating to the basis for carrying out any of the actions authorized by paragraphs (a) through (c) of this section, and if such disclosures are so limited—
(1) No action undertaken by the individual authorized under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court; and
(2) The authorized individual shall—
(i) Notify appropriate parties of action taken under paragraphs (a) through (d) of this section and the basis for such action only to the extent necessary to effectuate action;
(ii) Notify other Department of Defense components or other Federal agencies responsible for procurements that may be subject to the same or similar supply chain risk, in a manner and to the extent consistent with the requirements of national security; and
(iii) Ensure the confidentiality of any such notifications.
239.7306 Solicitation provision and contract clause.
(a) Insert the provision at 252.239-7017, Notice of Supply Chain Risk, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301 .
(b) Insert the clause at 252.239-7018, Supply Chain Risk, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, for information technology, whether acquired as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system, as defined at 239.7301 .