On April 1, 2024, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) issued a Final Rule amending the Federal Acquisition Regulation (FAR) to establish a framework for a new FAR Part 40 focusing on information security and supply chain security.

The Final Rule did not itself establish any new FAR requirements applicable to government contractors, but rather created the structure of the new Part 40, which will be populated with regulations in the future (with at least three subparts presently contemplated). The creation of Part 40 follows the influx of FAR provisions related to supply chain security and information security more broadly, including the implementation of wide ranging federal prohibitions such as:

• June 2018: Interim rule and regulations that implement the National Defense Authorization Act’s prohibition on the use of hardware, software, and services of Kaspersky Lab and its related entities in response to concerns that Kaspersky executives had close ties to the Russian government and intelligence community.
• July 2020: Section 889 interim rule and regulations on telecommunication and video surveillance services or equipment, prohibiting federal contractors from using federal funds to contract for certain foreign owned (namely originating from China) equipment, services, or systems for use as substantial or critical components of any system.
• June 2023: Interim rule and regulations that implemented the No TikTok on Government Devices Act, prohibiting the presence or use of TikTok (or any successor application or service owned, developed, and deployed by ByteDance Limited) on devices used in the performance of federal contracts.

Currently, these and other supply chain and information security requirements are scattered throughout the FAR. Over time, federal contractors can expect that these and other supply chain and information security provisions will likely be moved into the new Part 40 along with other, new prohibitions and policies.

To that end, on April 10, 2024, DoD, GSA, and NASA issued a Request for Information (RFI) seeking input on the scope and organization of FAR Part 40. The RFI provides guidance on the genesis of Part 40, including the determination to consolidate and streamline existing policies and procedures to render it easier for the “acquisition workforce and the general public to understand and implement applicable requirements.” The RFI also clarifies that Part 40 will contain regulations that (1) address security objectives and (2) include, but also go beyond, information and communications technology requirements. Requirements that focus solely on information and communications technology will remain in FAR Part 39.

The RFI includes a list of current FAR provisions that may be moved to FAR Part 40 and requests feedback from the public on this proposed content and structure. The list is currently broken into three subparts: (1) Processing Supply Chain Risk Information, (2) Security Prohibitions and Exclusions, and (3) Safeguarding Information. The RFI requests that interested parties review the list and provide comments on the following two questions:

1. What specific section(s) of the FAR would benefit from inclusion in FAR Part 40?
2. What specific suggestions do you have for otherwise improving the proposed scope or subparts of FAR Part 40?

Public responses to the RFI are due no later than June 10, 2024.