Whether you’re aware or not, semiconductors are part of a vast variety of electronics. Semiconductors appear in items ranging from smartphones to pacemakers. The Federal Acquisition Regulatory Council (FAR Council) issued an Advanced Notice of Proposed Rulemaking (Proposed Rule), which would amend the Federal Acquisition Regulation (FAR) to prohibit executive agencies from procuring products and services that contain certain “covered” semiconductors. The Proposed Rule is expected to impact up to 75% of all government contract awardees. For contractors affected by the Proposed Rule, the costs of compliance and penalties for non-compliance will be high. Below, PilieroMazza highlights key aspects of the Proposed Rule and potential issues contractors would be wise to consider before the comment period ends on August 2.

Background

Semiconductors are the cornerstone of all technology, from the simplest to the most complex. Due to their prevalence in electronic products and services, semiconductors are vectors for attack on the economic, political, and physical safety of the United States. To counter this threat, Congress passed Section 5949 of the National Defense Authorization Act for Fiscal Year 2023 (Act), which prohibits agencies from procuring or obtaining (1) electronic products or electronic services that include “covered” semiconductor products or services or (2) electronic products that use electronic components that include “covered” semiconductor products or services. The Proposed Rule seeks to implement the broad prohibitions enumerated in Section 5949 of the Act.

Generally, these “covered” semiconductors will flow from entities—as determined by the Secretary of Defense and Secretary of Commerce—to be owned by, controlled by, or connected to governments of any of the following nations: North Korea, China, Iran, and Russia. More specifically, the FAR Council tentatively designated three entities (and their subsidiaries, affiliates, or successors) as “covered” entities: (1) the Semiconductor Manufacturing International Corporation (SMIC), (2) ChangXin Memory Technologies (CXMT), and (3) the Yangtze Memory Technologies Corp (YMTC). Thus, a semiconductor, a semiconductor product, a product that incorporates a semiconductor product, or a service that utilizes such a product that is designed, produced, or provided by any of these entities are considered a “covered” semiconductor product or service.  

Continuing Obligations for Contractors

The Proposed Rule will require all contractors to, among other things:

1. Conduct a reasonable inquiry to detect and avoid the use of “covered” semiconductor products or services in electronic products or electronic services provided to the government.
2. Notify appropriate federal authorities in writing within sixty days if they become aware of or have reason to suspect any product to be used in a critical system containing a “covered” semiconductor product or service.
3. Disclose to direct government customers the inclusion of a “covered” semiconductor product or service in electronic products or electronic services.
4. Incorporate the substance of the Section 5949 prohibitions and applicable FAR clause into all subcontracts for the supply of any electronic products.

Violations of the proposed FAR clause could be met with civil penalties and designation of the contractor as “not presently responsible” unless timely disclosed to the government.  Contractors that fail to disclose the inclusion of “covered” semiconductors in a timely manner will be responsible for reworks and corrective actions to remedy the use or inclusion of such “covered” semiconductors. Costs incurred during those corrective actions will not be allowable. To avoid civil liability and any non-responsibility designation, contractors must (1) report any suspected or discovered non-compliance to appropriate federal authorities within sixty days and (2) make a “comprehensive and documentable effort” to identify and remove the “covered” semiconductor products or services.

Key Takeaways

While the prospect of verifying compliance may appear daunting, the Proposed Rule contemplates several mechanisms that would make compliance less burdensome. For example, it would (i) allow contractors and subcontractors to reasonably rely on certifications of compliance from subcontractors and suppliers of electronic products or services when submitting proposals to the government and (ii) not require them to conduct independent third-party audits or other formal reviews related to such certifications. Additionally, the FAR Council is considering referencing in the Proposed Rule a publicly-available web page or report issued by the Department of Commerce that would identify a list of electronic products and services that include “covered” semiconductor products or services that utilize such products, such as telecommunications and cloud storage or computing services. Similar to how FASCSA Orders are posted on Sam.gov, this would lessen the burden on contractors trying to identify which products can or cannot be provided to the federal government.

The final rule may also require that offerors disclose the source of the supply chain for semiconductor components in each electronic product supplied to the government, ensuring that “covered” semiconductors are not used. The required information for semiconductor products could include, but is not limited to: identification of vendors and facilities responsible for the design, fabrication, assembly, packaging, and testing of the product, as well as the manufacturer and distributor codes used for the product. This potential requirement appears to be a similar trend amongst cybersecurity rulemakings—requiring private companies to identify and share increasing amounts of confidential and proprietary information regarding its supply chain and offered products and services.

Lastly, besides the potential penalties for non-disclosure and/or non-compliance, the FAR Council estimates that the Proposed Rule will affect roughly 75% of all federal government contract awardees. The affected contractors must expend resources on educating employees and updating policies to ensure compliance. Indeed, the FAR Council anticipates that for each non-compliant semiconductor product or service, it will cost, on average, $10,000 to come into compliance by providing an alternative product or service or updating the product or service to remove prohibited semiconductors.

The comment period for the Proposed Rule ends on August 2, 2024, and comments can be inserted here.