Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).
Interim rule.
DoD, GSA, and NASA are issuing an interim rule amending the Federal Acquisition Regulation (FAR) to implement a section of the National Defense Authorization Act for Fiscal Year 2018.
• Contracting officers shall include the clause at FAR 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab or Other Covered Entities—
• In solicitations issued on or after July 16, 2018, and resultant contracts; and
• In solicitations issued before July 16, 2018, provided award of the resulting contract(s) occurs on or after July 16, 2018.
• Contracting officers shall modify, in accordance with FAR 1.108(d)(3), existing indefinite-delivery contracts to include the FAR clause for future orders, prior to placing any further orders on or after July 16, 2018.
• If modifying an existing contract to extend the period of performance by more than 6 months, contracting officers should include the clause in accordance with 1.108(d).
Submit comments identified by FAC 2005–99, FAR Case 2018–010, by any of the following methods:
•
•
Ms. Camara Francis, Procurement Analyst, at 202–550–0935, for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at 202–501–4755. Please cite FAC 2005–99, FAR Case 2018–010.
This interim rule revises the FAR to implement section 1634 of Division A of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018 (Pub. L. 115–91). Section 1634 of this law prohibits the use of hardware, software, and services of Kaspersky Lab and its related entities by the Federal Government on or after October 1, 2018.
Implementation of this rule in the FAR should not impact or impair any other planned or ongoing efforts agencies may undertake to implement section 1634 of Division A of the NDAA for FY 2018, including consideration by agencies of the presence of hardware, software, or services developed or provided by Kaspersky Lab as a technical evaluation factor in the source selection process.
This rule amends FAR part 4, adding a new subpart 4.20, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab, with a corresponding new contract clause at 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities. The rule also adds text in subpart 13.2, Actions at or Below the Micro-Purchase Threshold, to address section 1634 with regard to micro-purchases.
To implement section 1634, the clause at 52.204–23 prohibits contractors from providing any hardware, software, or services developed or provided by Kaspersky Lab or its related entities, or using any such hardware, software, or services in the development of data or deliverables first produced in the performance of the contract. The contractor must also report any such hardware, software, or services discovered during contract performance; this requirement flows down to subcontractors. For clarity, the rule defines “covered entity” and “covered article.” A covered entity includes the entities described in section 1634. A covered article includes hardware, software, or services that the Federal Government will use on or after October 1, 2018.
As the Government considers additional actions to implement section 1634, DoD, GSA, and NASA especially welcome input on steps that the Government could take to better identify and reduce the burden on contractors related to identifying covered articles. For example:
• Is the prohibition scoped appropriately to protect the Government by including situations in which covered articles may be used in the development of data or deliverables first produced during contract performance, for example, under a systems development contract?
• Are the Government's analysis and estimates in sections VI and VII, including the estimate that 5 percent of contractors would be required to submit reports in accordance with the clause, reasonable? How could these estimates be improved?
• If the Government were to consider establishing a list to publicly share information regarding products identified as meeting the definition of a covered article (
• What protocols should the Government apply prior to placing a product on the excluded list (
• Should different protocols apply depending on whether the product is made by the original equipment manufacturer, sold by a reseller, or customized by a firm?
• When is it appropriate to leave a product on the excluded list indefinitely (
• Are there steps that the Government can take to avoid inappropriately affecting the producer's interests (
This rule adds a new contract clause at 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities, in order to implement section 1634 of the NDAA for FY 2018. Section 1634 of this law prohibits the use of hardware, software, and services developed or provided by Kaspersky Lab and related entities by the Federal Government on or after October 1, 2018.
41 U.S.C. 1905 governs the applicability of laws to acquisitions at or below the simplified acquisition threshold (SAT). Section 1905 generally limits the applicability of new laws when agencies are making acquisitions at or below the SAT, but provides that such acquisitions will not be exempt from a provision of law if: (i) The law contains criminal or civil penalties; (ii) the law specifically refers to 41 U.S.C. 1905 and states that the law applies to contracts and subcontracts in amounts not greater than the SAT; or (iii) the FAR Council makes a written determination and finding that it would not be in the best interest of the Federal Government to exempt contracts and subcontracts in amounts not greater than the SAT from the provision of law.
41 U.S.C. 1906 governs the applicability of laws to contracts for the acquisition of commercial items, and is intended to limit the applicability of laws to contracts for the acquisition of commercial items. Section 1906 provides that if a provision of law contains criminal or civil penalties, or if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt commercial item contracts, the provision of law will apply to contracts for the acquisition of commercial items.
Finally, 41 U.S.C. 1907 states that acquisitions of commercially available off-the-shelf (COTS) items will be exempt from a provision of law unless the law (i) contains criminal or civil penalties; (ii) specifically refers to 41 U.S.C. 1907 and states that the law applies to acquisitions of COTS items; (iii) concerns authorities or responsibilities under the Small Business Act (15 U.S.C. 644) or bid protest procedures developed under the authority of 31 U.S.C. 3551
The FAR Council has determined that it is in the best interest of the Government to apply the rule to contracts at or below the SAT and for the acquisition of commercial items. The Administrator for Federal Procurement Policy has determined that it is in the best interest of the Government to apply this rule to contracts for the acquisition of COTS items.
While the law does not specifically address acquisitions of commercial items, including COTS items, there is an unacceptable level of risk for the Government in buying hardware, software, or services developed or provided in whole or in part by Kaspersky Lab. This level of risk is not alleviated by the fact that the item being acquired has been sold or offered for sale to the general public, either in the same form or a modified form as sold to the Government (
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This rule has been designated a “significant regulatory action” under Executive Order 12866. Accordingly, the Office of Management and Budget (OMB) has reviewed this rule. This rule is not a major rule under 5 U.S.C. 804.
This rule is not subject to the requirements of E.O. 13771 because the rule is issued with respect to a national security function of the United States.
The change may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act 5 U.S.C. 601
The objective of the rule is to prescribe appropriate policies and procedures to enable agencies to determine and ensure that they are not purchasing products and services of Kaspersky Lab and its related entities for use by the Government on or after October 1, 2018. The legal basis for the rule is section 1634 of the NDAA for FY 2018, which prohibits Government use of such products on or after that date.
Data from the Federal Procurement Data System (FPDS) for FY 2017 has been used as the basis for estimating the number of contractors that may be affected by this rule. Approximately 97,632 unique entities received new awards in Fiscal Year (FY) 2017. Of these entities, 72,447 (74 percent) unique small entities received awards during 2017. It is estimated that the reports required by this rule will be submitted by 5 percent of contractors, or 3,623 small entities.
The rule requires contractors and subcontractors that are subject to the clause to report to the contracting officer, or for DoD, to the website listed in the clause, any discovery of a covered article during the course of contract performance.
The rule does not duplicate, overlap, or conflict with any other Federal rules.
Because of the nature of the prohibition enacted by section 1634, it is not possible to establish different compliance or reporting requirements or timetables that take into account the resources available to small entities or to exempt small entities from coverage of the rule, or any part thereof. DoD, GSA, and NASA were unable to identify any alternatives that would reduce the burden on small entities and still meet the objectives of section 1634.
The Regulatory Secretariat has submitted a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat. DoD, GSA, and NASA invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities.
DoD, GSA, and NASA will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested
The Paperwork Reduction Act of 1995 (44 U.S.C. 3501
DoD, GSA, and NASA requested and OMB authorized emergency processing of an information collection involved in this rule, as OMB Control Number 9000–0197, consistent with 5 CFR 1320.13. DoD, GSA, and NASA have determined the following conditions have been met:
a. The collection of information is needed prior to the expiration of time periods normally associated with a routine submission for review under the provisions of the Paperwork Reduction Act, in view of the deadline for this provision of the NDAA which was signed into law in December 2017 and requires action before the prohibition goes into effect on October 1, 2018.
b. The collection of information is essential to the mission of the agencies to ensure the Federal Government does not purchase prohibited articles, and can respond appropriately if any such articles are not identified until after delivery or use.
c. The use of normal clearance procedures would prevent the collection of information from contractors, for national security purposes, as discussed in section VIII of this preamble.
Passage of the omnibus appropriations bill and the availability of additional funding for FY 18 has increased agency purchasing activity, and the information to be collected is necessary to ensure that this purchasing is done responsibly and consistent with national security.
Moreover, DoD, GSA, and NASA cannot comply with the normal clearance procedures because public harm is reasonably likely to result if current clearance procedures are followed. Not only would agencies be more likely to purchase and install prohibited items, but even if such items were identified prior to the October 1 date, agencies would incur substantial additional costs replacing such items, as well as additional administrative costs for reprocurement.
DoD, GSA, and NASA intend to provide separate 60-day notice in the
The public reporting burden for this collection of information consists of reports of identified covered articles during contract performance as required by 52.204–23. Reports are estimated to average 1.5 hour per response, including the time for reviewing definitions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the report.
The subsequent 60-day notice published by DoD, GSA, and NASA will invite public comments.
A determination has been made under the authority of the Secretary of Defense (DoD), Administrator of General Services (GSA), and the Administrator of the National Aeronautics and Space Administration (NASA) that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. It is critical that the FAR is immediately revised to include the requirements of the law, which prohibits the Federal Government from using hardware, software, or services of Kaspersky Lab and its related entities on or after October 1, 2018.
Although this prohibition does not apply until October 1, 2018, agencies and contractors must begin to take steps immediately to meet this deadline. In this regard, covered articles include hardware, software, and services acquired before October 1, 2018, that the Federal Government will use on or after October 1, 2018. Because so many IT products and services are used for more than a few months, it is critical that contractors be placed on notice as soon as possible of this prohibition so that agencies can ensure that they comply with the law and avoid acquisitions of covered articles that the Government will continue to use on or after October 1, 2018. Pursuant to 41 U.S.C. 1707 and FAR 1.501–3(b), DoD, GSA, and NASA will consider public comments received in response to this interim rule in the formation of the final rule.
Government procurement.
Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 4, 13, 39, and 52 as set forth below:
40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 U.S.C. 20113.
As used in this subpart—
(1) Is developed or provided by a covered entity;
(2) Includes any hardware, software, or service developed or provided in whole or in part by a covered entity; or
(3) Contains components using any hardware or software developed in whole or in part by a covered entity.
(1) Kaspersky Lab;
(2) Any successor entity to Kaspersky Lab;
(3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(4) Any entity of which Kaspersky Lab has a majority ownership.
Section 1634 of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115–91) prohibits Government use on or after October 1, 2018, of any hardware, software, or services developed or provided, in whole or in part, by a covered entity. Contractors are prohibited from—
(a) Providing any covered article that the Government will use on or after October 1, 2018; and
(b) Using any covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract.
When a contractor provides notification pursuant to 52.204–23, follow agency procedures.
The contracting officer shall insert the clause at 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities, in all solicitations and contracts.
(i) Do not purchase any hardware, software, or services developed or provided by Kaspersky Lab that the Government will use on or after October 1, 2018. (See 4.2002.)
(e) Contracting officers shall not purchase any hardware, software, or services developed or provided by Kaspersky Lab that the Government will use on or after October 1, 2018. (See 4.2002.)
As prescribed in 4.2004, insert the following clause:
(a)
(1) Is developed or provided by a covered entity;
(2) Includes any hardware, software, or service developed or provided in whole or in part by a covered entity; or
(3) Contains components using any hardware or software developed in whole or in part by a covered entity.
(1) Kaspersky Lab;
(2) Any successor entity to Kaspersky Lab;
(3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(4) Any entity of which Kaspersky Lab has a majority ownership.
(b)
(1) Providing any covered article that the Government will use on or after October 1, 2018; and
(2) Using any covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract.
(c)
(2) The Contractor shall report the following information pursuant to paragraph (c)(1) of this clause:
(i) Within 1 business day from the date of such identification or notification: The contract number; the order number(s), if applicable; supplier name; brand; model number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.
(ii) Within 10 business days of submitting the report pursuant to paragraph (c)(1) of this clause: Any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of a covered article, any reasons that led to the use or submission of the covered article, and any additional efforts that will be incorporated to prevent future use or submission of covered articles.
(d)
The revisions and additions read as follows:
(a) * * *
____ (2) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115–91).
(e)(1) * * *
(iii) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115–91).
(e)(1) * * *
(ii) * * *
(C) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services
The revision and addition read as follows:
(a) * * *
(1) * * *
(ii) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115–91).
The revision and addition read as follows:
(c)(1) * * *
(iv) 52.204–23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115–91).