Federal Acquisition Regulation: Use of Products and Services of Kaspersky Lab

AGENCY:

Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION:

Final rule.

SUMMARY:

DoD, GSA, and NASA are adopting as final, without change, an interim rule amending the Federal Acquisition Regulation (FAR) to implement a section of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018.

DATES:

Effective September 10, 2019.

FOR FURTHER INFORMATION CONTACT:

Ms. Camara Francis, Procurement Analyst, at 202-550-0935 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202-501-4755. Please cite FAC 2019-06, FAR Case 2018-010.

SUPPLEMENTARY INFORMATION:

I. Background

DoD, GSA, and NASA published an interim rule in the Federal Register at 83 FR 28141 on June 15, 2018, to revise the FAR to implement section 1634 of Division A of the NDAA for FY 2018 (Pub. L. 115-91). Section 1634 of this law prohibits the use of products or services of Kaspersky Lab and its related entities by the Federal Government on or after October 1, 2018.

The interim rule amended FAR part 4, adding a new subpart 4.20, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab, with a corresponding new contract clause at 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities. The interim rule also added text in subpart 13.2, Actions at or Below the Micro-Purchase Threshold, to address section 1634 with regard to micro-purchases. To implement section 1634, the clause at 52.204-23 prohibits contractors from providing any hardware, software, or services developed or provided by Kaspersky Lab or its related entities, or using any such hardware, software, or services in the development of data or deliverables first produced in the performance of the contract. The contractor must also report any such hardware, software, or services discovered during contract performance; this requirement flows down to subcontractors. For clarity, the rule defines “covered entity” and “covered article”. A covered entity includes the entities described in section 1634. A covered article includes hardware, software, or services that the Federal Government will use on or after October 1, 2018. The public comment period ended August 14, 2018.

II. Discussion and Analysis

Three respondents submitted public comments, one of which was outside the scope of the rule. There are no changes made to the final rule as a result of the public comments. Responses to comments received follow below.

Comment: A respondent stated, “To reduce burden on contractors, a specific list or definition around `covered article' or `covered entity' are requested. It is also requested to share how and when an entity or article would be added to this list and incorporated into this clause.”

Response: The rule defines “covered article” and “covered entity” in FAR 4.2001, Definitions. With respect to use of a products list, the preamble to the interim rule included a series of detailed questions designed to elicit feedback on how a list might be developed and maintained, as well as other steps that might be taken to reduce burden, but no public input was offered. Due to the continually evolving nature of technological product and service offerings, including third-party products that may either add or eliminate inclusion of elements such as Kaspersky Lab software, and the lack of suggestions for how this challenge might be managed, DoD, GSA, and NASA have concluded that providing a definitive list of hardware, software, or services subject to the definition of “covered article” is impractical, particularly in regulation. Similar challenges regarding the shifting nature of ownership, affiliate and subsidiary relationships also apply to the definition of “covered entity.” DoD, GSA, and NASA intend to confer with the Federal Acquisition Security Council staff as it considers issues related to the appropriate sharing of information to support management decisions associated with supply chain risk management.

Comment: A respondent indicated that the prohibition should be effective immediately to prevent continued use and additional risk to the Government. The respondent had similar concerns that existing contracts would not be modified to incorporate the clause unless the period of performance was being extended for six or more months.

Response: The statutory prohibition in section 1634 took effect on October 1, 2018, and the interim rule was published in advance of the effective date in order to provide sufficient time for both Government and industry to identify any current use or planned procurements of covered articles from covered entities. Publication of the FAR rule was one tool to help agencies in their implementation of section 1634, but the rule did not impact or impair any other planned or ongoing efforts agencies undertook to address the presence of covered articles.

III. Applicability to Contracts at or Below the Simplified Acquisition Threshold (SAT) and for Commercial Items, Including Commercially Available Off-the-Shelf (COTS) Items

This rule applies the requirements of section 1634 of the NDAA for FY 2018 to contracts at or below the SAT, to include contracts for the acquisition of commercial items, including COTS items.

A. Applicability to Contracts at or Below the Simplified Acquisition Threshold

41 U.S.C. 1905 governs the applicability of laws to acquisitions at or below the simplified acquisition threshold (SAT). Section 1905 generally limits the applicability of new laws when agencies are making acquisitions at or below the SAT, but provides that such acquisitions will not be exempt from a provision of law if: (i) the law contains criminal or civil penalties; (ii) the law specifically refers to 41 U.S.C. 1905 and states that the law applies to contracts and subcontracts in amounts not greater than the SAT; or (iii) the FAR Council makes a written determination and finding that it would not be in the best interest of the Federal Government to exempt contracts and subcontracts in amounts not greater than the SAT from the provision of law.

B. Applicability to Contracts for the Acquisition of Commercial Items, Including COTS Items

41 U.S.C. 1906 governs the applicability of laws to contracts for the acquisition of commercial items, and is intended to limit the applicability of laws to contracts for the acquisition of commercial items. Section 1906 provides that if a provision of law contains criminal or civil penalties, or if the FAR Council makes a written determination that it is not in the best interest of the Federal Government to exempt commercial item contracts, the provision of law will apply to contracts for the acquisition of commercial items.

Finally, 41 U.S.C. 1907 states that acquisitions of COTS items will be exempt from a provision of law unless the law (i) contains criminal or civil penalties; (ii) specifically refers to 41 U.S.C. 1907 and states that the law applies to acquisitions of COTS items; (iii) concerns authorities or responsibilities under the Small Business Act (15 U.S.C. 644) or bid protest procedures developed under the authority of 31 U.S.C. 3551 et seq., 10 U.S.C. 2305(e) and (f), or 41 U.S.C. 3706 and 3707; or (iv) the Administrator for Federal Procurement Policy makes a written determination and finding that would not be in the best interest of the Federal Government to exempt contracts for the procurement of COTS items from the provision of law.

C. Determinations

With the publication of the interim rule the FAR Council has determined it was in the best interest of the Government to apply the rule to contracts at or below the SAT and for the acquisition of commercial items. Likewise, the Administrator for Federal Procurement Policy determined it was in the best interest of the Government to apply this rule to contracts for the acquisition of COTS items.

While the law does not specifically address acquisitions of commercial items, including COTS items, there is an unacceptable level of risk for the Government in buying hardware, software, or services developed or provided in whole or in part by Kaspersky Lab. This level of risk is not alleviated by the fact that the item being acquired has been sold or offered for sale to the general public, either in the same form or a modified form as sold to the Government (i.e., that it is a commercial item or COTS item), nor by the small size of the purchase (i.e., at or below the SAT). As a result, agencies may face increased exposure for violating the law and unknowingly acquiring a covered article absent coverage of these types of acquisitions by this rule.

IV. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is not a significant regulatory action and, therefore, was not subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

V. Executive Order 13771

This rule is not subject to E.O. 13771, because this rule is not a significant regulatory action under E.O. 12866.

VI. Regulatory Flexibility Act

A final Regulatory Flexibility Analysis (FRFA) consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. was prepared. The FRFA is summarized below.

This final rule implements section 1634 of Division A of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018 (Pub. L. 115-91). The objective of the rule is to prescribe appropriate policies and procedures to enable agencies to determine that they are not purchasing articles that section 1634 prohibits for use by the Government on or after October 1, 2018.

There were no significant issues raised by the public in response to the Initial Regulatory Flexibility Analysis provided in the interim rule.

The rule applies to all contractors and subcontractors, regardless of size. Data from the Federal Procurement Data System (FPDS) indicates that the Government awarded contracts to an average of 93,792 unique entities in FY 2017 and FY 2018, of which an average of 68,778 (73 percent) were small entities. It is estimated that reports will be submitted by 5 percent of contractors, or 3,439 small entities.

The rule requires contractors and subcontractors that are subject to the clause to report to the contracting officer, or for DoD, to the website listed in the clause, any discovery of a covered article during the course of contract performance.

Because of the nature of the prohibition enacted by section 1634, it is not possible to establish different compliance or reporting requirements or timetables that take into account the resources available to small entities or to exempt small entities from coverage of the rule, or any part thereof. DoD, GSA, and NASA were unable to identify any alternatives that would reduce the burden on small entities and still meet the objectives of section 1634.

Interested parties may obtain a copy of the FRFA from the Regulatory Secretariat Division. The Regulatory Secretariat Division has submitted a copy of the FRFA to the Chief Counsel for Advocacy of the Small Business Administration.

VII. Paperwork Reduction Act

This rule contains information collection requirements that have been approved by the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35). This information collection requirement has been assigned OMB Control Number 9000-0197, entitled “Use of Products and Services of Kaspersky Lab”.

List of Subjects in 48 CFR Parts 1, 4, 13, 39, and 52

• Government procurement

Interim Rule Adopted as Final Without Change

Accordingly, the interim rule amending 48 CFR parts 1, 4, 13, 39, and 52 which was published in the Federal Register at 83 FR 28141 on June 15, 2018, is adopted as a final rule without change.