Celebrating FAR Part 40!!
On April 1, 2024 (April Fools’ Day), 40 years to the day after the Federal Acquisition Regulation (FAR) became effective, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) announced a new FAR Part, PART 40—INFORMATION SECURITY AND SUPPLY CHAIN SECURITY.
Well, not a new FAR Part, per se, but providing structure and content for a part that had previously been Reserved. When the FAR became effective 40 years ago there were six Reserved Parts (i.e., 6, 18, 21, 25, 40, 41). Reserved Parts were placeholders for future content. Four of the Reserved parts have since been filled (i.e., Part 6 - Competition Requirements, Part 18 - Emergency Acquisitions, Part 25 - Foreign Acquisition, and Part 41 - Acquisition of Utility Services). Another, Part 20, formerly, Labor Surplus Area Concerns, has become reserved.
DoD, GSA, and NASA issued a Final Rule, effective May 1, 2024, amending the Federal Acquisition Regulation (FAR) to add the framework for a new FAR part on information security and supply chain security. The creation of this new FAR part does not implement any of the information security and supply chain security policies or procedures. The amendment simply establishes a new part of the FAR, providing its Scope and creating three Subparts, which are, currently, Reserved.
Here is the entirety of the new part:
PART 40—INFORMATION SECURITY AND SUPPLY CHAIN SECURITY
40.000 Scope of part.
(a) This part addresses broad security requirements that apply to acquisitions of products and services. It prescribes policies and procedures for managing information security and supply chain security when acquiring products and services that include, but are not limited to, information and communications technology (ICT). (b) See part 39 for security-related policies and procedures that only apply to ICT. (c) See parts 4, 24, and 46 for additional policies and procedures related to managing information security and supply chain security. (d) Information and supply chain policies and procedures that are unrelated to security are covered in other parts of the FAR (e.g., part 22 for labor and human trafficking risks and part 23 for climate-related risks).
Subpart 40.1—[Reserved]
Subpart 40.2—[Reserved]
Subpart 40.3—[Reserved]
Given the scope of the new part, we can expect the FAR Council to go about fleshing out the new subparts in the not-too-distant future. And, if what has happened in the fleshing out of other previously Reserved Parts, you can expect more work for contracting officers and Industry when they do.