Part 40 - Information Security and Supply Chain Security
40.000 Scope of part.
(a) This part addresses broad security requirements that apply to acquisitions of products and services. It prescribes policies and procedures for managing information security and supply chain security when acquiring products and services that include, but are not limited to, information and communications technology (ICT).
(b) See part 39 for security-related policies and procedures that only apply to ICT.
(c) See parts 4, 24, and 46 for additional policies and procedures related to managing information security and supply chain security.
(d) Information and supply chain policies and procedures that are unrelated to security are covered in other parts of the FAR ( e.g., part 22 for labor and human trafficking risks and part 23 for climate-related risks).
Subpart 40.1 - [Reserved]
Subpart 40.2 - Security Prohibitions and Exclusions
40.200 Scope of subpart.
(a) This subpart provides policies and procedures to implement security prohibitions and exclusions that restrict Federal agencies from procuring, obtaining, or using certain products, services, or sources.
(b) The following prohibitions and exclusions are implemented in this subpart:
(1) The American Security Drone Act of 2023, of the National Defense Authorization Act for Fiscal Year 2024 (Pub. L. 118-31, 41 U.S.C. 3901 note prec.), which provides a prohibition on the procurement and operation of unmanned aircraft systems.
(2) [Reserved]
(c) Additional security prohibitions and exclusions are found at subparts 4.20 through 4.23 and 25.7.
40.201 Definitions.
As used in this subpart-
American Security Drone Act-covered foreign entitymeans an entity included on a list developed and maintained by the Federal Acquisition Security Council (FASC) and published in the System for Award Management (SAM) at https://www.sam.gov (section 1822 of Pub. L. 118-31, 41 U.S.C. 3901 note prec.).
FASC-prohibited unmanned aircraft systemmeans an unmanned aircraft system manufactured or assembled by an American Security Drone Act-covered foreign entity.
Unmanned aircraftmeans an aircraft that is operated without the possibility of direct human intervention from within or on the aircraft (49 U.S.C. 44801(11)).
Unmanned aircraft systemmeans an unmanned aircraft and associated elements (including communication links and the components that control the unmanned aircraft) that are required for the operator to operate safely and efficiently in the national airspace system (49 U.S.C. 44801(12)).
40.202 Prohibition on the procurement and operation of unmanned aircraft systems manufactured or assembled by American Security Drone Act-covered foreign entities. s.
(a) Section 40.202 prescribes policies and procedures regarding the procurement and operation of unmanned aircraft systems, which includes unmanned aircraft (i.e., drones) and associated elements.
(b) The authorities in 40.202 expire on December 22, 2028 (section 1833 of Pub. L. 118-31, 41 U.S.C. 3901 note prec.).
40.202-1 Scope.
(a) Section 40.202 prescribes policies and procedures regarding the procurement and operation of unmanned aircraft systems, which includes unmanned aircraft (i.e., drones) and associated elements.
(b) The authorities in 40.203 expire on December 22, 2028 (section 1833 of Pub. L. 118-31, 41 U.S.C. 3901 note prec.).
40.202-2 Applicability.
Section 40.202 applies to all acquisitions, including contracts at or below the micro-purchase threshold and to contracts for commercial products or for commercial services.
40.202-3 Prohibition.
Unless an exemption, exception, or waiver applies (see 40.202-4, 40.202-5, and 40.202-6, respectively), executive agencies are prohibited from-
(a) Procuring a FASC-prohibited unmanned aircraft system (section 1823 and 1826 of Pub. L. 118-31, 41 U.S.C. 3901 note prec.). The prohibition includes extending or renewing a contract (e.g., exercising an option);
(b) On or after December 22, 2025, procuring services for the operation of a FASC-prohibited unmanned aircraft system (section 1824 of Pub. L. 118-31, 41 U.S.C. 3901 note prec.). The prohibition includes extending or renewing a contract (e.g., exercising an option); and
(c) On or after December 22, 2025, using Federal funds for the procurement or operation of a FASC-prohibited unmanned aircraft system (section 1825 of Pub. L. 118-31, 41 U.S.C. 3901 note prec.).
40.202-4 Exemptions.
The prohibitions in 40.202 do not apply to the following (see sections 1823, 1824, and 1825 of Pub. L. 118-31, 41 U.S.C. 3901 note prec.):
(a) Department of Homeland Security, Department of Defense, Department of State, and the Department of Justice exemptions. The Secretary of Homeland Security, the Secretary of Defense, the Secretary of State, and the Attorney General are exempt from the prohibitions in 40.202 if the procurement or operation is required in the national interest of the United States and-
(1) Is for the sole purposes of research, evaluation, training, testing, or analysis for electronic warfare, information warfare operations, cybersecurity, or development of unmanned aircraft system or counter-unmanned aircraft system technology;
(2) Is for the sole purposes of conducting counterterrorism or counterintelligence activities, protective missions, or Federal criminal or national security investigations, including forensic examinations, or for electronic warfare, information warfare operations, cybersecurity, or development of an unmanned aircraft system or counter-unmanned aircraft system technology; or
(3) Is an unmanned aircraft system that, as procured or as modified after procurement but before operational use, can no longer transfer to, or download data from, an American Security Drone Act-covered foreign entity and otherwise poses no national security cybersecurity risks as determined by the exempting official, as described in agency procedures.
(b) Department of Transportation exemption. The Secretary of Transportation is exempt from the prohibitions in 40.202 if the operation or procurement is deemed to support the safe, secure, or efficient operation of the National Air Space System or maintenance of public safety.
(c) National Transportation Safety Board exemption. The National Transportation Safety Board, in consultation with the Secretary of Homeland Security, is exempt from the prohibitions, in 40.202 if the operation or procurement is necessary for the sole purpose of conducting safety investigations.
(d) National Oceanic and Atmospheric Administration (NOAA) exemption. The Administrator of NOAA, in consultation with the Secretary of Homeland Security, is exempt from the prohibitions of 40.202, if the operation or procurement for the purposes of meeting NOAA’s science or management objectives or operational mission.
40.202-5 Exceptions.
The prohibitions in this section do not apply to the following (section 1832 of Pub. L. 118-31, 41 U.S.C. 3901 note prec.):
(a) Wildfire management operations and search and rescue operations exception. The prohibitions in section 40.202 do not apply to an appropriate Federal agency to the extent that an authorized official at the agency, in consultation with the Secretary of Homeland Security, determines that the procurement or operation is necessary for the purposes of supporting the full range of wildfire management operations or search and rescue operations.
(b) Intelligence activities exception. The prohibitions of 40.202 do not apply to any activity subject to the reporting requirements under title V of the National Security Act of 1947 (50 U.S.C. 3091 et seq.), any authorized intelligence activities of the United States, or any activity or procurement that supports an authorized intelligence activity.
(c) Tribal law enforcement or emergency service agency exception. The prohibitions in 40.202 do not apply to Tribal law enforcement or Tribal emergency service agencies to the extent that an authorized official at the agency, in consultation with the Secretary of Homeland Security, determines that the procurement or operation is necessary for the purposes of supporting the full range of law enforcement operations or search and rescue operations on Indian lands.
40.202-6 Waivers.
The head of the agency may waive the prohibitions under 40.202 on a case-by-case basis in accordance with agency procedures and based on the statutory waiver provisions (sections 1823, 1824, and 1825 of Pub. L. 118-31, 41 U.S.C. 3901 note prec.)—
(a)With the approval of the Director of the Office of Management and Budget, after consultation with the FASC; and
(b)Upon notification to-
(1) The Committee on Homeland Security and Governmental Affairs of the Senate;
(2) The Committee on Oversight and Accountability in the House of Representatives; and
(3) Other appropriate congressional committees of jurisdiction.
40.202-7 Procedures.
(a) Documenting exemptions, exceptions, or waivers. The contracting officer shall document the file with any exemption, exception, or waiver provided by the program office or requiring activity. Additionally, the contracting officer shall work with the program office or requiring activity to ensure the presence and scoping of any such exemptions, exceptions, or waivers are identified in the solicitation and resultant contract.
(b) Assessment of unmanned aircraft systems. Except where an exemption, exception, or waiver applies, the contracting officer shall work with the program office or requiring activity to review proposals to ensure they are not proposing delivery of a FASC-prohibited unmanned aircraft system. On or after December 22, 2025, this assessment shall expand to include review for not only proposed delivery, but also operation, of a FASC-prohibited unmanned aircraft system.
40.202-8 Contract clause.
Insert the clause at 52.240-1, Prohibition on Unmanned Aircraft Systems Manufactured or Assembled by American Security Drone Act-Covered Foreign Entities, in all solicitations and contracts.