Navigating the New FAR Part 40 on Information and Supply Chain Security  

On April 1st (officially 04/04/2024), the Department of Defense (DoD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) issued a final rule amending the Federal Acquisition Regulation (FAR). The amendment adds the framework for a new FAR part 40 on information security and supply chain security. The effective date for this ruling is 05/01/2024.

As currently written, the FAR makes it challenging for the acquisition workforce to identify, understand, and implement security requirements. Policies and procedures for prohibitions, exclusions, supply chain risk information sharing, and safeguarding information that address security objectives are spread across various parts of the FAR.

The purpose of this ruling is to amend the FAR to create a new FAR part 40, which will be the new central location for cybersecurity and supply chain requirements in the FAR. This new FAR part will provide contracting officers with one consolidated location in the FAR for cybersecurity supply chain risk management requirements that apply across acquisitions. This will also benefit government contractors seeking to review information security and supply chain security policies and procedures.

The ruling does not implement any of the information security and supply chain security policies or procedures, but instead simply establishes the new FAR part to address broad security requirements that apply to acquisitions of products and services. Likewise, the rule neither establishes new provisions for solicitation or contract clauses, nor does it affect any existing ones.

The new FAR part 40 will cover:

  • Security requirements aimed at strengthening national security by managing:
    • Cybersecurity supply chain risks 
    • Foreign-based risks 
    • Emerging technology risks 
  • Security-related requirements that include, but are not limited to, information and communications technology (ICT)  

The new FAR part 40 will not cover:

  • Security-related requirements that only apply to ICT acquisitions 
  • Supply chain and information risks that are unrelated to security risks 

Consolidations or additions that move under the new FAR part 40 will be carried out through separate rulemaking.

The new FAR part 40 is a significant step towards improving information security and supply chain security in government contracting. Government contractors and the acquisition workforce are encouraged to familiarize themselves with the new requirements and ensure compliance.

Author: Jason Spezzano, Executive Cybersecurity Advisor
