What are the practical implications of Information Security and Supply Chain Security?

* **Supply Chain Audits:** Contractors providing drone-related services (e.g., aerial photography, site inspections, or delivery) must immediately audit their fleets. Even if a drone was legal to use last year, it may be prohibited for federal work now if the manufacturer is added to the SAM exclusion list. * **No "De Minimis" Exception:** Because the rule applies to micro-purchases, government employees cannot use purchase cards (GPC) to buy prohibited drones for "off-the-shelf" use. * **The 2025 Operational Pivot:** Companies providing "Services" that involve drones (where the government doesn't take ownership of the drone but pays for the data/service) have until late 2025 to transition their fleets to compliant hardware (e.g., "Blue UAS" or American-made alternatives). * **Broad Scope of "Associated Elements":** The prohibition isn't just the drone itself; it includes communication links and control components. This means a compliant drone using a prohibited ground control station or data-link software would still result in a violation.

Who is responsible for Information Security and Supply Chain Security?

* **Contracting Officers (COs):** * Must include FAR clause 52.240-1 in every solicitation and contract. * Responsible for reviewing proposals to ensure contractors are not proposing prohibited UAS. * Must document the contract file regarding any applicable exemptions, exceptions, or waivers. * Starting Dec 2025, must expand proposal assessments to ensure prohibited drones are not used in the *performance* (operation) of the contract. * **Program Managers / Requiring Activities:** * Identify the need for exemptions or waivers early in the acquisition planning phase. * Work with the CO to ensure the scope of any exemption is clearly defined in the solicitation. * Conduct the technical assessment of UAS hardware/software to verify origin. * **Agency Heads:** * Authorized to grant case-by-case waivers, provided they obtain OMB approval and notify relevant Congressional committees. * **Federal Acquisition Security Council (FASC):** * Responsible for developing and maintaining the list of prohibited foreign entities.

← All Free ToolsGo back to previous tools page

Explore More Tools →

part40

Information Security and Supply Chain Security

FAR Part 40 establishes a centralized framework for managing information security and supply chain security risks across all federal acquisitions. Its primary i

Subparts

3 items

40.1 · Subpart 40.1 - [Reserved]

40.2 · Subpart 40.2 - Security Prohibitions and Exclusions

40.3 · Subpart 40.3 - [Reserved]

Overview

FAR Part 40 establishes a centralized framework for managing information security and supply chain security risks across all federal acquisitions. Its primary immediate focus is the implementation of the American Security Drone Act of 2023, which prohibits the procurement and operation of Unmanned Aircraft Systems (UAS) manufactured or assembled by specific foreign entities deemed a security risk.

Key Rules

The "Drone Ban": Executive agencies are prohibited from procuring UAS (drones) and associated elements manufactured or assembled by "American Security Drone Act-covered foreign entities."
Phased Implementation:
- Procurement: Prohibited immediately (includes exercising options or renewing contracts).
- Operation/Funding: Beginning December 22, 2025, agencies are prohibited from using federal funds to operate or procure services involving these prohibited systems.
Universal Applicability: These rules apply to all acquisitions, including those at or below the micro-purchase threshold ($10,000) and for commercial products or services.
The "SAM" List: Covered foreign entities are identified by the Federal Acquisition Security Council (FASC) and listed in the System for Award Management (SAM.gov).
Sunset Provision: The authorities and prohibitions under section 40.202 are currently scheduled to expire on December 22, 2028.
Mandatory Clause: Contracting Officers must insert the clause at 52.240-1 in all solicitations and contracts.

Responsibilities

Contracting Officers (COs):
- Must include FAR clause 52.240-1 in every solicitation and contract.
- Responsible for reviewing proposals to ensure contractors are not proposing prohibited UAS.
- Must document the contract file regarding any applicable exemptions, exceptions, or waivers.
- Starting Dec 2025, must expand proposal assessments to ensure prohibited drones are not used in the performance (operation) of the contract.
Program Managers / Requiring Activities:
- Identify the need for exemptions or waivers early in the acquisition planning phase.
- Work with the CO to ensure the scope of any exemption is clearly defined in the solicitation.
- Conduct the technical assessment of UAS hardware/software to verify origin.
Agency Heads:
- Authorized to grant case-by-case waivers, provided they obtain OMB approval and notify relevant Congressional committees.
Federal Acquisition Security Council (FASC):
- Responsible for developing and maintaining the list of prohibited foreign entities.

Practical Implications

Supply Chain Audits: Contractors providing drone-related services (e.g., aerial photography, site inspections, or delivery) must immediately audit their fleets. Even if a drone was legal to use last year, it may be prohibited for federal work now if the manufacturer is added to the SAM exclusion list.
No "De Minimis" Exception: Because the rule applies to micro-purchases, government employees cannot use purchase cards (GPC) to buy prohibited drones for "off-the-shelf" use.
The 2025 Operational Pivot: Companies providing "Services" that involve drones (where the government doesn't take ownership of the drone but pays for the data/service) have until late 2025 to transition their fleets to compliant hardware (e.g., "Blue UAS" or American-made alternatives).
Broad Scope of "Associated Elements": The prohibition isn't just the drone itself; it includes communication links and control components. This means a compliant drone using a prohibited ground control station or data-link software would still result in a violation.

Need help?

Get FAR guidance, audit prep support, and proposal insights from the AudCor team.

Talk to an expert