FAR Council Proposes Consolidated Part 40 Framework for Security and Supply Chain Compliance
On June 23, 2026, the Federal Acquisition Regulatory Council (FAR Council) issued a proposed rule (FAR Case 2026-001) as part of the formal rulemaking phase of the Revolutionary FAR Overhaul (RFO), which includes significant changes to security and supply chain requirements in FAR Part 40 and the related Part 52 provisions and clauses. See here for our overview of all four proposed rules the FAR Council released to start the formal rulemaking process for the RFO. As we previously noted, comments on the proposed rules are due July 23, 2026.
The proposed rule retains the RFO class deviation’s reorganization of FAR Part 40 into three subparts: FAR 40.1, Processing Supply Chain Risk Information; FAR 40.2, Security Prohibitions and Exclusions; and FAR 40.3, Safeguarding Information. Proposed FAR 40.1 would require executive agencies to share relevant supply chain risk information with the Federal Acquisition Security Council when the agencies determine there is a reasonable basis to conclude that a substantial supply chain risk associated with a source or covered article exists. Proposed FAR 40.2 would be the main consolidation point for the security and supply chain restrictions currently spread across FAR Parts 4, 25, and 40. Contractors still would need to analyze each regime separately, but the starting point would shift from dispersed provisions and clauses to this consolidated Part 40 structure. Proposed FAR 40.3 would collect requirements for classified information, covered federal information, and controlled unclassified information (CUI). (We will address the proposed rule’s revisions to FAR Subpart 40.3 in a separate alert.)
The proposed rule continues the consolidation of existing content from FAR Parts 4, 25, and 40. Similar to the class deviation, five existing solicitation provisions (addressing Section 889, Federal Acquisition Supply Chain Security Act (FASCSA) orders, restrictions on business operations in Sudan, and restrictions on activities and transactions related to Iran) would move into proposed FAR 52.240-2, and seven existing contract clauses (addressing prohibitions related to Kaspersky Labs, Section 889 telecommunications equipment and services, ByteDance applications, FASCSA orders, foreign suppliers subject to U.S. sanctions, and foreign suppliers of unmanned aircraft systems) would move into proposed FAR 52.240-3. According to the FAR Council, this consolidation is intended to make the relationship among current prohibitions clearer for contractors and the acquisition workforce. It also would change how several requirements are defined, implemented, and reported.
The proposed rule also incorporates several prior FAR cases and proposed or interim FAR rulemakings. Those include the Section 889 interim rules, the FASCSA proposed rule, the TikTok and ByteDance interim rule, and the American Security Drone Act interim rule. The FAR Council states that it reviewed and considered the public comments on those prior rules when drafting the current proposed rule.
WHAT DOES IT MEAN FOR INDUSTRY
The proposed rule would make FAR Part 40 the primary location for many security and supply chain compliance requirements. It would also change how contractors provide several representations as well as the timing for certain disclosures and reports to the Government. Substantively, the proposed rule would revise some Section 889 terminology and clarify that certain activities do not constitute “use” of covered telecommunications equipment or services. It also would establish a covered procurement action framework for agency-specific supply chain exclusions. The FAR Council identifies several changes intended to reduce burden and address comments on prior rulemakings, including a harmonized reasonable inquiry standard for all prohibitions in proposed FAR 52.240-2 and 52.240-3 and a standard 72-hour disclosure and reporting timeframe for those prohibitions.
Proposed FAR 52.240-2 would implement the offeror representations associated with FAR subpart 40.2. Rather than making separate, affirmative representations of compliance in the System for Award Management (SAM), as contractors do now, by submission of an offer, contractors would represent that they comply with the prohibitions related to Section 889, FASCSA orders, Sudan, Iran, and any covered procurement actions, unless a specific disclosure accompanies the offer. These representations would be based on the contractor’s “reasonable inquiry,” defined as encompassing accessible information in the offeror’s possession but not including an internal or third-party audit. If an offeror cannot represent compliance, it would have to disclose the issue within 72 hours and identify the affected prohibition, product or service, producing entity, and relevant functionality. Later-discovered required information also would have to be disclosed within 72 hours of discovery.
Proposed FAR 52.240-3 would implement the contract performance prohibitions in FAR subpart 40.2 and consolidate restrictions that now appear in seven separate contract clauses. The consolidated clause would be easier to locate, but not necessarily easier to apply. The Section 889 prohibition would retain the distinction between providing covered telecommunications equipment or services (Section 889 Part A) and using such equipment or services (Section 889 Part B).
The proposed rule addresses comments on the Section 889 interim rules by updating or adding several defined terms and clarifying the scope of exceptions and contractor “use”:
- The definition of “covered telecommunications equipment or services” would be revised to clarify that “produced” means manufactured, designed, developed, or licensed intellectual property. That clarification would be incorporated in proposed FAR 40.201 and proposed FAR 52.240-3.
- The definition of “critical technology” would be revised to mean a technology in whose absence a system cannot adequately operate or function, which is significantly different from the current definition that references export control laws that apply to a limited set of advanced technologies such as AI, quantum computing, surveillance, etc. That change would appear in proposed FAR 52.240-3(a).
- The proposed rule would add definitions for “system,” “telecommunications equipment,” “telecommunications services,” “video surveillance equipment,” and “video surveillance services.” These definitions are intended to align with the DFARS definition of telecommunications.
- The proposed rule would clarify the scope of the existing Section 889 prohibition exceptions, including further explanation of equipment that does not have the capability to route or redirect user data traffic, in proposed FAR 52.240-3(b)(3).
For the purposes of the Section 889 use prohibition, the proposed rule would state that commercial sales, maintenance, testing services, warranty services, and an employee’s use of personal equipment are not individually considered use of covered telecommunications equipment or services.
The proposed rule would also implement the American Security Drone Act within the consolidated FAR 52.240-3 clause, rather than leaving the unmanned aircraft systems prohibition in a standalone FAR clause. As proposed, contractors would need to account for both the prohibited foreign-entity list and the updated definition of unmanned aircraft system when reviewing drone-related products and performance activities.
- Proposed FAR 40.201 would define “American Security Drone Act-covered foreign entity” by reference to the list developed and maintained by the Federal Acquisition Security Council (FASC) and published in SAM.
- Proposed FAR 40.201 and FAR 52.240-3 would define “unmanned aircraft” by reference to 49 U.S.C. § 44801(11).
- The proposed definition of “unmanned aircraft system” would include the unmanned aircraft and associated elements required for safe and efficient operation in the national airspace system, and would point to 41 C.F.R. § 201-1.101 for the associated elements identified by the FASC.
- Proposed FAR 52.240-3 would prohibit delivery of a FASC-prohibited unmanned aircraft system. As required by the American Security Drone Act, for contract performance on or after December 22, 2025, it would also prohibit operating such a system in contract performance or using federal funds to procure or operate one, unless an exemption, exception, or waiver applies.
Proposed FAR 52.240-2 and FAR 52.240-3 would apply to commercial product, commercial service, and COTS acquisitions. Proposed FAR 52.240-3 would flow down to commercial product, commercial service, and COTS subcontracts but proposed FAR 52.240-3(k) would exclude two prime-level obligations from that flowdown: the FAR 52.240-3(d)(1) Section 889 use prohibition barring use of covered telecommunications equipment or services, and the FAR 52.240-3(j)(1) obligation to conduct quarterly reviews of SAM for new FASCSA exclusion orders.
The practical impacts of the proposed rule would be felt in proposal review, supplier screening, internal escalation, and subcontract flowdown. Proposal teams would need to confirm which proposed FAR 52.240-2 representations apply, determine whether covered products, services, or sources are implicated, and prepare any required disclosures within the proposed 72-hour timeframe. Prime contractors also would need to update supplier-screening and subcontract procedures for the consolidated FAR 52.240-3 clause, particularly where prohibited products may be embedded in larger systems or services.
Wiley’s Government Contracts Practice has followed the FAR and DFARS overhaul closely on its FAR and DFARS overhaul site and will continue to monitor and report on this second phase of the FAR overhaul process. Wiley’s Telecommunications, Media and Technology and National Security practices also regularly advise clients on issues related to unmanned aircraft systems, U.S. sanctions, and related supply chain restrictions.
Authors
Partner
Partner
Partner
Partner
Of Counsel
Associate
