First FASC Order Could Broadly Impact ICT Supply Chains and National Security in Federal Systems
WHAT: The Director of National Intelligence (DNI), as recommended by the Federal Acquisition Security Council (FASC), issued the first order under the Federal Acquisition Supply Chain Security Act (FASCSA or Act). The order is a removal and exclusion order against Acronis AG and all subordinate, subsidiary, or affiliated organizations doing business under various names in support of Acronis (collectively, Acronis). It (1) excludes Acronis from all Intelligence Community (IC) procurement actions, and (2) orders the removal of covered articles provided by Acronis from information systems applicable to the IC and sensitive compartmented information systems.
On September 18, the General Services Administration (GSA) also announced that in response to the Acronis Order, it had removed Acronis products and services from GSA Advantage and would be issuing contract modifications to remove all Acronis products and services from GSA Multiple Award Schedule (MAS) contracts pursuant to FAR 52.204-30 Alternate I.
WHEN: Although the order was issued on September 15, 2025, the “active date” is listed as July 11, 2025. It is effective immediately.
WHAT DOES IT MEAN FOR INDUSTRY: For contractors serving the IC and sensitive compartmented information systems with contracts that include FAR 52.204-30, this order could require immediate action. Under the FAR clause, those contractors must conduct a reasonable inquiry to identify whether Acronis products or services were provided to the Government or used during contract performance, including by a subcontractor, and provide a report to the Government within three business days of identifying such products or services. Agencies may also modify contracts to incorporate the Acronis Order, which would require contractors to halt use of and remove any Acronis products and services on affected contracts. Contractors also may not provide to the Government or use any Acronis products and services on IC contracts or government-wide acquisition contracts in the future. The Acronis Order also may result in the addition of Acronis to the FCC’s Covered List, as further explained below.
BACKGROUND
FASCSA is designed to coordinate government efforts to protect the information and communications technology (ICT) supply chain, including by improving information sharing and coordinating actions to protect the supply chain. The Act created the FASC, an Executive branch interagency council, chaired by a senior-level official from the Office of Management and Budget and including representatives from the General Services Administration, Department of Homeland Security (DHS), Office of the Director of National Intelligence, and the Departments of Justice, Defense, and Commerce. The FASC is authorized to perform a variety of functions, including making recommendations for orders that would require the removal of covered ICT articles from Executive agency information systems or the exclusion of sources or covered articles from Executive agency procurement actions.
FASC’s recommendations for exclusion and removal orders are intended to reduce federal government supply chain risk, such as the risk of surveillance, denial, disruption, or manipulation of covered technology or information stored or transmitted by covered technology. FASC’s recommendations for exclusion and removal are sent to the Secretaries of DHS and Defense, and the Director of National Intelligence, who may then issue the order for removal or exclusion for the information systems under their respective authorities. Contractors are required under FAR 52.204-30 to monitor the FASCSA orders website here for new orders at least every three months.
THE SEPTEMBER 15 ACRONIS ORDER
On September 15, 2025, the SAM.gov “Supply Chain Security Orders” website was updated and Acronis AG was added to the SAM excluded entities list. Both entries include the following Comments:
FASCSA Order – Acronis and all subordinate, subsidiary, or affiliated organizations doing business under various names in support of the parent company, Acronis AG (Acronis), that the DNI has issued an order to exclude Acronis from all Intelligence Community (IC) Executive agency procurement actions. It further orders the removal of covered articles provided by Acronis from information systems applicable to the IC and sensitive compartmented information systems. This order was issued pursuant to the Federal Acquisition Supply Chain Security Act of 2018, Pub. L. No. 115-390, title II; codified at 41 U.S.C. §§ 1321-1328. The basis for this order pertains to information as was relayed to Acronis in the Notice to Source document.
Additional information is available in an Announcement on the NRO JWICS Acquisition Research Center Dashboard, search Acronis.
The order does not include a justification for the removal and exclusion.
KEY TAKEAWAYS FOR INDUSTRY
Next Steps for Governments Contractors. Contractors serving the IC and sensitive compartmented information systems with contracts that include FAR 52.204-30 are bound by this FASCSA order. Those contractors must immediately conduct a reasonable inquiry to identify whether Acronis products or services were provided to the Government or used during contract performance. This inquiry must include information from subcontractors at any tier. If the inquiry identifies Acronis products or services, the contractor must notify the Government within three business days and provide information such as the affected contract(s), make and model of the product or service, and any mitigation actions taken or recommended. Additional reports are due within 10 business days of the original report to the Government. Contractors also may not provide to the Government or use any Acronis products and services on IC contracts or government-wide acquisition contracts in the future. Agencies may also modify contracts or amend solicitations to incorporate the Acronis Order.
Consistent with FAR 52.204-30, GSA directed MAS contractors to review their MAS contracts and catalogs to ensure no Acronis products or services are sold or used in performance of a contract, submit a report to the Government if any Acronis products or services were previously provided to the Government or used in performance of a MAS contract, and ensure subcontractor compliance with these requirements. GSA has stated that it intends to modify MAS contracts to require removal of Acronis products and services.
Potential Inclusion on the FCC’s Covered List. The Acronis Order may result in the addition of Acronis to the FCC’s Covered List, given that the Acronis Order was issued by the DNI based on the FASC’s recommendation, and both the FASC and DNI are included in the four sources from which the FCC must draw for Covered List updates.
Accordingly, to the extent the FCC considers Acronis products or services to be “communications equipment and services,” it could issue a Public Notice announcing Acronis’ addition to the Covered List (see, e.g., the FCC’s Kaspersky Public Notice). Alternatively, the FCC may seek public comment prior to updating the Covered List (see, e.g., the FCC’s Connected Vehicle Public Notice).
Wiley’s cross-disciplinary Government Contracts, National Security, and Telecom, Media & Technology teams will continue to monitor these developments and advise clients on compliance issues related to the Acronis Order and future FASCSA Orders.
