FAR 4.2—Subpart 4.2
Contents
- 4.201 Procedures.
FAR 4.201 explains how contracting officers must distribute signed contracts and contract modifications after execution. It covers the 10-working-day deadline, the minimum recipients for the initial contract copy, and additional distribution requirements when a contract is assigned to another office for administration, when funds from accounting and finance offices are cited, when the contract includes a Cost Accounting Standards (CAS) clause but is not otherwise assigned for administration, when audit services are needed, and when other organizations must perform contract administration support functions. In practice, this section ensures that the right offices receive the right documents quickly so payment, funding control, administration, audit, and oversight can begin without delay. It also helps maintain an accurate distribution trail for modifications, which is critical when multiple offices, funding sources, or manufacturing locations are involved. For contractors and government personnel alike, the rule is mainly about timely, complete, and properly targeted document distribution after award or modification execution.
- 4.202 Agency distribution requirements.
FAR 4.202 addresses agency distribution requirements for contract documents and related records. It has two main topics: first, agencies must keep any extra distribution requirements to the minimum needed to perform essential functions; second, when contract administration is assigned to a contract administration office in a different agency than the contracting office, the two agencies must agree on any additional distribution beyond the baseline distribution required by FAR 4.201. In practice, this section is about avoiding unnecessary paperwork and duplicate circulation while still making sure the right offices receive the information they need to administer the contract properly. It supports efficient internal controls, reduces administrative burden, and helps prevent confusion over who should receive copies of contract actions, modifications, and other records. For contractors, the rule matters because it can affect where documents are sent and which offices are involved in administration. For agencies, it creates a coordination requirement whenever administration crosses agency lines.
- 4.203 Taxpayer identification information.
FAR 4.203 explains how taxpayer identification information must be captured, documented, and passed to the payment office so the government can make proper payments and maintain accurate contractor records. It covers use of the contractor’s Taxpayer Identification Number (TIN) and type of organization information from solicitation representations, how to handle that information when it comes from another source, and what to do if the contractor provides it after award. The section also addresses special handling for Federal Supply Schedule orders and for basic ordering agreements and other indefinite-delivery contracts, including what information must be shared with other contracting officers and with the payment office. In practice, this rule is about making sure payment systems have the right contractor identity data, reducing payment errors, and ensuring consistency across awards and orders. It is primarily an administrative and data-transmittal requirement, but it has real operational importance because missing or late TIN information can delay payment processing or create mismatches in contractor records.
- 4.2001 Definitions.
FAR 4.2001 provides the definitions used in this subpart for identifying prohibited Kaspersky-related items and entities in federal contracting. It defines two key terms: “Kaspersky Lab covered article” and “Kaspersky Lab covered entity.” The first term is broad and captures hardware, software, or services that are developed or provided by a covered entity, developed or provided in whole or in part by a covered entity, or that contain components using hardware or software developed in whole or in part by a covered entity. The second term defines the universe of entities tied to Kaspersky Lab, including Kaspersky Lab itself, successor entities, entities under common control, and entities in which Kaspersky Lab holds majority ownership. In practice, these definitions are important because they determine what products, services, and corporate affiliates fall within the subpart’s restrictions and screening requirements. Contractors, subcontractors, and contracting personnel must use these definitions carefully when evaluating supply chains, software provenance, and vendor relationships to avoid procuring or using covered items.
- 4.2002 Prohibition.
FAR 4.2002 implements a statutory prohibition on the Government’s use of certain Kaspersky Lab products and on contractor use of those products in contract performance. It addresses two related topics: first, the Government may not use any hardware, software, or services developed or provided, in whole or in part, by a covered entity on or after October 1, 2018; second, contractors may not provide any Kaspersky Lab covered article that the Government will use on or after that date, and may not use any Kaspersky Lab covered article on or after that date when developing data or deliverables first produced under the contract. In practice, this section is a supply-chain and cybersecurity restriction that affects product selection, subcontracting, IT environments, and deliverable development. Its purpose is to prevent federal systems and contract outputs from relying on technology associated with a prohibited source. Contractors and contracting officers must therefore screen products and services carefully, confirm what will be used by the Government, and ensure contract performance environments are free of prohibited Kaspersky Lab articles where the rule applies.
- 4.2003 Notification.
FAR 4.2003 is a very short implementation instruction that tells contracting personnel what to do when a contractor gives the government a notification under FAR 52.204-23. In practical terms, this section does not create a new substantive reporting requirement; instead, it directs the agency to use its own internal procedures for handling the contractor’s notice. The topic covered is therefore the post-notification response process: receiving the notice, routing it through the agency’s established channels, and taking whatever follow-up actions the agency procedures require. Its purpose is to ensure consistency, accountability, and proper internal coordination when a contractor reports an event or condition covered by the clause. For contractors, the key significance is that the notification is not the end of the matter; it triggers agency-specific handling that may affect contract administration, security, compliance, or other follow-up actions depending on the agency’s procedures.
- 4.2004 Contract clause.
FAR 4.2004 is a mandatory prescription for using a specific contract clause that implements the government’s prohibition on acquiring certain hardware, software, and services associated with Kaspersky Lab covered entities. In practical terms, it tells contracting officers that the clause at FAR 52.204-23 must be included in every solicitation and every contract, without exception based on dollar value, contract type, or competition method unless another FAR provision specifically overrides it. The section is narrow but important: it is not itself the substantive prohibition, but the instruction to insert the clause that carries the prohibition into the procurement instrument. For contractors, this means the restriction is embedded in the solicitation and contract from the outset, so they must review their supply chain, software, and service offerings for any Kaspersky-related content or origin issues before bidding or performance. For agencies, it ensures uniform implementation of the government-wide restriction and reduces the risk of inadvertently awarding work that includes prohibited products or services. In practice, this section matters because failure to include the clause can create compliance, performance, and enforcement problems later in the acquisition lifecycle.
- 4.2100 Scope of subpart.
FAR 4.2100 is a short scope provision that tells readers what this subpart is for: it implements paragraphs (a)(1)(A) and (a)(1)(B) of section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019. In practical terms, this means the subpart is part of the government’s supply-chain security framework and is aimed at restricting the federal government’s acquisition and use of certain covered telecommunications equipment and services. The section itself does not create the detailed prohibitions or procedures; instead, it identifies the statutory authority and signals that the subpart contains the rules contractors and contracting officers must follow. For contractors, this matters because compliance obligations in this area can affect representations, certifications, proposal preparation, subcontracting, and performance. For contracting officers and agencies, it establishes the legal basis for enforcing section 889-related restrictions in solicitations, awards, and contract administration.
- 4.2101 Definitions.
FAR 4.2101 is the definitions section for the telecommunications supply-chain restrictions in this subpart, so it establishes the meaning of the terms that control when the government’s covered-telecom rules apply. It defines backhaul, covered foreign country, covered telecommunications equipment or services, critical technology, interconnection arrangements, reasonable inquiry, roaming, and substantial or essential component. These definitions matter because they determine what products, services, network relationships, and supplier sources are in scope for representation, disclosure, and compliance obligations elsewhere in the FAR. In practice, contractors and contracting officers use these terms to identify prohibited or high-risk telecom and video surveillance items, assess whether a supplier relationship triggers the rule, and decide what level of inquiry is required before certifying compliance. The section is especially important for firms that buy, integrate, resell, install, or operate telecommunications, network, cybersecurity, surveillance, or critical-technology systems, because the definitions are broad enough to capture both direct equipment purchases and services that use covered equipment. It also frames the compliance standard by clarifying that a reasonable inquiry is required, but not a full internal or third-party audit.
- 4.2102 Prohibition.
FAR 4.2102 establishes the government-wide prohibition on buying from, or contracting with, entities that use covered telecommunications equipment or services in certain ways. It covers two separate prohibition dates: first, agencies may not procure or obtain equipment, systems, or services that use covered telecommunications equipment or services as a substantial or essential component or as critical technology in a system; second, agencies may not enter into, extend, or renew a contract with an entity that uses such equipment, systems, or services anywhere in its operations, even if the use is not in performance of the federal contract. The section also identifies two narrow exceptions: certain third-party connectivity services such as backhaul, roaming, or interconnection arrangements, and telecommunications equipment that cannot route, redirect, or inspect user data traffic. In addition, it ties the prohibition to contracting officer actions, including option exercises and other renewals, and explains that the relevant prohibitions are recorded in SAM, including special recording by DoD for certain entities identified under the definition of covered telecommunications equipment or services. In practice, this section is a key supply-chain and responsibility-screening rule: it requires agencies and contracting officers to avoid prohibited procurements and prohibited contractor relationships, and it requires contractors to understand that the restriction can apply based on their broader use of covered equipment or services, not just the specific contract being performed.
- 4.2103 Procedures.
FAR 4.2103 explains the procedures contracting officers use when an offeror or contractor makes certain representations or reports related to prohibited telecommunications and video surveillance equipment and services. It covers how to handle “does not” and “does” answers in the representations at 52.204-26 and 52.212-3, when a contracting officer may rely on those answers, when the officer must follow agency procedures because there is reason to question them, and when additional representations or disclosures are required under 52.204-24. It also addresses what to do when a contractor submits a report under the clause at 52.204-25. In practice, this section is about screening, escalation, and documentation: the contracting officer can often accept a negative representation at face value, but affirmative answers trigger further required disclosures and agency review. The rule helps agencies identify supply chain and ownership risks tied to covered telecommunications and video surveillance equipment and ensure the government does not contract in violation of the prohibition. It also creates a clear workflow for contracting officers so they know when to rely on the offeror’s statement and when to route the matter through agency-specific procedures.
- 4.2104 Waivers.
FAR 4.2104 explains when and how the government may waive the prohibitions in FAR 4.2102(a) on covered telecommunications equipment or services, including both the general waiver authority and the special rules for emergency acquisitions. It covers who may grant a waiver, the one-time nature of the executive agency waiver, the time limits tied to the two separate prohibitions in 4.2102(a)(1) and (a)(2), and the required showing of compelling justification, full and complete supply-chain laydown, and phase-out plan. It also addresses the extra prerequisites for waivers of 4.2102(a)(2), including designation of a senior agency official for supply chain risk management, participation in an information-sharing environment, and notice and consultation with ODNI and the Federal Acquisition Security Council. The section further sets out emergency waiver procedures when prior notice and consultation are impracticable, along with post-award notification requirements. Finally, it requires congressional notification for approved waivers and recognizes separate waiver authority for the Director of National Intelligence when the waiver is in the national security interests of the United States. In practice, this section is about tightly controlling exceptions to the telecom/video surveillance equipment prohibitions, documenting the risk, and ensuring senior-level and interagency oversight before the government proceeds.
- 4.2105 Solicitation provisions and contract clause.
FAR 4.2105 tells contracting officers exactly when to include the government’s telecommunications and video surveillance screening provisions and prohibition clause in solicitations, orders, and contracts. It covers three related requirements: the representation at 52.204-24, the prohibition clause at 52.204-25, and the representation at 52.204-26. In practice, this section is part of the government’s supply-chain security controls and is designed to identify and block certain covered telecommunications and video surveillance services or equipment from being acquired or used in federal contracts. It applies broadly to solicitations for contracts, to notices of intent to place orders and order solicitations under indefinite-delivery contracts, and to all solicitations and contracts for the clause. For contractors, it means these representations and restrictions are not optional boilerplate; they can affect eligibility, proposal content, and compliance obligations. For contracting officers, it creates a mandatory insertion rule with no discretion to omit the required text when the section applies.
- 4.2201 Definitions.
FAR 4.2201 provides the definitions used in this subpart, and it does two important things: it defines the term “covered application” and it incorporates the statutory definition of “information technology” from 40 U.S.C. 11101(6). In practice, these definitions determine when the subpart’s restrictions or requirements apply, especially in connection with the use of TikTok and related ByteDance applications and with federal agency use of information technology. The “covered application” definition is intentionally broad enough to include TikTok and any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited. The “information technology” definition is also broad, covering equipment and interconnected systems used to acquire, store, process, transmit, or manage data, and it expressly includes computers, peripherals, software, firmware, and related services. At the same time, the definition excludes equipment a Federal contractor acquires merely incidentally to a Federal contract, which helps limit the reach of the term to IT actually used in contract performance or agency operations. These definitions matter because they set the scope for compliance, acquisition planning, contract administration, and contractor internal controls whenever this subpart is implicated.
- 4.2202 Prohibition.
FAR 4.2202 states the basic prohibition on TikTok and other covered applications in the federal contracting context. It ties together the statutory ban in section 102 of Division R of the Consolidated Appropriations Act, 2023, the No TikTok on Government Devices Act, and OMB Memorandum M-23-13, and explains that the ban is not limited to government-owned devices. The section covers the presence or use of a covered application on information technology owned or managed by the Government, as well as on information technology used or provided by a contractor under a contract, including contractor-furnished equipment and employee-owned equipment used for contract performance. It also recognizes that an exception may be granted under OMB’s implementing guidance, so the rule is a prohibition unless a valid exception applies. In practice, this section matters because contractors must control what apps are installed or used on devices that touch federal work, and contracting officers and agencies must understand that the restriction can reach contractor devices when they are used for contract performance.
- 4.2203 Contract clause.
FAR 4.2203 is a simple but mandatory contract-clause prescription tied to the federal government’s restrictions on ByteDance covered applications, including TikTok and related applications identified by the government. This section tells contracting officers when they must insert FAR clause 52.204-27, Prohibition on a ByteDance Covered Application, into solicitations and contracts, and it also points to the only stated relief from that requirement: an exception granted under OMB Memorandum M-23-13. In practice, the rule is about ensuring the government’s cybersecurity, data protection, and supply-chain risk policies are reflected in procurement documents from the outset. It matters because the clause creates enforceable contractual obligations and notice to offerors and contractors that use of covered applications may be restricted or prohibited in connection with federal work. For contractors, this means they must review solicitation and contract terms carefully and ensure their internal IT, communications, and device-use practices do not conflict with the clause or any approved exception. For contracting officers, it means the clause is not optional unless a valid exception exists, and the exception must be grounded in the OMB memorandum rather than informal judgment.
- 4.2300 Scope of subpart.
FAR 4.2300 is a scope statement, so it does not create detailed operating procedures by itself; instead, it tells readers what this subpart is for and how long its authority lasts. Specifically, it says the subpart implements the Federal Acquisition Supply Chain Security Act of 2018 (FASCSA), which is the statutory framework for federal supply chain security actions, and it also implements the Federal Acquisition Security Council (FASC) regulation at 41 CFR part 201-1. In practical terms, this means the subpart is the FAR’s bridge between procurement policy and the governmentwide supply chain security regime used to address risks from products, services, and sources that may threaten federal information systems or operations. The section also establishes a sunset date for the authority in this subpart—December 31, 2033—by cross-referencing 41 U.S.C. 1328, which matters because agencies and contractors must know that the authority is time-limited unless extended by law. For contracting officers, contractors, and acquisition personnel, this section signals that the subpart should be read together with the FASCSA statute and the FASC regulations, and that any actions taken under this subpart must fit within that broader legal framework.
- 4.2301 Definitions.
FAR 4.2301 is the definitions section for the Federal Acquisition Supply Chain Security Act (FASCSA) framework in the FAR. It tells contracting officers, contractors, and agency personnel exactly what counts as a covered article, what a FASCSA order is, who can issue those orders (DHS, DoD, or DNI depending on the affected community), what the Federal Acquisition Security Council is, and how key national-security terms are used, including intelligence community, national security system, sensitive compartmented information, and sensitive compartmented information system. It also defines source, reasonable inquiry, supply chain risk, and supply chain risk information, which are central to identifying and responding to supply-chain threats in procurement and in agency information systems. In practice, these definitions determine when special supply-chain restrictions apply, what products or services may be removed or excluded, and how much diligence a contractor or agency must perform when a FASCSA order is in play. Because the definitions are broad and cross-reference multiple statutes and regulations, they are the foundation for compliance decisions, solicitation screening, contract performance, and system security actions.
- 4.2302 Sharing supply chain risk information.
FAR 4.2302 explains how executive agencies must share supply chain risk information with the Federal Acquisition Security Council (FASC) when there is a reasonable basis to conclude that a substantial supply chain risk exists for a source or a covered article. The section ties the FAR to the FASC framework in 41 CFR 201–1.201 and makes clear that the trigger for sharing is an agency determination that the risk is substantial and supported by a reasonable basis. It also assigns a practical role to the contracting officer, who must coordinate with the program office or requiring activity under agency procedures to ensure relevant information about actual or potential supply chain risk identified during the procurement process is shared appropriately. In practice, this section is about moving risk information out of the acquisition process and into the governmentwide security-sharing process so agencies can help prevent risky sources or covered articles from entering or remaining in the supply chain. It matters because supply chain risk can affect mission assurance, cybersecurity, product integrity, and national security, and the rule is designed to ensure that relevant risk information is not siloed within a single procurement. For contractors, the section signals that supply chain concerns identified during source selection, evaluation, or contract administration may be elevated beyond the individual acquisition. For contracting officers and program offices, it creates a coordination and reporting obligation that must be handled consistently with agency procedures and the FASC information-sharing framework.
- 4.2303 FASCSA orders.
FAR 4.2303 explains how Federal Acquisition Supply Chain Security Act (FASCSA) orders affect federal buying. It covers the basic prohibition on procuring, obtaining, extending, or renewing contracts for covered articles, or for products and services from prohibited sources, when an applicable FASCSA order has been issued by the Director of National Intelligence, the Secretary of Defense, or the Secretary of Homeland Security. It also addresses how governmentwide FASCSA orders are implemented in Federal Supply Schedules, Governmentwide Acquisition Contracts, and multi-agency contracts by removing covered articles or sources from those vehicles. Finally, it explains where contracting personnel find FASCSA orders, including in SAM, and notes that some orders may not appear in SAM and must instead be identified in the solicitation to be effective for a particular acquisition. In practice, this section is a screening and implementation rule: it requires agencies and contracting officers to check for applicable supply chain restrictions before award, extension, or renewal, and to coordinate with program offices to make sure the solicitation and contract reflect any applicable order.
- 4.2304 Procedures.
FAR 4.2304 explains the procedures contracting officers must use to identify, apply, update, and document Federal Acquisition Supply Chain Security Act (FASCSA) orders in acquisitions. It covers how to determine which FASCSA orders apply based on the agency, funding source, and type of acquisition; how to handle Federal Supply Schedules, GWACs, and multi-agency contracts at either the contract level or order level; how to deal with collective orders issued by DHS, DoD, and the Director of National Intelligence; how to resolve interagency acquisition questions and inconsistencies between a basic contract and an order; and how to update solicitations or contracts when new orders are issued. It also addresses agency-specific procedures for orders not listed in SAM, offeror disclosures, waiver handling including partial waivers, and reporting by contractors. In practice, this section is the operational roadmap for making sure supply chain security restrictions are correctly flowed into solicitations, contracts, and orders, and that prohibited sources or covered articles are identified and removed when required. It matters because failure to apply the right order, update the contract on time, or document exceptions can create compliance gaps, award delays, or the need to modify existing contracts after award.
- 4.2305 Waivers.
FAR 4.2305 explains how an executive agency can seek a waiver from a Federal Acquisition Supply Chain Security Act (FASCSA) order, either for the agency as a whole, for specific actions or classes of acquisitions, for a temporary period before compliance is practicable, or for other identified activities. It also tells agencies how to submit the waiver request, what information the request must contain, and who within the acquisition process must decide whether to pursue a waiver or instead make award to an offeror that does not trigger the order. In practice, this section is the formal exception process for situations where a FASCSA order would otherwise block or restrict an acquisition, but the agency believes mission needs, national interest, or other compelling reasons justify relief. It matters because a waiver is not automatic: the agency must build a written, well-supported case and obtain written approval from the issuing official before award can proceed if the waiver path is chosen. The section therefore connects supply chain security enforcement with mission continuity and acquisition planning, ensuring agencies can seek relief while still documenting risk and mitigation.
- 4.2306 Solicitation provision and contract clauses.
FAR 4.2306 tells contracting officers exactly which solicitation provisions and contract clauses to include when applying Federal Acquisition Supply Chain Security Act (FASCSA) orders. It covers three related instruments: the clause at 52.204-28 for Federal Supply Schedules (FSS), Governmentwide acquisition contracts (GWACs), and multi-agency contracts (MACs) when FASCSA orders are applied at the order level; the provision at 52.204-29 for contractor representations and disclosures; and the clause at 52.204-30, including Alternates I and II, for prohibitions tied to FASCSA orders. The section also distinguishes between acquisitions where FASCSA orders are applied at the contract level versus the order level, and between ordinary solicitations and RFQs or notices of intent to place an order. In practice, this is a prescription section: it does not create the security restrictions itself, but tells the contracting officer how to flow them into the solicitation and contract structure so the government can identify covered products, obtain required representations, and enforce prohibitions. For contractors, it signals when they must make disclosures or comply with order-based restrictions; for contracting officers, it is a checklist for selecting the correct clause version and placing it in the correct document at the correct stage.