FAR 4.2302—Sharing supply chain risk information.
Plain-English Summary
FAR 4.2302 explains how executive agencies must share supply chain risk information with the Federal Acquisition Security Council (FASC) when there is a reasonable basis to conclude that a substantial supply chain risk exists for a source or a covered article. The section ties the FAR to the FASC framework in 41 CFR 201–1.201 and makes clear that the trigger for sharing is an agency determination that the risk is substantial and supported by a reasonable basis. It also assigns a practical role to the contracting officer, who must coordinate with the program office or requiring activity under agency procedures to ensure relevant information about actual or potential supply chain risk identified during the procurement process is shared appropriately. In practice, this section is about moving risk information out of the acquisition process and into the governmentwide security-sharing process so agencies can help prevent risky sources or covered articles from entering or remaining in the supply chain. It matters because supply chain risk can affect mission assurance, cybersecurity, product integrity, and national security, and the rule is designed to ensure that relevant risk information is not siloed within a single procurement. For contractors, the section signals that supply chain concerns identified during source selection, evaluation, or contract administration may be elevated beyond the individual acquisition. For contracting officers and program offices, it creates a coordination and reporting obligation that must be handled consistently with agency procedures and the FASC information-sharing framework.
Key Rules
Share when substantial risk exists
Executive agencies must share relevant supply chain risk information with the FASC when the agency has determined there is a reasonable basis to conclude that a substantial supply chain risk exists for a source or covered article. The rule is triggered by the agency’s risk determination, not by a formal enforcement action or contract award decision.
Use the FASC framework
The sharing requirement is tied to 41 CFR 201–1.201, which provides the governing framework for FASC-related supply chain risk information sharing. Agencies should follow that framework when deciding what information is relevant and how it should be transmitted.
Contracting officer coordination required
The contracting officer must work with the program office or requiring activity to support information sharing. This means the contracting officer is not acting alone; the acquisition team must coordinate to identify and package relevant information in accordance with agency procedures.
Share actual or potential risk information
The information to be shared includes relevant information on actual or potential supply chain risk determined during the procurement process. The rule is broad enough to cover risks identified before award, during evaluation, or through other procurement-related activities.
Follow agency procedures
The contracting officer’s coordination and the agency’s sharing of information must be done in accordance with agency procedures. Agencies may have internal thresholds, review steps, approval channels, or documentation requirements that govern how risk information is escalated and shared.
Responsibilities
Executive Agency
Determine whether there is a reasonable basis to conclude that a substantial supply chain risk exists for a source or covered article, and share relevant supply chain risk information with the FASC when that threshold is met.
Contracting Officer
Work with the program office or requiring activity to identify and share relevant information on actual or potential supply chain risk discovered during the procurement process, following agency procedures.
Program Office or Requiring Activity
Provide technical, operational, or mission-related information needed to assess supply chain risk and support the contracting officer in identifying relevant facts for sharing.
FASC
Receive supply chain risk information from executive agencies for governmentwide coordination and use under the applicable FASC information-sharing framework.
Agency Acquisition/Policy Officials
Establish and administer internal procedures for identifying, reviewing, documenting, and sharing supply chain risk information consistent with FAR and 41 CFR requirements.
Practical Implications
This section requires early coordination between contracting, program, security, and technical personnel when supply chain concerns arise, rather than waiting until after award or after a problem becomes severe.
A common pitfall is treating supply chain risk as only a cybersecurity issue; the rule applies broadly to sources and covered articles and can include manufacturing, provenance, integrity, and other supply chain concerns.
Contracting officers should document the basis for the risk determination and the information shared, because agency procedures will often require a clear record of what was known, when it was known, and why it was relevant.
Contractors may not be directly notified by this section, but information identified in the procurement process can affect eligibility, evaluation, award decisions, or later contract administration if the risk is escalated.
The practical goal is to prevent risky sources or covered articles from moving through the acquisition system without governmentwide awareness, so agencies should have a repeatable process for escalation and information sharing.
Official Regulatory Text
(a) Executive agencies are required to share relevant supply chain risk information with the FASC if the executive agency has determined there is a reasonable basis to conclude a substantial supply chain risk associated with a source or covered article exists (see 41 CFR 201–1.201 ). (b) In support of information sharing described in paragraph (a) of this section, the contracting officer shall work with the program office or requiring activity in accordance with agency procedures regarding the sharing of relevant information on actual or potential supply chain risk determined to exist during the procurement process.