FAR 52.204-28—Federal Acquisition Supply Chain Security Act Orders—Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts.
Plain-English Summary
FAR 52.204-28 implements the Federal Acquisition Supply Chain Security Act (FASCSA) framework for orders placed under Federal Supply Schedules, Governmentwide Acquisition Contracts (GWACs), and Multi-Agency Contracts (MACs). It tells contractors when they must comply with applicable FASCSA orders, how those orders are identified in schedule and task-order buying, and what happens if the government directs removal of a covered article or a product or service from a prohibited source. The clause also defines the key terms needed to apply the rule, including covered article, FASCSA order, source, intelligence community, national security system, sensitive compartmented information, and sensitive compartmented information system. In practice, this clause is a supply-chain security control: it allows the government to exclude risky products or suppliers and to require prompt remediation during performance. For contractors, the main significance is that compliance obligations can arise after award and may require rapid substitution, reconfiguration, or sourcing changes. For contracting officers, the clause provides the contractual mechanism to flow FASCSA order requirements into schedule, GWAC, and MAC ordering actions and to direct removal when an applicable governmentwide order exists.
Key Rules
Broad definition of covered article
The clause treats a wide range of items as covered articles, including IT and cloud services, telecommunications equipment and services, CUI-related processing on federal or non-federal systems, and hardware, systems, devices, software, or services with embedded or incidental IT. This broad scope means supply-chain restrictions can apply even when the IT component is not the primary purpose of the item or service.
Three types of FASCSA orders
The clause recognizes DHS, DoD, and DNI FASCSA orders, each tied to different agency or mission environments. DHS orders generally apply to civilian agencies, DoD orders apply to DoD and most national security systems, and DNI orders apply to the intelligence community and sensitive compartmented information systems, subject to the stated exceptions.
Orders may be identified at ordering stage
For schedule, GWAC, and MAC buys, the applicable FASCSA order(s) must be identified in the RFQ or in the notice of intent to place an order. This gives offerors and contractors notice of the supply-chain restrictions before the order is placed and helps ensure the ordering activity uses the correct security requirements.
Compliance during performance
Once performance begins, the contractor must comply with any applicable DHS, DoD, or DNI FASCSA orders that apply to the contract performance. The obligation is ongoing, not limited to award or initial delivery, so contractors must monitor for new or changed orders throughout performance.
Prompt removal when directed
If the contracting officer notifies the contractor that a governmentwide FASCSA order applies, the contractor must promptly make the necessary changes or modifications to remove the covered article or the product or service from the prohibited source. This can require replacement, substitution, or other corrective action without undue delay.
Governmentwide order linkage
The clause ties removal obligations to an applicable governmentwide FASCSA order as referenced in FAR 4.2303(b). That means the contractor’s duty to remove is triggered by the government’s formal supply-chain security determination, not by the contractor’s independent judgment alone.
Responsibilities
Contracting Officer
Identify the applicable FASCSA order(s) in the RFQ or notice of intent to place an order, notify the contractor when removal action is required, and ensure the ordering action reflects the correct supply-chain security restrictions.
Contractor
Comply during performance with any applicable DHS, DoD, or DNI FASCSA orders, monitor supply-chain sources and covered articles for compliance, and promptly remove or replace any covered article or prohibited-source product or service when directed by the contracting officer.
Ordering Activity / Agency
Apply the correct FASCSA order framework for the agency and mission environment, coordinate with security and supply-chain officials as needed, and ensure the order-level solicitation or notice includes the required identification of applicable orders.
Source / Supplier
Although not a direct contractual party under this clause, a source may be affected by exclusion from procurement actions if named in a FASCSA order, which can prevent its products or services from being used in covered acquisitions.
Practical Implications
Contractors should screen their supply chain early and continuously, because a prohibited source or covered article can surface after award and force immediate corrective action.
The clause is especially important for IT-heavy buys, cloud services, telecom, and products with embedded software or connectivity, where a seemingly non-IT item may still be a covered article.
Ordering offices must make sure the RFQ or notice of intent clearly identifies the applicable FASCSA order(s); missing that step can create confusion and compliance disputes later.
When the contracting officer directs removal, contractors should be prepared for rapid substitution costs, schedule impacts, and possible technical revalidation or cybersecurity review.
A common pitfall is assuming the clause only applies to the prime contractor’s direct suppliers; the definition of source reaches non-Federal suppliers at any tier, so subcontractor and upstream supplier risk matters too.
Official Regulatory Text
As prescribed in 4.2306 (a) , insert the following clause: Federal Acquisition Supply Chain Security Act Orders—Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts (Dec 2023) (a) Definitions. As used in this clause— Covered article as defined in 41 U.S.C. 4713(k) , means— (1) Information technology, as defined in 40 U.S.C. 11101 , including cloud computing services of all types; (2) Telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 ( 47 U.S.C. 153 ); (3) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program (see 32 CFR part 2002 ); or (4) Hardware, systems, devices, software, or services that include embedded or incidental information technology. FASCSA order , means any of the following orders issued under the Federal Acquisition Supply Chain Security Act (FASCSA) requiring the removal of covered articles from executive agency information systems or the exclusion of one or more named sources or named covered articles from executive agency procurement actions, as described in 41 CFR 201–1.303(d) and (e) : (1) The Secretary of Homeland Security may issue FASCSA orders applicable to civilian agencies, to the extent not covered by paragraph (2) or (3) of this definition. This type of FASCSA order may be referred to as a Department of Homeland Security (DHS) FASCSA order. (2) The Secretary of Defense may issue FASCSA orders applicable to the Department of Defense (DoD) and national security systems other than sensitive compartmented information systems. This type of FASCSA order may be referred to as a DoD FASCSA order. (3) The Director of National Intelligence (DNI) may issue FASCSA orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by paragraph (2) of this definition. This type of FASCSA order may be referred to as a DNI FASCSA order. Intelligence community, as defined by 50 U.S.C. 3003(4) , means the following— (1) The Office of the Director of National Intelligence; (2) The Central Intelligence Agency; (3) The National Security Agency; (4) The Defense Intelligence Agency; (5) The National Geospatial-Intelligence Agency; (6) The National Reconnaissance Office; (7) Other offices within the Department of Defense for the collection of specialized national intelligence through reconnaissance programs; (8) The intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Coast Guard, the Federal Bureau of Investigation, the Drug Enforcement Administration, and the Department of Energy (9) The Bureau of Intelligence and Research of the Department of State; (10) The Office of Intelligence and Analysis of the Department of the Treasury; (11) The Office of Intelligence and Analysis of the Department of Homeland Security; or (12) Such other elements of any department or agency as may be designated by the President, or designated jointly by the Director of National Intelligence and the head of the department or agency concerned, as an element of the intelligence community. National security system, as defined in 44 U.S.C. 3552 , means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency— (1) The function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions, but does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications); or (2) Is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy Sensitive compartmented information means classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence. Sensitive compartmented information system means a national security system authorized to process or store sensitive compartmented information. Source means a non-Federal supplier, or potential supplier, of products or services, at any tier. (b) Notice. During contract performance, the Contractor shall be required to comply with any of the following that apply: DHS FASCSA orders, DoD FASCSA orders, or DNI FASCSA orders. The applicable FASCSA order(s) will be identified in the request for quotation (see 8.405-2 ), or in the notice of intent to place an order (see 16.505 (b)). FASCSA orders will be identified in paragraph (b)(1) of FAR 52.204-30 , Federal Acquisition Supply Chain Security Act Orders—Prohibition, with its Alternate II. (c) Removal. Upon notification from the contracting officer, during the performance of the contract, the Contractor shall promptly make any necessary changes or modifications to remove any covered article or any product or service produced or provided by a source that is subject to an applicable Governmentwide FASCSA order (see FAR 4.2303 (b)). (End of clause)