Federal Acquisition Security Council (FASC) Information Sharing Agency (ISA)

Our Mission

The Federal Acquisition Security Council (FASC), enacted as part of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act (P.L.115–390, December 21, 2018), aims to protect federal information communications technology (ICT) systems by recommending exclusion or removal of covered articles that pose too great a risk to the federal enterprise (§ 1323(c)). The FASC is responsible for identifying supply chain risk management standards and guidelines, identifying and developing criteria for sharing information, engaging with private sector and other non-government organizations (NGO) stakeholders, coordinating with interagency committees, and providing recommendations on exclusions and/or removal orders.

The FASC Information Sharing Agency (ISA) performs administrative information sharing functions on behalf of the FASC, as provided at 41 U.S.C. 1323(a)(3). The ISA facilitates and provides administrative support to a FASC supply chain and risk management Task Force, and serves as the liaison to the FASC on behalf of the Task Force, as the Task Force develops the processes under which the functions described in 41 U.S.C. 1323(a)(3) are implemented on behalf of the FASC. The ISA's administrative functions shall not be construed to limit or impair the authority or responsibilities of any other Federal agency with respect to information sharing.

Current FASCSA Orders

Statutes, Regulations, Policy

Because of the scale of supply chain risks faced by Government agencies, and the need for Government-wide coordination, Congress adopted new legislation in 2018 to improve executive branch coordination, supply chain information sharing, and actions to address supply chain risks.

Federal Acquisition Security Council Act of 2018

Federal Acquisition Security Council Rule

Various legislation have designated additional requirements to the FASC.

Secure and Trusted Communications Networks Act of 2019

2021 NDAA - 5G/6G wireless equipment

2023 NDAA Section 5949 - Semiconductor Analysis

2024 NDAA American Security Drones Act (ASDA)

Executive Order 14093

Executive Order 14017

Our Partners

Office of Management and Budget (OMB)

General Services Administration (GSA)

U.S. Department of Homeland Security seal

Department of Homeland Security (DHS)

Cybersecurity and Infrastructure Security Agency (CISA)

Director of National Intelligence (DNI)

National Counterintelligence Security Center (NCSC)

Department of Justice (DOJ)

Federal Bureau of Investigation (FBI)

Department of Defense (DOD)

National Security Agency (NSA)

Department of Commerce (DOC)

National Institute of Standards and Technology (NIST)

Important Definitions

Supply Chain Risk Management (SCRM)

SCRM is the management of the risk(s) that any person may sabotage, maliciously introduce unwanted functionality, extract data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, maintenance, disposition, or retirement of covered articles so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the covered articles or information stored or transmitted by or through covered articles.

Supply Chain Risk Information (SCRI)

SCRI includes, but is not limited to, information that describes or identifies:

(1) Functionality and features of covered articles, including access to data and information system privileges;
(2) The user environment where a covered article is used or installed;
(3) The ability of a source to produce and deliver covered articles as expected;
(4) Foreign control of, or influence over, a source or covered article ( e.g., foreign ownership, personal and professional ties between a source and any foreign entity, legal regime of any foreign country in which a source is headquartered or conducts operations);
(5) Implications to government mission(s) or assets, national security, homeland security, or critical functions associated with use of a source or covered article;
(6) Vulnerability of Federal systems, programs, or facilities;
(7) Market alternatives to the covered source;
(8) Potential impact or harm caused by the possible loss, damage, or compromise of a product, material, or service to an organization's operations or mission;
(9) Likelihood of a potential impact or harm, or the exploitability of a system;
(10) Security, authenticity, and integrity of covered articles and their supply and compilation chain;
(11) Capacity to mitigate risks identified;
(12) Factors that may reflect upon the reliability of other supply chain risk information; and
(13) Any other considerations that would factor into an analysis of the security, integrity, resilience, quality, trustworthiness, or authenticity of covered articles or sources.

Covered Article

Covered article means any of the following:

(1) Information technology, as defined in 40 U.S.C. 11101, including cloud computing services of all types;
(2) Telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153);
(3) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program or subsequent U.S. Government program for controlling sensitive unclassified information; or
(4) Hardware, systems, devices, software, or services that include embedded or incidental information technology.

CISA Resources

FASCSA Orders Slick Sheet.pdf(PDF, 354.96 KB )

Voluntary Information Submission

All Federal and non-Federal entities may voluntarily submit to the FASC information relevant to SCRM, covered articles, sources, or covered procurement actions.

Submit Supply Chain Risk Information (SCRI)

Federal Acquisition Security Council Information Sharing Agency

Statutes, Regulations, Policy

Our Partners

Important Definitions

CISA Resources

Voluntary Information Submission