The wait is over – on September 18, 2025, almost 2 years after implementing the Interim Rule, the Office of the Director of National Intelligence ("ODNI") issued a Federal Acquisition Supply Chain Security Act ("FASCSA") order to remove and exclude products and services from Acronis AG, a Swedish cybersecurity and data protection company. Although the FASCSA FAR clauses were implemented in December 2023, this is the first FASCSA order issued by a federal agency. Below is a brief refresher on FASCSA and a reminder on the affirmative steps contractors must take in light of the FASCSA order.
FASCSA Refresher
The Information and Communications Technology Services ("ICTS") industry, which encompasses technologies and services like wireless networks, satellite systems, artificial intelligence, cloud computing services, cellphones, computers, and tablets, has played a critical role in supporting the United States' economic growth and national security. However, because of its importance, ICTS also has been a primary target of foreign adversaries seeking to exploit vulnerabilities and commit cybercrimes, posing significant security risks to the United States. To mitigate these risks, Title II of the SECURE Technology Act—also known as the Federal Acquisition Supply Chain Security Act of 2018 (FASCSA, 41 U.S.C. 1321-1328) was enacted on December 21, 2018. Among other things, FASCSA established the Federal Acquisition Security Council (the "FASC"), an interagency body responsible for evaluating threats to federal ICT supply chains.
In August 2021, the FASC issued a Final Rule adding the new 41 C.F.R. part 201-1, which implemented the FASCSA. The Final Rule outlined the procedures for the FASC's to issue the recommendations for issuing orders requiring the removal of certain products from government information systems ("removal orders") or exclusion of specific sources from government procurement actions ("exclusion orders"). Under the Final Rule, the FASC assesses sources based on specified non-exclusive factors and coordinates with the intelligence community to evaluate threats. When FASC decides to issue a recommendation, the recommendation must provide relevant information and analysis for the Secretary or Homeland Security, the Secretary of Defense, and/or the Director of National Intelligence to consider whether to issue an FASCSA order.
In October 2023, the FAR Council released an Interim Rule on the Implementation of FASCSA Orders (which we previously covered here) effective December 4, 2023. The Interim Rule implemented requirements from Section 202 of FASCSA, which require federal contractors to ensure certain products and services are excluded from the federal supply chain as directed by the FASC. The Interim Rule also introduced three new FAR clauses (FAR 52.204-28, FAR 52.204-29, and FAR 52.204-30) that must be included in all solicitations and contracts (including orders and modifications) issued after December 4, 2023. The FAR Council currently is drafting the Final Rule, Implementation of Federal Acquisition Supply Chain Security Act (FASCSA) Orders (FAR Case 2020-011), which is in the "Final Rule Stage" and may be released this year (we've provided a brief overview of this open FAR Case here).
Yet, since the release of the October 2023 Interim Rule, no FASCSA exclusion or removal orders had been announced. This changed on September 18, 2025.
The Acronis AG FASCSA Order
On September 18, 2025, ODNI published the Acronis AG FASCSA Order to SAM.gov.1 The FASCSA Order is sparce and does not include a reason for the exclusion. The FASCSA Interim Rule provided the following possible reasons to exclude an entity:
"Initiation of the process can begin either by referral of the FASC or any member of the FASC; upon the written request of any U.S. Government body; or based on information submitted to the FASC by any individual or non-Federal entity that the FASC determines to be credible."2
The Acronis AG FASCSA Order states the exclusion is indefinite.
Since ODNI issued this particular FACSCA Order, the prohibition applies to the "intelligence community and sensitive compartmented information systems."3 Under FAR 52.204-30, any Federal contractor performing under intelligence community awards or classified work "shall conduct a reasonable inquiry to identify whether a covered article or product or service produced or provided by a source subject to the FASCSA order(s) was provided to the Government or used during contract performance." That language should sound familiar – a "reasonable inquiry" also is required under the Section 889 FAR clauses with respect to certain Chinese entities. The same "reasonable inquiry" standard applies to FASCSA orders. The review need not be a formal internal or third-party audit, but must be an "inquiry designed to uncover any information in the entity's possession" about the use of Acronis AG products/services.
If the contractor identifies any Acronis AG products or services during the reasonable inquiry, then the contractor is required to submit a report to the appropriate Contracting Officer within 3 business days (including the information required under FAR 52.204-30(c)(4)(i)), with a follow-up report required 10 days thereafter (including the information required under FAR 52.204-30(c)(4)(ii)). While the responsible Contracting Officer may grant a contract-specific waiver to permit the contractor to continue using the Acronis AG products/services, contractors with multi-agency contracts (including GSA Schedule Contracts) must, upon notice from the Contracting Officer, "promptly make any necessary changes or modifications to remove any product or service produced or provided by a source that is subject to an applicable FASCSA order."
One final note on the reasonable inquiry. While it's easy to determine whether a contractor is selling Acronis AG products/services to the Federal Government, the scope of the "use" prohibition is not yet known. That's because the statute, the Interim Rule, and the applicable regulations do not describe what "used in performance of a contract" means. Our friends at the Coalition for Common Sense in Government Procurement submitted a comment to the FAR Council on this issue, so we hope the FAR Council will issue more granular guidance when issuing the Final Rule. Unless and until the FAR Council addresses the issue, contractors are left to speculate what constitutes prohibited "use" under FAR 52.204-30 and whether discovered "use" is required to be reported until FAR 52.204-30.
What Should I Do Now?
So, what does the Acronis AG FASCSA Order mean for Federal contractors? Below are a few recommendations for ensuring you and your supply chain are aware of the FASCSA order and comply with the exclusion.
- First, determine whether your company performs any work subject to the FASCSA order (i.e., intelligence community contracts or classified work). Some contractors may receive a notice from their contracting officer stating the FASCSA Order applies (we have seen this already from GSA).
- Second, perform a reasonable inquiry to determine whether your company sells or uses products or services from Acronis AG.
- Third, determine whether the use of the Acronis AG products/services relates to your Federal contracts (i.e., is the company providing to the Federal Government those products/services under a Federal award or using those products/services in the performance of a Federal award). Again, the scope of the prohibition here is unknown pending additional guidance in the Final Rule. Accordingly, most companies will have to engage in some risk balancing at this juncture.
- Fourth, if your company is performing work covered by the FASCSA order, is using Acronis AG products/services, and that use relates to Federal contracts, then you must submit the report required under FAR 52.204-30(c)(4).
If the FASCSA order applies to your contract(s), then the company is required to notify all subcontractors of the FASCSA order to ensure they perform the required reasonable inquiry as well (and take the necessary remedial actions, if any).
Finally, don't forget that FAR 52.204-30 requires contractors to check SAM.gov at least every 3 months for additional FASCSA orders. Although this was the first FASCSA order, it certainly will not be the last. Contractors should ensure their compliance policies designate an employee responsible for ensuring the required SAM.gov check is performed.
FFootnotes
1 Although the FASCSA Order was created on September 15, 2025 and was published on September 18, 2025, it appears the Order has been active since July 11, 2025. The reason for delaying the issuance of the FASCSA order is unclear.
2 See FASCSA Interim Rule.
3 FAR 52.204-30 defines "Intelligence community" as the following agencies/offices: "(1) The Office of the Director of National Intelligence; (2) The Central Intelligence Agency; (3) The National Security Agency; (4) The Defense Intelligence Agency; (5) The National Geospatial-Intelligence Agency; (6) The National Reconnaissance Office; (7) Other offices within the Department of Defense for the collection of specialized national intelligence through reconnaissance programs; (8) The intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Coast Guard, the Federal Bureau of Investigation, the Drug Enforcement Administration, and the Department of Energy; (9) The Bureau of Intelligence and Research of the Department of State; (10) The Office of Intelligence and Analysis of the Department of the Treasury; (11) The Office of Intelligence and Analysis of the Department of Homeland Security; or (12) Such other elements of any department or agency as may be designated by the President, or designated jointly by the Director of National Intelligence and the head of the department or agency concerned, as an element of the intelligence community."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
