FASC Issues First FASCSA Exclusion Order: Implications for Federal Contractors and ICTS Supply Chains

The Office of the Director of National Intelligence has issued the first-ever Federal Acquisition Supply Chain Security Act order, excluding Acronis AG and its affiliates from certain federal contracts. This order marks a critical development in federal supply chain security enforcement and may have far-reaching implications for contractors, the information and communications technology services industry, and national security.

Contractors would be well advised to assess their supply chains to ensure that they do not incorporate materials covered by the Federal Acquisition Supply Chain Security Act (FASCSA) (including from prohibited sources) and otherwise consider their supply chain practices to confirm they align with the continued scrutiny for potential national security vulnerabilities.

BACKGROUND AND OVERVIEW OF FASCSA AND THE ODNI ORDER 

FASCSA was enacted to empower the federal government to address supply chain risks in information and communications technology services (ICTS) and other sensitive sectors that can introduce risk to the information technology supply chain. FASCSA established the Federal Acquisition Security Council (FASC), an interagency body tasked with protecting federal supply chains from threats posed by covered articles and suppliers. 

The FASC’s recommendations to remove or exclude a company, its products, or its services can be adopted and issued as orders by the secretaries of defense and homeland security, and by the director of national intelligence, as discussed in a prior LawFlash.

On September 18, 2025, the Office of the Director of National Intelligence (ODNI) published its first FASCSA order on SAM.gov, excluding Acronis AG and related parties from federal contracts involving the intelligence community (IC) and sensitive compartmented information (SCI) systems. The order, which went into effect on July 11, 2025, is indefinite and marks a significant milestone in federal supply chain security enforcement.

SCOPE AND NATURE OF THE EXCLUSION AND REMOVAL ORDER 

The exclusion and removal order issued by ODNI applies to Acronis AG, including its parent, affiliates, and all subordinate organizations. The order designates “covered articles” as all Acronis products and services. It bars use of covered products and services by intelligence agencies and requires those agencies and contractors that support them to remove such items from their supply chains.

This prohibition reflects the broad ramifications of FASCSA orders. Because the order was issued by ODNI, it affects the intelligence community and contractors supporting SCI systems, emphasizing the heightened scrutiny and risk mitigation efforts in sectors critical to national security.

The General Services Administration (GSA) responded by removing Acronis products and services from GSA Advantage and announcing that it will issue contract modifications to remove Acronis AG–covered articles from Multiple Award Schedule (MAS) contracts. In a notice published on the GSA’s MAS blog, the GSA directed MAS contractors to review their contracts and catalogs to ensure that no Acronis items or services are awarded or used in the performance of a contract. The GSA also directed contractors to create a plan to streamline regular communications with subcontractors to ensure compliance with FASCSA requirements.

IMPLEMENTATION REQUIREMENTS FOR FEDERAL CONTRACTORS 

Generally, federal contractors and subcontractors are barred from providing or using any products or services subject to an applicable FASCSA order to support a federal contract. That requirement stems from Federal Acquisition Regulation (FAR) 52.204-30, which implements FASCSA restrictions.

During contract performance, contractors and subcontractors must monitor SAM.gov for new FASCSA orders at least every three months, or more frequently if directed to do so by a contracting officer. If a contractor identifies a new FASCSA order that could impact its supply chain, it must conduct a “reasonable inquiry” to identify whether a covered article, product, or service produced or provided by a source subject to the FASCSA order was provided to the government or used during contract performance. If any use or provision of a covered article, product, or service is identified, the contractor must provide an initial report on that use or provision to the contracting agency within three business days.

Within 10 business days of submitting that initial notice, the contracting officer must provide an additional report describing any further information about mitigation efforts and efforts to prevent submission or use of the covered article, product, or service in the future.

PRACTICAL IMPLICATIONS FOR CONTRACTORS

This first FASCSA order highlights the federal government’s determination to mitigate supply-chain threats to critical systems and sensitive data. Its indefinite duration and expansive reach show how seriously agencies view these supply chain risks. While this is the first issued order, more FASCSA exclusion actions are likely, particularly in the information and communications technology sector.

To ensure compliance with FASCSA exclusion requirements, contractors supporting the IC or SCI systems should immediately review whether they or their subcontractors use or resell any covered products or services to support federal customers and take steps to remove covered products or services if present.

Contractors should also use this as an opportunity to confirm that their internal supply-chain protocols align with the requirements of FAR 52.204-30 and continue to monitor federal guidance and the FASCSA exclusion listing on SAM.gov for future developments.

Stay Informed

Visit our US Administration Policies and Priorities resource center and subscribe to our mailing list for the latest on programming, guidance, and current legal and business developments.