October 2, 2025

DNI Issues First FASCSA Exclusion and Removal Order Against Acronis AG

On September 15, 2025, the Office of the Director of National Intelligence (“DNI”) published the first exclusion and removal order (“Order”) under the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”).1 The Order prohibits the procurement and use of products and services from Acronis AG (“Acronis”)—a Swiss cybersecurity and data protection technology company—by the Intelligence Community (“IC”). It also requires the removal of existing Acronis products and services from IC information systems and sensitive compartmented information (“SCI”) systems. Following the Order, the General Services Administration (“GSA”) issued an update on September 18 stating that it removed Acronis products and services from GSA Advantage and reminding federal contractors of applicable prohibitions (FAR 52.204-30) on using products and services provided by a source subject to a FASCSA order.

While the Order carries immediate implications for federal contractors that rely on integrated Acronis products or services, more broadly, the Order signals the end of a prolonged period of inactivity by the Federal Acquisition Security Council (“FASC”) and implementing agencies.2 In addition, the action is likely to prompt further scrutiny from other executive agencies such as the Department of Commerce, using its ICTS authorities, and the Federal Communications Commission (“FCC”), which is required by law to update its Covered List to reflect a “specific determination” by the FASC.3

FASCSA Background

FASCSA was enacted to address the growing risk that vulnerabilities in the information and communications technology supply chain could compromise federal systems. Growing out of the Department of Homeland Security’s 2017 binding operational directive barring executive branch agencies from using Kaspersky products, the statute established the FASC, a multi-agency body responsible for identifying supply chain risks and recommending corrective actions, including the exclusion (i.e., prohibition on procurement) or removal (i.e., replacement) of vendors and products deemed to pose unacceptable risks to federal systems.

The FASC is empowered to investigate and make recommendations regarding the exclusion and removal of products and services, and the sources that provide them. Recommendations are directed to the following officials: the Director of National Intelligence issues orders for IC systems, the Secretary of the Department of Homeland Security addresses civilian agencies, and the Secretary of Defense oversees defense systems.  Each of these officials has independent authority to adopt and issue the orders recommended by the FASC (either as recommended or in modified form), or to decline to adopt the recommendation. The FASC’s recommendations are not published, but the resulting exclusion and removal orders are published. 

When the FASC issues a recommendation, it also notifies affected parties, which have a 30-day period to respond, unless an extension is granted. The FASC and the implementing agencies have discretion to consider arguments supporting rescission or amendment of the recommendation, but may act at any time after the response period has closed. Affected parties have a right of appeal to the U.S. Court of Appeals for the D.C. Circuit within 60 days after notice of issuance of the relevant order(s) by one or more of the agencies.

Federal contractors performing under contracts including FAR clause 52.204‑30 are obligated to monitor for FASCSA orders, conduct a reasonable inquiry into the use of covered products and services, and notify contracting officers promptly, while implementing applicable mitigation measures, if prohibited products or services are identified in the delivery of a federal contract.

FASCSA Order against Acronis AG

The Order, posted on SAM.gov on September 15, excludes Acronis and all “subordinate, subsidiary, or affiliated organizations” from IC executive agency procurement actions. It also requires the removal of Acronis products and services from IC information systems and SCI systems. The Order does not provide findings or rationale to support its directives, which may underscore the classified nature of such information.4

In response, GSA has removed Acronis products and services from GSA Advantage and intends to modify Multiple Award Schedule contracts to ensure compliance. The Order imposes immediate compliance responsibilities on contractors and subcontractors engaged with IC contracts and/or contracts that incorporate relevant provisions of FAR clause 52.204‑30. To comply with these provisions, contractors must conduct a prompt and thorough review of their systems and supply chains to determine whether Acronis products or services have been deployed as part of the performance of a contract. Any use must be reported within three business days, followed by submission within ten business days of information regarding mitigation actions undertaken by the contractor.

Contractors should review their government contracts to determine if they include FAR 52.204-30 and, if so, which version of the clause applies. For those contracts that include the Alternate I or II version, the contracting officer should have checked a box indicating which types of FASCSA orders apply to the contract. Contractors should seek clarification from their contracting officer as needed.

The Order also has operational and financial implications. The removal or replacement of Acronis products and services may result in additional costs, schedule delays, and other contractual impacts. Notably, FAR 52.204-30 does not contemplate the contractor receiving an equitable adjustment in the event it incurs additional costs or needs additional time to perform as a result of FASCSA orders issued after contract award. Contractors should proactively address any contractual impacts with their contracting officers and, if necessary, seek an equitable adjustment under the Changes clause (FAR 52.243-1).

Further Considerations for Contractors and Government Partners

Contractors should prioritize evaluating both current and prospective contracts to identify any exposure to Acronis products or services, regardless of whether they are formally subject to the Order. Subsequent actions by other regulatory bodies, including other FASCSA implementing agencies, the Department of Commerce, or the FCC, may further broaden the scope of affected contracts and could result in more restrictions on the availability of Acronis products and services within the United States.

The Order also establishes a precedent for more frequent use of FASCSA enforcement mechanisms, suggesting that contractors should anticipate increased scrutiny of their technology supply chains and supplier risk profiles. Contractors should routinely monitor SAM.gov for FASCSA orders and incorporate periodic supply chain risk assessments into standard compliance processes. Last, contractors should document remediation steps carefully to mitigate potential disputes over costs, schedule impacts, or compliance obligations.

 


 

1 While posted to SAM.gov on September 15, 2025, the Order specifies July 11, 2025, as the “active date.”

2 The Secretary of Homeland Security, Secretary of Defense, and Director of National Intelligence may issue exclusion and removal orders pursuant to FASC recommendations. 41 U.S.C. § 1323(c)(5).  

3 The Secured and Trusted Communications Networks Act provides that the FCC “shall place on the list any communications equipment or service . . . based solely on . . . [a] specific determination” by the FASC, among others.  47 U.S.C. § 1601(c)(1). The statute does not define “specific determination,” but it appears likely that the FCC will consider a recommendation issued by the FASC to be a “specific determination.” See Federal Communications Commission, Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, 86 Fed. Reg. 2904, 2916 (Jan. 13, 2021) (“The Commission interprets the Secure Networks Act to require ‘specific determinations’ to have a level of specificity sufficient to allow the Commission to incorporate the determination onto the Covered List.”).

4 The Order directs those with access to the NRO JWICS Acquisition Research Center Dashboard to view additional information.
