On February 17, 2026, the Federal Acquisition Regulatory Council released a Notice of Proposed Rulemaking, proposing amendments to the FAR to implement Section 5949 of the FY23 National Defense Authorization Act (“NDAA”).  Section 5949 prohibits executive agencies from obtaining semiconductor parts, products, or services traceable to certain named Chinese companies – currently, Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies (“CXMT”), and Yangtze Memory Technologies Corp (“YMTC”) – subject to limited exceptions.  In accordance with the statute, the proposed amendments to the FAR would become effective on December 23, 2027.  The proposed rule is not yet final and is open for public comment until April 20, 2026. 

Prohibition and Definitions

The proposed rule builds upon an Advanced Notice of Rulemaking (“ANPRM”) from May 2024, which we discussed in a previous post.  As expected, the proposed rule would implement two prohibitions under Section 5949(a)(1), Part A and Part B:

  • Under Part A, executive branch agencies may not procure or obtain any electronic parts, products, or services that include covered semiconductor products or services; and 
  • Under Part B, which applies only to critical systems, executive branch agencies may not procure or obtain an electronic product or service that uses any electronic products that include covered semiconductor products or services. 

“Covered semiconductor product or service” is defined to include semiconductors, products that incorporate a semiconductor product, or services that utilize a semiconductor product, that are designed, produced, or provided by SMIC, CXMT, YMTC, or any of their affiliates, subsidiaries, or successors.  In addition, the Secretary of Defense or the Secretary of Commerce, in consultation with the Director of National Intelligence or the Director of the FBI, can prohibit semiconductors that are designed, produced, or provided by other companies upon a determination that those companies are owned, controlled by, or otherwise connected to the governments of so-called “semiconductor foreign countries of concern.”  Currently, “foreign countries of concern” include North Korea, China, Russia, and Iran.  According to the proposed rule, the Department of Commerce will publish a list of any such newly designated entities in the Federal Register.  No entities other than SMIC, CXMT, and YMTC have yet been designated.

The proposed rule is notable for its scope.  The rule would apply to procurements below the Micro Purchase Threshold (i.e., below $15,000).  The rule also would apply to commercial products, including commercially available off-the-shelf (COTS) items, and to commercial IT and telecommunication services.  The combination of these two scoping decisions, which the FAR Council indicated were made in the interests of national security, means that the rule is likely to apply to a broad swath of procurements by executive branch agencies. 

Notwithstanding the generally broad application of the requirements, the rule does contain a meaningful carveout for commercial services contracts, except commercial IT and telecommunications services.  In explaining this carveout, the FAR Council specifically noted the potential for overly broad application of the requirements in contexts where covered semiconductors present relatively limited risk to the Government and where the Government may only represent a fragment of the overall market.  Additionally, as discussed further below, there is a meaningful grandfathering provision for covered semiconductors present in existing equipment prior to December 23, 2027.

Although Part B has the potential to reach further into the supply chain than Part A, Part B is limited only to “critical systems.”  The proposed rule does not further define “critical systems” beyond a citation to the underlying statute, which defines a critical system to be the same as a “national security system” in 40 U.S.C. § 11103.[1]  The proposed rule provides two illustrative examples of use cases that would be prohibited under Part B: (1) “a control panel within a critical system that enables an Internet of Things (IoT) device that includes a covered semiconductor product or service,” or (2) “an unmanned aircraft ground control station that controls an unmanned aircraft that includes a covered semiconductor product or service.”  The first example appears to be a modified version of what was contemplated in the ANPRM, while the second example is entirely new.  The proposed rule also provides that contracting officers are required to identify any requirements associated with critical systems in a relevant solicitation.

Notable Aspects

Other notable aspects of the proposed rule include the following:

  • Reasonable Inquiry and Offeror Certification:  Offerors would need to conduct a reasonable inquiry to determine whether the electronic products or electronic services they provide to the Government include covered semiconductor products or services, or (for critical systems) use electronic products that include covered semiconductor products or services.  The inquiry must be intended to uncover any information in the offeror’s possession, including information from external sources.  The proposed rule explains that this inquiry may involve identifying the source of semiconductor products or services, consulting the Department of Commerce list of entities determined to be owned or controlled by the government of a semiconductor foreign country of concern, searching supplier websites, or using other supply chain due diligence tools.  The proposed rule also notes that contractors may reasonably rely on the certifications of compliance from covered entities and subcontractors who supply electronic products or services, and that a reasonable inquiry does not require an independent audit or formal review.  Offerors would also be required to certify that they have conducted a reasonable inquiry and that they will not provide products or services prohibited under the proposed rule.  The FAR Council determined that offerors will not need to submit proof of compliance with the requirements at this time, such as by providing a bill of materials to the Government.
  • Disclosure and Safe Harbor Provision:  The proposed rule provides a safe harbor provision for contractors or suppliers that provide a disclosure regarding covered semiconductor products or services in electronic products that are manufactured or assembled by an entity other than the offeror or lower-tier supplier.  This disclosure would shield contractors and suppliers from civil liability and present responsibility risks that relate to the disclosure. 
  • Flowdown:  Prime contractors will be required to flow down the prohibitions in all subcontracts for the supply of any electronic products and services.

Exceptions and Waivers

However, the proposed rule provides the following exceptions and waiver authorities:

  • Grandfathering exception:  The prohibition does not require a contractor to remove or replace any products or services resident in existing equipment, systems, or services, that were acquired before December 23, 2027, and proposed as part of performance of the contract.  Contractors are also not required to prohibit or limit the utilization of covered semiconductor products or services throughout the lifecycle of existing equipment that was acquired before December 23, 2027, and proposed as part of performance of the contract.
  • Waiver process:  Heads of agencies can issue a two-year renewable waiver of the prohibition through interagency process, based on (1) a determination that no compliant product or service is available at U.S. market prices or at a price not prohibitively expensive, or (2) a determination that the waiver could not reasonably be expected to compromise critical national security interests.  In addition, select agency heads can issue a waiver for any executive agency upon determining that a waiver is in the critical national security interests of the United States. 
  • Limited and temporary exception for commercial items:  For commercial products or commercial IT and telecommunication services, the proposed rule does not apply until December 23, 2028 if there are no available alternative sources.  The rule does not clarify how this determination will operate in practice or who will make the availability determination.

Takeaways

If adopted, the proposed rule will impose significant new compliance requirements on contractors.  At the same time, the proposed rule reflects several clarifications of the ANPRM, which offer guidance on best practices for implementation.  These include new illustrative examples of the Section 5949(a)(1)(B) prohibition, clarification that contractors have no affirmative obligation to provide proof of compliance, and exceptions for many types of commercial services.  Still, there are aspects of the proposed rule that raise questions or otherwise may be susceptible to more than one interpretation. 

Interested parties who wish to be heard on these points are encouraged to submit comments by April 20, 2026, to be considered in the final rulemaking process.

We will continue to monitor the development of this rule.  If you have any questions concerning the material discussed in this post, please contact the members of our Public Policy, Cybersecurity, and Government Contracts groups.

[1] The term “national security system” means “a telecommunications or information system operated by the Federal Government, the function, operation, or use of which – (A) involves intelligence activities; (B) involves cryptologic activities related to national security; (C) involves command and control of military forces; (D) involves equipment that is an integral part of a weapon or weapons system; or (E) subject to paragraph (2), is critical to the direct fulfillment of military or intelligence missions.”

Tags: Cybersecurity, Semiconductors, Supply Chain
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Michael Wagner Michael Wagner

Mike Wagner represents companies and individuals in complex compliance and enforcement matters arising in the public procurement context. Combining deep regulatory expertise and extensive investigations experience, Mike helps government contractors navigate detailed procurement rules and achieve the efficient resolution of government investigations and…

Mike Wagner represents companies and individuals in complex compliance and enforcement matters arising in the public procurement context. Combining deep regulatory expertise and extensive investigations experience, Mike helps government contractors navigate detailed procurement rules and achieve the efficient resolution of government investigations and enforcement actions.

Mike regularly represents contractors in federal and state compliance and enforcement matters relating to a range of procurement laws and regulations. He has particular experience handling investigations and litigation brought under the civil False Claims Act, and he routinely counsels government contractors on mandatory and voluntary disclosure considerations under the FAR, DFARS, and related regulatory regimes. He also represents contractors in high-stakes suspension and debarment matters at the federal and state levels, and he has served as Co-Chair of the ABA Suspension & Debarment Committee and is principal editor of the American Bar Association’s Practitioner’s Guide to Suspension & Debarment (4th ed.) (2018).

Mike also has extensive experience representing companies pursuing and negotiating grants, cooperative agreements, and Other Transaction Authority agreements (OTAs). In this regard, he has particular familiarity with the semiconductor and clean energy industries, and he has devoted substantial time in recent years to advising clients on strategic considerations for pursuing opportunities under the CHIPS Act, Inflation Reduction Act, and Bipartisan Infrastructure Law.

In his counseling practice, Mike regularly advises government contractors and suppliers on best practices for managing the rapidly-evolving array of cybersecurity and supply chain security rules and requirements. In particular, he helps companies assess and navigate domestic preference and country-of-origin requirements under the Buy American Act (BAA), Trade Agreements Act (TAA), Berry Amendment, and DOD Specialty Metals regulation. He also assists clients in managing product and information security considerations related to overseas manufacture and development of Information and Communication Technologies & Services (ICTS).

Mike serves on Covington’s Hiring Committee and is Co-Chair of the firm’s Summer Associate Program. He is a frequent writer and speaker on issues relating to procurement fraud and contractor responsibility, and he has served as an adjunct professor at the George Washington University Law School.

Read more about Michael WagnerEmail
Show more Show less
Photo of Susan B. Cassidy Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply…

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
Federal Acquisition Security Council (FASC) regulations and product exclusions.

 

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.

Read more about Susan B. CassidyEmail
Show more Show less
Photo of Ryan Burnette Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain…

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.

Read more about Ryan BurnetteEmail
Show more Show less
Photo of Eunsun Cho Eunsun Cho

Eunsun Cho is an associate in the Government Contracts Practice Group. She assists clients on a range of regulatory and compliance issues.

Eunsun also maintains an active pro bono practice.

Email