Navigating FAR Part 40 and Supply Chain Security
Chapter 1
Unpacking the New FAR Part 40 Framework
Paul Netopski
Welcome back, everyone, to FAR & DFARS: Procurement Power. Today’s episode is a big one—we’re diving straight into the new framework: FAR Part 40. Now, if you’re just catching up, FAR Part 40 is the result of a consolidation effort led by DoD, GSA, and NASA, aiming to bring all the scattered information and supply chain security requirements under one roof. The main rationale here is clear: give the acquisition workforce and contractors a central spot to understand and implement security requirements instead of making them chase down scattered references in a dozen different parts of the FAR.
Eric Marquette
Yeah, Paul, and that point about consolidation really hits home for anyone who's actually had to keep track of all these shifting parts. Like, I remember a media project I was involved with—we had to follow evolving copyright and privacy rules, and just finding a single source was half the battle. I can only imagine what it’s like if you’re running compliance for a major contractor. So, give us the lay of the land: what actually falls under FAR Part 40, especially compared to something like Part 39, which was all ICT-focused, or even Part 23 which covers environmental objectives? For example, Section 889 has long restricted using certain adversary-based tech—where’s the line drawn with Part 40?
Paul Netopski
Great questions. Here’s how the new structure works: if a regulation addresses broad security objectives—not just ICT stuff—then it’s a candidate for Part 40. But if the rule is only about ICT acquisitions, it stays in Part 39. Think of Part 40 like this big umbrella, covering security requirements that go beyond things like computers and telecom, so it could include cyber supply chain risk, prohibitions on foreign sources, even certain regulatory exclusions that impact everything from hardware to information sharing. Section 889—the one restricting telecom from specific adversarial nations—is a good example of something that fits inside Part 40’s broader intent, because it’s about bolstering national security, not just technical specs. The hope is to do for security requirements what Part 23 did for environmental requirements—make them easier to find, understand, and actually apply.
Eric Marquette
Got it, so it’s kind of like, if you’re operating in that space between technology and national security—which is a growing chunk of federal procurement—now there’s finally a single stop for those overarching rules. Seriously, the timesaving alone must be huge, right? I mean, streamlining is great, but I guess there’s always the adventure of seeing how well that consolidation works in practice.
Paul Netopski
Exactly. And, as this is still rolling out, the agencies want feedback—they’re actively soliciting comments to help shape which requirements will end up in Part 40. Contractors and stakeholders are in a position now to help make sure the framework works for both security and practical compliance, not just the top-down intent. It’s a work in progress, but the clarity it promises is a big win compared to the old “scavenger hunt” approach.
Chapter 2
Key Prohibitions and Information Safeguarding Rules
Paul Netopski
Now, let’s get specific about what’s moving under the Part 40 umbrella. One of the headline changes is pulling together major prohibitions, like those on using products from Kaspersky Lab, Huawei, and even ByteDance, which covers apps like TikTok. And not to forget, there’s also a prohibition on certain unmanned aircraft systems from covered foreign entities. For contractors, that means no more cherry-picking which clauses matter—they’re all centralized, so compliance is much less about hoping you didn’t miss something buried deep in a subpart.
Eric Marquette
And Paul, that centralization piece, does it also cover how you’re supposed to safeguard sensitive data? I’m thinking not just about classified stuff, but also Controlled Unclassified Information—or CUI—which is popping up everywhere after FAR case 2017-016. There are all these new bars set for cybersecurity posture… does Part 40 actually raise those expectations throughout the supply chain because everything’s easier to track?
Paul Netopski
Exactly. Subpart 40.3 is where you’ll see the focus on safeguarding information—everything from handling classified materials to the minimum security controls for contractor information systems and CUI. FAR 4.4 and the CUI rules are now referenced centrally, which not only raises the stakes in terms of compliance, but also means the government’s expectations are uniform and visible. In practice, if you’re a defense contractor and you used to rely on piecemeal training and scattered vendor certifications, now you need to bring internal processes up to date—comprehensively. I’ve seen this play out: one defense firm I consulted had to switch suppliers after learning a component was sourced from a country on the new prohibited list. That wasn’t just a paperwork shuffle—it actually triggered a complete audit of their procurement and internal training, just to stay inside the new basic safeguarding requirements.
Eric Marquette
That’s wild. Just thinking about how much more proactive these organizations have to be now. And, tying it back to an earlier episode—we talked a lot about supplier vetting and risk assessment tools. This feels like it’s turning that from best practice into a non-negotiable baseline. There’s no longer room for ignorance or “oops, missed that vendor...” because the government can point to a clear, consolidated rule set in Part 40.
Paul Netopski
Absolutely. It also means oversight is more transparent—both for agencies and for contractors needing to justify their choices. It aligns expectations up and down the chain, which ultimately should drive stronger security outcomes for everyone involved. But of course, that comes at a cost, which ties right into our next point...
Chapter 3
Costs and Considerations for Federal Contractors
Eric Marquette
Right—the costs. So, even though it sounds like a win for clarity and national security, the reality for a lot of businesses is: implementing these consolidated rules isn’t free. There’s the upfront work of updating every process, retraining staff, maybe swapping out legacy systems for something more secure… that’s a lot to take on, especially for smaller primes or subs who don’t have—what’s the phrase—“compliance teams on call.”
Paul Netopski
Yeah, no question—there’s a real overhead here. And agencies know it, too. If you look at the recent request for information, they’re actively asking industry to send feedback about exactly these economic and operational impacts, the positives and the pain points. That covers everything from training investments and potential delays to the benefits like easier audits or fewer disputes about “which rule applies where.” They want real examples, both quantitative and qualitative, for exactly that reason.
Eric Marquette
So, it’s not just a “deal with it” mandate—they’re actually inviting the whole ecosystem to weigh in on what works and what feels like a headache. Which kind of leads to the big question: is it worth it? Are the gains in national security and unified compliance strong enough that it makes sense, even for those small- and medium-sized businesses who are feeling the weight right now?
Paul Netopski
I think it comes down to your perspective. If you look big-picture, there’s an argument that robust supply chain security is worth some upfront cost, since a single weak link could have major national implications. But if you're a small business, even minor regulatory shifts can shake up your whole operation. I’d say—in my experience—more consistent requirements do reduce the chance of surprise audits or after-action headaches, so in theory, everyone should benefit. But there needs to be some give on minimizing unnecessary administrative burden, especially as new rules get finalized and implemented.
Eric Marquette
And, I mean, as we covered in our last episode around small business participation, that balance between opportunity and overhead is always in play. The feedback loop seems like the smart way forward—but let’s see if the agencies keep listening as contractors start operating under the new framework.
Paul Netopski
We’ll keep following it here. And for our listeners—if your organization’s already navigating this, don’t wait; send your feedback in while the agencies are still refining these rules. Thanks for joining us for another deep dive into FAR & DFARS. Eric, anything else before we wrap?
Eric Marquette
Just a big thanks for tuning in—there’s a lot more to come as these regulations continue to evolve. Paul, always great riffing with you. Let’s keep the conversation going next time. See you all on the next episode of Procurement Power!
Paul Netopski
Thanks, Eric. Take care, everyone.
