(a) Requirements for submission of information. All submissions of information to the FASC must be accomplished through the processes and procedures approved by the FASC pursuant to § 201-1.200. Any information submission to the FASC must comply with information sharing protections described in this subpart and be consistent with applicable law and regulations.
(b) Mandatory information submission requirements. Executive agencies must expeditiously submit supply chain risk information to the ISA in accordance with guidance approved by the FASC pursuant to § 201-1.200 when:
(1) The FASC requests information relating to a particular source, covered article, or covered procurement; or
(2) An executive agency has determined there is a reasonable basis to conclude that a substantial supply chain risk exists in connection with a source or covered article. In such instances, the executive agency shall provide the FASC with relevant information concerning the source or covered article, including:
(i) Supply chain risk information identified in the course of the agency's activities in furtherance of identifying, mitigating, or managing its supply chain risk;
(ii) Supply chain risk information regarding any covered procurement actions by the agency under 41 U.S.C. 4713; and
(iii) Supply chain risk information regarding any orders issued by the agency under 41 U.S.C. 1323.
(c) Voluntary information submission. All Federal and non-Federal entities may voluntarily submit to the FASC information relevant to SCRM, covered articles, sources, or covered procurement actions.
(d) Information protections - Federal agency submissions. To the extent that the law requires the protection of information submitted to the FASC, agencies providing such information must ensure that it bears proper markings to indicate applicable handling, dissemination, or use restrictions. Agencies shall also comply with any relevant handling, dissemination, or use requirements, including but not limited to the following:
(1) For classified information, the transmitting agency shall ensure that information is provided to designated ISA personnel who have an appropriate security clearance and a need to know the information. The ISA, Task Force, and the FASC will handle such information consistent with the applicable restrictions and the relevant processes and procedures adopted pursuant to § 201-1.200.
(2) With respect to controlled unclassified or otherwise protected unclassified information, the transmitting agency, the FASC, the ISA, and the Task Force will handle the information in a manner consistent with the markings applied to the information and the relevant processes and procedures adopted pursuant to § 201-1.200.
(e) Information protections - submissions by non-Federal entities. Information voluntarily submitted to the FASC by a non-Federal entity shall be subject to the following provisions:
(1) Supply chain risk information not otherwise publicly or commercially available that is voluntarily submitted to the FASC by non-Federal entities and marked “Confidential and Not to Be Publicly Disclosed” will not be released to the public, including pursuant to a request under 5 U.S.C. 552, except to the extent required by law.
(2) Notwithstanding paragraph (e)(1) of this section, the FASC may, to the extent permitted by law, and subject to appropriate handling and confidentiality requirements as determined by the FASC, disclose the supply chain risk information referenced in paragraph (e)(1) in the following circumstances:
(i) Pursuant to any administrative or judicial proceeding;
(ii) Pursuant to a request from any duly authorized committee or subcommittee of Congress;
(iii) Pursuant to a request from any domestic governmental entity or any foreign governmental entity of a United States ally or partner, but only to the extent necessary for national security purposes;
(iv) Where the non-Federal entity that submitted the information has consented to disclosure; or
(v) For any other purpose authorized by law.
(3) This paragraph (e) shall continue to apply to supply chain risk information referenced in paragraph (e)(1) even after the FASC issues a recommendation for exclusion or removal pursuant to 41 U.S.C. 1323.
(f) Dissemination of information by the FASC. The FASC may, in its sole discretion, disclose its recommendations and any supply chain risk information relevant to those recommendations to Federal or non-Federal entities if the FASC determines that such sharing may facilitate identification or mitigation of supply chain risk, and disclosure is consistent with the following paragraphs:
(1) The FASC may maintain its recommendations and any supply chain risk information as nonpublic, to the extent permitted by law, or release such information to impacted entities and appropriate stakeholders. The FASC shall have discretion to determine the circumstances under which information will be released, as well as the timing of any such release, the scope of the information to be released, and the recipients to whom information will be released.
(2) Any release by the FASC of recommendations or supply chain risk information will be in accordance title 41 U.S.C. 1323 and the provisions of this subpart.
(3) The FASC will not release a recommendation to a non-Federal entity, other than a source named in the recommendation, unless an exclusion or removal order has been issued based on that recommendation, and the named source has been notified.
(4) The FASC (including the ISA, Task Force, and any other FASC constituent bodies) shall comply with applicable limitations on dissemination of supply chain risk information submitted pursuant to this subpart, including but not limited to the following restrictions:
(i) Controlled Unclassified Information, such as Law Enforcement Sensitive, Proprietary, Privileged, or Personally Identifiable Information, may only be disseminated in compliance with the restrictions applicable to the information and in accordance with the FASC's processes and procedures for disseminating controlled unclassified information as required by this part.
(ii) Classified Information may only be disseminated consistent with the restrictions applicable to the information and in accordance with the FASC's processes and procedures for disseminating classified information as required by this part.