(a) Referral procedure. The FASC may commence an evaluation of a source or covered article in any of the following ways:
(1) Upon the referral of the FASC or any member of the FASC;
(2) Upon the request, in writing, of the head of an executive agency or a designee, accompanied by a submission of relevant information; or
(3) Based on information submitted to the FASC by any Federal or non-Federal entity that the FASC deems, in its discretion, to be credible.
(b) Relevant factors. In evaluating sources and covered articles, the FASC will analyze available information and consider, as appropriate, any relevant factors contained in the following non-exclusive list:
(1) Functionality and features of the covered article, including the covered article's or source's access to data and information system privileges;
(2) The user environment in which the covered article is used or installed;
(3) Security, authenticity, and integrity of covered articles and associated supply and compilation chains, including for embedded, integrated, and bundled software;
(4) The ability of the source to produce and deliver covered articles as expected;
(5) Ownership of, control of, or influence over the source or covered article(s) by a foreign government or parties owned or controlled by a foreign government, or other ties between the source and a foreign government, which may include the following considerations:
(i) Whether a Federal agency has identified the country as a foreign adversary or country of special concern;
(ii) Whether the source or its component suppliers have headquarters, research, development, manufacturing, testing, packaging, distribution, or service facilities or other operations in a foreign country, including a country of special concern or a foreign adversary;
(iii) Personal and professional ties between the source - including its officers, directors or similar officials, employees, consultants, or contractors - and any foreign government; and
(iv) Laws and regulations of any foreign country in which the source has headquarters, research development, manufacturing, testing, packaging, distribution, or service facilities or other operations.
(6) Implications for government missions or assets, national security, homeland security, or critical functions associated with use of the source or covered article;
(7) Potential or existing threats to or vulnerabilities of Federal systems, programs or facilities, including the potential for exploitability;
(8) Capacity of the source or the U.S. Government to mitigate risks;
(9) Credibility of and confidence in available information used for assessment of risk associated with proceeding, with using alternatives, and/or with enacting mitigation efforts;
(10) Any transmission of information or data by a covered article to a country outside of the United States; and
(11) Any other information that would factor into an assessment of supply chain risk, including any impact to agency functions, and other information as the FASC deems appropriate.
(c) Foreign Ownership. Nothing in this section shall be construed to authorize the issuance of an exclusion or removal order based solely on the fact of the foreign ownership of a potential procurement source that is otherwise qualified to enter into procurement contracts with the Federal Government.
(d) Due Diligence. As part of the analysis performed pursuant to paragraph (b) of this section, the FASC will conduct appropriate due diligence. Such due diligence may include, but need not be limited to, the following actions:
(1) Reviewing any information the FASC considers appropriate; and
(2) Assessing the reliability of the information considered.
(e) Consultation with NIST. NIST will participate in FASC activities as a member and will advise the FASC on NIST standards and guidelines issued under 40 U.S.C. 11331.