View or download as a PDF. [PDF - 905 KB]
MV-2022-06 with supplement 1
Date of latest supplement: December 12, 2023
MEMORANDUM FOR THE PBS LEASING CONTRACTING WORKFORCE
FROM AND DIGITALLY SIGNED BY: Jeffrey A. Koses, Senior Procurement Executive, Office of Acquisition Policy
SUBJECT: Cyber-supply chain risk management (C-SCRM) requirements for leasing
On this page
- Supplement 1 to MV-2022-06
- Background
- New C-SCRM rules impacting lease acquisitions
- Existing leases
- NOL reporting requirements for leases of FSL III, IV, and V space
- Attachment A
- MV-2022-06
- Purpose
- Background
- Effective date
- Applicability
- Requirements
- Additional references, resources, and guidance
- Points of contact
- Attachment A
- Attachment B
- Attachment C
Supplement 1 to MV-2022-06
Issued 12/12/2023
1. Background
On September 16, 2022, GSA Acquisition Letter (AL) MV-2022-06 was issued to clarify C-SCRM requirements, including provisions and clauses, that must be considered for inclusion in the acquisition of leasehold interests in real property (lease acquisitions).
The AL contemplated future supplements to:
- Reflect new C-SCRM rules impacting lease acquisitions; and
- Reflect guidance for all existing leases.
That supplemental information is here:
2. New C-SCRM rules impacting lease acquisitions
Attachment A provides instructions for GSA’s implementation in the leasing of real property to add one new provision and two new clauses based on the following FAR amendments:
- Prohibition on a ByteDance Covered Application, FAR Case 2023-010 (effective 06/02/2023) [1]
- FAR clause 52.204-27, Prohibition on a Bytedance Covered Application
- Implementation of FASCSA Orders, FAR Case 2020-011 (effective 12/04/2023) [2]
- FAR provision 52.204-29, Federal Acquisition Supply Chain Security Act Orders-Representation and Disclosures
- FAR clause 52.204-30, Federal Acquisition Supply Chain Security Act Orders-Prohibition
3. Existing leases
The provisions and clauses listed in Attachment A, as well as the considerations in Attachment B, are required, as applicable, in all existing lease contracting actions (including leasing activities delegated by GSA to other Federal agencies) using the following timeline:
- For leases of Facility Security Level (FSL) I or II space for customer agencies other than the Federal Bureau of Investigation (FBI), incorporate the applicable clauses no later than the next option [3] to extend the period of performance of the lease.
- For leases of FSL III, IV, or V space for customer agencies other than the FBI, prior to the next option, but no later than April 30, 2024, the National Office of Leasing (NOL), with support from the lease contracting officer as necessary, must make a risk assessment (to be developed and issued by NOL by January 2, 2024) to determine if it’s in GSA’s (or the tenant’s) best interest to modify the lease to add the applicable clauses into the lease before the end of the current option.
- When the assessment reflects there is no need to immediately modify the lease, the applicable clauses must be incorporated no later than the next option to extend the period of performance of the lease.
- When the assessment reflects there is an immediate need to modify the lease, the applicable clauses must be incorporated no later than the next option to extend the period of performance of the lease or by July 31, 2024 (whichever is sooner).
- For leases for the FBI, the applicable clauses must be incorporated no later than the next option to extend the period of performance of the lease or by July 31, 2024 (whichever is sooner).
- No risk assessment is required for FBI leases.
4. NOL reporting requirements for leases of FSL III, IV, and V space
- Starting May 1, 2024, NOL must report the number of risk assessments required (i.e., the total number of leases for FSL III, IV, or V space), the number of risk assessments completed, and the number of leases identified that require immediate modification due to the risk assessment findings to spe.request@gsa.gov.
- Starting August 1, 2024, NOL must report in the same manner the number of existing leases modified as a result of the risk assessments and provide any updates to the data reported above.
- Starting September 1, 2024, NOL must provide monthly updates to all of the above data until all necessary risk assessments have been completed and all leases have been modified as required by the result of the risk assessments (or as agreed upon by OGP).
5. Attachment A: C-SCRM provisions and clauses for leasing contracts
Attachment A is updated as follows:
The following C-SCRM provisions and clauses, as applicable, must be included in leasing solicitations and/or contracts. The list below does not reflect the representations and certifications captured through the System for Award Management (SAM.gov) (e.g., FAR provision 52.204-7, System for Award Management, FAR provision 52.204-8, Annual Representations and Certifications, or FAR clause 52.204-19, Incorporation by Reference of Representations and Certifications).
Additions via this supplement are indicated by [bold text in brackets].
FAR provisions and clauses| Title | Provision/clause | Where prescribed |
|---|
| 52.204-2, Security Requirements | Clause | 4.404(a) |
| 52.204-9, Personal Identity Verification of Contractor Personnel | Clause | 4.1303 |
| 52.204-21, Basic Safeguarding of Covered Contractor Information Systems | Clause | 4.1903 |
| 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities | Clause | 4.2004 |
| 52.204-24, Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment | Provision | 4.2105(a) (see also LA-20-11) |
| 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment | Clause | 4.2105(b) (see also LA-20-11) |
| 52.204-26, Covered Telecommunications Equipment or Services-Representation | Provision | 4.2105(c) (see also LA-20-11) |
| [52.204-27, Prohibition on a ByteDance Covered Application | Clause | 4.2203 |
| 52.204-29, Federal Acquisition Supply Chain Security Act Orders-Representation and Disclosures | Provision | 4.2306 |
| 52.204-30, Federal Acquisition Supply Chain Security Act Orders-Prohibition [4] | Clause | 4.2306] |
GSAM/R provisions and clauses| Title | Provision/clause | Where prescribed |
|---|
| 552.204-9, Personal Identity Verification Requirements | Clause | 504.1303 |
| 552.270-33, Foreign Ownership and Financing Representation for High-Security Leased Space | Clause | 570.703(c) |
| 552.270-34, Access Limitations for High-Security Leased Space | Clause | 570.703(d) |
Questions regarding this supplement may be directed to GSARPolicy@gsa.gov.
[1] 88 FR 36430
[2] 88 FR 69503
[3] As used in GSAM 570.401.
[4] FAR 4.2306 and 52.204-29 and 52.204-30 are effective 12/04/2023. See 88 Fed. Reg. 69503 (Oct. 5, 2023).
MV-2022-06
Issued 09/16/2022
1. Purpose
The purpose of this acquisition letter (AL) is to clarify the C-SCRM requirements, including provisions and clauses, that must be considered for inclusion in the acquisition of leasehold interests in real property [1] (lease acquisitions).
2. Background
Almost all of GSA’s procurements, including lease acquisitions, can introduce cybersecurity risks to the Government. For example, Federally leased-facilities may contain building and access control systems—computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning—that are increasingly being connected to other information systems and the Internet.
Further, the adoption and integration of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices have led to an increasingly interconnected mesh of systems–not just building and access control systems–which expands the attack surface and blurs the once clear functions of cybersecurity and physical security. [2]
The increased connectivity heightens PBS-leased facilities’ vulnerability to cyber attacks, which could compromise security measures, hamper our Federal tenant agencies’ ability to carry out their missions, or cause physical harm to the facilities or their occupants.
Additionally, as noted in previous GSA Orders [3], a series of recent Government-wide and GSA-specific policy changes have highlighted the importance of the Federal Government’s goal to improve its focus on C-SCRM acquisition and considerations.
This AL supplements those policies by addressing the growing nature of cyber-supply chain risks that must be considered during the pre-award and post-award phases by the lease contracting officer and any other members of the leasing acquisition team.
3. Effective date
This AL is effective immediately and remains in effect until rescinded or incorporated into the General Services Acquisition Regulation (GSAR).
GSA is also aware of C-SCRM-related cases on the Regulatory Agenda [4] that will impact GSA, and may be applicable to lease acquisitions. This AL, or the GSAR, may be updated in the future to account for C-SCRM rules impacting lease acquisitions.
4. Applicability
New lease contracting actions
Beginning on 10/01/2022, the provisions and clauses listed in Attachment A, as well as the requirement considerations in Attachment B, are required, as applicable, to all new lease contracting actions (including leasing activities delegated by GSA to other Federal agencies). Specifically:
- For any open solicitation, the solicitation must be either amended prior to close or the clauses incorporated into the award prior to signature.
- For any future solicitation, the solicitation must be amended prior to award.
Existing leases
- Existing FBI leases
- By 05/01/2023, existing Federal Bureau of Investigation (FBI) leases must be bilaterally modified to include the required clauses and requirements listed in Attachment A and Attachment B.
- Existing leases for all other agencies
- The modification of existing leases for all agencies other than the FBI will be addressed in a future supplement to this AL.
Updating leasing templates
Beginning 10/01/2022, the following leasing templates (as well as any future relevant documents) must be updated to reflect the provisions, clauses, and requirements listed in Attachment A and Attachment B.
- General Clauses Template 3517A and 3517B
- Lease Contract Templates
- Request for Lease Proposal Templates
The templates must be further updated as additional C-SCRM related laws, statutes, regulations and/or policies are issued to meet deadline dates listed throughout this AL.
In addition, the Office of Leasing shall work expeditiously to revise appropriate policy and templates relevant to the requirements listed under Attachment B, as well as update its policy (e.g., Leasing Alerts (LA), Leasing Desk Guide (LDG)) and templates to reflect any new applicable C-SCRM related laws, statutes, regulations issued, or best practices and recommendations as issued by other GSA offices or agencies.
5. Requirements
Acquisition planning
- When the lease involves or may involve information technology or connected building systems (e.g., connected systems listed in Attachment C) the customer agency is responsible for the required information technology coordination and approval. As the servicing agency, GSA should ensure the CIO coordination is appropriately documented. It may be documented in the tenant occupancy agreement or a separate document, such as the Client Project Agreement. The Office of Leasing will work with relevant PBS offices (e.g., Office of Portfolio and Customer Engagement) to communicate such requirements.
- Future acquisition plans for new leases must include discussion of the reasoning when any C-SCRM-related provision or clause listed in Attachment A will not be included in the planned solicitation and resultant lease award. Such determinations shall be provided to the National Office of Leasing.
- Lease acquisition team members, including the HCA of the leasing contracting activity, must review General Services Acquisition Manual (GSAM) 504.470 for acquisitions involving classified information before accepting a reimbursable agreement for a requirement involving classified information.
- Though not required, leasing acquisition team members are not precluded from using the C-SCRM considerations outlined at GSAM 504.7004.
- Lease acquisition team members may review additional resources highlighted in Section 6 of this AL.
Solicitation and contract award
- Lease contracting officers must ensure that all C-SCRM-related provisions and clauses listed in Attachment A and the requirements and considerations of Attachment B are incorporated into solicitations and awards for new lease contracts when required by the prescription and as documented in the acquisition plan. Any C-SCRM-related representation clause requiring review (e.g., “FAR 52.204-24, Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment”) must be completed as a condition for award.
- Lease acquisition team members should communicate and highlight the applicable provisions, clauses, and requirements to potential offerors as part of the market outreach/survey process.
- In collaboration with the customer agency, lease acquisition teams should consider utilizing a C-SCRM related evaluation factor as part of the source selection process including for low-priced technically acceptable offers. For example, a factor could consider the cyber protection measures used to safeguard facilities and occupants by the lessors. Depending on the requirements and mission of the customer agency, this type of factor may be helpful in supporting a trade-off between lessors prioritizing cyber-hygiene and lessors that are not.
Pre and post-award
- For any potential cyber-supply chain event, including occurrence of an IT security incident, discovery of a prohibited article or source (e.g., an affirmative response under FAR 52.204-24 or 52.204-26), or identification of supply chain risk information, the lease contracting officer or another acquisition team member must contact the GSA IT Service Desk by phone at 866-450-5250 or by email at ITServiceDesk@gsa.gov [5].
- he lease contracting officer must review C-SCRM related representations and certifications prior to exercising options, or extensions or renewals, or at least annually when applicable (e.g. GSAR 552.270-33, Foreign Ownership and Financing Representation for High-Security Leased Space).
The FAR or GSAR provisions or clauses must not include any deviations unless an approved deviation specific to the relevant provision or clause is signed by the GSA Senior Procurement Executive. Active deviations can be found on GSA InSite’s Acquisition Policy Library.
6. Additional references, resources, and guidance
7. Points of contact
- For any general policy questions regarding this AL, questions may be directed to GSARPolicy@gsa.gov.
- For any specific questions regarding implementing the requirements of this AL, questions should be directed to ASKPR@gsa.gov.
8. Attachment A: C-SCRM provisions and clauses for leasing contract
The following provisions and clauses, as applicable, must be included in leasing solicitations and/or contracts. The list below does not reflect the representations and certifications captured through FAR provision 52.204-7, System for Award Management, FAR provision 52.204-8, Annual Representations and Certifications, or FAR clause 52.204-19, Incorporation by Reference of Representations and Certifications.
FAR provisions and clauses| Title | Provision/clause | Where prescribed |
|---|
| 52.204-2, Security Requirements | Clause | 4.404(a) |
| 52.204-9, Personal Identity Verification of Contractor Personnel | Clause | 4.1303 |
| 52.204-21, Basic Safeguarding of Covered Contractor Information Systems | Clause | 4.1903 |
| 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities | Clause | 4.2004 |
| 52.204-24, Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment | Provision | 4.2105(a) (see also LA-20-11) |
| 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment | Clause | 4.2105(b) (see also LA-20-11) |
| 52.204-26, Covered Telecommunications Equipment or Services-Representation | Provision | 4.2105(c) (see also LA-20-11) |
GSAM/R provisions and clauses| Title | Provision/clause | Where prescribed |
|---|
| 552.204-9, Personal Identity Verification Requirements | Clause | 504.1303 |
| 552.270-33, Foreign Ownership and Financing Representation for High-Security Leased Space | Clause | 570.703(c) |
| 552.270-34, Access Limitations for High-Security Leased Space | Clause | 570.703(d) |
9. Attachment B: GSA policies and requirements related to C-SCRM
| Policy/reference | GSA Order PBS 3490.3 CHGE 1 |
|---|
| Title | Security for Sensitive Building Information Related to Federal Buildings, Grounds, or Property |
|---|
| Notes | This Order applies to all entities that handle, receive, and store CUI building information related to GSA-controlled space, as well as to the access to and generation, dissemination, storage, transfer, and disposal of all such information. It also applies to procurements to acquire, alter, or manage space, either Government-owned or leased, including GSA space that is delegated to other Federal agencies. Appendix C (within the Order) includes CUI language for all solicitations containing CUI information (including Requests for Lease Proposals). |
|---|
| See also | GSA Order CIO 2103.2, Controlled Unclassified Information (CUI) Policy |
|---|
| Policy/reference | LA-18-05 |
|---|
| Title | Cybersecurity Measures for Leased Facilities |
|---|
| Notes | This leasing alert provides required and recommended measures for lessors related to cybersecurity protections and precautions in leased facilities. Section 2 (within the LA) provides required measures and recommended guidance, and Attachment 1 provides cybersecurity language that was added to Federal Security Level (FSL) templates. |
|---|
10. Attachment C: Examples of connected systems in buildings [6]
PBS-leased facilities may include various types of connected systems, such as parts, equipment, services, and technologies that can be a target for cyber-events. Below is a sample list of some of those connected systems. Understanding the needs and mission of your customer agency, as well as any Office of the Chief Information Officer (OCIO) (or similar office) policy the customer may have, can help mitigate C-SCRM risk.
| Common systems in federal facilities | Connected systems |
|---|
| Closed circuit camera systems | Cameras, televisions or monitors, and recording equipment, and provide video surveillance capabilities. |
| Access control systems | Card readers, control panels, access control servers, and infrastructure such as door actuators and communications lines, which restrict access to authorized persons. |
| Fire annunciation and suppression systems | Fire alarms, emergency communication equipment, and water-based or nonwater- based suppression systems, designed to prevent, extinguish, or control a fire or other life safety event. |
| Building automation systems (commonly manages the HVAC) | Also known as energy management control systems, provide centralized control—through the use of software and hardware (e.g., computer, modems, sensors, controllers, and printers)—to monitor and adjust building systems (e.g., temperature settings and schedules for running equipment)—such as a building’s cooling systems. |
| Power and lighting control systems | Lighting devices and their controls, advanced-metering controls, power distribution systems, and emergency power or lighting systems, which are also often managed through a building automation system. |
| Elevator control systems | Operating machinery, safety systems, and a control system or panel. |
[1] Except as noted at GSAR 570.101
[2] Cybersecurity and Physical Security Convergence [PDF], Cybersecurity & Infrastructure Security Agency (CISA)
[3] GSAM Case 2021-G511 [PDF] and GSAM Case 2021-G512 [PDF]
[4] Unified Agenda of Regulatory and Deregulatory Actions (Agenda) reports on the actions administrative agencies plan to issue in the near and long term. Released by the Office of Information and Regulatory Affairs, the Agenda provides important public notice and transparency about proposed regulatory and deregulatory actions within the Executive Branch.
[5] GSAM 504.7005
[6] Table in Attachment C are adapted from GAO-15-6
U.S. General Services Administration