FASCSA Enforcement Begins: What the Acronis Order Means for Federal Contractors
The Federal Supply Chain Just Changed
If you’ve been keeping an eye on federal acquisition compliance, you know the government has been tightening its grip on supply chain security. But this fall, something significant happened: the first enforcement action under the Federal Acquisition Supply Chain Security Act (FASCSA) was officially published on SAM.gov.
The Office of the Director of National Intelligence (ODNI) issued the first-ever FASCSA Order in September 2025, effectively banning Acronis AG—a Swiss-based cybersecurity firm—from all procurement actions involving the Intelligence Community (IC).
This isn’t just a one-company issue.
It’s not just a warning shot to the entire federal contracting community. It’s a potential game-changer for your work.
What Exactly Is a FASCSA Order?
Let’s break it down in simple terms.
Under the Federal Acquisition Supply Chain Security Act of 2018, federal agencies can prohibit the procurement or use of certain products, software, or services if they pose a risk to national security or supply chain integrity.
A FASCSA Order does three main things:
- Blocks new purchases from a named company or source.
- Prohibits contract renewals or extensions involving that source.
- Requires removal of existing "covered articles" (hardware, software, or services) provided by that source from government systems.
In the Acronis case, the ODNI determined that the company’s products created an unacceptable risk to National Security, leading to an exclusion order that applies across all IC agencies.
Why This Order Matters to Every Federal Contractor
Even if you’re not in cybersecurity, this sets a powerful precedent. Here’s why federal contractors should pay attention:
- Precedent for Enforcement: This is the first official enforcement of FASCSA — meaning the law isn't just theoretical anymore. Agencies are actively identifying and banning risky suppliers.
- Expanding Scope: The ODNI's order may be just the beginning. Similar orders could follow from the Department of Defense (DoD), DHS, or other executive agencies, especially as scrutiny of foreign software vendors intensifies.
- Contract Risk: If your contracts—even indirectly—use a prohibited product, you could face termination for default, bid disqualification, or even False Claims Act exposure if you certify compliance inaccurately. These consequences can significantly impact your business operations and reputation, making it crucial to ensure FASCSA compliance.
- Increased Supply Chain Audits: Expect agencies and primes to demand deeper visibility into subcontractor sources, software dependencies, and third-party vendors.
What You Should Do Now
Here are practical steps to take—right now to stay ahead and compliant:
1. Identify and Assess Your Supply Chain Dependencies
- Conduct a comprehensive inventory of your hardware, software, and cloud tools.
- Check whether any of your vendors—or your vendors' vendors—are on the SAM.gov exclusion list or mentioned in a FASCSA Order.
- Pay special attention to IT, cybersecurity, and data storage tools.
2. Update Procurement and Subcontracting Clauses
- Insert FASCSA compliance language into your subcontracts and supplier agreements.
- Require vendors to certify that they do not provide covered articles identified under any FASCSA Order.
3. Establish an Internal Compliance Monitoring Program
- Designate a Supply Chain Security Officer or assign FASCSA oversight responsibilities within your compliance or contracting team.
- Integrate periodic risk scans and vendor reviews into your procurement workflow.
4. Coordinate with Your Contracting Officer (CO)
- If you suspect your products or services may be impacted, proactively communicate with your CO.
- Transparency helps protect your record and demonstrates good faith compliance.
5. Stay Updated
- Bookmark the SAM.gov Exclusions and Federal Register pages.
- Follow updates from ODNI, DHS, and GSA. These agencies coordinate closely under the FASCSA Council.
Reading Between the Lines: The Bigger Trend
This isn’t an isolated compliance story it’s part of a broader federal shift toward proactive cyber and supply chain defense. Recent years have brought:
- CMMC 2.0 for DoD contractors,
- NIST SP 800-171 enforcement in civilian contracts,
- Software Bill of Materials (SBOM) requirements, and
- Now, FASCSA enforcement targets vendors at the root of potential risks.
Together, these signals indicate that the federal government is hardening its supply chain end-to-end. For contractors, the message is clear:
Security and transparency are no longer optional—they’re contractual.
Final Thoughts
The Acronis case won’t be the last FASCSA Order. It’s the start of a new chapter where supply chain transparency becomes mission-critical for every federal contractor. If your systems, tools, or partners haven’t been reviewed recently, now’s the time. A proactive audit today could save you from a costly compliance setback tomorrow.