Class Deviation RFO-2025-40: FAR Class Deviation for FAR Part 40 in Support of Executive Order 14275, Restoring Common Sense to Federal Procurement

Class Deviation RFO-2025-40
August 11, 2025
MEMORANDUM FOR GSA CONTRACTING ACTIVITIES
FROM AND DIGITALLY SIGNED BY: Jeffrey A. Koses, Senior Procurement Executive, Office of Acquisition Policy (MV)
SUBJECT: FAR Class Deviation for FAR Part 40 in Support of Executive Order 14275, Restoring Common Sense to Federal Procurement

On this page:

Purpose
Background
Summary of changes
Instructions
Applicability
Authority
Effective date
Have a question?

1. Purpose

This memorandum approves a class deviation to Federal Acquisition Regulation (FAR) part 40 for purposes of implementing the FAR Council’s model deviation to FAR part 40.

2. Background

Executive Order (E.O.) 14275, Restoring Common Sense to Federal Procurement, signed April 15, 2025, mandates a comprehensive review and simplification of the Federal Acquisition Regulation.

The FAR is being updated to:

Eliminate non-statutory language.
Remove redundant or obsolete language.
Enhance clarity through plain language.
Align with the new FAR framework.
Preserve essential governmentwide acquisition standards.

This project is referred to as the Revolutionary FAR Overhaul (RFO) initiative. This initiative will make the FAR more concise, understandable, and focused on core procurement requirements.

3. Summary of changes

Instead of navigating a patchwork of multiple subparts throughout the FAR and over a dozen different provisions and clauses to understand security requirements, readers can now refer to a single, logically organized part of the FAR, part 40, Information Security and Supply Chain Security.

Simplified: FAR part 40 is reorganized into three key subparts:
- Subpart 40.1 - Processing Supply Chain Risk Information (previously reserved)
- Subpart 40.2 - Security Prohibitions and Exclusions
- Subpart 40.3 - Safeguarding Information (previously reserved)
Consolidated:
- Regulatory requirements previously found at FAR subparts 4.4, 4.19 through 4.23, and 25.7 have been moved into part 40.
- More than a dozen separate provisions (5) and clauses (9) have been merged into 4 (1 provision and 3 clauses).

Statutory requirements retained in the RFO FAR part 40 model deviation include, but may not be limited to, the following:

41 U.S.C. §§ 1321 et seq, Federal Acquisition Supply Chain Security Act (FASCSA)
41 U.S.C. § 4713, Authorities Related to Mitigating Supply Chain Risks in the Procurement of Covered Articles
44 U.S.C. §§ 3501 et seq, Federal Information Policy
Pub. L. 115-91 Section 1634, Prohibition on Use of Products and Services Developed or Provided by Kaspersky Lab
Pub. L. 115-232 Section 889, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment
Pub. L. 115-232 Section 1758, Requirements to Identify and Control the Export of Emerging and Foundational Technologies
Pub. L. 115-390, Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (SECURE Technology Act)
Pub. L. 117-328 Div R Section 102, Prohibition on the Use of TikTok
Pub. L. 118-31 Section 1823, Prohibition on Procurement of Covered Unmanned Aircraft Systems from Covered Foreign Entities.

Change	Description
Retained	New subpart 40.1 incorporates: Sharing Supply Chain Risk Information (from FAR 4.2302): The requirement to share relevant supply chain risk information with the Federal Acquisition Security Council when applicable is moved to FAR 40.102. Subpart 40.2 incorporates: Kaspersky Lab (from FAR 4.20): The prohibition on hardware, software, and services from Kaspersky Lab and its affiliates is now at FAR 40.202(b). Its definitions (Kaspersky Lab covered article, Kaspersky Lab covered entity) have been moved to the new definitions section at FAR 40.201. Section 889 (from FAR 4.21): The prohibition on contracting for certain Chinese telecommunications and video surveillance equipment and services is now located at FAR 40.202(d). The definitions are centralized at FAR 40.201. ByteDance/TikTok (from FAR 4.22): The prohibition on the presence or use of TikTok applications or services on government and contractor information technology is now located at FAR 40.202(a). The definitions are centralized at FAR 40.201. Federal Acquisition Supply Chain Security Act (FASCSA) (from FAR 4.23): The prohibition on violating an applicable FASCSA order is now located at FAR 40.202(e). Key definitions are centralized at FAR 40.201. The requirements for implementing FASCSA exclusion and removal orders have been streamlined and moved to FAR 40.204-1. Prohibited Foreign Sources (from FAR 25.7): The prohibitions related to Office of Foreign Assets Control (OFAC) restrictions, as well as specific prohibitions against contracting with entities doing business in Sudan and Iran now reside at 40.202(f), (g), and (h). New subpart 40.3 incorporates: Safeguarding Classified Information within Industry (from FAR 4.4): The policies and procedures for safeguarding classified information within industry, rooted in Executive Order 12829 and the National Industrial Security Program (NISP), have been moved to the new section 40.302. Basic Safeguarding of Covered Contractor Information Systems (from FAR 4.19): The requirements for the basic safeguarding of covered contractor information systems that contain Federal Contract Information (FCI) are retained and moved to the new section 40.303. Provision and clauses consolidated to the following: New provision 52.240-90, Security Prohibitions and Exclusions Representations and Certifications, replaces the following provisions: 52.204-24, Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment 52.204-26, Covered Telecommunications Equipment or Services—Representation 52.204-29, Federal Acquisition Supply Chain Security Act Orders—Representation and Disclosures. 52.225-20, Prohibition on Conducting Restricted Business Operations in Sudan—Certification. 52.225-25, Prohibition on Contracting with Entities Engaging in Certain Activities or Transactions Relating to Iran— Representation and Certifications. New clause 52.240-91, Security Prohibitions and Exclusions, replaces the following clauses: 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. 52.204-27, Prohibition on a ByteDance Covered Application. 52.204-28, Federal Acquisition Supply Chain Security Act Orders—Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts. 52.204-30, Federal Acquisition Supply Chain Security Act Orders—Prohibition. 52.225-13, Restrictions on Certain Foreign Purchases. 52.240-1, Prohibition on Unmanned Aircraft Systems Manufactured or Assembled by American Security Drone Act—Covered Foreign Entities. New clause 52.240-92, Security Requirements, replaces the following clause: 52.204-2, Security Requirements. New clause 52.240-93, Basic Safeguarding of Covered Contractor Information Systems, replaces the following clause: 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
Removed	Part 40 has been streamlined by merging and consolidating content from parts 4 and 25, removing redundancies, and improving clarity.

Change

Description

Retained

New subpart 40.1 incorporates:
- Sharing Supply Chain Risk Information (from FAR 4.2302): The requirement to share relevant supply chain risk information with the Federal Acquisition Security Council when applicable is moved to FAR 40.102.
Subpart 40.2 incorporates:
- Kaspersky Lab (from FAR 4.20): The prohibition on hardware, software, and services from Kaspersky Lab and its affiliates is now at FAR 40.202(b). Its definitions (Kaspersky Lab covered article, Kaspersky Lab covered entity) have been moved to the new definitions section at FAR 40.201.
- Section 889 (from FAR 4.21): The prohibition on contracting for certain Chinese telecommunications and video surveillance equipment and services is now located at FAR 40.202(d). The definitions are centralized at FAR 40.201.
- ByteDance/TikTok (from FAR 4.22): The prohibition on the presence or use of TikTok applications or services on government and contractor information technology is now located at FAR 40.202(a). The definitions are centralized at FAR 40.201.
- Federal Acquisition Supply Chain Security Act (FASCSA) (from FAR 4.23): The prohibition on violating an applicable FASCSA order is now located at FAR 40.202(e). Key definitions are centralized at FAR 40.201. The requirements for implementing FASCSA exclusion and removal orders have been streamlined and moved to FAR 40.204-1.
- Prohibited Foreign Sources (from FAR 25.7): The prohibitions related to Office of Foreign Assets Control (OFAC) restrictions, as well as specific prohibitions against contracting with entities doing business in Sudan and Iran now reside at 40.202(f), (g), and (h).
New subpart 40.3 incorporates:
- Safeguarding Classified Information within Industry (from FAR 4.4): The policies and procedures for safeguarding classified information within industry, rooted in Executive Order 12829 and the National Industrial Security Program (NISP), have been moved to the new section 40.302.
- Basic Safeguarding of Covered Contractor Information Systems (from FAR 4.19): The requirements for the basic safeguarding of covered contractor information systems that contain Federal Contract Information (FCI) are retained and moved to the new section 40.303.
Provision and clauses consolidated to the following:
- New provision 52.240-90, Security Prohibitions and Exclusions Representations and Certifications, replaces the following provisions:
  - 52.204-24, Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment
  - 52.204-26, Covered Telecommunications Equipment or Services—Representation
  - 52.204-29, Federal Acquisition Supply Chain Security Act Orders—Representation and Disclosures.
  - 52.225-20, Prohibition on Conducting Restricted Business Operations in Sudan—Certification.
  - 52.225-25, Prohibition on Contracting with Entities Engaging in Certain Activities or Transactions Relating to Iran— Representation and Certifications.
- New clause 52.240-91, Security Prohibitions and Exclusions, replaces the following clauses:
  - 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities
  - 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment.
  - 52.204-27, Prohibition on a ByteDance Covered Application.
  - 52.204-28, Federal Acquisition Supply Chain Security Act Orders—Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts.
  - 52.204-30, Federal Acquisition Supply Chain Security Act Orders—Prohibition.
  - 52.225-13, Restrictions on Certain Foreign Purchases.
  - 52.240-1, Prohibition on Unmanned Aircraft Systems Manufactured or Assembled by American Security Drone Act—Covered Foreign Entities.
- New clause 52.240-92, Security Requirements, replaces the following clause:
  - 52.204-2, Security Requirements.
- New clause 52.240-93, Basic Safeguarding of Covered Contractor Information Systems, replaces the following clause:
  - 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

Removed

Part 40 has been streamlined by merging and consolidating content from parts 4 and 25, removing redundancies, and improving clarity.

This table is not an exhaustive list.

4. Instructions

The GSA acquisition workforce must follow the RFO part 40 and corresponding 52 model deviation text instead of FAR part 40 as codified at 48 CFR Chapter 1. The Council’s RFO part 40 model deviation text is available at Acquisition.gov/far-overhaul, and is incorporated into this class deviation.
For new solicitations or contracts, when using any provisions or clauses that have been revised, utilize the RFO model deviation language at RFO FAR part 52. Do not include any of the removed provisions or clauses in future solicitations and contracts.
For open solicitations or awarded contracts, the contracting officer has discretion regarding the need to enforce or amend the provisions or clauses. Note that without some of the removed provisions or clauses, the contracting officer may be required to separately address certain aspects in the contract.
For any solicitation or contract using RFO provisions or clauses, contracting officers may include the following language:
“System updates may lag policy updates. The System for Award Management (SAM) may continue to require entities to complete representations based on provisions that are not included in this solicitation. Contracting officers will rely on representations from offers based on provisions in the solicitation. Entities are not required to, nor are they able to, update their entity registration to remove these representations in SAM.”
Contracting activities must review templates and related standard operating procedures to align with this class deviation and remove unnecessary processes and steps.

5. Applicability

This class deviation applies to all GSA procurements.

6. Authority

This class deviation is issued under the authority of EO 14275, OMB Memo M-25- 26 [PDF], 48 CFR 1.4, and RFO FAR 1.304.

7. Effective date

This class deviation is effective November 3, 2025 and remains in effect until rescinded or incorporated into the FAR.

8. Have a question?

Try asking GSAi first (upload the new RFO language and GSA’s implementing deviation, then ask your question. Please note, GSAi is accessible to GSA employees only). If you still need clarification, email the GSA Acquisition Policy Division at GSARPolicy@gsa.gov.