The federal government recently undertook a supply chain protection action involving Acronis, a Swiss global technology company specializing in cybersecurity and data protection software.
On September 15, 2025, the Director of the Office of National Intelligence (DNI) upon recommendation from the Federal Acquisition Security Council (FASC) issued a Federal Acquisition Supply Chain Act (FASCA) order against Acronis AG and its subsidiaries and affiliates (Acronis). The order is effective as of July 11, 2025, and impacts companies that sell to the Intelligence Community (IC). The FASCA order excludes Acronis from IC contracts and directs the removal of Acronis equipment, technology, and services from IC information systems and sensitive compartmented information systems.
Specifically, the order states:
FASCA Order—Acronis and all subordinate, subsidiary, or affiliated organizations doing business under various names in support of the parent company, Acronis AG (Acronis), that the DNI has issued an order to exclude Acronis from all Intelligence Community (IC) executive agency procurement actions. It further orders the removal of covered articles provided by Acronis from information systems applicable to the IC and sensitive compartmented information systems. This order was issued pursuant to the Federal Acquisition Supply Chain Security Act of 2018, Pub. L. No. 115-390, title II; codified at 41 U.S.C. §§ 1321-1328. The basis for this order pertains to information as was relayed to Acronis in the Notice to Source document. Additional information is available in an Announcement on the NRO JWICS Acquisition Research Center Dashboard, search Acronis.
In addition, the General Services Administration (GSA) has removed Acronis products from GSA Advantage and directed GSA-schedule contractors to take such actions as to review their contracts for Acronis products and services, report any Acronis product they provided to the government, and ensure subcontractors comply with the FASCA order.
Brief FASCA Overview
The FASCA established the FASC as part of the executive branch. The FASC meets on a quarterly basis and consists of representatives from the Office of Management and Budget, GSA, Office of the Director of National Intelligence, and U.S. Departments of Homeland Security, Justice, Defense, and Commerce. It seeks to mitigate supply chain risk of “covered articles” in federal government acquisitions. Covered articles are defined as:
- information technology (to include cloud computing);
- telecommunications equipment and services;
- information processing on information systems; and
- hardware, systems, devices, software, or services that include embedded or incidental information technology.
The FASC has the authority to recommend exclusion of sources and covered articles when it determines there is a risk. The actual authority to issue an exclusion order (i.e., FASCA order) is with the Secretary of Homeland Security, Secretary of Defense, or Director of National Intelligence.
FASCA orders apply to contractors through the clause at FAR 52.204-30. Under the clause, contractors shall not provide or use during contract performance a covered article identified in a FASCA order. The clause requires contractors to review www.sam.gov every three months for any FASCA orders and should there be one, conduct a “reasonable inquiry to identify whether a covered article or product or service” was provided to the government or used in performing the contract, to include by subcontractors at any tier. The contractor must notify the contracting officer within three business days if it has provided or used a covered article, and disclose, among other information, the name of the product or service provided or used, name of the vendor (if applicable), and any mitigation actions taken. Within 10 business days of the initial notification, the contractor must disclose any additional information about mitigation actions and efforts taken to prevent future submission or use of the covered article. Upon notification from the contracting officer, the contractor may be required to remove any product or service produced or provided by a source identified in a FASCA order.
Next Steps
The FASCA order against Acronis applies to the IC, which consists of 18 agencies. Companies doing business with any of these entities should review their contracts to see if they include FAR 52.204-30. If they do, the company must conduct a reasonable inquiry to determine whether it or a subcontractor has provided or used Acronis technology in performing the contract and make the required three-day and ten-day notifications if applicable. Additionally, companies with GSA-schedule contracts should review the direction from GSA. Companies should stay engaged with their contracting officers to ensure transparency, timely sharing of information, and compliance.
Furthermore, as a result of the FASCA order, Acronis may be added to the Federal Communications Commission’s (FCC) Covered List. Maintained under the Secure and Trusted Communications Networks Act, the Covered List includes “any communications equipment or service that poses an unacceptable risk to the national security of the United States.” Determinations by both the FASC and the DNI are among the sources the FCC may rely on when updating the Covered List. If the FCC concludes that Acronis products or services qualify as “communications equipment or services,” the company could be added.
If listed, Acronis would be prohibited from receiving FCC equipment authorizations and face broader restrictions within the communications supply chain. Companies that use or integrate Acronis technologies should therefore monitor FCC updates and prepare to adjust compliance and procurement practices accordingly.
This is the first FASCA order ever issued, so there may be lessons learned for both the government and industry as it is implemented.
