Subject to 239.7304, the individuals authorized in 239.7303 may, in the course of procuring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system—
(a) Exclude a source that fails to meet qualification standards established in accordance with the requirements of 10 U.S.C. 2319, for the purpose of reducing supply chain risk in the acquisition of covered systems;
(b) Exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order;
(c) Withhold consent for a contractor to subcontract with a particular source or direct a contractor for a covered system to exclude a particular source from consideration for a subcontract under the contract; and
(d) Limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information relating to the basis for carrying out any of the actions authorized by paragraphs (a) through (c) of this section, and if such disclosures are so limited—
(1) No action undertaken by the individual authorized under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court; and
(2) The authorized individual shall—
(i) Notify appropriate parties of action taken under paragraphs (a) through (d) of this section and the basis for such action only to the extent necessary to effectuate the action;
(ii) Notify other Department of Defense components or other Federal agencies responsible for procurements that may be subject to the same or similar supply chain risk, in a manner and to the extent consistent with the requirements of national security; and
(iii) Ensure the confidentiality of any such notifications.
[78 FR 69271, Nov. 18, 2013, as amended at 80 FR 67251, Oct. 30, 2015]