Sponsors
The bill tightens sourcing rules to better protect federal and citizen data and increases oversight and enforcement, but does so at the cost of narrowing the vendor pool, raising procurement costs, and risking rushed implementation.
Federal employees and taxpayers: sensitive federal and citizen data (e.g., SSNs, medical records, PII) would be less likely stored with majority-foreign-owned software firms, reducing risk of foreign access, espionage, and identity-related harms.
Taxpayers and Congress: agencies must report national-security waivers to Congress within 30 days, increasing transparency and congressional oversight of exceptions to sourcing restrictions.
Government contractors and taxpayers: false certifications or violations would enable contract termination and contractor debarment, strengthening enforcement and accountability for misrepresented ownership.
Agencies and taxpayers: the ownership-based exclusion could block access to competitively priced or specialized software and reduce availability of innovative vendors, raising costs and slowing deployments.
Government contractors, U.S.-based subsidiaries, and tech workers: certification under penalty of perjury and debarment risk may deter foreign-owned U.S. subsidiaries, complicate procurement, and narrow the vendor pool.
Federal employees, contractors, and program managers: the short 180-day deadline to amend the Federal Acquisition Regulation could rush implementation, cause procurement disruptions, and lead to inconsistent agency interpretations.
Based on analysis of 2 sections of legislative text.
Bars federal contracts for software systems holding sensitive data on 500+ federal employees with companies majority‑owned by non‑U.S. citizens, with limited national security waivers.
Introduced February 20, 2026 by Lauren Boebert · Last progress February 20, 2026
Prohibits federal agencies from entering into, renewing, or extending contracts for software systems that store, process, or provide access to sensitive personal information if the vendor is majority‑owned by non‑U.S. citizens. Offerors must certify under penalty of perjury that they are not majority‑owned by non‑U.S. citizens; agencies may grant national security waivers but must justify them in writing to congressional committees within 30 days. Violations or false certifications permit contract termination and administrative remedies such as debarment or suspension. The Federal Acquisition Regulation (FAR) must be updated within 180 days to implement the rule. Covered systems are those that handle sensitive personal information for 500 or more federal employees or officers; "sensitive personal information" is defined to include Social Security numbers, medical/health records, personally identifiable information, and other data that could lead to identity theft, personal harm, or national security risk.