The bill prohibits executive agencies from entering into, renewing, or extending contracts for "covered software systems" with any company that is majority‑owned by non‑U.S. citizens. It requires offerors to certify under penalty of perjury that they are not an "internationally owned software company," authorizes agency heads to waive the prohibition for national‑security reasons with a 30‑day congressional notification, and allows contract termination and debarment for violations or false certifications.
The statute directs a FAR update within 180 days and defines key terms, including covered systems (those that store or process sensitive personal information for 500 or more federal employees/officers) and sensitive personal information (Social Security numbers, medical records, PII, or other data that could cause identity theft or national‑security risk).
This is a procurement‑centric national‑security provision that reshapes which software vendors are eligible to supply systems containing sensitive federal personnel data. For procurement teams, vendors, and compliance officers it creates new screening, certification, and contract‑monitoring tasks; for vendors it can remove access to a sizeable portion of the federal market unless ownership structures are altered or waivers granted.
The bill also creates potential operational and legal friction points — ownership verification, subsidiary arrangements, and the short FAR‑update deadline are likely to drive immediate policy and operational work across agencies and industry.
At a Glance
What It Does
The bill bars agencies from awarding, renewing, or extending contracts for software systems that handle sensitive personal information for 500+ federal employees if the contractor is majority‑owned by non‑U.S. citizens. It mandates per‑contract, per‑offeror certifications under penalty of perjury, permits case‑by‑case national‑security waivers with written congressional notice, and authorizes termination and debarment for breaches.
Who It Affects
Federal procurement officers, contracting officers and FAR practitioners; software vendors that process federal personnel data (including cloud and SaaS providers); U.S. subsidiaries of foreign parents and compliance/legal teams that advise ownership structuring and vendor due diligence.
Why It Matters
It shifts procurement eligibility from capability‑based tests to ownership‑based exclusions for a class of systems, forcing agencies and bidders to add ownership vetting to their acquisition lifecycle. The short FAR amendment clock and civil/criminal exposure for false certifications raise compliance and program‑continuity stakes.
What This Bill Actually Does
The core operative rule is straightforward on paper: agencies cannot contract for covered software systems with a company that is majority‑owned by non‑U.S. citizens. "Covered software systems" are those that store, process, or provide access to sensitive personal information for 500 or more federal employees or officers. Because the prohibition applies to entering into, renewing, or extending contracts, existing relationships are at risk at each contract milestone.
The bill forces a new, affirmative step in procurement: every offeror for a covered system contract must certify — under penalty of perjury — that it is not an internationally owned software company. That certification is a legal instrument: the agency can terminate a contract and pursue remedies, including debarment, if it later finds a violation or a false statement.
The perjury framing raises the stakes for corporate officers and legal representatives who sign bid documents.
There is a waiver pathway: agency heads may waive the prohibition and the certification requirement when they conclude a waiver is necessary for national security, but they must submit a written justification to the appropriate congressional committees within 30 days of granting the waiver. This creates a clear oversight trigger: waivers are permitted, but they carry a formal notice requirement that committees can scrutinize.
The bill also requires the FAR to be amended within 180 days to implement these rules.
That timeline compels procurement policy teams to draft new clauses, reporting and vetting procedures quickly. Finally, the definitions matter in practice: "internationally owned" hinges on majority ownership by non‑U.S. citizens and explicitly includes subsidiaries; "sensitive personal information" includes SSNs, medical records, PII, and a catch‑all for information that could reasonably lead to identity theft, personal harm, or national‑security risk.
Those definitions will drive many of the compliance and legal questions about scope, vendor eligibility, and how agencies assess ownership.
The Five Things You Need to Know
Covered software systems are defined by a 500+ federal employees/officers threshold — the prohibition applies only when such systems store/process/access sensitive personal information for that population size.
An "internationally owned software company" is any company (or subsidiary) with majority ownership held by individuals who are not U.S. citizens — ownership percentage, control mechanisms, and holding structures will be decisive.
Offerors must certify under penalty of perjury that they are not internationally owned; a false certification can trigger contract termination, suspension, debarment, and other legal remedies.
Agency heads can waive the prohibition for national‑security reasons, but must submit a written justification to appropriate congressional committees no later than 30 days after granting the waiver.
The bill requires updating the Federal Acquisition Regulation within 180 days of enactment to add contract clauses, verification steps, and enforcement mechanisms implementing the statute.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Provides the Act's official name, "Contracting America First Act." This is a conventional drafting element but signals legislative intent to prioritize domestic ownership in federal contracting for the specified systems.
Ban on contracts with internationally owned software companies
Directs agency heads not to enter into, renew, or extend contracts for covered software systems with companies that are majority‑owned by non‑U.S. citizens. Practically, this creates an ownership‑based exclusion that applies at contract initiation and at renewal points, meaning contracting officers must screen for ownership early in source selection and again during options/renewals.
Per‑contract per‑offeror certification under penalty of perjury
Requires that solicitations for covered software systems include a requirement that offerors certify, under penalty of perjury, that they are not internationally owned. This moves ownership verification into the offer/submission stage and makes a corporate representative legally accountable for the truthfulness of the statement, exposing signatories to criminal/perjury risk if false.
National‑security waiver with congressional notice
Allows agency heads to waive the prohibition and certification requirement when necessary in the interest of national security, but conditions the waiver on a written justification sent to relevant congressional committees within 30 days. The mechanics set up an administrative discretion plus an accountability path for oversight committees to review or query waiver decisions.
Contract remedies, FAR implementation, and key definitions
Gives agencies authority to terminate contracts for default or convenience and to pursue remedies including debarment when the prohibition is violated or a certification is knowingly false. Requires the FAR to be amended within 180 days, forcing rapid clause development and verification procedures. Defines central terms: covered software system (sensitive data for 500+ employees/officers), internationally owned (majority non‑U.S. citizen ownership, including subsidiaries), and sensitive personal information (SSN, medical records, PII, or other data that could cause identity theft, personal harm, or national‑security risk). These definitions will shape scope disputes and compliance designs.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal employees and officers whose sensitive data the bill aims to protect — the ownership restriction is intended to reduce the risk that foreign‑controlled companies could access or exfiltrate personnel data.
- Federal cybersecurity and privacy teams — agencies gain an ownership‑centric policy tool to exclude vendors judged higher‑risk, simplifying a portion of supply‑chain risk management for covered personnel systems.
- U.S.-owned software vendors and domestic builders — the exclusion reduces foreign competition for a defined class of federal contracts, potentially expanding addressable market share for domestic providers.
Who Bears the Cost
- Internationally owned software companies and foreign‑controlled vendors — they lose eligibility for covered system contracts unless they restructure ownership or secure a waiver, which can cut off a portion of the federal market.
- Contracting officers and agency acquisition teams — agencies must implement ownership verification processes, update solicitations and contract clauses, and manage waiver justifications, adding procurement workload and legal vetting needs.
- U.S. subsidiaries of foreign parents that do business in the U.S. — these entities may be caught by the majority‑ownership test despite being operationally U.S.-based, creating compliance and market‑access headaches.
- Program offices that rely on specific vendors — rapid FAR changes and contract terminations risk program continuity and could force costly migrations if a vendor is later found ineligible or is debarred.
Key Issues
The Core Tension
The bill pits a clear national‑security and data‑protection objective — keeping sensitive federal personnel data out of companies majority‑owned by non‑U.S. citizens — against the procurement tradeoffs of reduced competition, possible higher costs, and practical difficulties verifying ownership and corporate structures; choosing strict ownership screening improves one dimension of risk while likely creating new operational and capability risks for federal programs.
The statute's practical effect depends on contested and operationally heavy definitions. "Majority ownership" can be straightforward for publicly traded companies but murky for multi‑tiered holding structures, dual‑nationality founders, or private equity portfolios. The inclusion of subsidiaries in the definition broadens coverage but creates edge cases where a U.S. subsidiary has independent management and operations despite a foreign parent.
Agencies will need a methodology to assess beneficial ownership, control, and indirect ownership that stands up to both litigation and commercial reality.
The certification‑plus‑perjury approach increases the legal risk for corporate signatories but is only as effective as the agency's ability to validate ownership claims. False certifications may be discovered months or years after contract award, and termination or debarment remedies could disrupt mission operations.
The 180‑day FAR amendment deadline compresses rulemaking and administrative drafting, likely producing terse clauses that agencies must operationalize with guidance, vetting templates, and possibly additional resource investments. The broad residual category for "sensitive personal information" and the 500‑employee cutoff create potential arbitrage: vendors may split systems or argue narrow applicability to avoid the rule, and agencies may face litigation over whether a given system meets the covered threshold.
Last, the policy trades off supply‑chain security against procurement competition and capability. Excluding foreign‑owned suppliers may reduce certain geopolitical risks but could also reduce competition, increase costs, and limit access to specialized cloud or analytics capabilities where U.S. alternatives are immature.
Waivers provide a backstop for national‑security needs, but the written‑justification process sets up political and oversight scrutiny that could deter agencies from using the waiver except in obvious cases.