Homeland Security Acquisition Regulation (HSAR)
Homeland Security Acquisition Regulation (HSAR): the FAR supplement for the Department of Homeland Security, codified at 48 CFR Chapter 30, governing DHS-specific contracting requirements.
What Is the Homeland Security Acquisition Regulation?
HSAR is the body of DHS-specific acquisition regulations that supplement the FAR. Just as DFARS supplements the FAR for defense contracts and FAR Part 12 (Acquisition of Commercial Items) applies across agencies, HSAR provides DHS-specific guidance that supplements the broader FAR framework.
HSAR addresses topics including: HSAR Part 3024 (Information Security) covering sensitive information handling; HSAR Part 3032 (Contract Financing) covering DHS-specific financing approaches; HSAR Part 3052 (Solicitation Provisions and Contract Clauses) including HSAR clauses incorporated into DHS contracts; and many other DHS-specific requirements. DHS components implement HSAR through their own contracting offices and procurement systems.
Major DHS contract vehicles (e.g., DHS EAGLE II for IT services, FirstSource for diverse contracting needs) operate under HSAR overlays on the underlying FAR framework. Contractors must comply with both FAR and HSAR requirements when performing DHS contracts.
Key Characteristics
HSAR has several defining attributes. It supplements the FAR: HSAR does not replace FAR; it adds DHS-specific requirements on top of FAR baseline.
It applies to all DHS components: every DHS contracting office uses HSAR alongside FAR. It is cybersecurity-intensive: DHS's national cybersecurity mission drives substantial HSAR cybersecurity requirements, particularly for contracts handling sensitive information.
It addresses foreign ownership: HSAR includes specific provisions for critical infrastructure contracts requiring foreign ownership review. It is regularly updated: HSAR is periodically revised through formal rulemaking.
It is published in the CFR: codified at 48 CFR Chapter 30, available on eCFR. Each characteristic shapes how contractors comply with HSAR on DHS contracts.
How It Works in Government Contracting
HSAR operates as the DHS-specific overlay on FAR-based federal contracting. First, during proposal preparation, contractors pursuing DHS contracts must review both FAR and HSAR for applicable clauses and requirements. The solicitation typically incorporates both FAR and HSAR clauses by reference.
Second, contractors structure their proposals to comply with HSAR-specific requirements: information security plans for HSAR 3024-applicable contracts; foreign ownership disclosures for critical infrastructure contracts; specific certifications and representations required by HSAR.
Third, during contract performance, contractors must comply with HSAR-incorporated clauses, which may include enhanced cybersecurity requirements, sensitive information handling protocols, and DHS-specific reporting requirements. Fourth, DHS contracting officers and contracting officer's representatives oversee HSAR compliance throughout performance.
Fifth, DHS audits and reviews assess HSAR compliance alongside FAR compliance. Non-compliance with HSAR can result in cost disallowance, contract performance issues, or in extreme cases termination.
Real-World Example
A federal contractor pursues a $20 million DHS IT services contract involving sensitive but unclassified information handling. The solicitation incorporates both FAR clauses (FAR 52.204 series, FAR 52.227 series) and HSAR clauses (HSAR 3052.204-71 Contractor Employee Access, HSAR 3052.204-72 Safeguarding of Controlled Unclassified Information).
The contractor's proposal includes: standard FAR-required certifications and representations; HSAR-required information security plan describing the contractor's CUI handling procedures; HSAR-required employee access procedures including suitability screening; and FAR-required small business utilization plan.
After award, the contractor performs the contract with HSAR-compliant CUI handling, employee access management, and cybersecurity controls. During DHS contract administration reviews, the contractor demonstrates compliance with both FAR and HSAR requirements. The contract earns positive CPARS ratings, which the contractor cites in subsequent DHS pursuits.
The HSAR compliance discipline becomes a competitive moat: contractors that handle HSAR well differentiate themselves in DHS source selection.
Regulatory Framework
The Homeland Security Acquisition Regulation is codified at 48 CFR Chapter 30 (HSAR), which supplements 48 CFR Chapter 1 (FAR). HSAR is issued and maintained by the DHS Office of the Chief Procurement Officer.
Updates are made through formal rulemaking under 5 USC § 553 (Administrative Procedure Act). HSAR works in conjunction with the FAR: FAR Part 1.301 establishes that agency supplements like HSAR may add to but not contradict FAR requirements.
HSAR addresses topics where DHS has specific statutory authority or operational requirements warranting agency-specific guidance. DHS cybersecurity requirements under HSAR intersect with broader federal cybersecurity policy including NIST SP 800-171 (for CUI handling), the Federal Information Security Modernization Act (FISMA), and DHS-specific cyber directives. Bid protests of DHS contracts follow FAR 33.103 and 41 USC 3553.
Why It Matters for Contractors
For contractors pursuing DHS work, HSAR compliance is essential and a competitive differentiator. Contractors that handle HSAR-specific requirements well (cybersecurity, sensitive information handling, foreign ownership) capture DHS contracts more reliably than contractors that focus only on FAR baseline compliance.
HSAR engagement interacts with NIST SP 800-171 (the cybersecurity controls underlying many HSAR cybersecurity requirements), with USSS TISS and other DHS contract vehicles (which operate under HSAR overlays), with Industrial Security Committee engagement (for classified DHS work), with past performance (DHS-specific CPARs reflect HSAR compliance performance), and with Federally Funded R&D Centers (DHS FFRDCs operate within HSAR framework). Contractors that develop sustained DHS practices treat HSAR mastery as a core capability.
Common Misconceptions
HSAR replaces the FAR for DHS contracts.
HSAR supplements the FAR; DHS contracts must comply with both FAR and HSAR. HSAR does not replace baseline FAR requirements; it adds DHS-specific requirements on top.
All DHS components use the same procurement processes.
Largely yes (HSAR applies across components), but individual components have specific procurement practices, vehicle ecosystems, and contracting office structures. TSA procurement looks different from USSS procurement despite both being governed by HSAR.
HSAR cybersecurity requirements are the same as FAR cybersecurity requirements.
Often more rigorous. HSAR cybersecurity provisions, particularly HSAR 3052.204-72 (Safeguarding of CUI), often establish enhanced requirements specific to DHS's cybersecurity mission and the sensitive nature of DHS operations.
Frequently Asked Questions
Where can I find HSAR clauses?
48 CFR Chapter 30 (HSAR), available through the eCFR. Specific clauses are at HSAR Part 3052 (Solicitation Provisions and Contract Clauses). The DHS Office of the Chief Procurement Officer publishes additional guidance.
Does HSAR apply to subcontracts under DHS prime contracts?
Many HSAR clauses include flow-down requirements, particularly cybersecurity and sensitive information provisions. The specific HSAR clauses incorporated into the prime contract determine the subcontract flow-down obligations.
How does HSAR address foreign ownership?
HSAR includes provisions requiring foreign ownership disclosure and review for contracts involving critical infrastructure, sensitive information, or national security considerations. Specific HSAR clauses (e.g., HSAR 3052.219 series) address foreign ownership considerations.
Is HSAR updated frequently?
Periodically through formal rulemaking. Major updates respond to evolving cybersecurity threats, statutory changes, or operational requirements. Contractors should monitor HSAR updates through the eCFR and DHS procurement notices.
Related Government Contracting Topics
NIST SP 800-171: Cybersecurity controls underlying many HSAR cybersecurity requirements.
USSS TISS: USSS IT services contract vehicle operating under HSAR overlay.
Industrial Security Committee: Forum for cleared contractor policy engagement; relevant to classified DHS work.
Federally Funded R&D Center (FFRDC): DHS FFRDCs operate within HSAR framework.
Past Performance: DHS-specific CPARs reflect HSAR compliance performance.
How LotusPetal AI Helps
LotusPetal AI's capture and proposal automation platform helps federal contractors manage HSAR compliance, DHS contract pursuit, and component-specific procurement strategy with the same discipline as the largest primes. The platform combines compliance automation, AI-assisted proposal drafting, and structured capture workflows so teams capture the right opportunities, write compliant proposals, and protect their win rate.