In the face of rising uncertainty over data security and surveillance by foreign adversaries, the FAR Council released an interim final rule on August 13, 2019, banning Federal agencies from purchasing telecommunications and video surveillance equipment or services from certain Chinese entities. This “Phase One” rule implements paragraph (a)(1)(A) of Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019.

Phase One of Section 889 Implementation: Section 889(a)(1)(A)
Phase One, effective August 13, 2019, bans purchases of covered equipment, applications, and services from five Chinese tech giants – including, most notably, Huawei Technologies Company and ZTE Corporation. The prohibition on Huawei products in particular, is expected to impact federal contractors because it has been ranked as the world’s top telecommunications supplier and number two phone manufacturer.

The ban casts a wide net covering items and services that are “a 
substantial or essential component of any system, or as critical technology as part of any system”. Additionally, the rule requires companies to provide a disclosure of the presence of the banned items in their supply chain (including subcontractors / suppliers at any tier), applies below and above the simplified acquisition threshold, and covers purchases of commercial off-the-shelf items (COTs). Contracting Officers have already begun implementing the FAR provision in new contract solicitations to implement the prohibitions, including solicitations slated for award on or after August 13th. Those new provisions are:
• FAR 52.204-24 “Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment,” and
        • FAR 52.204-25 “Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment.

We know that PSC submitted extensive comments on this interim rule.

But that’s not all.

Phase Two of Section 889 Implementation: Section 889(a)(1)(B)
Phase Two, slated to go into effect on August 13, 2020, requires separate rulemaking, but is intended to extend these prohibitions to contractors themselves. This means that the federal government will be prohibited from contracting with organizations that use these banned items or services as a substantial or essential component of any system, or as critical technology as part of any system.

Given the prevalence of sourced components and technologies from 
companies concentrated in China, federal contractors, particularly in the information technology and telecommunications space, should carefully consider vendor management practices and any exposure of their supply chains to these prohibited sources.

But where should they begin?

Getting Ahead of Curve on Phase Two: Driving Action Based on Risk
How federal contractors respond to the upcoming regulation is challenging because of the ubiquity of the prohibited items. Even organizations with tight control and visibility into their suppliers may have difficulty knowing whether prohibited items are in use if they are purchasing items where a prohibited source is an Original Equipment Manufacturer (OEM) or if an item has been “white labeled” and repackaged under a different brand.

Contractors will want to consider a risk-based approach calibrated to the unique characteristics of their supply chain and contractual requirements in scoring their review. For instance, contractors may want to examine the frequency by which they engage in projects that may rely on covered telecommunications equipment, applications or services to support contract performance. The greater the frequency, the higher the risk, and the more important careful due diligence becomes. Several recommended activities for contractors investigating the presence of covered telecommunications and surveillance equipment in their own supply chain and/or business infrastructure include:

Supplier Expenditure Review: Federal contractors may find value in examining supplier expenditures over a specified period of time (for example, a 12 to 24 month period) to uncover specific banned equipment or sources that are considered to be higher risk (distributors or resellers with ties to the specified banned Chinese entities). Shipping records and invoices can also be helpful in identifying OEM relationships where they are not apparent, and inventory records can help isolate higher risk equipment. Additionally, some MAC Address and OUI lookup applications can be used to identify the manufacturer associated with certain kinds of equipment (for example, IP cameras).

Vendor Agreement Review: At this point it is difficult to know precisely what Phase Two rulemaking will look like. But assuming there are similar representations to those required in FAR 52.204-
24, from the August 13, 2019 interim rule, contractors should talk to their suppliers and service providers around the presence of covered equipment in their supply chains. Building ‘right to audit’
considerations into their purchasing process and requiring suppliers and services providers to behave similarly may also be worthy of consideration. Keep in mind that the Phase One rule effectively flows down to all tiers, and suppliers should be encouraged and expected to be active participants in securing the supply chain. Mandatory monitoring activities and reporting to the prime may also be helpful in supporting the prime contractor’s responsibilities in this area.

Supply Chain Remediation and Transition Plan: Given the possible reporting responsibilities, primes and higher-tier contractors should be ready to take remedial action to change vendors should
it be discovered that it is purchasing critical technologies or services from a banned source, or from a subcontractor who is using covered equipment. In some cases this may mean engaging with
a subcontractor or supplier while working to identify a different vendor. However, organizations would be wise to think about modeling the impact to service delivery (delays and shortages) and
potential impacts to cost, while outlining a tactical plan for handling transitions (linkages to logistics and communications systems, transfer of information, and training), should a new supplier or subcontractor need to be identified and integrated quickly.

In addition to these recommendations, contractors should take steps to assess their own telecommunications and video surveillance infrastructure to identify equipment from banned sources. This way they are prepared to make representations should they be required under Phase Two rulemaking.

Tracking Compliance Cost:
As effective control and 
oversight of supply chain becomes increasingly difficult for federal contractors, an appropriately designed gap assessment could provide additional assurance and help prevent threats to business continuity. Federal contractors with significant risk in this area may want to consider this framework. Contractors should also carefully track the compliance and implementation costs of adhering to these new requirements as they may be reimbursable on fixed-price and cost-reimbursement contracts.

As cybersecurity and surveillance threats become more ever-present, 
contractors should expect to see increasingly strict federal government requirements to secure and strengthen the federal supply chain. The key is to understand the regulations, suppliers and service providers, and remain vigilant about the central role the prime contractor plays in this area. By assessing the impact early on and having an ‘eyes-wideopen’ approach to the Section 889 requirements, contractors can avoid disruption, minimize compliance risk, and best position themselves to continue delivering value to the federal buyer. 

###

This article was published October 30, 2019 in the Fall 2019 edition of PSC's Service Contractor Magazine.

In this context, an OEM is defined as an organization that produces equipment or components that are ultimately marketed by another manufacturer (selling the finished item to end users).

Organizational Unique Identifier (OUI), assigned by the Institute of Electrical and Electronics Engineers (IEEE), is the first 24 bits of a MAC address for a network-connected device, which indicate the specific vendor for that device.