Industry coalition calls for 'annual certification' in federal ban on China-based IT products

Inside Cybersecurity  | Rick Weber
October 22, 2019

A coalition of industry groups is urging the Defense Department, General Services Administration and NASA to revise a federal acquisition rule issued this summer that bans the government from purchasing IT and video surveillance products from China, calling for an “annual certification” process to assist small businesses and other steps in providing greater specificity to the requirements.

“This regulation has far reaching consequences for the federal contractor community, and given that the rule was effective on the day it was published, our members were not provided much time to prepare,” Professional Services Council executive vice president Alan Chvotkin said in a statement issued Monday.

“Adoption of our recommendations would greatly ease the administrative and logistical burdens imposed by the new rule and ensure that companies are not risking compliance or false representation based on vague definitions and unclear applications,” Chvotkin said.

Specifically, PSC is calling on the federal government to establish a certification process that would allow contractors to attest each year that they do not use any China-based products covered by the purchasing ban.
“We urge the government to act expeditiously to implement an annual certification through the System for Award Management (SAM) database, as referenced in the supplemental information accompanying the rule,” writes PSC in its Oct. 15 comments to DOD, GSA and NASA in response to an interim rule issued in August.

The rule was required by the fiscal 2019 National Defense Authorization Act to ban the government's use of products and services from China-based tech companies such as Huawei and ZTE. The interim rule is focused on purchases by the federal agencies, but the ban will be extended to the private sector next summer for companies that want to do business with the federal government.

Possible revisions
The industry comments submitted last week offer an initial insight into the pressures faced by DOD and the civilian agencies for revising the rule which is at the forefront of the federal government's efforts to secure the supply chains of critical services and operations from foreign threats.

“Many of our associations’ companies, and others in the federal market, may not be impacted by this regulation’s prohibition on the covered telecommunications equipment and services, but will be impacted by the administration of implementing this prohibition,” says PSC in arguing for an annual attestation by contractors of not using Huawei, ZTE or other Chinese products covered by the rule.

“For these companies, a one-time, annual certification, rather than offer-by-offer representation, would dramatically reduce the administrative burden on, and the compliance costs for, both the government and federal contracting community,” writes PSC in its comments along with several other contractor groups.

The groups also call on the federal agencies to clarify the rule's definition of components and services covered by the purchasing ban, to ensure consistent implementation across the government.

“We urge the government to better clarify and ensure a consistent application of the rule’s circular definition of 'substantial or essential,'” writes PSC in its comments laying out eight recommendations for revising the interim rule.

The current definition, “coupled with the authority of individual agencies to determine if a component meets these criteria, lacks certainty for offerors and contractors and could result in inconsistent application of the coverage and of waivers across the government,” according to PSC. “Our associations urge the government to clarify this critical definition and also ensure consistent application government-wide to avoid confusion among the contractor community (including between similar contracts) as to what specific components or services are covered by the prohibition.”

The call for greater specificity in the rule was echoed by other business and defense industry groups.

The Aerospace Industries Association says the “vagueness” of the rule leaves contractors in the dark about how to mitigate risks to their own supply chains.

“The vagueness of the interim rule regarding what it means to provide a service that 'uses' covered telecommunications equipment introduces substantial risk of inadvertent non-compliance,” according to AIA. “A definition or example would be helpful,” the defense industry group asserts in its Oct. 15 comments.
Without such clarity, the aerospace group says contractors will have difficulty in figuring out from whom to purchase equipment. “How will contractors know which entities this covers? Will DOD maintain a publicly-available list, or will entities be identified in RFPs, or in some other way? Alternatively, will DOD maintain a list of approved [original equipment manufacturers] or vendors?” the group asks.

“AIA suggests that this requirement be implemented in a way that gives industry sufficient notice if an entity is covered, to allows industry to investigate and remediate the impact to its supply chain.”

Call for 'standardized' reporting
The U.S. Chamber of Commerce also raises concerns about the impact of the rule on businesses, and calls for greater certainty about reporting requirements.
“The rule subjects businesses to an untested compliance regime, raising understandable concerns from many in industry about the effectiveness of their due diligence programs,” according to the Chamber, while urging “DOD et al. to take the following issues into account as they modify the rule,” including a standardized form for contractors to certify compliance.

“The Chamber believes that the rule should provide for standardized language regarding making representations. A model form, for example, could be used by offerors to voluntarily self-certify they will or will not provide covered equipment to the government in the performance of a contract or a related solicitation,” according to the business group's Oct. 15 comments.

“A standard document should include citations to relevant statutes and regulations. Indeed, the government has provided standardized approaches to meeting certifications in other situations (e.g., the Buy American Act),” the Chamber argues. “In sum, the inclusion of a uniform document could contribute to greater accuracy and consistency in the representations and disclosures that contractors and subcontractors are called on to make.”

The interim final rule was published by DOD, the General Services Administration and NASA in the Federal Register on Aug. 13, adopting requirements spelled out in section 889 of the fiscal 2019 National Defense Authorization Act.
The rule takes a far-reaching approach to the types of IT and video surveillance products covered by the restrictions, saying commercially available off-the-shelve items would pose a security threat to government systems even though they remain widely available in the marketplace.

"While the law does not specifically address acquisitions of commercial items, including COTS items, there is an unacceptable level of risk for the Government in buying equipment, systems, or services that use covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system," according to the rule.

The regulation, however, does allow for exceptions, a provision that has attracted the attention of industry officials who worry about the potential disruptive effects of the rule on the nation's IT and communications supply chain.