Skip to main content
Loading
POWERED BY
Toggle search
Toggle navigation
Keyword Search
Sign In
Issue Areas
Toggle
Acquisition & Contracting
Appropriations & Budget
Congress & Legislative Affairs
Ethics & Compliance
Federal Health
Financial, Accounting & Auditing
Industrial Base & Competition
Information Technology
International Development & Foreign Assistance
Labor Policy
Small Business
Tax Policy
Workforce
Share on Facebook
Share on Twitter
Share on LinkedIn
Email
More options
Bookmarks
Google+
MySpace
Reddit
StumbleUpon
Tumblr
Yammer
I
n the face of rising uncertainty over data security and surveillance by foreign adversaries, the FAR Council released an interim final rule on August 13, 2019, banning Federal agencies from purchasing
telecommunications and video surveillance equipment or services from certain Chinese entities. This “Phase One” rule implements paragraph (a)(1)(A) of Section 889 of the John S. McCain National
Defense Authorization Act (NDAA) for Fiscal Year 2019.
Phase One of Section 889 Implementation: Section 889(a)(1)(A)
Phase One, effective August 13, 2019, bans purchases of covered equipment, applications, and services from five Chinese tech giants – including, most notably, Huawei Technologies Company and ZTE Corporation. The prohibition on Huawei products in particular, is expected to impact federal contractors because it has been ranked as the world’s top telecommunications
supplier
and number two
phone
manufacturer
.
The ban casts a wide net covering items and services that are “a
substantial or essential component of any system, or as critical technology
as part of any system”. Additionally, the rule requires companies to
provide a disclosure of the presence of the banned items in their supply
chain (including subcontractors / suppliers at any tier), applies below
and above the simplified acquisition threshold, and covers purchases
of commercial off-the-shelf items (COTs). Contracting Officers have
already begun implementing the FAR provision in new contract
solicitations to implement the prohibitions, including solicitations
slated for award on or after August 13th. Those new provisions are:
• FAR 52.204-24 “Representation Regarding Certain
Telecommunications and Video Surveillance Services or
Equipment,” and
• FAR 52.204-25 “Prohibition on Contracting for Certain
Telecommunications and Video Surveillance Services or
Equipment.
We know that
PSC submitted extensive comments
on this
interim rule.
But that’s not all.
Phase Two of Section 889 Implementation: Section 889(a)(1)(B)
Phase Two, slated to go into effect on August 13, 2020, requires
separate rulemaking, but is intended to extend these prohibitions
to contractors themselves. This means that the federal government
will be prohibited from contracting with organizations that use these
banned items or services as a substantial or essential component of any
system, or as critical technology as part of any system.
Given the prevalence of sourced components and technologies from
companies concentrated in China, federal contractors, particularly in
the information technology and telecommunications space, should
carefully consider vendor management practices and any exposure of
their supply chains to these prohibited sources.
But where should they begin?
Getting Ahead of Curve on Phase Two: Driving Action Based on Risk
How federal contractors respond to the upcoming regulation is
challenging because of the ubiquity of the prohibited items. Even
organizations with tight control and visibility into their suppliers may
have difficulty knowing whether prohibited items are in use if they are
purchasing items where a prohibited source is an Original Equipment
Manufacturer (
OEM
) or if an item has been “white labeled” and
repackaged under a different brand.
Contractors will want to consider a risk-based approach calibrated
to the unique characteristics of their supply chain and contractual
requirements in scoring their review. For instance, contractors may
want to examine the frequency by which they engage in projects that
may rely on covered telecommunications equipment, applications
or services to support contract performance. The greater the f
requency, the higher the risk, and the more important careful due
diligence becomes. Several recommended activities for contractors
investigating the presence of covered telecommunications and
surveillance equipment in their own supply chain and/or business
infrastructure include:
Supplier Expenditure Review:
Federal contractors may find
value in examining supplier expenditures over a specified period of
time (for example, a 12 to 24 month period) to uncover specific
banned equipment or sources that are considered to be higher risk
(distributors or resellers with ties to the specified banned Chinese
entities). Shipping records and invoices can also be helpful in
identifying OEM relationships where they are not apparent, and
inventory records can help isolate higher risk equipment. Additionally,
some MAC Address and OUI lookup
applications
can be used to
identify the manufacturer associated with certain kinds of equipment
(for example, IP cameras).
Vendor Agreement Review:
At this point it is difficult to know
precisely what Phase Two rulemaking will look like. But assuming
there are similar representations to those required in FAR 52.204-
24, from the August 13, 2019 interim rule, contractors should
talk to their suppliers and service providers around the presence of
covered equipment in their supply chains. Building ‘right to audit’
considerations into their purchasing process and requiring suppliers
and services providers to behave similarly may also be worthy of
consideration. Keep in mind that the Phase One rule effectively flows
down to all tiers, and suppliers should be encouraged and expected
to be active participants in securing the supply chain. Mandatory
monitoring activities and reporting to the prime may also be helpful
in supporting the prime contractor’s responsibilities in this area.
Supply Chain Remediation and Transition Plan:
Given the
possible reporting responsibilities, primes and higher-tier contractors
should be ready to take remedial action to change vendors should
it be discovered that it is purchasing critical technologies or services
from a banned source, or from a subcontractor who is using
covered equipment. In some cases this may mean engaging with
a subcontractor or supplier while working to identify a different
vendor. However, organizations would be wise to think about
modeling the impact to service delivery (delays and shortages) and
potential impacts to cost, while outlining a tactical plan for handling
transitions (linkages to logistics and communications systems, transfer
of information, and training), should a new supplier or subcontractor
need to be identified and integrated quickly.
In addition to these recommendations, contractors should take
steps to assess their own telecommunications and video surveillance
infrastructure to identify equipment from banned sources. This way
they are prepared to make representations should they be required
under Phase Two rulemaking.
Tracking Compliance Cost:
As effective control and
oversight of supply chain becomes increasingly difficult for federal
contractors, an appropriately designed gap assessment could
provide additional assurance and help prevent threats to business
continuity. Federal contractors with significant risk in this area may
want to consider this framework. Contractors should also carefully
track the compliance and implementation costs of adhering to
these new requirements as they may be reimbursable on fixed-price
and cost-reimbursement contracts.
As cybersecurity and surveillance threats become more ever-present,
contractors should expect to see increasingly strict federal government
requirements to secure and strengthen the federal supply chain. The
key is to understand the regulations, suppliers and service providers,
and remain vigilant about the central role the prime contractor plays
in this area. By assessing the impact early on and having an ‘eyes-wideopen’
approach to the Section 889 requirements, contractors can avoid
disruption, minimize compliance risk, and best position themselves to continue delivering value to the federal buyer.
###
This article was published October 30, 2019 in the
Fall 2019 editio
n of PSC's
Service Contractor
Magazine.
Click here to view a PDF of this article.
I
n this context, an OEM is defined as an organization that produces equipment or components that are ultimately marketed by another manufacturer (selling the finished item to end users).
Organizational Unique Identifier (OUI), assigned by the Institute of Electrical and Electronics Engineers (IEEE), is the first 24 bits of a MAC address for a network-connected device, which indicate the specific vendor for that device.
Issue Areas
{1}
##LOC[OK]##
{1}
##LOC[OK]##
##LOC[Cancel]##
{1}
##LOC[OK]##
##LOC[Cancel]##