IT Security Guru
Section 889: the US Regulation that extends far beyond the US

Andy Norton, chief cyber risk officer at Armis, explains why manufacturers and suppliers must pay attention to a US regulation whose reach extends beyond US borders and even into people's homes

by Guru Writer
October 14, 2021
in News

One of the largest security threats a country faces is the compromise of sensitive government systems and data. As the world undergoes continual digital transformation, the devices we rely on in both our personal and working lives are increasingly manufactured in countries considered potentially, or even actively, hostile to our national interests. The U.S. Department of Defense (DoD) took a step toward countering this threat by issuing an interim rule that amends the Federal Acquisition Regulation (FAR) to implement Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA). The rule took effect on 13 August 2020 and implements the prohibition on the use of covered telecommunications equipment and services, while also clarifying the ban on buying such equipment that has been in force since August 2019. The end goal is to reduce the threat that such equipment, and the cyber-attacks it could enable, poses to national security.

In effect, the Section 889 ban prohibits federal agencies from doing business with any entity that uses telecommunications or video surveillance equipment or services manufactured or provided by certain named companies, or by any of their subsidiaries or affiliates, with known connections to China. The rule exists to deny threat actors a foothold from which to exfiltrate information and intellectual property, a risk to both the U.S. government and industry.

Five specific companies fall under the category of 'prohibited technology'. The restrictions exist for the purposes of public safety, the security of government facilities, the physical security surveillance of critical infrastructure and other national security purposes. More specifically, the restrictions cover telecommunications equipment and services produced by Huawei Technologies and ZTE Corporation, or any subsidiary or affiliate of either. They also cover video surveillance and telecommunications equipment and services produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company or Dahua Technology Company, or any of their affiliates or subsidiaries. There are no exemptions for commercial item contracting, and the ban applies to all purchases regardless of contract size or order value. The Secretary of Defense also has the authority to designate, and so bring within the ban, any entity reasonably believed to be owned or controlled by, or otherwise connected to, the government of a covered foreign country.

 

What are the implications? 

The rule affects a wide range of sectors and companies. It encompasses banking, healthcare, information technology, higher education, travel and transportation, among others, and applies to both federal and commercial business. While Section 889 is a U.S. regulation, it extends far beyond U.S. borders, and even into people's homes, because technology used by employees who work from home is not exempt.

The rule encompasses prime contractors along with their subcontractors, with the prime contractor responsible for both, and it extends to other contractual agreements connected to a government contract. It is important to note that the rule does not only affect contractors or suppliers that work directly for the DoD, GSA or NASA. Three specific FAR clauses implement these prohibitions (FAR 52.204-24, 52.204-25 and 52.204-26), and contractors must comply with all of them.

Under the FAR clauses, a prime contractor must make a "reasonable inquiry" into its own use of prohibited equipment or services before submitting any offer for work. This inquiry is specifically "designed to uncover any information in the entity's possession about the identity of the producer or provider of covered telecommunications equipment or services". In addition, contractors must report any previously undisclosed use of prohibited equipment or services within one business day of identifying it, and must follow up within 10 business days with any further information they have obtained. Basic ordering agreements must also carry a clause obliging contractors to report any use of covered telecommunications equipment or services discovered during performance of the contract. There is no connectivity requirement: equipment may still be covered if it is capable of transmitting data when connected to the internet, even if it is installed on a closed network.

Under the definition of covered technology, any public or private organisation that deals with these agencies may be considered a contractor or subcontractor and is therefore affected. Healthcare contractors, payors or providers paid by the U.S. government fall into this category as well, including contractors for the National Institutes of Health (NIH), the Defense Health Agency (DHA) and the Department of Veterans Affairs (VA). To complicate matters further, the definition of 'use' is ambiguous to say the least: the rule defines it as any use, "regardless of whether that use is under a Federal contract." Consequently, contractors and suppliers alike must know exactly which telecommunications and video surveillance services and equipment they operate. Breaching a contract by submitting an inaccurate representation, or by failing to provide an acceptable product, can lead to cancellation or termination along with hefty fines.

 

Planning on working with a U.S. Government Agency?

With the implications of the Section 889 ban extending far beyond the United States, any company that already holds a contract with a U.S. government agency, or plans to submit a proposal for work, should be mindful of several things. It is vital that a company reviews its IT asset inventory and supplier agreements before beginning to work with or for a U.S. government agency. It must determine whether it, or any of its subcontractors, uses equipment or services that fall under the category of 'prohibited technology'. Contractors must also conduct a "reasonable inquiry" into any banned equipment or services and keep the documentation that supports that inquiry available. It is essential that companies identify equipment that can be replaced, or isolated from their contracted work.
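The inventory review described above, together with the reporting duties in the earlier section, is the kind of check that is easiest to get wrong by hand: a vendor string spelled differently, a camera that is rebranded, or a device written off as "air-gapped". The following is an added example, not code from the article or from Armis, showing how a contractor might screen an asset export against the five entities named in Section 889. The CSV rows are constructed sample data; the vendor alias lists are illustrative placeholders, since the rule does not enumerate subsidiaries and affiliates, and an organisation would populate them from its own supplier due diligence.

```python
"""Screen an IT asset inventory for Section 889 covered equipment.

Added example, not code from the article or from Armis. SAMPLE_INVENTORY is
constructed data and the alias lists are illustrative, not an authoritative
list of covered subsidiaries and affiliates.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# The five entities named in Section 889. Subsidiaries and affiliates are
# also covered but are not enumerated by the rule, so these aliases are a
# starting point that an organisation must extend itself (assumption).
COVERED_ENTITIES = {
    "Huawei Technologies": ("huawei",),
    "ZTE Corporation": ("zte",),
    "Hytera Communications Corporation": ("hytera",),
    "Hangzhou Hikvision Digital Technology Company": ("hikvision",),
    "Dahua Technology Company": ("dahua",),
}

# Word boundaries stop short aliases such as "zte" matching inside an
# unrelated vendor name.
_PATTERNS = {
    entity: re.compile(r"\b(" + "|".join(map(re.escape, aliases)) + r")\b", re.I)
    for entity, aliases in COVERED_ENTITIES.items()
}

# Network segments that people tend to treat as exempt; the rule has no
# connectivity requirement, so they are flagged rather than skipped.
_NO_EXEMPTION_SEGMENTS = {"isolated", "air-gapped", "closed", "none"}

# Constructed sample export: columns are hypothetical.
SAMPLE_INVENTORY = """\
asset_id,vendor,model,category,network_segment,location,notes
A-001,Cisco,ISR 4331,router,corporate,HQ,
A-002,Huawei Technologies,AR1220,router,isolated,branch,lab network
A-003,Acme Vision,AV-200,camera,corporate,HQ,rebranded Hikvision OEM unit
A-004,Hytera,PD785,radio,none,warehouse,
A-005,Dahua Technology,IPC-HDW2431,camera,home,home office,remote employee
A-006,Blitztech,BZ-1,switch,corporate,HQ,
"""


@dataclass
class Finding:
    asset_id: str
    covered_entity: str
    notes: list = field(default_factory=list)


def match_covered_entity(*fields):
    """Return the covered entity whose alias appears in any field, else None."""
    text = " ".join(f or "" for f in fields)
    for entity, pattern in _PATTERNS.items():
        if pattern.search(text):
            return entity
    return None


def screen_inventory(csv_text):
    """Return one Finding per asset that matches a covered entity.

    Every row is screened regardless of network segment or location, because
    the rule has no connectivity requirement and home-office equipment is not
    exempt. Matching is done on vendor, model and free-text notes so that
    rebranded or OEM equipment is not missed on vendor name alone.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_vendor = match_covered_entity(row["vendor"])
        entity = by_vendor or match_covered_entity(row["model"], row["notes"])
        if entity is None:
            continue
        finding = Finding(row["asset_id"], entity)
        if by_vendor is None:
            finding.notes.append(
                "matched on model/notes rather than vendor name: "
                "check for rebranded or OEM equipment")
        if row["network_segment"].strip().lower() in _NO_EXEMPTION_SEGMENTS:
            finding.notes.append(
                "no connectivity requirement: closed or disconnected "
                "equipment is still covered")
        if row["location"].strip().lower() == "home office":
            finding.notes.append("equipment used by remote employees is not exempt")
        findings.append(finding)
    return findings


def inquiry_record(csv_text):
    """Summarise a screen as a record supporting a 'reasonable inquiry'."""
    findings = screen_inventory(csv_text)
    assets_screened = sum(1 for _ in csv.DictReader(io.StringIO(csv_text)))
    return {
        "assets_screened": assets_screened,
        "covered_assets": [f.asset_id for f in findings],
        "entities_found": sorted({f.covered_entity for f in findings}),
    }


if __name__ == "__main__":
    for f in screen_inventory(SAMPLE_INVENTORY):
        print(f.asset_id, f.covered_entity, "; ".join(f.notes), sep=" | ")
    print(inquiry_record(SAMPLE_INVENTORY))
```

The script keeps the screen separate from the decision: a match is a finding to investigate and, if confirmed, to report within the one-business-day window, not an automatic verdict. Screening the model and notes fields as well as the vendor column is what catches the rebranded camera, and treating "isolated" or "none" as a flag rather than an exclusion reflects the rule's lack of any connectivity requirement.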

Finally, companies are advised to implement risk-based mechanisms that help them comply with the rule, including a process for notifying the contracting agency of any banned equipment discovered during contract performance.

Protecting national security from potential threats is vital, which is why compliance with the Section 889 ban must be treated as a priority. To avoid non-compliance, contractors must understand how their suppliers and subcontractors are affected by the rule and take extra measures to ensure that their telecommunications services and equipment do not fall under the category of 'prohibited technology'. U.S. businesses are not the only ones that need to take extra care when working with third-party vendors or manufacturers. Businesses beyond U.S. borders must keep the Section 889 ban in mind if they, or any of their subcontractors, plan to work with a U.S. government agency, and must ensure compliance to avoid the penalties for failing to do so.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic