One of the largest security threats that countries face is the breach of sensitive government systems and data. With the world constantly developing and undergoing digital transformation, the devices we all rely on for both our personal and work lives are increasingly manufactured in countries considered potentially or even actively hostile toward our national interests. The U.S. Department of Defense (DoD) took a step toward combating this threat by issuing an interim Rule. The new ruling amends the Federal Acquisition Regulation (FAR) to implement section 889 of the John S. McCain National Defense Authorization Act (NDAA). It went into effect on 13th August 2020 and addresses the new prohibition on the use of banned telecommunications equipment and services, while also clarifying the ban from 2019 on buying such equipment. The end goal is to combat the threat that potential cyber-attacks pose to our national security.
In effect, the section 889 ban prohibits federal agencies from doing business with any entity that provides telecommunications and video surveillance services, or equipment that is manufactured or provided by certain companies or any subsidiaries or affiliates with known connections to China. Essentially, this Rule was put in place to prevent any efforts from threat actors to exfiltrate information and intellectual property that pose potential risks to the U.S. government and industry.
There are five specific companies that fall under the category of ‘Prohibited Technology’. These restrictions are in place for the purpose of public safety, the security of government facilities, the physical security surveillance of critical infrastructure along with other national security purposes. More specifically the restrictions are aimed at the telecommunication equipment and services produced by Huawei Technologies, ZTE Corporation or any subsidiary or affiliate of both. Additionally, any video surveillance and telecommunications equipment and services produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company or Dahua Technology Company or any affiliates or subsidiaries are implicated. There are no exemptions for commercial item contracting and applies to all purchases regardless of the contract size or order. The Secretary of Defense also has the right to reject any working orders with any entity they believe to be owned or controlled by or connected to the government of a covered foreign country.
What are the implications?
The new ruling implicates a wide range of sectors and companies. It encompasses all sectors, including banking, healthcare, information technology, higher education, travel and transportation and applies to both federal and commercial business. While Section 889 is a U.S. Regulation, it extends far beyond U.S. borders, and even into people’s homes as any technology used by employees who work from home are not exempt.
The Rule encompasses prime contractors along with their subcontractors, with the prime contractor holding the responsibility for both parties and extends to other contractual agreements that are connected to a government contract. It’s extremely important to note that this ruling doesn’t only impact contractors or suppliers that work directly for the DoD, GSA or NASA. As a matter of fact, there are three specific FAR clauses in place to implement these prohibitions which must be complied to.
Under the FAR clauses, prime contractors must make a “reasonable inquiry” before submitting any offers for work regarding its own use of prohibited equipment or services. This inquiry is specifically “designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services”. In addition to this, they must identify and report any previously undisclosed use of prohibited equipment or services within one day of identification. Any basic ordering agreements must contain a clause in which contractors are obligated to report any use of covered telecommunications equipment or services discovered during the performance of the contract, within 10 days. There is no specific requirement in regards to connectivity. As a matter of fact, any equipment may still be covered if it has the potential to transmit data when connected to the internet, even if it is installed on a closed network.
Under the covered technology, any public and private organisation that deals with these agencies may be considered a contractor or subcontractor and, is therefore, implicated. Healthcare contractors, payors or providers paid by the U.S. government fall under this category as well. This includes contractors for the National Institutes of Health (NIH), the Defense Health Administration (DHA) and the Department of Veterans Affairs (VA). To complicate matters further, the definition of ‘use’ is ambiguous to say the least. The rule defines it as any use, “regardless of whether that use is under a Federal contract.” Consequently, both contractors and suppliers must be fully aware of the telecommunications and video surveillance services or equipment they work with. Breaching a contract by failing to submit an accurate representation or to provide an acceptable product can lead to a cancellation or termination along with hefty fines.
Planning on working with a U.S. Government Agency?
With the implications of the Section 889 ban extending far beyond the United States, any company that either already has a contract with a U.S. government agency or is planning to submit a proposal for work should be mindful of certain things. It is vital that a company reviews its IT asset inventory and supplier agreements before beginning to work with or for a U.S. government agency. They must determine whether they or any of their subcontractors use any equipment or services that fall under the category of “prohibited technology.” Along with this, contractors must build a “reasonable inquiry” regarding any banned equipment or services, and additionally have any documentation that supports this inquiry available. It is essential that companies identify equipment that can potentially be replaced or isolated from their contracted work.
Finally, companies are advised to implement risk-based mechanisms that can help them comply with this rule. This includes alerting the authorities of any banned equipment that they used during contract performance.
It is vital to protect the national security from any potential threats, which is why compliance with the Section 889 ban must be considered a priority. To avoid non-compliance, contractors must be aware of how their contractors and subcontractors could be affected by the new Rule and take extra measures to ensure their telecommunications services and equipment are up to date and don’t fall under the category of ‘prohibited technology’. U.S. businesses aren’t the only ones who will need to take extra precaution when working with third party vendors or manufacturers. Businesses beyond U.S. borders need to keep the section 889 ban in mind if they, or any of their subcontractors, plan on working with a U.S. government agency and ensure compliance to avoid penalties for non-compliance.