Second supply chain risk management rule drops putting agencies, vendors on notice

Starting Aug. 13, agencies will no longer be able to contract with companies using Chinese-made telecommunications products or services in their supply chains.

A new rule from the Federal Acquisition Regulatory Council prohibits agencies from buying products or services from companies which use Huawei, ZTE or other prohibited products from Chinese companies. The prohibition applies to the use of telecommunications equipment or services, whether or not it is used in the performance of work under a federal contract.

The one exception is if the agency’s secretary issues a waiver for the contract.

“The statute is not limited to contracting with entities that use end-products produced by those companies; it also covers the use of any equipment, system or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system,” the council stated.

The rule also “requires submission of a representation with each offer that will require all offerors to represent, after conducting a reasonable inquiry, whether covered telecommunications equipment or services are used by the offeror. DoD, GSA, and NASA [the FAR Council] recognize that some agencies may need to tailor the approach to the information collected based on the unique mission and supply chain risks for their agency.”

“The danger our nation faces from foreign adversaries like China looking to infiltrate our systems is great,” said Russ Vought, the acting director of the Office of Management and Budget, in a statement. “The Trump administration is keeping our government strong against nefarious networks like Huawei by fully implementing the ban on federal procurement.”

The interim rule, which implements the second half of Section 889 of the 2019 National Defense Authorization Act, goes into effect on Aug. 13, but the council will accept comments for 60 days after the release. The effect date is for contracting officers to begin including clauses in new or modified contracts.

The FAR Council issued the first interim rule under Section 889 in August 2019, which prohibited agencies from buying telecommunications and related products from these Chinese firms and required vendors to report if they are using these products.

Reuters first reported the details of the new final rule on July 9.

Flow down to primes only

“We share the government’s legitimate concerns about the risk of technology associated with near peer adversaries,” said Roger Waldron, the president of the Coalition for Government Procurement. “As we work toward the shared goal of mitigating that risk expeditiously, we are moving apace to review the rule, understand its implications and assist our members as they work to comply with it.”

One interesting twist in the interim rule is the council recognized the challenges of immediately implementing it so they are not requiring a flow down below the prime contractor level in the first year.

“This prohibition applies at the prime contract level to an entity that uses any equipment, system or service that itself uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, regardless of whether that usage is in performance of work under a federal contract,” the council stated.

Read more: Acquisition News

The interim rule further stated, the prohibition “will not flow down because the prime contractor is the only ‘entity’ that the agency ‘enters into a contract’ with, and an agency does not directly ‘enter into a contract’ with any subcontractors, at any tier.”

Another interesting aspect of the interim rule is the requirement for contracts for commercial off-the-shelf products and services, and those at or below the micro-purchase threshold.

“The regulation, which is just a month from implementation, will impact a wide swath of companies across the country because it includes readily available commercial items (commonly known as COTS items) and purchases of all values including those below the micro-purchase threshold,” said Eric Crusius, a federal procurement attorney and partner with Holland & Knight, in an email to Federal News Network. “While there is no doubt that the government should and must protect itself from technologies that threaten national security, this rule will be a tremendous burden on companies across all sectors, including those that do not traditionally think of themselves as government contractors.”

Waiver process laborious?

The council also is working to update the System for Award Management (SAM) to let vendors enter their representations and certifications as well as make it easier for agencies to ensure contractors are complying with the law.

“An entity may represent that it does not use covered telecommunications equipment or services, or use any equipment, system or service that uses covered telecommunications equipment or services within the meaning of this rule, if a reasonable inquiry by the entity does not reveal or identify any such use,” the interim rule states. “A reasonable inquiry is an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity. A reasonable inquiry need not include an internal or third-party audit.”

The interim rule details the waiver process in case an agency has a mission requirement. The council states obtaining a waiver may take several weeks, and is only for the specific procurement, not across the agency or government.

Read more: Technology News

Among the most significant steps to obtain a waiver will be the need to consult with ODNI about any risks associated with the product and must notify the Federal Acquisition Security Council among others.

“There is a waiver process available, but it is laborious and I expect such waivers will be hard to come by based on the administration’s priority in advancing this rule,” Crusius said. “It is important to keep in mind that this applies no matter whether the contractor’s use of the offending technology is connected with a government contract.”

NTIA’s new partnership

This final rule is one of several actions the Trump administration is taking or expected to take in the coming months.

Along with the final rule, the National Telecommunications and Information Administration in the Commerce Department issued a notice in the Federal Register establishing a new communications supply chain risk information partnership.

NTIA along with the Office of the Director of National Intelligence and the Homeland Security Department will work with “trusted small and rural communications providers and equipment suppliers, with the goal of improving their access to risk information about key elements in their supply chain.”

The program will provide regular briefings that will identify supply chain risks initially using declassified information and then eventually expanding to more sensitive data.

The third action coming will be from the Federal Acquisition Security Council, which Congress passed and President Donald Trump signed into law in December 2018.

Grant Schneider, the federal chief information security officer, said in an interview in June that one major priority is to implement the powers given to the FASC by Congress.

Read more: Congressional News

“We have delivered to Congress the strategic plan and the charter for the FASC,” he said. “The most important thing we are working on right now is the interim final rule, which will lay out the processes and procedures for how the council will do a couple of things. One of our tasks is to share supply chain risk management information in the government and with industry, where appropriate. Another task is to perform assessments and evaluate potentially covered articles and then make recommendations to DHS, DoD and ODNI on whether or not they should issue a removal or exclusion order.”

He said the FASC is following what the DoD is doing with the Cybersecurity Maturity Model Certification (CMMC) framework.

“I’m very interested to see how it progresses and the outcomes that are able to be achieved. We’re certainly not at the point to know that we would or wouldn’t want to apply this more broadly across the government,” Schneider said.

Congress continues to weigh in

Congress is also weighing in on supply chain issues from China. In both the House and Senate versions of the 2021 NDAA, lawmakers included provisions for the Defense Department to report and brief committees.

In the Senate version of the NDAA, lawmakers said they are requiring the “Secretary of Defense to take security risks posed by at-risk vendors such as Huawei and ZTE into account when making overseas stationing decisions.”

Additionally, Senators want DoD to submit a report on the risk to personnel, equipment and operations due to Huawei’s 5G architectures in host countries.

The report would assess:

  • The risk to personnel, equipment and operations of the Defense Deparment in host countries posed by the current or intended use by such countries of a 5G telecommunications architecture provided by Huawei Technologies Co., Ltd.;
  • Measures required to mitigate this risk, including the merit and feasibility of the relocation of certain personnel or equipment of the Defense Department to another location without the presence of a 5G telecommunications architecture provided by Huawei Technologies Co., Ltd.

The House version of the NDAA calls on DoD to provide the House Armed Services Committee with a briefing no later than Dec. 1 on Section 889 implementation.

“The committee reaffirms its ongoing national security concerns about proliferation of video surveillance or telecommunications equipment in the federal and commercial space produced by Huawei, ZTE, Hytera, Hikvision or Dahua, as defined in section 889 of the National Defense Authorization Act for Fiscal Year 2019 (Public Law 115-232),” the committee stated.

The committee said the briefing should address:

  • Whether the final implementing regulation has been issued and, if not, why;
  • Whether the interim rule prohibits “covered” equipment/services only if they are a “substantial or essential component of any system,” or as “critical technology as part of any system;”
  • Clarify how the departments interpret “substantial or essential” as well as “critical;”
  • How the Commerce Department determines which “affiliates and subsidiaries” are on the covered list;
  • The amount and type of exceptions and waivers that have been granted to date, as allowed in section 889;
  • Whether the departments plan to seek a delay to the August 2020 mandate, which bans agencies from contracting with a company that uses covered equipment and services;
  • How the secretary of Defense, in consultation with the director of National Intelligence and the director of the Federal Bureau of Investigation, would designate additional entities believed to be owned or controlled by a foreign government as authorized; and
  • Whether the departments plan to make funds available for the replacement of the prohibited covered equipment.

Related Stories

Comments

Sign up for breaking news alerts