The second and more arduous deadline for agencies and vendors to ensure they are no longer using certain Chinese-made telecommunications products and services is here, and few are happy about it.
Industry and agencies alike continue to sound the alarm about the potential and real impacts of the interim rule implementing part B of Section 889 of the 2019 National Defense Authorization Act.
“There is likely going to be significant impacts that will be felt across the federal sector,” said one government official, who requested anonymity in order to talk more candidly about the interim rule. “It’s very clear that the Defense Department and other agencies fully support the intent of the rule. We all know there is a lot of information about how China transmitted data and stole intellectual property so the intent of the rule is to protect our national security is good. But there will be unintended consequences because of how the specific language was written.”
Under the interim rule, which remains open for comments through mid-September, agencies cannot award new contracts, task orders or modify existing contracts to any vendor who doesn’t self-certify that they are not using products from Chinese companies like ZTE and Huawei.
The word “use” is at the heart of the issue.
This is because the interim rule hasn’t adequately defined the term. In the interim rule, the Federal Acquisition Regulations Council stated that a contractor must make a “reasonable inquiry” to uncover any information — primarily documentation or other records — about the identity of the producer or provider of certain telecommunications equipment or services used by the entity.
Kea Matory, the director of legislative policy for the National Defense Industrial Association, said the legislation is so broad and the rule doesn’t have a narrow definition, leaving a lot of questions about what “use” really means.
Does “use” mean everyday use? Does it mean use in fulfilling the government contract? Or does it mean used anywhere in their supply chain even down to the subcontractor levels? What about the telecommunications network that your company uses to send email?
The government official pointed out that there are 12 states where the carriers rely on Huawei routers in the rural parts of the state. So if a vendor has an office in those locations and that’s their only access to the internet or voice communications, are they prohibited from working for the government?
Or what about companies with offices in the UK where the Royal Mail uses Huawei equipment — does that disqualify them?
“The interpretation of the interim rule has been an issue,” Matory said. “In talking to different general counsels and consultants, there are different interpretations due to the broadness of legislation, and you see that in the rule itself. And because it took the Office of Management and Budget so long to get to the interim rule, companies now have a short time to implement the rule.”
This lack of clarity is forcing the Defense Department to request a broad waiver from the Office of the Director of National Intelligence. Agencies can seek waivers either from ODNI or through an internal process, which most experts say is more arduous.
While the ODNI waiver process isn’t completed, or at least isn’t public, as of Aug. 12, DoD plans to submit requests for 1,500 to 2,000 “green list” or low-risk products like office supplies, lawn mowing services, food services and the like.
But other things like laptops, desktops or cell phones are considered high risk, or on the red list, because they transmit data and a waiver would be harder to get.
Weapons systems are an entirely different challenge, said the government official, who said a lot of the “red list” requests will be dealt with on a case-by-case basis. This may be a more serious challenge for many big prime contractors because of how deep their supply chains go.
DoD also is setting up a task force that spans all the services and Defense agencies and includes acquisition and cybersecurity experts to ensure coordination for issuing waivers.
The government official said such a task force is not about stopping the services or Defense agencies from issuing waivers, but ensuring consistency so one service doesn’t issue one, but another denies a request.
Additionally, in preparation for the interim rule taking effect, the National Counterintelligence and Security Center (NCSC) has over the last two weeks been providing classified briefings and other assistance to federal procurement executives, chief information officers and chief information security officers from across the government on supply chain threats and risks stemming from contracting with the five Chinese companies.
NDIA, the Professional Services Council, the Coalition for Government Procurement, the U.S. Chamber of Commerce and a host of other associations have written letters and met with lawmakers trying to convince them to extend the compliance deadline.
But despite attempts by Sen. Ron Johnson (R-Wis.) and Reps. Vicky Hartzler (R-Mo.) and Virginia Foxx (R-Va.) to put provisions in the fiscal 2021 NDAA, no one in Congress wanted to “look weak on China” and vote for the amendments, according to industry officials.
Ellen Lord, the undersecretary of defense for acquisition and sustainment, also rang similar alarm bells in early June. She told House lawmakers that the provision under Section 889 is critically important but DoD is concerned particularly about the defense industrial base.
“While what we find is if you look all the way down the supply chain, it is a heavy lift to find all of this equipment everywhere. And the thought that somebody in six or seven levels down in the supply chain could have one camera in a parking lot and that would invalidate one of our major primes being able to do business with us gives us a bit of pause,” Lord said. “So, we are very supportive of it, but I believe we need to extend it in terms of the time for compliance so that we don’t have unintended consequences.”
Bill Wanamaker, the executive director of the Government Freight Conference, said without help, it will be nearly impossible for his members to identify when there are prohibited products present.
“Today’s modern trucking industry is one of the most interconnected service industries and that requires vast amounts of electronic systems and support. So the trucking industry is going to ask Congress to authorize a technology ‘clearing house’ to be maintained by the Federal Acquisition Security Council (FASC) where any item subject to 889 scrutiny could be searched by any federal agency or contractor to help them achieve meaningful and effective compliance,” Wanamaker said. “After all, that is the whole idea of 889, and we want it to succeed. A clearing house is absolutely essential to achieve this. Today’s trucking industry moves everything our warfighters use to project force, making 889 a paramount military readiness issue.”
With Congress deciding not to act, agencies and contractors must now figure out how to meet the goals of the interim rule.
Agencies will begin including the 889 language in any task order, modification or new solicitation. In fact, the General Services Administration alerted its schedule contract holders earlier this week that they must modify their contracts or they will not be eligible for award starting Aug. 13.
“After Aug. 13, no new orders can be placed against GSA FAS acquisition vehicles until FAR Clause 52.204-25 (AUG 2020) is modified in the master contract,” wrote Skip Jentsch, a cloud product specialist on the Cloud Acquisition Team within GSA’s Federal Acquisition Service, in an email obtained by Federal News Network. “No modifications to extend period of performance and exercise of an option until FAR Clause 52.204-25 (AUG 2020) is modified into the order.”
Vendors also have to go into the System for Award Management portal (SAM.gov) and certify they’ve done their due diligence on the anniversary of their registration.
Nick Jones, the director of regulatory policy at NDIA, said some companies were trying to recertify their SAM.gov certification before Aug. 13 because then they have a year until they have to re-certify and tell the government they meet 889 requirements.
“For small companies without a lawyer or a general counsel, this may take a lot of time to figure out what this rule means,” Jones said.
Jones added NDIA still plans to submit comments on the interim rule about the impact its members are experiencing.