Having, hopefully, caught our collective breath from a tumultuous 2019, the New Year has much in store for federal contractors and suppliers. While we wait for 2020 to deliver on the numerous initiatives kicked off in 2019, a handful of developments are already knocking at the door. Before the New Year hits full stride, federal contractors—especially those in the DIB community—should take action now to understand the following key cyber and supply chain initiatives.
Cybersecurity Maturity Model Certifications
2019 marked a turning point in the Defense Department’s attitude towards cybersecurity in the defense industrial base. Through the proposed Cybersecurity Maturity Model Certification (CMMC) program, DoD intends to replace plans and promises with cybersecurity certifications and grades for the 300,000 companies that make up the defense supply chain.
DoD’s aggressive implementation schedule calls for standing up an accreditation body this month that will train and authorize third-party organizations to begin auditing and certifying companies to one of five CMMC maturity levels.
January is also DoD’s target for releasing the final version of the CMMC controls that will form the basis for those five maturity levels and determine the contracts for which CMMC levels will be applicable in Fall 2020.
Given the tight timeframes, defense contractors, subcontractors and companies in the supply chain will need to swiftly assess compliance with the controls at each level in preparation for the audits and certifications to come later in the year.
Self-assess compliance with existing cybersecurity requirements (e.g., under DFARS 242.7012 and NIST SP 800-171).
Consider whether and how you will achieve certification at the highest levels of CMMC (i.e., Levels 4 and 5 of the maturity model).
Catalog and analyze subcontractor relationships to identify and assess potential certification requirements.
Begin strategizing recovery of CMMC-related costs.
Supply Chain Security
Numerous legislative and regulatory actions in 2018 and 2019 laid the groundwork for significant changes in global supply chains in 2020.
Most recently, the close of 2019 saw the much-anticipated release of proposed regulations implementing President Trump’s May 15, 2019 Executive Order 13873 on Securing the Information and Communications Technology and Services Supply Chain.
While industry awaits the Commerce Department’s response to industry’s comments, two other supply chain developments should have the attention of the government contracting community in the immediate term.
These include the long-awaited (and much feared) rule implementing the second phase of Section 889 of the 2019 National Defense Authorization Act (NDAA), and regulations expected to implement government-wide supply chain risk management standards and exclusion and removal procedures under Title II of the SECURE Technology Act of 2018, i.e., the Federal Acquisition Supply Chain Security Act of 2018.
Section 889 – The “Use” Prohibition
With a few narrow exceptions, Section 889 of the 2019 NDAA broadly prohibits the procurement and use by executive branch agencies and their contractors of telecommunications and video surveillance equipment and services produced by five Chinese companies (with others potentially to be named). These companies include Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Dahua Technology Company, Hangzhou Hikvision Digital Technology Company, and any subsidiary or affiliate thereof.
The law takes effect in two phases, sometimes referred to as the “procurement” ban and the “use” ban, respectively. The first phase of Section 889 took effect on August 13, 2019, prohibiting the purchase by executive branch agencies of covered telecommunications and video surveillance equipment and services.
The second phase of Section 889 takes effect on August 13, 2020. In November 2019, the General Services Administration announced that industry would see a “proposed rule” implementing the second phase of Section 889 by January 2020.
Unlike the first phase, which—while broad—generally prohibits only the procurement of covered equipment and services by executive branch agencies, the second phase broadly prohibits the use by federal contractors of the same equipment and services (again, with some narrow exceptions).
While many in industry have decried the “use” prohibition as infeasible and overly broad, statements by the GSA and other government bodies suggest the government is indeed heading in the direction of a broadly scoped prohibition. As an example, in announcing the January target for the “proposed rule” implementing the “use” prohibition, GSA stated that contractors should, in preparation for the rule, “think about every tier of supply chain,” and “about use unrelated to performance of a GSA contract.”
While industry waits for this new proposed rule, federal contractors and subcontractors should take stock now of how they do or expect to “use” covered items and services—whether in the U.S. or abroad, and whether or not related to any U.S. government work—and analyze whether those uses may fall within the scope of the statutory ban.
Implementation of Federal Acquisition Supply Chain Security Act
The Federal Acquisition Supply Chain Security Act of 2018, more commonly referred to as Title II of the SECURE Technology Act of 2018, created an inter-agency Federal Acquisition Security Council, chaired by the Office of Management and Budget, that is responsible for establishing government-wide supply chain risk management standards and developing criteria and procedures for issuing orders excluding or removing certain “sources” (i.e., companies) and/or “covered articles” from federal procurements.
Put simply: companies in the federal supply chain and defense industrial base should be prepared to implement (or contest) supplier and product blacklists and whitelists, if not in the immediate future then certainly in the year(s) ahead. Current estimates reflect a target of January (or early 2020) for proposed regulations implementing the 2018 law. Once issued, companies will need to analyze the regulations and assess the need for changes—either to their supply chain risk management practices in general or (more concretely) to their own supplier environments.
In anticipation of these developments, federal contractors and subcontractors should:
Conduct and review an IT inventory to identify potentially covered equipment.
Review supplier agreements and vendor contracts to identify potentially covered services.
Analyze, identify, and prepare to defend any uses of covered equipment or services you believe fall outside the scope of these new prohibitions.
Understand and develop procedures for satisfying ongoing supply chain-related obligations such as reporting and risk management activities.
Of the many expected changes to U.S. export controls in 2020 (such as new or proposed controls on certain “emerging” and “foundational” technologies, various changes to the USML and EAR, and continued uncertainty and change with respect to restrictions on Huawei and other Chinese technology companies), those in the DIB community should be immediately alert to important impending changes in the ITAR’s treatment of cross-border storage of controlled technical data.
On December 26, 2019, the State Department’s primary export control division, the Directorate of Defense Trade Controls (DDTC), published an interim final rule that would allow, under certain conditions, encrypted technical data and software that is subject to the ITAR to be sent, shipped, or stored outside the United States without the need for a DDTC license or other authorization.
Although DDTC’s planned amendments to the ITAR contain subtle differences from the corresponding provisions in the Export Administration Regulations (EAR), DDTC’s rule would nonetheless allow for the common international cloud-based storage and handling of properly encrypted technology/technical data and software subject to either the ITAR or the EAR.
Unless DDTC publishes a new rule following its now-open comment period, the interim rule will become effective on March 25, 2020. The administration is actively seeking input from industry on this issue, and comments must be submitted by January 27, 2020.
In the meantime, companies that handle and store ITAR technical data (and other controlled technology and software) should carefully analyze the interim rule and begin preparations to take full advantage of the new rules once they become effective in March.
To prepare for these changes, companies that do or may handle ITAR technical data should:
Analyze their IT infrastructure and vendor environment to understand (and document) the implications of the new rules on existing and planned technical data flows.
Identify opportunities to economize and optimize arrangements for storing (e.g., in the cloud) and processing technical data and export-controlled technology and software.
Use this opportunity to harmonize IT and vendor environments (and policies and procedures) to address multiple emerging regulatory regimes (e.g., those discussed above).