A proposed interagency council would look around the world for companies and products to banish from the federal supply chain. As it did with Kaspersky Labs and Chinese telecom gear, the government would base future bans on national security grounds. It all promises to make things a little tougher for contractors. For one view, Federal Drive with Tom Temin turned to law firm Jenner & Block partner Cindy Robertson.
Insight by Carahsoft: Learn how the FedRAMP PMO and its partners believe the end result of many of ongoing initiatives is a better, faster and cheaper cloud security program by downloading this exclusive ebook.
Tom Temin: Ms. Robertson, good to have you on.
Cindy Robertson: Great to be here, thanks Tom.
Tom Temin: First of all, this proposed interagency council – it’s an OMB rulemaking proposal right now but it really originated on the Hill, didn’t it? Tell us the genesis of this proposed counselor interagency group.
Cindy Robertson: Sure, sure. So as you know, Congress has passed various pieces of legislation. And this one in particular focuses on trying to unify the executive agencies’ recognition of supply chain risk. So Congress was concerned that smaller groups of agencies might be doing this independently. And they really wanted to coordinate efforts and create a system whereby there would be more information sharing among multiple different agencies. And you can see based on the rule itself, that there’s just an alphabet soup of agencies who will be involved here, everyone from OMB, DoD, GSA, and then those you’d expect to be involved in homeland security including national intelligence, FBI, NSA, NIST, and CISA, among many others.
Tom Temin: And do you get the sense just from your experience in this market, that basically it would still be Russia and China, that would be the object of scrutiny here? Because a lot of countries are already banned, for example, Iran.
Cindy Robertson: You’re absolutely right, that I think the focus will be on countries who do pose a special security risk. But what was really interesting about the rulemaking and what caught my attention, is that when considering foreign influence, this new agency has broad powers to consider not just for an adversary, but really a company’s business operations in any foreign country. So what does that mean, exactly? It means that while countries that are perceived as a foreign adversary, of course merit special consideration, the FASC [Federal Acquisition Security Council] actually can consider whether the manufacturer has R&D, for example, or even distribution or service facilities in any foreign country. In addition to that, the committee can also consider personal and professional ties between the technology source, including its officers, directors, or employees, and any foreign government. So the rule sweeps really broadly.
Tom Temin: Yes, so I’m thinking, for example, of Nvidia – a very popular company in the graphics field, has a big federal presence. They have just acquired from Mr. [Masayoshi] Son – they’re about to – they made what they think will be a winning bid for a semiconductor company called Arm. And so suddenly, the company’s tentacles are all over the world through this acquisition. I’m just using that as an example. That’s the kind of thing that could come under the scrutiny of this council?
Cindy Robertson: Yeah, it absolutely could. And I think that’s why federal contractors should really note this rule and think about commenting on it to ensure that there are appropriate safeguards in place to make sure that you don’t inadvertently wind up before this committee, because once you do, it can be really challenging, I think, to make your case. So why do I say that? Well, it’s because of the breadth of the factors we already discussed, as well as the fact that once you’re within the committee’s review, you don’t have much opportunity to respond to allegations. You have essentially 30 days to basically wage your defense in terms of staying live within federal contracting. And that’s not a lot of time and the FASC is given really broad authority. It’s possible, of course, to potentially get a waiver even after a ban is issued. But I think the FASC is given very broad powers to issue these exclusion orders. And wide criteria to consider in making those determinations.
Tom Temin: We’re speaking with Cindy Robertson, she’s a partner at the law firm Jenner & Block. So in many ways, this is like the giant son of the [Section] 889 rule with respect to the Chinese telecom where you have all this banning, and it can’t be anywhere in your own supply chain as a contractor, and you’ve got waivers starting to come out of the Office of the Director of National Intelligence.
Cindy Robertson: Yeah, that’s exactly right. And again, that’s why we felt that this development merited some discussion because those recent bans have really imposed quite a lot of burden on federal contractors and their supply chain. So as you know, those recent bans against the five telecommunication and video surveillance companies came in two waves, really. So the first ban in 2019 focused on just using such products specifically in government procurements. But then the second part of that ban became operative in August 2020. And that ban swept very broadly across prime contractors’ operational use of any information technology or telecommunication services or video surveillance from those five companies. And so it’s been really challenging, I think, for federal contractors to identify operationally that use which is now banned, at least at the prime contractor level. And I think what we could anticipate is that this new committee would issue very similar exclusion orders to those we’ve seen in the past that are likewise broad in scope, and very burdensome.
Tom Temin: Now, the rule as proposed has comment period that’s open, I think, until the end of October. What do you advise people that care about this to say in comment?
Cindy Robertson: Well, I think it’s very important to talk about safeguards to ensure that although national security interests are very important, obviously, we want to be sure that there is a thorough review. And that Not anyone can just assert some sort of allegation against a company and have them lined up before the FASC in a way that doesn’t seem appropriate or right. And so there’s a lot of detail in the rule. But I think contractors will be most focused on the criteria that the FASC may consider in making these determinations of banned companies.
Tom Temin: Right. So it won’t be good enough to say, hey, this could put me out of business, because it doesn’t really address the public policy question.
Cindy Robertson: That’s correct. Instead, it really needs to focus on which factors should be permissibly considered, and making sure that seemingly innocuous ties to foreign countries, like distribution or service facilities, aren’t given undue weight.
Tom Temin: All right, what else do we need to know about the operation of this interagency commission, should it come to pass?
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Cindy Robertson: Well, there’s a lot of framework in the rule, which is helpful to understand. But it’s also useful to know that this rule sets out a task force that’s going to be governed by CISA. And the task force is really the guts of the committee, and will be working on processes and procedures. So even though the rule designates this external framework, there’s still a lot of work left to be done, and that we don’t have absolute visibility into. So yet another good reason for comments if you want to help shape the way in which the task force shares information with critical components of the committee and how it weighs those factors.
Tom Temin: CISA being the Cybersecurity and Infrastructure Security Agency at [the Department of] Homeland Security, that brings up an important point, because this idea of information sharing – that’s been a uphill struggle for DHS, ever since it overtook the task of various sectors, cybersecurity coordination, and DHS has most of the sectors. They’ve got a history of a little bit of mistrust between DHS and industries where they have an interest in the cybersecurity because they’re critical.
Cindy Robertson: Yeah, this rule is full of policy tensions that you do see, just in terms of the government’s interest, and of course, protecting our vital intellectual property and our secrets from our adversaries. You know, combined with this real need for innovation and technology to benefit our systems as well. And so you’ve seen the Department of Defense, for example, reaching out and trying to capture innovation from mostly commercial organizations. But at the same time, those commercial organizations are largely relying sometimes on foreign talent. And so it’s going to be very interesting to see how this plays out and how the policy considerations are addressed.
Tom Temin: All right, but in the meantime, make that comment, correct?
Cindy Robertson: That’s right. The time for comments ends as you’ve said at the end of October. And we stand by ready to assist if you need help shaping comments, but they are vitally important to shape this process and I’ve experienced a lot of satisfaction in having comments really make a difference.
Tom Temin: Cindy Robertson is a partner at the law firm Jenner & Block. Thanks so much for joining me.
Cindy Robertson: You’re very welcome, Tom.
Tom Temin: in 9:48
will post this interview along with a link to her advisory at www.FederalNewsNetwork.com/FederalDrive. Hear the Federal Drive on your schedule. Subscribe on Apple Podcasts or Podcastone.