There is little disagreement among industry experts that the threat coming from Chinese companies ZTE and Huawei is tangible and needs to be addressed.
There is also little disagreement among contractors that the responsibility to do something about the security of not just telecommunications and video surveillance, but of all technology products rests jointly on the shoulders of government and industry throughout the supply chain.
And there is little disagreement that a rule in the Federal Acquisition Regulations is a good starting point, but far from the solution to the ever-growing problem of supply chain risk management.
The problem is that’s as far as industry and government have gotten. And the interim final rule that the FAR Council seemingly rushed out on Aug. 13 that bans the use of ZTE and Huawei products in the federal supply chain starting immediately didn’t help much, and may have made things worse.
Three industry associations expressed support for the overall idea of improving the federal supply chain, but said the interim final rule opens the door to some serious questions. Meanwhile two other groups declined to comment for assorted reasons; however, not because they fully supported the government’s regulations.
“It’s a complex rule for vendors and agencies to implement. It puts a burden on the vendors to exercise due diligence down through multiple levels of subcontractors. It’s not clear what will constitute reasonable due diligence given all the contracting levels and players that will be involved,” said Tom Sisti, executive vice president and general counsel at the Coalition for Government Procurement. “It would’ve been helpful to have some guidance on how to exercise due diligence so that an erroneous representation wasn’t viewed as a potential misrepresentation. This is a burden on vendors and agencies, there is no question about it. That’s not a criticism, but the due diligence will be important.”
Now because it’s an interim final rule, agencies, vendors and other stakeholders will have an opportunity to comment, and the government could make modifications to the final rule.
Sisti and others believe changes, maybe even significant ones, are possible given there are so many unanswered questions.
“We understand the need for immediacy, but it was drafted without a lot of industry participation, and coming out with immediate implementation means it will be relatively burdensome for companies to adjust their supply chains and respond to the rule in rapid fashion. That’s especially true as you drive this down through the supply chain of smaller businesses. It’s onerous on larger ones too, but they have more resources,” said Wes Hallman, senior vice president for strategy and policy at the National Defense Industrial Association (NDIA). “Industry will have to think about the burden the rule is placing on them and how to deal with that. That is why there needs to be more back and forth when writing rules.”
Industry knew the FAR Council was working on the rule for about a year as instructed by Congress in the 2019 defense authorization bill. And the council held a public meeting about a month before it published the interim final rule, which left some believing the event was pro forma and the interim rule was all but decided.
“We are disappointed that they waited a whole year and released the interim final rule five days before it became effective. There was no time for companies or agencies to prepare for that kind of overnight preclusion,” said Alan Chvotkin, the executive vice president and general counsel for the Professional Services Council. “We are disappointed that we received no real heads up for how to proceed even as they worked through the text of the rule. There was no advance notice of proposed rulemaking. We knew the procurement policy folks were working, but we received no heads up from the procurement staff who will have to implement this.”
Aside from the immediate implementation challenges, experts say the interim final rule doesn’t address potential False Claims Act violations or how it fits together with Section 846, the e-commerce provision of the 2018 NDAA.
CGP’s Sisti said if vendors have to certify they and their subcontractors are not using ZTE or Huawei products, then what are the protections for industry if they make a mistake?
“You have to think about where things like telecommunications are involved where there isn’t a definition, do you revert to the Telecommunications Act? How does this impact software? Also how do you address the fact that it’s tempting to over report because it’s not something you can just say ‘yes’ to and cover your bases. This is very serious.”
Corbin Evans, the regulatory policy director for NDIA, said before a vendor can even make that certification, it must gain visibility into its entire supply chain.
Evans added that those additional costs likely will be borne by the government and the taxpayer.
Evans and others aren’t arguing against the need for supply chain security, even if there are additional costs, but some dialogue to figure out the best way to mitigate costs would’ve been a better approach.
And then there is Section 846, the requirement for the General Services Administration to develop online approaches to make buying products and services below the micropurchase threshold easier.
The interim final rule covers those purchases too, so experts say it complicates the e-marketplace effort.
“The rule says there is risk and it’s not affected by commercial items or dollar value. So now there are two paths going on with the Section 846 effort. How is this going to be implemented in context of the e-commerce rule now that they have made this determination?” Sisti said. “How do you rationalize that with purchases under the micropurchase threshold? This interim rule says the risk is too great.”
He added the risk of purchases below the MPT is one that CGP and others have raised for a long time, particularly around who is liable for a violation or breach—the platform, the vendor or the purchaser?
“If an agency user now has to make a risk decision with every purchase, is that where we want to go in this environment?” Sisti asked.
PSC’s Chvotkin said applying this rule to commercial items also adds another layer of complexity to federal procurement at a time when Congress and agencies, through the use of other transaction agreements (OTAs) and commercial service offerings (CSOs) are trying to simplify it.
“We understand these will not be the last two companies subject to this type of ban,” said NDIA’s Evans. “We have to create a system and expectation where DoD and industry better understand the tradeoffs between security and costs.”