Thursday brings the statutory deadline for federal contractors to certify they comply with the law banning telecommunications equipment from certain Chinese companies from their network. Lots of companies were hoping Congress would delay the Aug. 13 deadline. One reason is because even the government has only a vague idea of the cost and how to interpret this rule. Holland & Knight partner Eric Crusius had more insight on Federal Drive with Tom Temin.
Tom Temin: Eric, good to have you back.
Insight by Lookout: Learn the steps CIOs from the VA, NSF and the Drug Enforcement Administration in the Justice Department took to achieve the balance of security and accessibility as employees worked outside the office in this exclusive ebook.
Eric Crusius: Great to be here. Thanks so much.
Tom Temin: What are your clients facing? What are they telling you about this whole Chinese ban that’s supposed to be in effect tomorrow?
Eric Crusius: Right. I want to first start by saying that I think everyone agrees that something needed to be done, it’s just a matter of of what’s being done. Clients I think feel, talking with a bunch of them, feel like they’re being thrown into the ocean without a life raft, without knowing exactly what to do. They want to comply. They want to be compliant. They want to be able to certify tomorrow that they are compliant with this rule. But I think some of them are having some difficulty. And I think there’s good reason for that. I mean, I’ll give you one example. The rule talks about not only the named five name Chinese companies, but also their subsidiaries and affiliates. Well, the FAR Council has not put out a list of who those subsidiaries and affiliates are. So contractors elect to guess who they are. You can kind of guess maybe if the name like for instance, Huawei is the name of a subsidiary and affiliate, but if it’s not, that creates a lot of confusion. So that’s just one of the many things I think contractors are grappling with.
Tom Temin: Do many of them actually have that equipment that they have to remove and replace of the five prime named ones.
Eric Crusius: Yes, I’ve seen some that have. And I think part of the problem is that some of these definitions are so vague that contractors have equipment that may fall under this rule, and it’s hard to tell whether it does or not. So they’re making these kind of multimillion dollar decisions about whether to remove equipment, whether to replace it based off of kind of vague definitions that they can’t really interpret without help of the government.
Tom Temin: What are some of the definitions other than, say the names of the subsidiary and affiliate companies, which is hard to determine — what are some of the other vagaries in the rules because the rules have been published?
Stay up to date on all things federal with our revamped mobile app. Download it to your device today.
Eric Crusius: Right. One of them is reasonable inquiry, which is what contractors are required to do in order to kind of find this equipment. The government says it’s something short of an audit. But how short of an audit? We’re not really sure. The steps that need to be taken aren’t specifically laid out. So for instance, does an item have to be dissected to see if it contains parts from Huawei or Hikvision, or CTE or one of those other companies. Are contractors required, for instance, to interview employees to see what the employees know about these parts? So the fear is that, especially when you are talking about agencies across the government, is that contractors, maybe according to one agency, are taking sufficient steps but according to another agency are not taking sufficient steps because the definition of reasonable inquiry is vague enough that you can make an argument that any steps really are not good enough. So I think that’s one of the definitions. Another one is there are three companies mentioned in the second half of the rule and excuse me, if I butcher these names Hytera Communications Corporation, Hikvision Digital Technology, Dahua Technology Company. And it’s not all their products that are banned, its products for physical surveillance of critical infrastructure, other national security purposes, video surveillance. So we don’t know all those definitions. For instance, it has to be for the purposes of one of the options is public safety. What exactly is public safety? If you have security cameras in your warehouse and members of the public walk in, is that considered public safety? And one of the other limiting factors is critical infrastructure for surveillance of critical infrastructure. What is critical infrastructure? There’s no definition in the rule of that. Now, it’s defined elsewhere, but not really in the FAR, it’s found in the Patriot Act, National Institute of Standards and Technology defines it an Obama EO defines it — but they’re all slightly different definitions that give different guidance. So I think having definitions kind of to those key terms would be really helpful because contractors are making literally multimillion dollar decisions off these definitions.
Tom Temin: We’re coming into the final buying season of the 2020 fiscal year and so the law says that the the government won’t issue any contracts to companies that are in this position. So what are some short term things companies can do just to get through the next few months before anyone figures out what might be the case?
Eric Crusius: Right. I mean, so one of the things that they have built into the rule is a waiver process where companies can get a waiver if they can’t comply with the rule in enough time. But the issue with the waiver process is it doesn’t really help the part I think that contractors need help with. So the waiver process is available if you’ve already identified all the technology, that’s to say the offending technology that you have, and you just need time to replace it. The waiver process does not help if you’re still trying to figure out what technology you have. So contractors, I think my experience has been in just logically, I think that the biggest problem is identifying the technology and figuring out where it is. And then the second part what to do about it is also a difficult part. But that’s more of a cost thing. It’s more about just going out and procuring and buying replacement parts. So the waiver allows you to get a waiver on a agency by agency basis, so it’s not a enterprise waiver or cross government waiver. But it doesn’t allow you to get a waiver if you haven’t identified the technology within your company already, so that’s kind of a measure a company could take. As you well mentioned, we’re right in the middle of buying season right here. That’s something that companies can do if their in that position, but I think that won’t really help a lot of companies. And then on top of that you have GSA as they rightfully do come in very efficiently and say, hey, there’s going to be Mass Mod that includes this. And if you don’t sign this Mass Mod as a GSA Schedule contract holder, you’re not gonna be able to get any orders after tomorrow, August 13. So I think contractors don’t really have a lot of wiggle room. And I think part of the difficulty was, before this rule came out, DoD was asking for a delay, industry was asking for a delay. There was some expectation within industry that a delay was going to happen, and then it didn’t happen. And here we are, everyone is scrambling to comply with a really expedited basis.
Tom Temin: Do you think this could be a big post facto gotcha for contractors in the next fiscal year when some of the definitions might come into clearer focus? Companies find that whoops, I wasn’t compliant on that August 13 date?
Eric Crusius: Yes, absolutely. We’re all at asking for more meat on these bones, we may get the meat, but we may not like how it tastes. So that could cause some problems down the road for contractors. And because there’s a certification aspect to this where contractors are essentially certifying that they’re compliant with this rule with every offer that they make. That, of course brings in all the parade of horribles dealing with the False Claims Act and whistleblowers and mandatory disclosures and things like that. So it’s not an insignificant problem for contractors.
Tom Temin: And do you see any bridge between this rule banning the Chinese equipment and networks and systems and so on with the CMMC, which is also coming, the Cybersecurity Maturity Model Certification? Because how could you be CMMC compliant if there’s all this banned Chinese materials in your networks?
Eric Crusius: That’s a great point, actually. And I had a discussion at an event with somebody last week or two weeks ago about that because if you look at the CMMC model itself, it talks about supply chain and having a clean supply chain. And that’s exactly what this rule is about. From level two and up, you can argue, CMMC as you know,is divided into five levels, five being the most stringent, one being the least stringent. But if you want to get a certification essentially for two and up you really have to take your supply chain into consideration. Two is a little bit easier to comply with, of course, and four is the most difficult, but I think especially with a level four you really have to be compliant with this rule in order to get that certification — and I would argue two and three as well.
Tom Temin: Alright, so again, just to recap, the short term thing that contractor should do is accept contracts, but maybe start really getting in on their inventory.
Eric Crusius: Contractors are kind of in a no win situation right now if they don’t really know what they have as far as this technology goes and they accept the contract and essentially certify that they are compliant with this rule and they’re not. They put themselves in a very precarious position. So I would, I would urge contractors to kind of look at their systems before Thursday, tomorrow, and make sure that they are compliant before accepting a contract or certifying that they have comply with this rule. The answer may be not to enter into a contract if they can’t certify, if they suspect that they may have this technology because the risk, the downside is really great here.
Tom Temin: Yeah, so it depends really then on the capriciousness or lack there of that the government may choose to exercise down the line in the absence of any kind of rescue from Congress on the interpretation and the dates and so on.
Eric Crusius: Right. That’s a great point. I mean, contractors are going to kind of be left not to the discretion of the agency officials and all these different agencies who may interpret this rule slightly differently. DoD was good enough to put out some guidance about this, but it didn’t give a lot more information on these definitions. We’ll see what happens when other agencies are putting out guidance, but the guidance will be coming out after this rule is in effect. It’ll be helpful, but that helpfulness will be limited because contractors have already spent billions of dollars trying to comply with this rule.
Tom Temin: Well, we have a new old expression then, sellers beware.
Eric Crusius: Well said.
Tom Temin: Eric Crusius is a partner with the law firm Holland & Knight. Thanks so much.
Eric Crusius: Thank you.