As part of a recent wave of supply chain requirements, Section 889 of the 2019 National Defense Authorization Act (“NDAA”) imposed major new limitations on the use of certain Chinese telecommunications products and services in federal procurement, and recent implementing regulations mandate a range of compliance actions relating to the ban. This blog post provides practical guidance on the new rules and five compliance tips.
Ban against Procuring “Covered Telecommunications Equipment or Services”
The Department of Defense (“DoD”), General Services Administration (“GSA”), and National Aeronautics and Space Administration (“NASA”) recently released an interim rule implementing the first part of Section 889. This ban, which became effective August 13, 2019, sweeps broadly by prohibiting agencies from procuring the following “covered telecommunications equipment or services”:
- Telecommunications equipment produced by Huawei and ZTE Corporation;
- Video surveillance and telecommunications equipment used for public safety, surveillance of “critical infrastructure,” or national security purposes and produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company;
- Telecommunications or video surveillance services provided by such entities for any purpose; or
- Telecommunications or video surveillance equipment produced or provided by an entity that the Secretary of Defense determines is owned or controlled by, or otherwise connected to, the government of the People’s Republic of China.
The ban includes all affiliates and subsidiaries of the listed companies. The Department of Commerce in May 2019 identified 68 of Huawei’s affiliates, and in August 2019 added another 46 affiliates to the Entity List. The “catch-all” provision above also allows the government to extend these restrictions to additional companies if they are deemed connected to the Chinese government.
The interim rule prohibits “covered” equipment/services only if they are a “substantial or essential component of any system, or as critical technology as part of any system.” The rule offers little clarity in applying these terms, merely defining them as “any component necessary for the proper function or performance of a piece of equipment, system, or service.” Until agencies issue guidance on interpreting these terms, contractors should err on the side of gathering more documentation from suppliers and communicating with the government as to the scope of the ban as applied to individual procurements.
The term “critical technology” borrows from the Foreign Investment Risk Review Modernization Act (“FIRRMA”) and includes items on the United States Munitions List, the Commerce Control List, and nuclear equipment. This would cover defense-related weapons and other technology like aircraft and military electronics. The interim rule, however, does not define “critical infrastructure,” although if similarly based on FIRRMA, this term would refer to “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.”
Exceptions and Waivers
Section 889 and the interim rule contain two exceptions. First, agencies can procure services that connect to the facilities of a third party, such as backhaul, roaming, or interconnection arrangements. This would likely immunize a contractor that merely exchanges traffic or shares networks with covered entities, although this could be a difficult exception to identify and apply for a contractor not specializing in telecommunications. Second, Section 889 does not prohibit covered equipment that “cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles.” In other words, if the product cannot access or interact with the data it handles, it is likely exempt from Section 889.
A contractor may also obtain a waiver under certain circumstances. The head of an agency may grant a one-time waiver on a case-by-case basis if the contractor demonstrates a “compelling justification” for requiring additional time to implement Section 889 requirements. The firm must submit a “full and complete laydown” of all covered equipment/services in the supply chain and a phase-out plan. The waiver cannot extend beyond August 13, 2021. In other circumstances, the Director of National Intelligence may issue waivers if the Director determines the waiver is necessary for national security purposes.
New FAR Clauses Requiring Offeror Representations and Reporting Obligations
The interim rule requires contracting officers to insert two new FAR clauses in all solicitations and contracts issued on or after August 13, 2019:
- FAR 52.204-24 requires offerors to represent whether they will provide covered equipment/services. In an offeror answers affirmatively, it must list all covered items and their proposed uses, including any factors to assist the contracting officer in determining whether the use is permissible (or possibly whether a waiver is appropriate). Notably, this representation is broader than the Section 889 ban because it requires a list of all covered items, regardless of whether they are a “substantial or essential” component or “critical technology.”
- FAR 52.204-25 imposes a reporting obligation during contract performance. If a contractor identifies any covered equipment/services, it has one (1) business day to report to the contracting officer, including mitigation actions undertaken or recommended. Within 10 business days, the contractor must report any further mitigation actions. This clause must be flowed down to subcontractors.
These provisions must also be inserted in any extension of existing contracts or task/delivery orders.
Section 889’s prohibitions and the FAR requirements apply to all acquisitions—including those below the simplified acquisition threshold, commercials items contracts, and COTS items. There is no exception for small businesses. To ease reporting obligations, DoD, GSA, and NASA are working on updates to the System for Award Management (“SAM”) to allow offerors to represent whether they sell covered equipment, systems, or services.
GSA Announces Mass Modification for Multiple Award Schedule Contracts
Agencies must modify existing IDIQ contracts to include the above FAR clauses for future orders. On September 9, 2019, GSA announced it will issue a mass modification to all GSA Multiple Award Schedule (“MAS”) contractors to add FAR 52.204-25 and GSAR clause 552.204-70 (which largely mirrors the representation in FAR 52.204-24). Contractors will have 60 days to accept and incorporate the clause into their contracts; otherwise, the contract may be terminated for convenience.
GSA also issued a class deviation that limits the representation required to the IDIQ contract level instead of at the order-level for low and medium risk IDIQ contract vehicles.
Ban Next Year against Using Covered Equipment/Services
Effective in August 2020, Section 889 will also broadly ban agencies from contracting with any company that uses covered equipment/services. This will have a significant impact on contractors by requiring firms to remove any covered products from their organization, such as Huawei laptops, phones, or other electronics. This prohibition is subject to further rulemaking. It unclear whether the ban will extend broadly to prohibit the use of covered equipment/services for any corporate purpose, or whether it will instead be limited only to the use on government contracts.
5 Compliance Tips
Section 889 compliance will require contractors to engage in ongoing supply chain review and management to avoid unwittingly supplying or using covered items. We’ve outlined five tips for firms to implement as part of their larger Section 889 compliance assessment:
- Conduct an internal audit to identify:
- any manufacturing relationships with the five vendors in the NDAA, including any subsidiaries or affiliates (be aware of equipment sold under another manufacturer’s name as with OEM and ODM relationships);
- all covered equipment/services supplied by any vendors on government contracts; and
- any company equipment or systems made by or containing components from a banned vendor (computers, servers, phones, and other electronics capable of executing software commands). This will be necessary to comply with the second part of Section 889 effective next year.
- Maintain an inventory of potentially covered products and a description of their use. This will help when providing the mandatory representation in FAR 52.204-24.
- Document efforts to comply with the law by developing written policies and procedures, including developing a consistent process for analyzing and categorizing products as covered vs. non-covered.
- Obtain certifications from subcontractors mirroring FAR 52.204-24 and similarly requiring subcontractors to identify any covered equipment/services. The certification should also require subcontractors to inform the prime contractor within one (1) business day of identifying any covered equipment/services as required by FAR 52.204-25 (which must be flowed down to subcontractors).
- If the firm believes an exception to Section 889 applies to any of its proposed products, obtain confirmation from the contracting officer as early as possible—ideally, before submitting the required representation. Be wary of accepting blanket claims from a manufacturer (or its representatives) that its products or services are “exempt” from Section 889 without further substantiation.
We will continue to track Section 889 developments as this promises to be an evolving area of law.