Effective December 4, 2023, a new interim rule will prohibit contractors from delivering or using covered articles and sources subject to exclusion or removal orders issued under the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”). The rule is intended to eliminate certain technology from the federal supply chain that foreign adversaries might exploit to commit malicious cyber acts. The interim rule allows the executive branch through the Federal Acquisition Security Council (“FASC”) to exclude certain technologies and manufacturers from federal procurements and even to require removal of covered articles from federal or contractor information systems during performance.
The rule imposes a host of new obligations, including certification, monitoring, and reporting requirements. This post provides practical guidance on the rule and several compliance tips to help contractors prepare for the December deadline.
Congress passed Section 202 of the FASCSA to protect the information and communications technology (“ICT”) supply chain against threats and vulnerabilities that may lead to data and intellectual property theft, damage to critical infrastructure, or national security harm. The Act established the FASC as an interagency council authorized to make recommendations for orders that would require the removal of covered articles from agency information systems (removal orders) or the exclusion of sources or covered articles from agency procurement actions (exclusion orders) (collectively referred to as “FASCSA orders”).
In August 2021, the FASC issued a final rule establishing procedures for recommending removal and exclusion orders. The FASC evaluates supply chain risk based on several non-exclusive factors and sends its recommendations to the Secretaries of Homeland Security and Defense and the Director of National Intelligence to consider when deciding whether to issue a FASCSA order. If a FASCSA order is issued, agencies are required to implement the exclusion or removal order.
The Government Accountability Office (“GAO”) regularly denies protests because an offeror made assumptions in its proposal. To the offeror, such assumptions seem perfectly reasonable but to an agency the assumptions are incorrect or contrary to the agency’s intended procurement approach. As a result, the offeror’s proposal is rejected as non-compliant.
If the offeror files a GAO protest, GAO will likely dismiss the protest as being untimely, stating that the offeror was required to challenge a solicitation’s terms and conditions prior to the deadline for the submission of proposals. This scenario is frustrating because it likely could have been avoided had the offeror simply asked the agency questions.
Frequently, clients ask us to opine on what information an agency is seeking in a solicitation or how to interpret a term in a solicitation. These questions are often asked shortly before an offer is due. While we do our best, our guidance is not a substitute for agency guidance. We appreciate offerors are busy. Most prepare proposals based on due dates. As a result, by the time an offeror begins to prepare its proposal, the solicitation’s Q&A period is over.
Building on recent and ongoing efforts to limit Chinese government access to government contractor supply chains, the FAR Councils published an interim rule effective June 2, 2023, that will broadly ban TikTok on contractor and contractor employee electronic devices used in the performance of federal contracts. The ban will be implemented through a new contract clause at FAR 52.204-27. Expect to see the clause added in all future solicitations (including commercially available off-the-shelf (“COTS”) acquisitions and micro-purchases) and added to existing contracts over the next month. We answer seven common questions on this new interim rule and offer several compliance tips.
The new TikTok ban broadly prohibits contractors from having or using a “covered application” (e.g., TikTok or other successor applications by ByteDance Limited, a privately held company headquartered in Beijing, China) on any “information technology” used in the performance of a government contract. The ban applies regardless of whether the technology is owned by the government, the contractor, or the contractor’s employees. Bottom line, the rule has a (very) broad reach—it applies to contracts below the micro-purchase threshold, contracts for commercial products and services, and COTS items.
Last month, we wrote about a proposed amendment to the FY 2023 National Defense Authorization Act (“NDAA”) that would prohibit contractors from selling certain Chinese semiconductor technologies to federal agencies and from using these same covered products and services. This measure was added through Section 5949 of the NDAA.
On December 6, the House passed a compromise version of the NDAA, which appears to scale back the semiconductor ban by applying it only to federal sales of covered products and services, without also banning contractors from using them. However, the explanatory statement accompanying the NDAA suggests contractors (including their affiliates and subsidiaries) may ultimately be prohibited from using covered semiconductor technologies—which would raise a host of compliance and implementation concerns.
Compromise Version of NDAA Limits Semiconductor Ban to Federal Sales
Section 5949 bans semiconductor products and services from Semiconductor Manufacturing International Corporation, ChangXin Memory Technologies, and Yangtze Memory Technologies Corp., plus their subsidiaries and affiliates. This ban was modeled after the supply chain restrictions from Section 889, which prohibit contractors from selling and using covered telecommunications and video surveillance equipment from five Chinese telecom companies.
Effective January 1, 2023, the certification process for veteran-owned small businesses (“VOSBs”) and service-disabled veteran-owned small businesses (“SDVOSBs”) will be transferred from the Department of Veterans Affairs (“VA”) to the Small Business Administration (“SBA”). Except for implementation transitioning discussed below, to be eligible for sole-source and set-aside acquisitions, VOSBs and SDVOSBs will need to be certified by the SBA.
Previously, VOSB and SDVOSB verifications were made by the VA’s Center for Verification and Evaluation (“CVE”). To be eligible for VA contracts, VOSBs/SDVOSBs had to be verified by the CVE; there was no government-wide certification program, and firms seeking SDVOSB sole-source or set-aside contracts outside the VA only needed to self-certify their status pursuant to Section 36 of the Small Business Act, 15 U.S.C. 657f.
On November 29, 2022, the SBA published a final rule implementing Section 862 of the FY 2021 National Defense Authorization Act (“NDAA”) transferring authority for VOSB/SDVOSB certifications from the VA to the SBA. The final rule consolidates the eligibility requirements for the Veteran Small Business Certification Program, and the SBA is assuming control of VOSB/SDVOSB certification for purposes of nearly all small business federal contracting. SBA also published a Frequently Asked Questions (“FAQ”) page regarding the final rule.
On October 18, 2022, Senate Majority Leader Chuck Schumer (D-NY) issued a press release signaling a potentially significant expansion of Section 889 through a proposed amendment to the 2023 National Defense Authorization Act (“NDAA”). Schumer’s proposal is aimed at extending the telecommunications supply chain prohibitions in Section 889 to the semiconductor manufacturing industry.
Section 889 currently prohibits contractors from providing the federal government or using any products or services that incorporate “covered telecommunications equipment or services” from five Chinese telecom companies and their affiliates and subsidiaries: (1) Huawei Technologies Company, (2) ZTE Corporation, (3) Hytera Communications Corporation, (4) Hangzhou Hikvision Digital Technology Company, and (5) Dahua Technology Company.
Schumer’s 2023 NDAA amendment would expand Section 889 by banning semiconductor products like microchips from the following three Chinese entities: (1) Semiconductor Manufacturing International Corporation (“SMIC”), (2) ChangXin Memory Technologies (“CXMT”), and (3) Yangtze Memory Technologies Corp. (“YMTC”). Schumer noted that these companies have known links to the Chinese state security and intelligence apparatuses. The amendment is aimed at filling a gap in federal procurement restrictions that currently do not include semiconductor technology and services, creating a vulnerability for cyberattacks and data privacy. The amendment would not take effect until three years after the NDAA’s enactment, or until 2025.
Although we do not yet know whether Schumer’s amendment will be incorporated into the final NDAA bill, contractors should nevertheless begin evaluating their supply chains to identify any semiconductor products from any of the three named Chinese manufacturers. Schumer’s amendment signals a continually expansive interpretation and enforcement of Section 889, which may be reflected in the final rulemaking for Section 889. The current FAR docket anticipates a final rule in December 2022, although these deadlines continue to be moving targets.
Effective October 1, 2022, Department of Defense (“DoD”) contractors must comply with Part B of Section 889 of the FY 2019 National Defense Authorization Act (“NDAA”). The approximately two-year long Part B waiver granted to the Director of National Intelligence expired October 1. DoD contractors cannot seek a DoD agency-level waiver as DoD cannot grant waivers under the statute. Thus, as with other agencies, DoD is prohibited from entering into, extending, or renewing contracts with contractors who use covered telecommunications or video surveillance equipment and services from certain Chinese companies in any part of their business.
Compliance with Part A of Section 889 was straightforward. Part A prohibited contractors from selling covered technology to the federal agencies. Comparatively, compliance with Part B is much more complicated. Part B requires a contractor to certify that it does not use “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” The prohibition applies to all contracts at any dollar value. “Covered telecommunications equipment or services” is defined as equipment, services and/or video surveillance products from Huawei Technologies Company, Hangzhou Hikvision Digital Technology Company, Hytera Communications Company, Dahua Technology Company, ZTE Corporation, or any entity controlled by the People’s Republic of China.
Federal government contractors and subcontractors often struggle with flow-down clauses. Fundamentally, prime and subcontractors squabble over flow-down clauses because they involve assumption of risk. A prime contractor has committed to comply with all of the clauses in its prime contract. To the extent a prime contractor does not flow down a clause to its subcontractor, the prime contractor assumes the risk of any subcontractor non-compliance. This is because, if a contracting officer identifies regulatory non-compliance, the government only looks to the party with which it has privity to enforce compliance: the prime contractor. If the prime contractor has not flowed down the applicable clause to its subcontractor, the prime contractor is responsible for its subcontractor’s non-compliance. If the clause has been flowed down, the prime contractor can enforce compliance upon its subcontractor. From a subcontractor perspective, the more flow-down clauses it accepts from its prime contractor, the more compliance risk it assumes.
As a result, prime contractors seek to flow down as many FAR clauses as possible—well beyond the mandatory flow downs discussed below. Subcontractors, meanwhile, seek to keep flow-down clauses to a minimum. Subcontractors must analyze when it is appropriate and productive to resist non-mandatory flow-down clauses, and sometimes the answers to these questions may not be straightforward. Below we address the mandatory flow-down clauses for commercial subcontracts with commercial and non-commercial prime contractors, how subcontractors can handle irrelevant clauses, and best flow-down practices for prime contractors and subcontractors.
The U.S. Small Business Administration (“SBA”) recently issued a final rule that creates new opportunities for small businesses to submit relevant past performance, and new requirements for large/other than small prime contractors to provide past performance reviews to first-tier small business subcontractors.
The final rule is intended to help small businesses overcome the hurdle of having minimal past performance to use in competitive procurements. The rule creates new mechanisms to permit small businesses to use the past performance of a joint venture in which it was a member, or to use its performance as a first-tier subcontractor. The new rule takes effect on August 22, 2022.
Federal government contractors and subcontractors with 50 or more employees and a federal contract or subcontract with a value of $50,000 or more measured during any 12-month period are required to develop a written Affirmative Action Program (“AAP”) within 120 days from the start of the federal contract.
The Office of Federal Contract Compliance Programs (“OFCCP”) has established a Contractor Portal for federal government contractors to register and certify that they have developed and maintained affirmative action programs at each of their establishments or functional units: OFCCP Contractor Portal. Contractors that do not register and certify are more likely to be selected for an OFCCP AAP audit.
The deadline to register and submit AAP certifications is June 30, 2022.