What Does a Potential One-Year Delay for Part B of Section 889 Mean for Your Compliance Efforts?

Justin A. Chiarodo, Merle DeLancey Jr., and Robyn N. Burrows

In remarks to Congress and statements this week, the Department of Defense (“DoD”) announced that it is considering a one-year delay for full implementation of Part B of the Section 889 ban (we previously summarized the ban, which prohibits the government from contracting with entities using certain Chinese telecommunications equipment, here). The ban is currently scheduled to go into effect on August 13, 2020. What does this welcome development mean for contractors? We think it warrants prioritizing near-term compliance efforts to high-risk areas, pending forthcoming rulemaking that will provide needed specifics on the way forward.


During June 10 remarks before the House Armed Services Committee, Undersecretary for Acquisition and Sustainment Ellen Lord expressed the DoD’s full support for the intent of Section 889, but admitted she is “very concerned” about being able to accomplish Part B implementation by August 13. As to whether the DoD can meet the current timeline given COVID-19 disruptions and the lack of an interim rule, Ms. Lord acknowledged that “we need more time” for contractors to comply.

Following the undersecretary’s testimony, the DoD announced that it is considering adding contract language giving its suppliers an additional year to reach full compliance with Part B. Though not final, the DoD’s proposed delay could relieve DoD contractors from full compliance with the impending August deadline. We anticipate this approach would be similar to the phase-in period for compliance with the Defense Federal Acquisition Regulation Supplement Safeguarding and Cyber Incident Reporting clause. It is not yet clear whether the Office of Management and Budget, which currently has the draft interim rule for Part B, will incorporate a delayed implementation into that forthcoming rule.

The DoD also signaled that it is poised to advocate for a more risk-based approach to Part B implementation and rulemaking. During her testimony, Ms. Lord expressed concern with the “unintended consequences” of a minor infraction several layers deep within the supply chain potentially shutting down major portions of the defense industrial base by disqualifying key prime contractors from doing business with the federal government. The DoD suggested that the use of a risk-based approach may be useful to achieve effective implementation. The DoD’s consideration of a risk-based approach indicates that it is equally concerned about its contractors’ ability to comply with a strict application of Part B.

How DoD’s Announcements Inform Compliance Efforts with Part B

Without an interim rule and with less than two months before the statutory August deadline, how should contractors begin implementing Part B? Given the DoD’s recent comments suggesting a risk-based approach, contractors should consider adjusting their Part B implementation efforts using a risk assessment framework, prioritizing high-risk areas. That is, contractors should identify the extent to which telecommunications or video surveillance equipment is used to support government contracts, the nature of that work, and the frequency with which the technology is used.

The nature of the product’s telecommunication function also informs its risk potential. For example, computers, routers, phones, and network equipment can generally be considered a higher priority area than technology that, although technically subject to the ban, presents a moderate to low cybersecurity risk, depending on the nature and frequency of use (e.g., HVAC systems, fax machines, copiers, scanners).

Contractors should also communicate with key suppliers to ensure that they are aware of the rule and are similarly working to prepare for Part B.

Although the DoD’s statements are welcome news—and reflect that the government is mindful of the challenges presented by the ban—the DoD remains committed to Section 889 and contractors should proceed accordingly.

New DoD Cybersecurity Regulations Are Coming—Is Your Company Ready?

Michael Joseph Montalbano

In January, the Department of Defense (“DoD”) released more information on its much-anticipated Cybersecurity Maturity Model Certification (“CMMC”) framework. While a final rule is not expected until the fall, contractors need to begin preparing now so they do not miss out on DoD contract opportunities.

What Is the CMMC?

The CMMC is a certification system that all DoD prime and subcontractors must comply with to be eligible to compete for and perform future DoD contracts. Under the new CMMC requirements, an accreditation body tapped by DoD will begin training third-party assessors in the spring of 2020, who will in turn certify defense contractors under the CMMC. There will be five CMMC certification levels, of ascending sophistication:

    • Level 1 – Basic Cyber Hygiene
    • Level 2 – Intermediate Cyber Hygiene
    • Level 3 – Good Cyber Hygiene
    • Level 4 – Proactive
    • Level 5 – Advanced / Progressive

The contractor must comply with a combination of the following cybersecurity safeguards, depending on the certification level a contractor wants to achieve: (1) FAR 52.204 (Basic Safeguarding of Covered Contractor Information Systems); (2) NIST Special Publication 800-171 Revision 1 (“NIST Requirements”); (3) select subsets of a supplement to the NIST Requirements called NIST SP 800-171B; and (4) up to 171 “practices” identified in the CMMC. Though this may sound like a lot for contractors to process, DoD has released helpful appendices that put many of the requirements in easy-to-understand terms. Continue reading “New DoD Cybersecurity Regulations Are Coming—Is Your Company Ready?”

For Part B of Section 889, Is Compliance by August 13, 2020, Realistic?

Merle M. DeLancey Jr., Justin A. Chiarodo, and Robyn N. Burrows

On March 10, 2020, the Department of Commerce extended the deadline for U.S. companies to stop doing business with Huawei Technologies Co. Ltd. and its non-U.S. affiliates. The deadline has been extended multiple times and is now May 15, 2020. Under the extension, U.S. businesses can continue to work with Huawei on the operation of existing networks and mobile services, including cybersecurity research considered critical for network reliability.

Huawei was added to the Commerce Department’s Bureau of Industry and Security “Entity List” in May 2019. The Entity List includes foreign entities who have engaged in activities sanctioned by the State Department and activities contrary to U.S. national security and/or foreign policy interests.

In addition to the extension, the Commerce Department is seeking public comments through March 25, 2020, regarding the continuing need for, and scope of, possible future extensions concerning Huawei. The multiple extensions and new request for public comments are intended to allow time for companies and persons to shift from Huawei or its affiliates to alternative sources of equipment, software, and technology. Continue reading “For Part B of Section 889, Is Compliance by August 13, 2020, Realistic?”

Five Steps to Take to Prepare for Part B of the Section 889 Ban

Merle M. DeLancey Jr., Justin A. Chiarodo, and Robyn N. Burrows

Part B of Section 889 takes effect August 13, 2020. The ban prohibits the federal government from contracting with any “entity that uses” telecommunications and video surveillance products or services from Huawei Technologies Company Ltd. (Huawei) and four other Chinese entities, including their affiliates and subsidiaries (we’ve previously covered Section 889 here and here). This post examines recent industry feedback during a public meeting with the Department of Defense (“DoD”) and provides five compliance recommendations pending forthcoming rulemaking.

On March 2, 2020, DoD held a public meeting on Part B. Several trade associations gave feedback, and raised five major concerns: 1) the broad scope of the rule; 2) the inability of many contractors to meet the August 2020 compliance deadline; 3) whether the rule will apply outside the United States; 4) whether the term “use” would include a reseller’s commercial sales of prohibited products, thus precluding a supplier from contracting with the federal government; and 5) whether the “entity” subject to the ban includes only the legal entity executing the contract with the federal government, or also its affiliates and subsidiaries. Unfortunately, DoD did not indicate when an interim rule might issue. Continue reading “Five Steps to Take to Prepare for Part B of the Section 889 Ban”

Are You Prepared to Comply with the Fast Approaching Prohibition on the Use of Banned Telecommunications Equipment?

Merle M. DeLancey Jr., Justin A. Chiarodo, and Robyn N. Burrows

Background      

Section 889 of the 2019 National Defense Authorization Act (“NDAA”) imposed major new supply chain restrictions on the use of “covered” telecommunications products and services from Huawei Technologies Company Ltd. and several other Chinese entities and their affiliates.

Part A of Section 889 became effective in August 2019 and bans companies from providing covered technology to the Federal Government. Under Part A, a company cannot sell any product or provide any service to the government that uses covered technology. Compliance with Part A requires contractors to flow down the prohibition to subcontractors. Continue reading “Are You Prepared to Comply with the Fast Approaching Prohibition on the Use of Banned Telecommunications Equipment?”

A DoD New Year’s Resolution: No More Chinese (and Possibly Russian) Products and Services in Support of Key Missions

Justin A. Chiarodo and Robyn N. Burrows

A very Happy New Year to our GovCon Navigator readers! Further expanding recent supply chain restrictions across federal procurement, the Department of Defense (“DoD”) issued an interim rule prohibiting DoD from procuring equipment or services from certain Chinese entities (and possibly Russian) if used to carry out DoD nuclear deterrence or homeland defense missions. The rule builds on the Section 889 supply chain restrictions we previously covered in a prior blog post.

What should contractors do now given the interim rule is already in effect? Contractors should first evaluate their existing contract portfolios for covered missions and take immediate steps to eliminate all covered products from their supply chain (and find alternate sources of supply). If the rule might impact contract performance, you should be prepared to address this with the appropriate counterparty. And given the requirement for compliance certifications that mirror Section 889, contractors should also harmonize monitoring and compliance with their existing supply chain compliance programs. Among other things, this should address the requirement to obtain compliance certifications from downstream subcontractors and suppliers.

Read on for the specifics. Continue reading “A DoD New Year’s Resolution: No More Chinese (and Possibly Russian) Products and Services in Support of Key Missions”

5 Tips for Complying with New Section 889 Supply Chain Regulations

Justin A. Chiarodo and Robyn N. Burrows

As part of a recent wave of supply chain requirements, Section 889 of the 2019 National Defense Authorization Act (“NDAA”) imposed major new limitations on the use of certain Chinese telecommunications products and services in federal procurement, and recent implementing regulations mandate a range of compliance actions relating to the ban. This blog post provides practical guidance on the new rules and five compliance tips.

Ban against Procuring “Covered Telecommunications Equipment or Services”

The Department of Defense (“DoD”), General Services Administration (“GSA”), and National Aeronautics and Space Administration (“NASA”) recently released an interim rule implementing the first part of Section 889. This ban, which became effective August 13, 2019, sweeps broadly by prohibiting agencies from procuring the following “covered telecommunications equipment or services”:

  1. Telecommunications equipment produced by Huawei and ZTE Corporation;
  2. Video surveillance and telecommunications equipment used for public safety, surveillance of “critical infrastructure,” or national security purposes and produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company;
  3. Telecommunications or video surveillance services provided by such entities for any purpose; or
  4. Telecommunications or video surveillance equipment produced or provided by an entity that the Secretary of Defense determines is owned or controlled by, or otherwise connected to, the government of the People’s Republic of China.

The ban includes all affiliates and subsidiaries of the listed companies. Continue reading “5 Tips for Complying with New Section 889 Supply Chain Regulations”

Eastern District of California Allows False Claims Act Allegations Based on Noncompliance with DoD Cybersecurity Requirements to Go Forward

Carolyn R. Cody-Jones

A recent decision in the federal district court for the Eastern District of California is one of the first to recognize application of the False Claims Act (“FCA”) to Department of Defense (“DoD”) cybersecurity requirements, and will likely encourage future lawsuits alleging noncompliance with federal cybersecurity procurement regulations. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 WL 2024595 (E.D. Cal. May 8, 2019), the court denied the defendant contractor’s motion to dismiss qui tam complaint fraud allegations against the company. The complaint—brought by a former employee from the company’s cybersecurity department a month after his termination from the company—alleged the defendant fraudulently entered into DoD and National Aeronautics and Space Administration (“NASA”) contracts despite knowing that it did not meet the minimum standards required to receive the awards. The court permitted the case to move forward despite the government declining to intervene.

The primary regulations at issue in the case are DFARS 252.204-7012, which recently required, as of December 31, 2017, that contractors have a cybersecurity plan in place complying with 110 recommended security control standards set forth in NIST SP 800-171. However, the court’s decision in Aerojet Rocketdyne focused on the previous 2013 final rule and the two interim rules in 2015 implementing DFARS 252.204-7012, and also a NASA cybersecurity regulation at 48 C.F.R. § 1852.204-76 involving contractor security controls for sensitive but unclassified government information. Continue reading “Eastern District of California Allows False Claims Act Allegations Based on Noncompliance with DoD Cybersecurity Requirements to Go Forward”

Top 10 Trends and Compliance Obligations in the Evolving World of Commercial Item Procurement

Blank Rome Partner Justin A. Chiarodo will be a presenter at BDO’s Winter 2019 Marketplace Outlook Update for Government Contractors, “Top 10 Trends and Compliance Obligations in the Evolving World of Commercial Item Procurement.” This live webinar will take place Thursday, February 28, 2019, from 12:30 to 1:30 p.m. EST.

For more information, please visit our website.

Cybersecurity Could Make or Break Defense Contractors’ Chances of Future Awards

Michael Joseph Montalbano

Cost, schedule, and performance, the three pillars of defense procurement, may soon be accompanied by a fourth pillar: cybersecurity. As the nature of warfare evolves away from pure kinetic capabilities to the asymmetric, cyber realm, the Department of Defense (“DoD”) has had to grapple with the reality that its defense contractors are prime targets for infiltration. Indeed, in the February 2018 Worldwide Threat Assessment, Director of National Intelligence Daniel Coats specifically identifies defense contractors and IT communications firms as the primary focal points of China—one of the United States’ primary cyber adversaries. As a result of this new reality, DoD has begun the process of revamping the defense procurement system to place greater emphasis on cybersecurity. In response to these moves by DoD, contractors should take a fresh look at their current operations to identify their own cyber vulnerabilities as well as the vulnerabilities of their subcontractors, suppliers, and other partners. Without adequate preparation, contractors risk finding themselves at a significant disadvantage during future contract bids. Continue reading “Cybersecurity Could Make or Break Defense Contractors’ Chances of Future Awards”