Tag: Cybersecurity

OMB Issues Guidance on Application of Section 889 to Federal Assistance Recipients—and Confirms No Part B “Use” Prohibition

Robyn N. Burrows ●

On April 22, 2024, the Office of Management and Budget (“OMB”) issued final guidance regarding the application of the Section 889 telecommunications ban to federal grants, loans, and cooperative agreements under 2 C.F.R. § 200.216. As a quick recap, Part A of Section 889 prohibits contractors from providing the federal government covered telecommunications equipment and services from certain Chinese manufacturers, whereas Part B prohibits contractors from using covered equipment and services. Section 889 also applies to grant, loan, and cooperative agreement recipients and subrecipients through 2 C.F.R. § 200.216, with certain differences. Most notably, OMB recently clarified that the Part B “use” prohibition does not apply to recipients and subrecipients, meaning they may use covered telecommunications equipment and services as long as they are not purchased with federal funds.

Continue reading “OMB Issues Guidance on Application of Section 889 to Federal Assistance Recipients—and Confirms No Part B “Use” Prohibition”

And No Longer Trending: 7 FAQs Regarding the Federal Contractor TikTok Ban

Justin A. ChiarodoLuke W. Meier, and Robyn N. Burrows ●


Building on recent and ongoing efforts to limit Chinese government access to government contractor supply chains, the FAR Councils published an interim rule effective June 2, 2023, that will broadly ban TikTok on contractor and contractor employee electronic devices used in the performance of federal contracts. The ban will be implemented through a new contract clause at FAR 52.204-27. Expect to see the clause added in all future solicitations (including commercially available off-the-shelf (“COTS”) acquisitions and micro-purchases) and added to existing contracts over the next month. We answer seven common questions on this new interim rule and offer several compliance tips.

What’s banned?

The new TikTok ban broadly prohibits contractors from having or using a “covered application” (e.g., TikTok or other successor applications by ByteDance Limited, a privately held company headquartered in Beijing, China) on any “information technology” used in the performance of a government contract. The ban applies regardless of whether the technology is owned by the government, the contractor, or the contractor’s employees. Bottom line, the rule has a (very) broad reach—it applies to contracts below the micro-purchase threshold, contracts for commercial products and services, and COTS items.

Continue reading “And No Longer Trending: 7 FAQs Regarding the Federal Contractor TikTok Ban”

Senate Majority Leader Schumer Proposes Section 889 Expansion

Robyn N. Burrows and Merle M. DeLancey, Jr. 

On October 18, 2022, Senate Majority Leader Chuck Schumer (D-NY) issued a press release signaling a potentially significant expansion of Section 889 through a proposed amendment to the 2023 National Defense Authorization Act (“NDAA”). Schumer’s proposal is aimed at extending the telecommunications supply chain prohibitions in Section 889 to the semiconductor manufacturing industry.

Section 889 currently prohibits contractors from providing the federal government or using any products or services that incorporate “covered telecommunications equipment or services” from five Chinese telecom companies and their affiliates and subsidiaries: (1) Huawei Technologies Company, (2) ZTE Corporation, (3) Hytera Communications Corporation, (4) Hangzhou Hikvision Digital Technology Company, and (5) Dahua Technology Company.

Schumer’s 2023 NDAA amendment would expand Section 889 by banning semiconductor products like microchips from the following three Chinese entities: (1) Semiconductor Manufacturing International Corporation (“SMIC”), (2) ChangXin Memory Technologies (“CXMT”), and (3) Yangtze Memory Technologies Corp. (“YMTC”). Schumer noted that these companies have known links to the Chinese state security and intelligence apparatuses. The amendment is aimed at filling a gap in federal procurement restrictions that currently do not include semiconductor technology and services, creating a vulnerability for cyberattacks and data privacy. The amendment would not take effect until three years after the NDAA’s enactment, or until 2025.

Although we do not yet know whether Schumer’s amendment will be incorporated into the final NDAA bill, contractors should nevertheless begin evaluating their supply chains to identify any semiconductor products from any of the three named Chinese manufacturers. Schumer’s amendment signals a continually expansive interpretation and enforcement of Section 889, which may be reflected in the final rulemaking for Section 889. The current FAR docket anticipates a final rule in December 2022, although these deadlines continue to be moving targets.

Westlaw Today: The ICTS Supply Chain Rules: Towards a U.S.-China Tech Decoupling?

Westlaw Today, August 9, 2022

Anthony Rapa ●

A July 2022 report relayed the news that the U.S. Department of Commerce (Commerce) is investigating the installation of Huawei equipment into cell towers situated near U.S. military bases and missile silos, based on concerns the equipment could hoover up sensitive data and transmit it to China.

The report indicates that Commerce is carrying out the investigation pursuant to its rules implementing Executive Order (EO) 13873 on “Securing the Information and Communications Technology and Services Supply Chain” (the ICTS Rules).

What are the ICTS Rules, and how will they be enforced? The ICTS Rules empower Commerce to review — and as warranted, to mitigate, block, or unwind — dealings in information and communications technology and services (ICTS) that have a nexus with a designated “foreign adversary,” including China and Russia.

You can read more on our website.

NISPOM Creates New Requirements for Senior Management Officials

Michael Joseph Montalbano

In February 2021, the Department of Defense (“DoD”) promulgated 32 C.F.R. Part 117. This move converted the National Industrial Security Program Operating Manual (“NISPOM”)—the rules that govern personnel and facility security clearances—from DoD policy into federal law. The move originally garnered little attention because the new regulations include virtually all requirements that were in the prior NISPOM. DoD, however, embedded new requirements with potentially significant implications for cleared contractors and their senior management officials (“SMO”). And the Defense Counterintelligence and Security Agency (“DCSA”) is now signaling that it will hold SMOs accountable if they fail to meet these requirements.

A cleared contractor’s SMO is the person “with ultimate authority over the facility’s operations and the authority to direct actions necessary for the safeguarding of classified information in the facility.” § 117.3(b). Typically, the SMO is the individual who holds the top position at a company, such as a chief executive officer or majority owner. Prior to the promulgation of Part 117, the SMO had discretion to delegate responsibility over the contractor’s industrial security program to another employee. Section 117.7(b)(2) of the new NISPOM regulations has put an end to that practice.

Continue reading “NISPOM Creates New Requirements for Senior Management Officials”

Where Are We Going with Section 889 Part B?

Justin A. Chiarodo, Merle M. DeLancey, Jr., and Robyn N. Burrows

About two months have passed since the August 13, 2020, effective date of Part B of Section 889 of the FY 2019 National Defense Authorization Act. Part B, sometimes referred to as the Chinese telecommunications equipment ban, broadly prohibits the federal government from contracting with entities that use certain Chinese telecommunications (including video surveillance) equipment and services.

After the FAR Council published its July 10, 2020, Interim Rule, contractors, large and small, spent countless hours working to be able to certify compliance by August 13. This deadline was critical because the Interim Rule said that absent such a certification, a contractor was ineligible for future contract awards. That is, government agencies were prohibited from renewing or extending existing contracts with contractors unable to certify Part B compliance. Indeed, agencies were prohibited from issuing an order under an existing contract to a contractor that failed to certify compliance.

Yet, despite the Rule’s laudable policy goals, the government’s piecemeal and inconsistent implementation has placed government contractors in an untenable position. Continue reading “Where Are We Going with Section 889 Part B?”

Newly Released Interim Rule Implementing Part B of Section 889

Justin A. Chiarodo, Merle M. DeLancey Jr., and Robyn N. Burrows

On July 10, the government issued the    long-awaited Interim Rule implementing Part B of Section 889 (here is a link to the pre-publication version, with the official version soon to follow). Part B prohibits the federal government from contracting with entities that use certain Chinese telecommunications equipment (previously discussed in our blog posts here and here). The Interim Rule is 86 pages and addresses issues related to compliance with Part B, as well as clarifying aspects of Part A.

These are the key points federal contractors need to know:

  • Effective Date: The effective date remains August 13, 2020. The ban applies to solicitations, options, and modifications on or after August 13. However, as we previously discussed, the Department of Defense may allow its contractors more time to comply, despite the statutory deadline.
  • Required Representation: An offeror must represent that, after conducting a reasonable inquiry, it does/does not use covered telecommunications equipment/services.
    • “Reasonable inquiry” means an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity. An internal or third-party audit is not required.
  • Scope of “Use”: Applies to the contractor’s use of covered technology, regardless of whether it is used to perform a federal contract. Thus, a contractor’s commercial operations are included.
  • Affiliates/Subsidiaries: The required representation is not applicable to affiliates or subsidiaries at this time. The FAR Council is considering whether to expand the scope of the representation/prohibition to cover an offeror’s domestic affiliates, parents, and subsidiaries. If expanded, it would be effective August 13, 2021.
  • Subcontractors: The ban and required representation are not applicable to subcontractors at this time. The ban only applies at the prime contractor level and does not include a flow down obligation.
  • Detailed Waiver Process: The Interim Rule includes a detailed and complex process for seeking a waiver (really a two-year delayed application).
  • Suggested Compliance Steps: The Interim Rule suggests contractors adopt a “robust, risk-based compliance approach” to include educating personnel on the ban and implementing corporate enterprise tracking to identify covered equipment/services.

Regulators are still seeking feedback from industry, which suggests the government’s willingness to incorporate changes in a final rule. But prime contractors need to act now. In the next 30 days, prime contractors need to determine through a “reasonable inquiry” whether they use covered equipment, regardless of whether that use relates to performance of a federal contract. To demonstrate a reasonable inquiry, contractors should memorialize all steps taken and decisions made in performing the inquiry.

A more detailed analysis is forthcoming. In the meantime, if you have any questions regarding compliance, please contact one of Blank Rome’s Government Contracts practice group attorneys for guidance.

What Does a Potential One-Year Delay for Part B of Section 889 Mean for Your Compliance Efforts?

Justin A. Chiarodo, Merle DeLancey Jr., and Robyn N. Burrows


In remarks to Congress and statements this week, the Department of Defense (“DoD”) announced that it is considering a one-year delay for full implementation of Part B of the Section 889 ban (we previously summarized the ban, which prohibits the government from contracting with entities using certain Chinese telecommunications equipment, here). The ban is currently scheduled to go into effect on August 13, 2020. What does this welcome development mean for contractors? We think it warrants prioritizing near-term compliance efforts to high-risk areas, pending forthcoming rulemaking that will provide needed specifics on the way forward.

During June 10 remarks before the House Armed Services Committee, Undersecretary for Acquisition and Sustainment Ellen Lord expressed the DoD’s full support for the intent of Section 889, but admitted she is “very concerned” about being able to accomplish Part B implementation by August 13. As to whether the DoD can meet the current timeline given COVID-19 disruptions and the lack of an interim rule, Ms. Lord acknowledged that “we need more time” for contractors to comply.

Following the undersecretary’s testimony, the DoD announced that it is considering adding contract language giving its suppliers an additional year to reach full compliance with Part B. Though not final, the DoD’s proposed delay could relieve DoD contractors from full compliance with the impending August deadline. We anticipate this approach would be similar to the phase-in period for compliance with the Defense Federal Acquisition Regulation Supplement Safeguarding and Cyber Incident Reporting clause. It is not yet clear whether the Office of Management and Budget, which currently has the draft interim rule for Part B, will incorporate a delayed implementation into that forthcoming rule.

The DoD also signaled that it is poised to advocate for a more risk-based approach to Part B implementation and rulemaking. During her testimony, Ms. Lord expressed concern with the “unintended consequences” of a minor infraction several layers deep within the supply chain potentially shutting down major portions of the defense industrial base by disqualifying key prime contractors from doing business with the federal government. The DoD suggested that the use of a risk-based approach may be useful to achieve effective implementation. The DoD’s consideration of a risk-based approach indicates that it is equally concerned about its contractors’ ability to comply with a strict application of Part B.

How DoD’s Announcements Inform Compliance Efforts with Part B

Without an interim rule and with less than two months before the statutory August deadline, how should contractors begin implementing Part B? Given the DoD’s recent comments suggesting a risk-based approach, contractors should consider adjusting their Part B implementation efforts using a risk assessment framework, prioritizing high-risk areas. That is, contractors should identify the extent to which telecommunications or video surveillance equipment is used to support government contracts, the nature of that work, and the frequency with which the technology is used.

The nature of the product’s telecommunication function also informs its risk potential. For example, computers, routers, phones, and network equipment can generally be considered a higher priority area than technology that, although technically subject to the ban, presents a moderate to low cybersecurity risk, depending on the nature and frequency of use (e.g., HVAC systems, fax machines, copiers, scanners).

Contractors should also communicate with key suppliers to ensure that they are aware of the rule and are similarly working to prepare for Part B.

Although the DoD’s statements are welcome news—and reflect that the government is mindful of the challenges presented by the ban—the DoD remains committed to Section 889 and contractors should proceed accordingly.

For Part B of Section 889, Is Compliance by August 13, 2020, Realistic?

Merle M. DeLancey Jr., Justin A. Chiarodo, and Robyn N. Burrows


On March 10, 2020, the Department of Commerce extended the deadline for U.S. companies to stop doing business with Huawei Technologies Co. Ltd. and its non-U.S. affiliates. The deadline has been extended multiple times and is now May 15, 2020. Under the extension, U.S. businesses can continue to work with Huawei on the operation of existing networks and mobile services, including cybersecurity research considered critical for network reliability.

Huawei was added to the Commerce Department’s Bureau of Industry and Security “Entity List” in May 2019. The Entity List includes foreign entities who have engaged in activities sanctioned by the State Department and activities contrary to U.S. national security and/or foreign policy interests.

In addition to the extension, the Commerce Department is seeking public comments through March 25, 2020, regarding the continuing need for, and scope of, possible future extensions concerning Huawei. The multiple extensions and new request for public comments are intended to allow time for companies and persons to shift from Huawei or its affiliates to alternative sources of equipment, software, and technology.

Continue reading “For Part B of Section 889, Is Compliance by August 13, 2020, Realistic?”

Five Steps to Take to Prepare for Part B of the Section 889 Ban

Merle M. DeLancey Jr., Justin A. Chiarodo, and Robyn N. Burrows


Part B of Section 889 takes effect August 13, 2020. The ban prohibits the federal government from contracting with any “entity that uses” telecommunications and video surveillance products or services from Huawei Technologies Company Ltd. (Huawei) and four other Chinese entities, including their affiliates and subsidiaries (we’ve previously covered Section 889 here and here). This post examines recent industry feedback during a public meeting with the Department of Defense (“DoD”) and provides five compliance recommendations pending forthcoming rulemaking.

On March 2, 2020, DoD held a public meeting on Part B. Several trade associations gave feedback, and raised five major concerns: 1) the broad scope of the rule; 2) the inability of many contractors to meet the August 2020 compliance deadline; 3) whether the rule will apply outside the United States; 4) whether the term “use” would include a reseller’s commercial sales of prohibited products, thus precluding a supplier from contracting with the federal government; and 5) whether the “entity” subject to the ban includes only the legal entity executing the contract with the federal government, or also its affiliates and subsidiaries. Unfortunately, DoD did not indicate when an interim rule might issue.

Continue reading “Five Steps to Take to Prepare for Part B of the Section 889 Ban”

Exit mobile version
%%footer%%