This Job Never Gets Dull… NDAA Subsection 889(a)(1)(B) Compliance for Security Integrators
The U.S. has entered our sixth month of the COVID-19 crisis – an unimaginable pandemic that has threatened our health and monumentally disrupted our livelihoods, our families, and our previous way of living. As most small business owners can attest (unless you happen to sell hand sanitizer or online educational tools), COVID is as lethal to businesses as it is to individuals (read more on the grim statistics at https://www.pnas.org/content/117/30/17656). The changing environment requires decisive and deliberate action in order to maintain business health despite the pandemic – it often feels like we are running in quicksand, trying to avoid getting sucked under. Early in the crisis, we quickly realized that our commercial small business base was unlikely to make purchases as they had previously; most were suffering from post-closure cash flow concerns and had no capital to expend, even on essential security requirements. While we created strategies to help these businesses by shifting our focus to a subscription offering, we also leaned gratefully on our enterprise customers, both federal and commercial, who had ongoing, and even increasing, requirements for our goods and services.
But just when doing business with the Federal government looked to be the easier path in the mid-pandemic “new normal”, along comes the next bump in the road to keep us on our toes. On August 13th, the Interim Rule implementing Subsection 889(a)(1)(B) of the National Defense Authorization Act (NDAA) came into effect. This law, passed in 2018, was implemented as a national security measure to protect government information. Part A (aka the Sales Prohibition) was implemented on August 13th, 2019, and prohibited federal agencies and their contractors from procuring or using “telecommunications and video surveillance equipment or services from specific Chinese companies.” That was the easy part: a list of (5) Chinese companies and their subsidiaries whose products the government can’t purchase, and most of us had already moved away from selling these brands anyway and figured out alternatives (remember, the law passed in 2018, so we had time to see it coming). Unlike the clear and relatively narrow prohibitions provided for in Part A, when Part B (aka the Use Prohibition) came into effect this August, it contained broad prohibitions relating to the use of covered products and services incorporating certain Chinese technology, whether or not in the context of a federal contract. This directly impacts the ability of integrators to perform federal work using compliant products if they also provide video surveillance products to non-federal customers that do not meet the federal requirements. The prohibition is very broad, and there is no language that limits its application, so there is no exception for internal uses or uses unrelated to federal contracting. This makes compliance significantly more challenging than it was for Part A: a whole new minefield to navigate for businesses who work with the government or wish to do so in the future.
While the law applies to all entities who do business with the federal government, for a Security Integrator this is a real “foot-stomper”: understanding the law and how to fully comply with its language is crucially important, and we have no choice but to take immediate action to ensure compliance. And while we also knew Part B was coming, many of us were hoping for better clarity and perhaps language that was more forgiving, in order to mitigate the pain and cost that a deep dive into regulatory compliance requires. But alas, if it were easy, everyone would do it, right?
So how does a Security Integrator ensure that their entire global supply chain, not just the part of the business that contracts with the U.S. government, is devoid of equipment, systems, or services from those banned Chinese technology or surveillance companies? I would suggest the following steps, at a minimum, to get you to a place where you can check the box that says “DOES NOT provide covered telecommunications equipment or services” on your System for Award Management (SAM) annual representations and certifications for FAR 52.204-26 (https://www.acquisition.gov/far/52.204-26). Here are some tips:
Educate key members of your organization on what NDAA 889(a)(1)(B) says and means
Identify potential covered products and technology – including those used internally (i.e. cell phones, laptops, networking equipment, mobile hot spots) and those sold to customers
Consider whether any telecommunications equipment may include components from banned companies
Query suppliers and manufacturers for documentation of compliance; track responses and results
Make supply chain switches to eliminate the Covered Telecommunications Equipment or Services
Implement a written compliance plan, and educate all key staff on what the plan is (including cost tracking and a phase-out plan, if appropriate)
Provide an accurate representation to the Government (NOTE: If the answer to FAR 52.204-26 is still not “DOES NOT,” there is limited opportunity to request a waiver. Additionally, if use is discovered during contract performance, you have 1 day to notify the Government)
And in good news, the FAR Council is still accepting comments on 889(a)(1)(B) through 14 September 2020 (see https://www.lexology.com/library/detail.aspx?g=c263b35a-6b58-43a2-bd1e-6abe793db4ab), so if you need clarification or have suggestions for wording changes, there is still time to provide input.
A word of caution: while these compliance steps require significant upfront and ongoing personnel costs (it’s not free to pull key personnel off of paying work to analyze the country of origin of every widget that passes through the doors), consider the cost of non-compliance. An organization’s failure to submit an accurate representation to the Government constitutes a breach of contract, which can result in contract cancellation and other financial consequences. Furthermore, noncompliance with NDAA Section 889 could result in a False Claims Act violation, for which the Government can seek damages and up to $23,000 in penalties per violation. If you can’t be compliant, it might be cheaper to stop doing business with the government than to risk the financial consequences of a breach.
In closing, I am in full support of the fundamental need to address the privacy and security risks associated with using covered Chinese telecommunications equipment and services, and plan to ensure that my company remains compliant with the recently published Interim Rule of NDAA Subsection 889(a)(1)(B). We take great pride in serving our public customers in the Department of Defense, Department of Veterans Affairs, Department of Homeland Security, and various other agencies and intend to keep ourselves in a position to provide them with our security solutions, knowing that they comply with their unique information security requirements.