Blog Post 06.05.20
U.S. government agencies continue to implement new rules to guard against supply chain threats and mitigate cybersecurity risks. We have previously discussed regulations aimed at excluding, and in some cases removing, Chinese-origin equipment from U.S. telecommunication networks and supply chains. In addition to discussing recent developments related to those regulations, this alert examines how the Department of Defense (DoD) and other agencies plan to mitigate cybersecurity risk at the contractor level.
Section 889 of the Fiscal Year 2019 National Defense Authorization Act
We previously discussed the two prohibitions (Part A and Part B) under Section 889(a)(1) of the Fiscal Year 2019 National Defense Authorization Act. Part A prohibits the government from procuring any equipment, system or service that uses “covered telecommunications equipment or services as a substantial or essential component of any system, or as a critical technology as part of any system.” The covered telecommunications equipment or services are those produced by Huawei, ZTE, Hytera, Hikvision, Dahua, and their subsidiaries or affiliates. Similarly, Part B prohibits the government from entering into or extending or renewing contracts with any entity that uses those same covered telecommunications equipment or services. Part A went into effect in August 2019; however, Part B is not effective until August 13, 2020.
Part B has been of particular concern for the defense industrial base and the DoD. The National Defense Industrial Association and the Professional Services Council sent a letter to Congress earlier this year requesting that it postpone Part B’s effective date until at least February 2021. The letter noted that “Part B will impose significant financial and operational costs on medium and small-sized firms at a moment of substantial uncertainty and hardship.” Similarly, the Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord, asked Congress to delay Part B’s effective date, given the complexity of the supply chain. Recent pronouncements out of the U.S. government, as noted below, suggest that those requests went unanswered.
On July 14, 2020, the FAR Council published the interim rule that implements Part B, which will take effect on August 13, 2020. The interim rule requires contractors to represent—after conducting a reasonable inquiry—whether covered telecommunications equipment or services are used by the contractor. To perform a “reasonable inquiry,” a contractor must conduct an inquiry designed to uncover any information in the contractor’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the contractor. The definition of reasonable inquiry, however, “need not include an internal or third-party audit.” The prohibition applies regardless of whether the covered telecommunications equipment is used in performance of work under a federal contract. This means that if a government contractor only uses covered telecommunications equipment outside the U.S., in a capacity wholly unrelated to its government work, government agencies may still be prohibited from entering into contracts with it. That scenario, however, is subject to the limitations discussed below.
Based on the statutory language of Part B, there was concern that it could have a significant impact on downstream suppliers and subcontractors. As of now, the interim rule only applies to prime contractors. The interim rule notes, however, that the FAR Council is considering whether the final rule should apply to the offeror and any affiliates, parents and subsidiaries that are domestic concerns. That potential expansion would take effect no later than August 13, 2021. Public comment on the interim rule is due by September 14, 2020. Among many other questions, the government requests public comment on how extending the rule to affiliates, parents and subsidiaries would impact a contractor’s ability to comply with the prohibition and representation.
Secure and Trusted Communications Networks Act
As detailed previously, the Secure and Trusted Communications Networks Act prohibits the use of certain federal funds to obtain communications equipment or services from a company that poses a national security risk to U.S. communications networks. The Act directs the Federal Communications Commission (FCC) to publish a list of covered communications equipment or services that pose a national security threat. On June 30, 2020, the FCC formally determined that Huawei and ZTE pose a national security threat to the integrity of U.S. telecommunications networks and supply chains. This ostensibly means that the FCC may proceed with providing funds to small carriers to aid their transition away from Huawei and ZTE equipment, as authorized by the Act. For small telecommunications service providers that also perform government contracts, this process may allow for compliance with the interim rule discussed above, without suffering the added cost of compliance.
Cybersecurity Maturity Model Certification
In January 2020, DoD released the highly anticipated, final Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, as discussed in our previous Client Alerts from December 2019 and February 2020. CMMC will require government contractors to get third-party assessments proving their networks meet a certain maturity level, ranging from one to five with a corresponding increase in security controls. It is anticipated that all contractors throughout the DoD supply chain will need to reach some level of CMMC certification if they are to receive future DoD contracts and subcontracts.
It appears, however, that the CMMC framework may be required on some non-DoD contracts this year. During CMMC presentations to industry in early 2020, DoD officials stated that the Treasury and Commerce departments had already said they will adopt the CMMC standard and the Department of Homeland Security would monitor the progress of the program before deciding. Additionally, in a July 6, 2020, request for proposal (RFP) for the 8(a) STARS III contract, the General Services Administration required that offerors meet certain CMMC standards. The RFP notes that “[w]hile CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on 8(a) STARS III monitor, prepare for and participate in acquiring CMMC certification.” DoD has not issued a final rule in the Defense Federal Acquisition Regulation Supplement (DFARS) implementing CMMC; however, prior to the current pandemic, the new DFARS rule had been scheduled for release during the fall of this year. DoD has plans to include CMMC requirements in certain “pathfinder” solicitations later this year, but it has recently stated that certification will only be required at the time of award—not at the time of proposal submission. Each level of maturity will reflect a greater degree of protection against cybersecurity risks in the supply chain, with the majority of contracts awarded at the same level required under the current DoD cybersecurity standard established in DFARS 252.204-7012.
The recent actions discussed above reflect the U.S. government’s ongoing concern about the threats to U.S. telecommunication networks and supply chains, specifically those threats posed by China and certain Chinese companies. As the scope of many recent restrictions makes clear, the concern extends well beyond contracts with DoD or even federal contracts more broadly. Instead, these restrictions will require a complete assessment of, and change in, day-to-day business operations for many contractors. It is therefore critical that U.S. companies, even those without federal prime contracts, begin the process of ensuring their compliance with the aforementioned restrictions.