Introduction to the FAR and DFARS Rules
The Federal Acquisition Regulation (FAR) provides a set of guidelines for how the US Federal Government can procure products and services from private industry. A new FAR rule recently went into effect that bans the Government from procuring products or services that include telecommunication (“telecom”) equipment from certain Chinese vendors. The rule, FAR clause 52.204-25 titled “Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment”, prohibits the Government from:
procuring or obtaining, or extending or renewing a contract to procure or obtain, any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system
The rule also prohibits the Contractor from:
providing to the Government any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system
The FAR Ban on Telecom Equipment Includes:
- Telecom equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities)
- Video surveillance and telecom equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities)
- also: services that use this equipment
The vendors listed are all of Chinese origin. It is the contractor’s responsibility to identify the use of this equipment. If the contractor identifies any of this equipment or services used:
- as a substantial or essential component of any system, or
- as critical technology as part of any system, during contract performance, or
- the Contractor is notified of such by a subcontractor at any tier or by any other source
the contractor must, within one business day, report the following information to the Government Contracting Officer (in the case of the Department of Defense, the Contractor must report to the website at https://dibnet.dod.mil) :
- the contract number;
- the order number(s), if applicable;
- supplier name;
- supplier unique entity identifier (if known);
- supplier Commercial and Government Entity (CAGE) code (if known);
- model number (original equipment manufacturer number,
- manufacturer part number, or wholesaler number);
- item description;
- and any readily available information about mitigation actions undertaken or recommended.
DFARS Prohibits use of Chinese Telecom in Nuclear-Related Missions
The US Department of Defense (DoD) Supplement to the FAR (DFARS) reiterates the FAR clause’s associated prohibitions in DFARS clauses 252.204-7016, 7017, and 7018. DFARS 7018 in fact goes on to explicitly prohibit the use of that Chinese telecom equipment in support of the following nuclear-related DoD missions:
- The nuclear deterrence mission of DoD, including with respect to nuclear command, control, and communications, integrated tactical warning and attack assessment, and continuity of Government; or
- The homeland defense mission of DoD, including with respect to ballistic missile defense.
It’s obvious from these clauses that the US Government considers this equipment to pose some threat to national security. It’s also obvious from the clause that contractors cannot sell this equipment to the Government, nor use this equipment as part of conducting Government missions. We won’t speculate on the specific threat in this blog. But let’s explore some of the more ambiguous implications of these FAR/DFARS requirements.
The Ubiquity of this Chinese Telecom Equipment
The issue with this rule for many DoD contractors, especially small business suppliers and vendors, is that this Chinese technology is incorporated into many Internet Service Providers (ISP) network backbones, as well as specific tech such as home and business surveillance camera systems, and it can be very difficult to determine how so.
For instance, many small ISPs rely on Huawei equipment (cell tower components, network routers, etc.) to provide service to rural communities. There are several military bases in rural areas (Malmstrom AFB in Montana comes to mind) that have strong contractor supply chains, and these contractors may rely on these ISPs for Internet connections. And then with the increase in remote and “tele” work, many DoD contractor staff is working from home in these rural areas, and their home Internet connections may be provided by ISPs that may use Huawei equipment. So, if these contractors “provide a service” to the US Government and they rely on the ISPs with Huawei equipment to provide that service, does that scenario violate the FAR 52.204-25 clause?
Another example (and really not trying to throw anyone under the bus, this is one example of many) is Canada-based Lorex Technologies, which provides many surveillance, network video recording, and security camera systems. Their website does not list many technical specifications for these systems and does not provide information where Lorex sources system components from. Upon inquiry to Lorex technical support about whether Lorex incorporated any components from these banned Chinese vendors, Lorex support replied that indeed, “Lorex systems are Dahua based.”
So let’s say a Government contractor uses a Lorex video surveillance system to, say, monitor the parking lot outside their contractor facility where Government equipment is stored. Is this considered “providing a service” to the Government that uses this banned equipment in violation of the FAR rule? It’s not clear.
What does it mean to provide the Government a service?
Let’s use our parent company, Haight Bey & Associates, as an example service provider to the Government and explore what it means to provide a service to the government. Haight Bey & Associates (HB&A) is a prime DoD contractor, executing a Contractor Logistics Support (CLS) contract with the US Air Force (USAF). As part of the CLS contract we provide the following “services” to the USAF:
- Software and hardware integration
- Parts storage and sparing
- Parts repair
- Help Desk
- Field repair
We don’t sell telecom equipment or telecom services to the DoD, but we do provide a service to the DoD. That service is supported by our facility and home Internet connections, and we use surveillance systems to help secure the Government property we store at our facilities. So this FAR/DFARS rule has us asking the questions: “Are we required to investigate what equipment our ISPs use? Do we need to steer away from Chinese made surveillance equipment for our facilities, even if we don’t sell that equipment to the Government?” Unfortunately, we don’t have good answers to these questions, and I’m sure many of you reading this do not either.
One safeguard we recommend for any networked video recording system, no matter the manufacturer, is to disconnect it from your network if possible, or at a minimum isolate it within your network. Isolation can occur via several means, such as relegating the system to a subnet or VLAN, or even better to a DMZ. If the system contains Chinese components that the Chinese adversary can use to remotely compromise the system, removing it from your network will prevent the Chinese from remote command and control and potential exfiltration of data. If your operations require you to network the system, then be sure to isolate it, which at least will delay or prevent the adversary from using the system as a “launching pad” for further attacks on your other networked IT components.
More on this topic to come I’m sure…