Background for FAR and NDAA Section 889
After several years of growing security concerns raised by U.S. Government officials regarding five Chinese companies that provide telecommunication services to the U.S. technology sector — including worries about these companies’ connections to the Chinese government and military, violations of sanctions, unfair trading practices, and the potential risk of compromising U.S. and global networks — the US Congress introduced Section 889 into the National Defense Authorization Act (NDAA) in the Fiscal Year 2019.
In this post, we will help small business Department of Defense (DoD) contractors familiarize themselves with the contents of NDAA Section 889 and the Federal Acquisition Regulation (FAR) telecommunication prohibitions, all of their associated challenges, and how they pertain to CMMC compliance. We will also cover how to decipher banned vs. allowed equipment and where to find safe technology to use in your environment.
Understanding Parts A and B of Section 889
Part A of the NDAA Section 889, which became effective on August 13th, 2019, imposed restrictions on the U.S. Government’s procurement of “covered” telecommunications equipment manufactured by five specific Chinese vendors:
- Huawei Technologies Company
- ZTE Corporation
- Hytera Communications Corporation
- Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company
This restriction applies regardless of whether the telecommunications equipment is manufactured by the five Chinese entities or their affiliates, through their contractors or alternate avenues. “Telecommunications” refers to the transfer of information between two objects using technology. “Telecommunications equipment”, then, is the technology that facilitates the transfer of information between two objects. Examples of these objects include IT equipment such as mobile devices, network routers, video surveillance and security systems. The term “covered” refers to any telecommunications equipment or services produced by the companies named above. This restriction has a wide scope including items deemed essential components or critical technology within a system. It applies across all industries and financial scales.
Part B (known as “the use ban”) elaborates on how contractors can do business with the government with respect to the banned telecommunications companies. Contractors are prohibited from selling to the government or using equipment from the five restricted companies. Additionally, Part B mandates organizations to perform a “reasonable inquiry” to ascertain if they use any prohibited technology and describe their use or non-use of the proscribed telecommunication equipment or services. You can read NDAA Section 889 in its entirety here. The FAR comprise a set of guidelines that the government follows during its procurement processes and is the method that the NDAA Section 889 is “flowed down” to the government contracting base. The telecommunication prohibitions of concern can be found in FAR 52.204-24, 25 and 26
The Challenges of Compliance
The regulations came as a surprise to many small business contractors because of the significant presence these five Chinese companies hold in the global telecommunications industry. Congressional Research Service estimates that Huawei Technologies Company is the largest of the five major equipment producers globally and has a large presence in over 170 countries. Additionally, many video surveillance systems, such as Network Video Recorders (NVR) and associated cameras, contain components manufactured by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. Even companies based outside of China have been found to incorporate components from these banned Chinese entities in their products. Ascertaining whether your small business security system is compliant with the NDAA and FAR can be challenging, since many vendors do not explicitly list the source of their product components online. It is up to the contractor themselves to inquire about their systems.
The unexpected requirement to avoid these five Chinese companies has presented a dilemma for American small businesses. Adhering to the NDAA’s regulations is crucial for any company wanting to do business with the U.S. Government, and not doing so can lead to significant repercussions such as potential loss of a contract and legal action.
Small Business Contractors Facing CMMC
To protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared by the DoD with its contractors, the DoD established the Cybersecurity Maturity Model Certification (CMMC) program. See our CMMC Compliance roadmap along with other free tools here. CMMC is the DoD’s method for holding the DIB accountable for implementing the NIST 800-171 cybersecurity standard to protect CUI. Given that the telecommunication prohibitions concerning the five Chinese companies aren’t explicitly covered in NIST 800-171, a DoD contractor could technically comply with NIST 800-171 while utilizing Chinese telecom equipment. However, this would result in a violation of the FAR clauses associated with those prohibitions, and the contractor would then be subject to contract loss or legal action.
So, our recommendation would be: as you address NIST 800-171 controls where telecommunications equipment will be needed, ensure that you are not using any tech provided by companies listed in the prohibition. It’s easy to not purchase directly from the banned companies, but you may need to do a little digging (see next section) to find out for certain that another vendor is not just reselling you Chinese tech. 800-171 safeguard 3.10.2 (“Protect and monitor the physical facility and support infrastructure for organizational systems”) is one control example where NDAA 889 will need to be considered when assessing your compliance of the physical security rules. We discuss other control examples and their relation to the FAR telecom prohibition in our regular CMMC Workshops. Come join us!
Moving Towards Compliance
NDAA compliance letters
While you are doing your due diligence trying to meet the standards laid out in NDAA 889, you’ll want to seek out vendors’ NDAA Section 889 compliance documentation. If an organization sells products that are compliant with NDAA Section 889, they will be upfront about it, and their compliance letters shouldn’t be hard to find. For example, take a look at Honeywell’s letter on NDAA 889 compliance (Honeywell is a prominent technology firm that produces a variety of advanced engineered materials). Within the letter, Honeywell first briefly explains the NDAA Section 889. Next, they affirm several of their video systems product lines not only meet the requisites of NDAA Section 889 but also have undergone an “extensive cyber testing process.” Honeywell notes that the listed product lines are entirely devoid of components originating from any of the vendors emphasized in NDAA 2019, Section 889.
Conducting a reasonable inquiry
To conduct the necessary “reasonable inquiry” Section 889 requires, you will need to do some due diligence to determine what telecommunications equipment your organization currently uses, as well as that used by 3rd party suppliers. This means you’ll need to check with all suppliers such as 3rd party IT providers and any vendors, contractors, and subcontractors involved in furnishing crucial systems to your organization. You should ask for the product line vendors’ NDAA Section 889 compliance attestations such as the Honeywell example above. Additionally, before you allow any 3rd party to connect any telecommunications equipment to your networks or Wi-Fi, have them affirm the equipment is 889-compliant. Ensure the vendor maintains an inventory of their equipment so you can verify that no prohibited equipment is being used. For example, if an HVAC maintenance tech plans to use a Huawei mobile device during a service call, they cannot use this device to connect to your network.
Now that you know what to search for in terms of NDAA attestation documentation, finding approved technologies is a little easier. Note that if your business has been using products from these banned companies, you’ll need to report that fact and some other information to the government in accordance with FAR 52.204-24 section (e)(2). Phase out the prohibited technology you use and implement replacement new products and services.
The rise of security concerns with the five Chinese companies noted above, coupled with the widespread use of products from these companies, has led Congress to introduce bans on these products to safeguard our national interests and the security of our networks. Although NDAA Section 889 and the FAR telecom prohibitions have presented significant challenges to small businesses, you can meet the standards they require.
Abiding by NDAA 889 and phasing out telecommunication equipment from the five banned entities is crucial to ensure our small businesses can continue doing work in the Federal government supply chain and avoid legal action. We need to adopt technology produced by companies that act in accordance with NDAA Section 889. By disengaging with the banned companies, we can contribute to safeguarding our national interests and ensuring the integrity of the U.S. supply chain.