In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government (“USG”).  Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services (“ICTS”) to the USG.  As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.

Section 889 of the Fiscal Year 2019 National Defense Authorization Act

As many USG contractors are now painfully aware, Section 889 of the Fiscal Year 2019 National Defense Authorization Act (“Section 889”) establishes two constraints on telecommunications supply chains.  Subsection 889(a)(1)(A), effective as of August 13, 2019, prohibits USG agencies from acquiring certain telecommunications equipment or services from Huawei, ZTE, Hytera Communications Corporation, Hikvision, or Dahua, or any of their subsidiaries or affiliates.  Section 889(a)(1)(B), effective August 13, 2020, prohibits USG agencies from “enter[ing] into a contract (or extend[ing] or renew[ing] a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”  As drafted, the statute is broad enough to apply in cases where a company uses such equipment or services solely in connection with its commercial sales outside of work the company does for the USG.

The interim rule for Section 889(a)(1)(A) was released last August and opened for comment.  The FAR Council has indicated that it will provide feedback to those comments when it issues the proposed regulations for Section 889(a)(1)(B), which have not yet been released.  This means that key terms, such as “entity” and “use,” remain undefined.  Accordingly, contractors, especially those with a mix of commercial and government business, must take educated guesses in preparing compliance programs to begin to address these requirements.

SECURE Technology Act

On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act.  The Act establishes the Federal Acquisition Security Council (“FASC”), which is charged with building greater cybersecurity resilience into federal procurement and acquisition rules.  The Act also gives the Secretary of the Department of Homeland Security, the Secretary of Defense, and the Director of National Intelligence the authority to issue exclusion and removal orders for information technology products and/or companies that supply such products if the FASC determines that they represent a risk to the USG’s supply chain.  The Act also permits federal agencies to exclude companies or products they deem to pose a supply chain risk from individual procurements.

Recent reports indicate that the FASC is nearing completion of a final interim rule that would specify the exclusion criteria and detail the appeal process from an exclusion order.  Although the Department of Defense (“DoD”) and the Intelligence Community currently have the authority to exclude products in certain instances, this interim rule would apply government-wide.  Still to be seen is whether the exclusion determinations will be publicly available.

Cybersecurity Maturity Model Certification

On January 31, 2020, DoD released Version 1.0 (since updated to Version 1.02) of its Cybersecurity Maturity Model Certification (“CMMC”).  The CMMC is DoD’s upcoming framework for managing cybersecurity risks in the Defense supply chain.  Under the current paradigm, contractors that handle “Covered Defense Information” must self-attest to providing “adequate security” to protect that information, but are allowed to work toward implementing 110 NIST SP 800-171 security controls over time so long as the plans for doing so are appropriately documented.  Not only does the new CMMC add security controls (depending on the level of sensitivity assigned to the procurement), but contractors must also be in full compliance with each control at the time that contract performance begins.  Most importantly, contractors will no longer be able to self-certify compliance.  Instead, compliance with a particular CMMC level must be externally validated by trained auditors.

DoD is in the process of promulgating an update to the current Defense Federal Acquisition Regulation Supplement (“DFARS”) cybersecurity clause to account for the shift to CMMC requirements and is planning on choosing a subset of procurements where CMMC can be applied by the end of this year.  DoD’s goal is to fully implement CMMC certification requirements in all DoD awards by Fiscal Year 2026.  DoD has indicated, however, that COVID-19 could delay release of the DFARS clause.

Executive Order (“EO”) on Securing the ICTS Supply Chain

On May 15, 2019, the President issued an EO declaring a national emergency with respect to threats against ICTS in the United States.  The EO authorizes the Secretary of Commerce to prohibit, block, unwind, or mitigate any transaction involving ICTS that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”  Reviews of transactions will be conducted on a case-by-case basis.

Commerce received comments on a November 2019 proposed rule in January 2020.  There has been no known use of the authority during the rulemaking process and an update is expected from Commerce soon.

Sections 1654 and 1655 of the Fiscal Year 2019 National Defense Authorization Act

Sections 1654 and 1655 of the FY19 NDAA generally require contractors to disclose whether they have allowed within the last five years a foreign government that poses a cybersecurity risk to USG defense and national security systems and infrastructure (or for non-commercial items, any foreign government) to review the source code of any product, system, or service that DoD is using or intends to use.  The law also requires contractors to disclose whether they are under an agreement to allow a foreign government or a foreign person to review the source code of a product, system, or service that DoD is using or intends to use.  DoD will be able to condition contract awards on contractors’ mitigation of any risks that DoD identifies because of the foreign source code review.  The DFARS regulatory implementation of this requirement is currently on hold “pending resolution of technical issues,” and specific countries of concern have not been publicly identified, but regulations are still expected within the next year.

*  The contents of this post originally appeared in Washington Technology on June 26, 2020.

Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Samantha Clark

Samantha Clark practices in the firm’s Public Policy Practice Group as well as the CFIUS and Government Contracts groups. Ms. Clark provides advisory and advocacy support to clients facing policy, political, and regulatory challenges in the aerospace, defense, and national security sector.

Before joining the firm, Ms. Clark served in a number of senior staff positions on the U.S. Senate Armed Services Committee, most recently as Deputy Staff Director and General Counsel. In this role, she managed the passage of the National Defense Authorization Act (NDAA), the annual defense policy bill that authorizes the Defense Department’s budget. Ms. Clark worked on Chairman McCain’s legislative priorities to modernize the military retirement system and reform the defense acquisition system and served as an investigative counsel for the committee’s inquiry into cyber intrusions affecting U.S. Transportation Command contractors. During her time on the committee, she managed a multi-billion dollar policy portfolio that covered acquisition law and policy, national security law and policy, military, civilian, and acquisition workforce policy, congressional investigations, military end strength authorizations, military pay and compensation, law of war and detainee issues, and women in combat.

The Secretary of the Navy awarded Ms. Clark the Department of the Navy Distinguished Public Service Award for her “exceptional service to the Department of the Navy as Deputy Staff Director of the Senate Armed Services Committee,” and the Department of the Air Force awarded Ms. Clark her second Distinguished Public Service Award for her work leading specific legislative initiatives to modernize acquisition authorities and reform the military and civilian personnel systems in support of the Air Force during her tenure on the Senate Armed Services Committee.

Ryan Burnette

Ryan Burnette advises clients on a range of issues related to government contracting. Mr. Burnette has particular experience with helping companies navigate mergers and acquisitions, FAR and DFARS compliance issues, public policy matters, government investigations, and issues involving government cost accounting and the Cost Accounting Standards.  Prior to joining Covington, Mr. Burnette served in the Office of Federal Procurement Policy in the Executive Office of the President, where he worked on government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year.