In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government (“USG”).  Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services (“ICTS”) to the USG.  As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.

Section 889 of the Fiscal Year 2019 National Defense Authorization Act

As many USG contractors are now painfully aware, Section 889 of the Fiscal Year 2019 National Defense Authorization Act (“Section 889”) establishes two constraints on telecommunications supply chains.  Subsection 889(a)(1)(A), effective as of August 13, 2019, prohibits USG agencies from acquiring certain telecommunications equipment or services from Huawei, ZTE, Hytera Communications Corporation, Hikvision, or Dahua, or any of their subsidiaries or affiliates.  Section 889(a)(1)(B), effective August 13, 2020, prohibits USG agencies from “enter[ing] into a contract (or extend[ing] or renew[ing] a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”  As drafted, the statute is broad enough to apply in cases where a company uses such equipment or services solely in connection with its commercial sales outside of work the company does for the USG.

The interim rule for Section 889(a)(1)(A) was released last August and opened for comment.  The FAR Council has indicated that it will provide feedback to those comments when it issues the proposed regulations for Section 889(a)(1)(B), which have not yet been released.  This means that key terms, such as “entity” and “use” remain undefined.  Accordingly, contractors, especially those with a mix of commercial and government business, must take educated guesses in preparing compliance programs to begin to address these requirements.

SECURE Technology Act

On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act.  The Act establishes the Federal Acquisition Security Council (“FASC”), which is charged with building greater cybersecurity resilience into federal procurement and acquisition rules.  The Act also gives the Secretary of the Department of Homeland Security, the Secretary of Defense, and the Director of National Intelligence the authority to issue exclusion and removal orders for information technology products and/or companies that supply such products if the FASC determines that they represent a risk to the USG’s supply chain.  The Act also permits federal agencies to exclude companies or products they deem to pose a supply chain risk from individual procurements.

Recent reports indicate that the FASC is nearing completion of a final interim rule that would specify the exclusion criteria and detail the appeal process from an exclusion order.  Although the Department of Defense (“DoD”) and the Intelligence Community currently have the authority to exclude products in certain instances, this interim rule would apply government wide.  Still to be seen is whether the exclusion determinations will be publicly available.

Cybersecurity Maturity Model Certification

On January 31, 2020, DoD released Version 1.0 (since updated to Version 1.02) of its Cybersecurity Maturity Model Certification (“CMMC”).  The CMMC is DoD’s upcoming framework for managing cybersecurity risks in the Defense supply chain.  Under the current paradigm, contractors that handle “Covered Defense Information” must self-attest to providing “adequate security” to protect that information, but are allowed to work toward implementing 110 NIST SP 800-171 security controls over time so long as the plans for doing so are appropriately documented.  Not only does the new CMMC add additional security controls (depending on the level of sensitivity assigned to the procurement), contactors must be in full compliance with each control at the time that contract performance begins.  Most importantly, contractors will no longer be able to self-certify compliance.  Instead, compliance with a particular CMMC level must be externally validated by trained auditors.

DoD is in the process of promulgating an update to the current Defense Federal Acquisition Regulation Supplement (“DFARS”) cybersecurity clause to account for the shift to CMMC requirements and is planning on choosing a subset of procurements where CMMC can be applied by the end of this year.  DoD’s goal is to fully implement CMMC certification requirements in all DoD awards by Fiscal Year 2026.  DoD has indicated, however, that COVID-19 could delay release of the DFARS clause.

Executive Order (“EO”) on Securing the ICTS Supply Chain

On May 15, 2019, the President issued an EO declaring a national emergency with respect to threats against ICTS in the United States.  The EO authorizes the Secretary of Commerce to prohibit, block, unwind, or mitigate any transaction involving ICTS that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”  Reviews of transactions will be conducted on a case-by-case basis.

Commerce received comments on a November 2019 proposed rule in January 2020.  There has been no known use of the authority during the rulemaking process and an update is expected from Commerce soon.

Sections 1654 and 1655 of the Fiscal Year 2019 National Defense Authorization Act

Sections 1654 and 1655 of the FY19 NDAA generally require contractors to disclose whether they have allowed within the last five years a foreign government that poses a cybersecurity risk to USG defense and national security systems and infrastructure (or for non-commercial items, any foreign government) to review the source code of any product, system, or service that DoD is using or intends to use.  The law also requires contractors to disclose whether they are under an agreement to allow a foreign government or a foreign person to review the source code of a product, system, or service that DoD is using or intends to use.  DoD will be able to condition contract awards on contractors’ mitigation of any risks that DoD identifies because of the foreign source code review.  The DFARS regulatory implementation of this requirement is currently on hold “pending resolution of technical issues,” and specific countries of concern have not been publicly identified, but regulations are still expected within the next year.

*  The contents of this post originally appeared in Washington Technology on June 26, 2020.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain and cybersecurity requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Photo of Ryan Burnette Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer that advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts…

Ryan Burnette is a government contracts and technology-focused lawyer that advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those matters that relate to federal cybersecurity and supply chain security. Ryan also advises on FAR and DFARS compliance, public policy matters, agency disputes, and government cost accounting.  He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and 252.204-7020; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; software and artificial intelligence security, attestations, and bill of materials requirements; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he developed and implemented government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year. While in government, Ryan worked on several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, GSA Schedules and interagency acquisitions, competition requirements, and suspension and debarment, among others.

Additionally, in the wake of significant incidents affecting the program, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared employees and contractors. These efforts resulted in the establishment of a new federal bureau to conduct and manage background investigations.