In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government (“USG”).  Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services (“ICTS”) to the USG.  As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.

Section 889 of the Fiscal Year 2019 National Defense Authorization Act

As many USG contractors are now painfully aware, Section 889 of the Fiscal Year 2019 National Defense Authorization Act (“Section 889”) establishes two constraints on telecommunications supply chains.  Subsection 889(a)(1)(A), effective as of August 13, 2019, prohibits USG agencies from acquiring certain telecommunications equipment or services from Huawei, ZTE, Hytera Communications Corporation, Hikvision, or Dahua, or any of their subsidiaries or affiliates.  Section 889(a)(1)(B), effective August 13, 2020, prohibits USG agencies from “enter[ing] into a contract (or extend[ing] or renew[ing] a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”  As drafted, the statute is broad enough to apply in cases where a company uses such equipment or services solely in connection with its commercial sales outside of work the company does for the USG.

The interim rule for Section 889(a)(1)(A) was released last August and opened for comment.  The FAR Council has indicated that it will provide feedback to those comments when it issues the proposed regulations for Section 889(a)(1)(B), which have not yet been released.  This means that key terms, such as “entity” and “use” remain undefined.  Accordingly, contractors, especially those with a mix of commercial and government business, must take educated guesses in preparing compliance programs to begin to address these requirements.

SECURE Technology Act

On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act.  The Act establishes the Federal Acquisition Security Council (“FASC”), which is charged with building greater cybersecurity resilience into federal procurement and acquisition rules.  The Act also gives the Secretary of the Department of Homeland Security, the Secretary of Defense, and the Director of National Intelligence the authority to issue exclusion and removal orders for information technology products and/or companies that supply such products if the FASC determines that they represent a risk to the USG’s supply chain.  The Act also permits federal agencies to exclude companies or products they deem to pose a supply chain risk from individual procurements.

Recent reports indicate that the FASC is nearing completion of a final interim rule that would specify the exclusion criteria and detail the appeal process from an exclusion order.  Although the Department of Defense (“DoD”) and the Intelligence Community currently have the authority to exclude products in certain instances, this interim rule would apply government wide.  Still to be seen is whether the exclusion determinations will be publicly available.

Cybersecurity Maturity Model Certification

On January 31, 2020, DoD released Version 1.0 (since updated to Version 1.02) of its Cybersecurity Maturity Model Certification (“CMMC”).  The CMMC is DoD’s upcoming framework for managing cybersecurity risks in the Defense supply chain.  Under the current paradigm, contractors that handle “Covered Defense Information” must self-attest to providing “adequate security” to protect that information, but are allowed to work toward implementing 110 NIST SP 800-171 security controls over time so long as the plans for doing so are appropriately documented.  Not only does the new CMMC add additional security controls (depending on the level of sensitivity assigned to the procurement), contactors must be in full compliance with each control at the time that contract performance begins.  Most importantly, contractors will no longer be able to self-certify compliance.  Instead, compliance with a particular CMMC level must be externally validated by trained auditors.

DoD is in the process of promulgating an update to the current Defense Federal Acquisition Regulation Supplement (“DFARS”) cybersecurity clause to account for the shift to CMMC requirements and is planning on choosing a subset of procurements where CMMC can be applied by the end of this year.  DoD’s goal is to fully implement CMMC certification requirements in all DoD awards by Fiscal Year 2026.  DoD has indicated, however, that COVID-19 could delay release of the DFARS clause.

Executive Order (“EO”) on Securing the ICTS Supply Chain

On May 15, 2019, the President issued an EO declaring a national emergency with respect to threats against ICTS in the United States.  The EO authorizes the Secretary of Commerce to prohibit, block, unwind, or mitigate any transaction involving ICTS that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”  Reviews of transactions will be conducted on a case-by-case basis.

Commerce received comments on a November 2019 proposed rule in January 2020.  There has been no known use of the authority during the rulemaking process and an update is expected from Commerce soon.

Sections 1654 and 1655 of the Fiscal Year 2019 National Defense Authorization Act

Sections 1654 and 1655 of the FY19 NDAA generally require contractors to disclose whether they have allowed within the last five years a foreign government that poses a cybersecurity risk to USG defense and national security systems and infrastructure (or for non-commercial items, any foreign government) to review the source code of any product, system, or service that DoD is using or intends to use.  The law also requires contractors to disclose whether they are under an agreement to allow a foreign government or a foreign person to review the source code of a product, system, or service that DoD is using or intends to use.  DoD will be able to condition contract awards on contractors’ mitigation of any risks that DoD identifies because of the foreign source code review.  The DFARS regulatory implementation of this requirement is currently on hold “pending resolution of technical issues,” and specific countries of concern have not been publicly identified, but regulations are still expected within the next year.

*  The contents of this post originally appeared in Washington Technology on June 26, 2020.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government…

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Photo of Ryan Burnette Ryan Burnette

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national…

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those matters that relate to federal cybersecurity and federal supply chain security. Ryan also advises on government cost accounting, FAR and DFARS compliance, public policy matters, and agency disputes. He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.