(This article was originally published in Law360 and has been modified for this blog.)

Companies in a range of industries that contract with the U.S. Government—including aerospace, defense, healthcare, technology, and energy—are actively working to assess whether or not their information technology systems comply with significant new restrictions that will take effect on August 13, 2020.  These new restrictions prohibit the use of certain Chinese telecommunications equipment and services, and a failure to comply can have dramatic consequences for these companies.  The new restrictions also will have an immediate impact on mergers and acquisitions involving a company that does—or hopes to do—business with the Federal government.  In this article, we highlight some key considerations for M&A practitioners relating to these restrictions.

Background

On July 14, 2020, the U.S. Government’s Federal Acquisition Regulatory Council (“FAR Council”) published an interim rule to implement Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (“FY19 NDAA”).[1]  When the new rule takes effect on August 13, it will prohibit the Department of Defense and all other executive branch agencies from contracting—or extending or renewing a contract—with an “entity” that “uses” “covered telecommunications equipment or services as a substantial or essential part of any system.”  The restrictions cover broad categories of equipment and services produced and provided by certain Chinese companies—namely Huawei, ZTE, Hytera, Hangzhou Hikvision, Dahua, and their affiliates.[2]

The new rule will be applicable to all contracts with the U.S. Government, including those for commercial item services and commercially available-off-the-shelf products.[3]  Companies with a single one of these contracts will soon have an ongoing obligation to report any new discovery of its internal “use” of certain covered telecommunications equipment and services to the Government within one business day with a report of how the use will be mitigated ten business days later.[4]  Further, although companies can seek to obtain a waiver on a contract-by-contract basis from agencies, these waivers must be granted by the head of the agency, and may only extend until August 13, 2022 at the latest.[5]

The new rule is the second part of a two-stage implementation of Section 889’s restrictions on covered telecommunications equipment and services in Government contracting.  It builds on an earlier rule that implemented Section 889(a)(1)(A) of the FY19 NDAA on August 13, 2019 by prohibiting an executive branch agency from acquiring certain covered telecommunications equipment or services that is a substantial or essential part of any system.[6]

The new rule is expansive in scope, and its effects will be felt far beyond the traditional defense industrial base.  Thus, mergers and acquisitions practitioners are well advised to become familiar with the rule and consider how it might impact any future transaction where an acquisition target does at least some business with the Government or has aspirations to do so in the future.

Due Diligence Considerations

Special consideration should be made during due diligence to evaluate a target’s compliance with the new rule.  In addition to “rip and replace costs” of abandoning covered telecommunications equipment or services to come into compliance, post-closing risks associated with a violation of the rule might include the loss of future contracts, contractual penalties (which could potentially apply across all Government contracts that a company holds) and potential False Claims Act liability.  Two areas of the rule in particular should be carefully considered when assessing a target’s compliance with the requirements.

Meaning of “Use”

The FAR Council has not specifically defined the term “use.”  This means that it is not clear, at present, how far the prohibition on certain covered telecommunications and services is intended to extend within a company.  For example, as many employees work remotely due to COVID-19, these employees may rely on mobile phones, routers, modems, internet services, cloud business solutions, and other equipment and services that potentially could constitute “use” by a company.  Many companies, including possible acquisition targets, have not yet taken steps to evaluate and mitigate these types of risks due to the complex compliance requirements and the fact that the new rule was only issued a few weeks ago.

With this said, as one point of clarification, the FAR Council explicitly stated that the prohibition on “use” of certain covered telecommunications equipment or services will apply “regardless of whether that usage is in performance of work under a Federal contract.”[7]  Thus, unlike many Federal Acquisition Regulation requirements, the restrictions in the new rule apply to both Government and commercial activities of an “entity” that contracts with the Government.

From a diligence perspective, a buyer will therefore need to ensure that it understands and considers the compliance steps that a target is taking across the entire business of the entity that contracts with the Government.  This may be a particular challenge for a target that has a relatively small portion of its business focused on Government contracting.

“Reasonable Inquiry” Standard

Companies will be required to represent to the Government during the contracting process whether they “use covered telecommunications equipment or services, or use any equipment, system, or service that uses covered telecommunications equipment or services.”[8]  Prior to making that representation, a company must conduct a “reasonable inquiry” into its use of such equipment or services.  “Reasonable inquiry” is defined in the new rule as “an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity that excludes the need to include an internal or third-party audit.”[9]

Due to practical considerations, a prospective buyer is generally unable to confirm for itself that a target is not using covered telecommunications equipment or services or that the target holds no information “in [its] possession about the identity of the producer or provider of covered telecommunications equipment or services.”  Thus, the buyer will need to assess the process that the target used to conduct its inquiry to determine its likely degree of compliance with the requirements.

Because the exact steps involved with undertaking a “reasonable inquiry” are not yet crystallized, it is likely that individual companies will undertake considerably different approaches to ascertain whether any covered telecommunications equipment or services are in use.  Some companies may conduct expansive inquiries that include a review of vendor contracts, invoices, and receipts over a lengthy period of time.  Other companies may conduct interviews with key employees or undertake targeted information gathering efforts among their suppliers.  The unique approach that a target might take should be evaluated during due diligence relative to emerging industry practices and to the requirements of the regulation to understand the relative degree of risk associated with the approach.

It will also be prudent to assess after August 13, 2020 whether a target is relying on any statutory exceptions or has requested a delayed implementation waiver for additional time to comply.[10]  The waiver process would need to be tracked very closely to ascertain the ability of the target to continue contracting with the Government without significant interruption after the waiver period expires.  If in evaluating a target it is identified that a waiver is likely to be necessary for the target to come into compliance with Section 889(a)(1)(B), an analysis as to the uniqueness of the product offered to the Government and the strength of the target’s “compelling justification” for additional time to comply should be undertaken.

Integration Considerations

A prospective buyer should also consider how the new rule might affect its post-closing integration plans.  Two notable areas to consider are (1) how a potential further expansion of the rule in the next year could affect a buyer’s corporate family, and (2) whether integration plans for the buyer and the target need to be adjusted to account for the rule in its current form.  This will involve consideration of not just the target’s state of compliance, but also the buyer’s.

Potential Extension of the Rule

Prior to release of the new rule, there was uncertainty within industry about whether and how the term “entity” would be defined.  As noted above, the FAR Council clarified in the new rule that the “prime contractor is the only ‘entity’ that the agency ‘enters into a contract’ with,” and limited the scope of application of the rule to the signatory to the government contract.  Notwithstanding this statement, the FAR Council indicated that it would consider expanding application of the rule beyond the contracting entity.  Specifically, the FAR Council announced that it is seeking public comments on whether to expand the rule to apply to “the offeror and any affiliates, parents, and subsidiaries of the offeror that are domestic concerns, and expand the representation at 52.204-24(d)(2) so that the offeror represents on behalf of itself and any affiliates, parents, and subsidiaries of the offeror that are domestic concerns.”[11] The FAR Council stated that it will make this determination at the time that it finalizes the new rule, which should happen by August 13, 2021.

The potential expansion of the rule could have most significant implications for large  companies with a number of corporate entities, particularly where some or all of those other entities do not themselves have Government contracts.  For example, if a single company in a corporate family holds a prime contract with the Government (including a newly acquired company), that company may soon need to ensure that adequate diligence has been conducted across the entire corporate family if the FAR Council were to move forward with this extension of the rule.  The same could be true for companies in a private equity portfolio.

Delayed discovery of covered telecommunications equipment or services has the potential to have a disruptive impact on business operations, particularly if it is difficult or costly to change service providers or to replace equipment.  Accordingly, it may be prudent to consider the associated risk of expansion of the rule in advance of acquiring an entity that holds Government contracts to ensure that the acquisition does not have unforeseen impacts on the buyer’s broader business.

Integration Planning

Even in its present form, a prospective buyer may need to consider the potential impact of the rule across the buyer’s corporate family.  Principally, because the new rule does not distinguish between services provided by vendors and services provided by affiliated companies, companies could be deemed to be “using” certain covered telecommunications equipment and services where they accept shared services from a parent, subsidiary, or an affiliate.  The prohibition would most clearly cover “use” of shared corporate networks or IT services, but it could also include “use” of corporate management or logistics services if those services are in turn reliant on covered telecommunications equipment or services as a substantial or essential part of any system.  Indeed, the FAR Council explicitly identified “building management, billing and accounting, and freight services” as industries that will be impacted by the new prohibition, so it is likely that the Government will pay close attention to these types of shared services.[12]  It will therefore be important for buyers to identify the shared services that they are contemplating providing to the target following the acquisition, assess whether those shared services are reliant on covered telecommunications equipment and services, and evaluate whether the target has the ability to stand-alone without certain support from the parent or other affiliated entities in cases where a “rip and replace” effort is not feasible.

Conclusion

Although the Section 889(a)(1)(B) prohibitions on “use” of certain covered telecommunications equipment and services may be straightforward in concept, the new regulations raise considerable complexities in the transactional context that that will need to be fully considered as part of any deal involving a Government contractor.  Prospective buyers should consider the aforementioned issues and others as early as possible to ensure that any potential issues are identified and addressed as the transaction moves forward.

[1] Pub. L. No. 115-232.

[2] Prohibition on Contracting With Entities Using Certain Telecommunications and Video Surveillance Services or Equipment, 85 Fed. Reg. 42,665 (July 14, 2020); see also FAR 52.204-25(a).

[3] 85 Fed. Reg. at 42,673.

[4] Id. at 42,666; see also FAR 52.204-25(d).

[5] 85 Fed. Reg. at 42,677.  The statute and interim rule also allows the Director of National Intelligence to provide a waiver that does not have an expiration date if it is in the national security interests of the United States, but we expect these waivers to be uncommon.  See id. at 42,668.

[6] Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment, 84 Fed. Reg. 40,216 (Aug. 13, 2019).

[7] 85 Fed. Reg. at 42,666, 42,678.

[8] Id. at 42,678.

[9] Id. at 42,679.

[10] The principal exception to Section 889(a)(1)(B) is set forth at Section 889(a)(2)(B) of the FY19 NDAA; it applies to telecommunications equipment that cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles.

[11] See 85 Fed. Reg. at 42,666, 42,672-73 (emphasis added).

[12] See id. at 42,668.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Scott A. Freling Scott A. Freling

Scott is sought after for his regulatory expertise and his ability to apply that knowledge to the transactional environment. Scott has deep experience leading classified and unclassified due diligence reviews of government contractors, negotiating transaction documents, and assisting with integration and other post-closing…

Scott is sought after for his regulatory expertise and his ability to apply that knowledge to the transactional environment. Scott has deep experience leading classified and unclassified due diligence reviews of government contractors, negotiating transaction documents, and assisting with integration and other post-closing activities. He has been the lead government contracts lawyer in dozens of M&A deals, with a combined value of more than $76 billion. This has included Advent’s acquisition of Maxar Technologies for $6.4 billion, Aptiv’s acquisition of Wind River for $3.5 billion, Veritas Capital’s sale of Alion Science and Technology to Huntington Ingalls for $1.65 billion, and Peraton’s acquisition of Perspecta for $7.1 billion.

Scott also represents contractors at all stages of the procurement process and in their dealings with federal, state, and local government customers. He handles a wide range of government contracts matters, including compliance counseling, claims, disputes, audits, and investigations. In addition, Scott counsels clients on risk mitigation strategies, including obtaining SAFETY Act liability protection for anti-terrorism technologies.

Scott has been recognized by Law360 as a MVP in government contracts. He is a past co-chair of the Mergers and Acquisitions Committee of the ABA’s Public Contract Law Section.

Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Photo of Ryan Burnette Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain…

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.