**Important Update** On Aug. 12, 2020, the Office of the Director of National Intelligence (ODNI) granted a temporary waiver until Sept. 30, 2020 to United States Department of Defense (DoD) “to continue its contracting activities that would otherwise be prohibited under 889(a)(1)(B)”. ODNI will review the matter and make a recommendation in the future as to whether to issue a waiver for an additional period of time beyond Sept. 30, 2020. The extension gives vendors contracting with DoD additional time to assess exposure under the rule. There is no indication around how this will affect other agency procurements but all indications are that these procurements will proceed with the prohibitions in place (as discussed below). If there are any questions, please don’t hesitate to contact the Baker Tilly team.
While many in industry – and in government, for that matter – thought it would be delayed or significantly modified, Section 889 (a)(1)(B) will go into effect on Aug. 13, 2020.
The impact of this rulemaking activity is about to become very real for federal contractors, as contracting officers will be required to include the updated provisions at FAR 52.204-24, “Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment,” and the clause at FAR 52.204-25, “Prohibition on Contracting for Certain Telecommunications and Services and Video Surveillance Equipment”:
- In solicitations issued on or after Aug. 13, 2020, and resultant contracts; and,
- In solicitations issued before Aug, 13, 2020, provided award of the resultant contract(s) occurs on or after Aug. 13, 2020
Contracting officers are also required to modify existing indefinite delivery indefinite quantity contracts to include the updated FAR clauses for application to future orders, prior to placing any new orders. If an option is being exercised on an existing contract or it is being modified, contracting officers shall include the clauses.
Please note that this is an interim rule and the FAR Council will accept industry comments on regulations.gov until Sept. 14. This is an important period for industry to provide comment and help support the formulation of the final rule.
Day two: change hits home for GSA Schedule contractors and their federal agency customers
The General Services Administration (GSA) recently announced its plans for implementing the updated rules, which will immediately impact approximately 10,000 GSA Schedule contract holders and their federal agency customers. GSA plans to issue a Refresh/Mass Modification to its Schedule contractors on Aug. 14 to implement Part B of Section 889 and incorporate FAR Clause 52.204-25 (the refresh will also incorporate two additional and unrelated changes). Contractors will have 90 days to accept this Refresh/Mass Modification. However, and perhaps most important for GSA Schedule contractors and for ordering agencies that rely on the Schedules program to procure important and mission-critical goods and services, new orders cannot be placed against a GSA Schedule contract until the contractor has accepted the contract modification to add the updated FAR clause to their contract. GSA has indicated that there will be no exceptions to this requirement.
Once a contractor has accepted the modification, they will either need to certify in the System for Award Management (SAM) that they do not use “covered” telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system (more on what this means a bit later). This prohibition applies regardless of whether or not that usage is in the performance of work under a federal contract. If the contractor cannot make this blanket certification in SAM, they can instead choose to do so on an order-by-order or contract-by-contract basis. As a note, the SAM.gov system needs to be updated to incorporate the electronic representation. Until this is implemented, contractors will need to make a representation as part of their response to solicitations.
While we have focused here on GSA Schedule contractors, the rule applies to all contracts and all contractors immediately. Anecdotally, we have heard that some contractors who are involved in current and active bidding situations have already been asked to make representations. We have also heard of prime contractors beginning to survey their subcontractors and suppliers, asking if they have any of the banned equipment in their systems.
Section 889 background
For the uninitiated, or others who have not been tracking this closely, Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 included a ban on telecommunications and video equipment or services from certain Chinese entities. Part A of the rule, effective Aug. 13, 2019, banned the federal government from making purchases of covered equipment, applications and services from five Chinese tech giants – including, most notably, Huawei Technologies Company and ZTE Corporation. The ban also includes video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company or Dahua Technology Company, and there is speculation that other companies could be added in the future. The prohibition on Huawei products, in particular, is expected to impact federal contractors because it has been ranked as the world’s top telecommunications supplier and number two phone manufacturer.
The ban cast a wide net, covering items and services that are “a substantial or essential component of any system, or as critical technology as part of any system.” Additionally, the rule applies below and above the simplified acquisition threshold, and covers purchases of commercial and commercial off-the-shelf items (COTs). The rule introduced the two FAR provisions noted above, FAR 52.204-24, “Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment,” and FAR 52.204-25, “Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment.”
While problematic for many contractors, this first phase of the rule was focused on the delivery of these products or associated services to the federal government, and therefore impacted a specific subset of contractors. Then came Part B, commonly referred to as “the use ban.”
On July 14, 2020, the FAR Council published an interim rule modifying FAR 52.204-24, to implement Section 889(a)(1)(B) of the 2019 NDAA. Under Part B, federal agencies are prohibited from contracting with an organization that “uses any equipment, system, or service that that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” The same equipment included in Part A is included in the definition of “covered” equipment.
The definition of “substantial or essential component” and “critical technology” is unchanged from the original version of the rule, where a “substantial or essential component” was defined as “any component necessary for the proper function and performance for a piece of equipment, system, or service.” The definition of “critical technology” is adopted from the Foreign Investment Risk Review Modernization Act (FIRRMA), which is meant to be far-reaching. The FIRRMA definition includes technologies listed on the United States Munitions List set forth in the International Traffic in Arms Regulations (ITAR), Commerce Control list set forth in Supplement No. 1 to Part 774 of the Export Administration Regulations (EAR), and even emerging and foundational technologies controlled pursuant to Section 1758 of the Export Control Reform Act of 2018.
Similar to Part A, the rule applies to all contracts, including those for commercial items and those above and below the simplified acquisition threshold. The use prohibition on this equipment is not limited to equipment used in the performance of a federal contract, meaning that contractors must understand if the banned equipment is being used in any part of their business.
The interim rule may provide some relief for contractors (compared to what could have been) in that it isn’t requiring a flow down; however, prime contractors are responsible for reviewing whether they are contracting with an entity that uses equipment, systems or services that use the offending equipment as a substantial or essential component of any system. Additionally, the rule in its current state does not extend to an entity’s parents, subsidiaries or affiliates, but the FAR Council noted that it would be reviewing this part of the rule and that it may be updated to extend to these parts of an organization in the future.
Finally, the rule requires an organization to conduct a “reasonable inquiry” into whether it uses the covered equipment or services, and defines this as an inquiry “designed to uncover any information in the entity’s possession about the identity of a producer or provider of covered telecommunications equipment or services used by the entity.” The rule explains that a reasonable inquiry need not include an internal or third-party audit, and many would interpret the rule as written not to require reverse engineering of products to ensure an understanding of all parts and subparts (please note that the specific language around reasonable inquiry only applies to the Part B of the rule).
The rule does provide for a waiver process that will no longer be available come August 2022, when compliance will become mandatory. In order to request a waiver, a contractor must understand if and where it has the banned technology in use, and the procuring agency must take a number of steps in analyzing the issue before granting a waiver. Additionally, the rule permits that an agency can choose to select a vendor that does not require a waiver over another that does.
Despite some aspects of the rule that may lessen the potential burden and “soften the blow,” there is still a lot to unpack and understand – and a requirement for federal contractors to do so quite rapidly.
What is a contractor to do?
Part B specifies that a contractor must conduct a reasonable inquiry. Until that has been completed, we would advise against certifying in SAM or on a specific order or contract that the banned equipment is not in use as a critical part of any system. While the waiver process is untested and agencies have the right not to grant a waiver and to favor companies that do not need a waiver, a company that falsely certifies would be putting itself at significant risk.
While the interim rule provides some guidance on what a reasonable inquiry does (and does not) include, much is left open to interpretation on how to complete this task. If looking at a reasonable inquiry as simply a short-term requirement (and not taking a more holistic and long-term view), we see it as important to define the inquiry well, and then to complete an inquiry that meets that definition. Involving legal counsel in the design of the inquiry would be wise, and documenting what was done during the inquiry and recording the results will also be important. A risk-based approach that focuses more energy on higher-risk and higher-importance systems and suppliers are points for consideration.
While focusing on the short-term requirement may be critically important for many contractors, it is also important to note that the rule provides for either an annual certification in SAM, or a certification on each contract and/or order. A single reasonable inquiry, as discussed above, allows one to make a representation at a static point in time, and provides no “real-time” assurance that the offending equipment is not in use by a subcontractor or supplier after the representation is made.
We believe that forward-thinking contractors should not think of the Section 889 requirements in this manner; instead, they should begin (if they are not already) to think more holistically and longer term about their supply chains, and consider implementing a supply chain risk management (SCRM) plan. In fact, in the preamble to the interim rule, the FAR Council notes that “adopting a robust, risk-based compliance approach will help reduce the likelihood of noncompliance.” It goes on to state that “during the first year that 889(a)(1)(B) is in effect, contractors and subcontractors will need to learn about the provision and its requirements, as well as develop a compliance plan.” The FAR Council “assumes that the following steps would most likely be part of the compliance plan developed by an entity”:
In our opinion, the FAR Council is pretty clearly spelling out their desire that companies put some kind of SCRM plan in place. Thinking beyond the FAR Council’s desire here, contractors need not be reminded that the threat landscape is continuously evolving. The COVID-19 pandemic laid bare many of the weaknesses that exist in our nation’s supply chain, across a wide variety of industries, leading to a new set of challenges for a wide range of organizations, and perhaps creating additional incentives for companies to have a deep understanding of their supply chains and effective risk management plans. Beyond the requirements of Part B, and the turmoil in the world today, we are seeing additional SCRM plan requirements more and more frequently in federal procurements, particularly when they involve information and communications technology or related services. The chart below highlights just a few of the contracts that include these requirements:
Similar requirements recently appeared in GSA’s 8(a) STARS III solicitation – raising questions among the industry around how often federal contractors can expect to see SCRM requirements in federal RFPs in the future.
The biggest and the best contractors are getting out ahead of this, and we believe all forward-thinking contractors should consider implementing robust SCRM plans as part of their business operations. Given the requirements of Section 889, the appearance of additional SCRM plan requirements in a number of federal procurements, and the general state of the world, a strong SCRM plan may begin to serve as a competitive advantage for federal contractors, subcontractors and suppliers.
It is our belief that a strong SCRM plan should not only consider federal regulations and requirements, but should also address continuity, business and other risks. Additionally, it should be calibrated to each company and its specific operations, appropriately cataloging and addressing risks, ensuring compliance with federal regulations, and providing for nimble and effective response capabilities when potential issues arise. While an effective SCRM plan may not be easy to develop or simple to implement, it can serve to position a company very well in the federal marketplace, and beyond.