WHY IS SECTION 889 B IMPORTANT TO FEDERAL CONTRACTORS

WHY IS SECTION 889 B IMPORTANT

The General Services Administration (GSA) updated the GSA Multiple Award Schedule (MAS) Solicitation on August 13, 2020. As a result, companies received a mass modification (mod) to integrate the updated terms into their contracts, the most significant being the implementation of Section 889, Part B. This rule is an important change to federal procurement and affects every contractor doing business with the government: only contractors that are compliant with Section 889 B can continue receiving orders and bids through their GSA contract. Here is what Section 889 includes and why it matters so much.

What is Section 889 B?

Section 889, Part B of the John S. McCain National Defense Authorization Act for fiscal year 2019 (NDAA) essentially states that a contractor cannot use ‘Covered Telecommunications Equipment or Services’. Telecommunications or video surveillance equipment or services produced or provided by the following five companies are defined as ‘Covered Telecommunications Equipment or Services’: Huawei Technologies Company, Dahua Technology Company, Hangzhou Hikvision Digital Technology Company, ZTE Corporation and Hytera Communications Corporation.

The rule states that if a company holds or intends to pursue any federal contract, it cannot use covered (prohibited) telecommunications, even if that use is strictly limited to the company’s commercial business. In other words, the government cannot enter into, extend or renew a contract with a company that uses covered technology in any of its systems, equipment or services. The rule applies to both federal and commercial business and extends to all sectors, including banking, information technology, healthcare, travel and transportation, higher education and professional services, among others.

Part A of Section 889 came into effect on August 13, 2019. It states that a contractor cannot sell or offer prohibited telecommunications (telecom) to federal agencies. Part A applies only to what a contractor provides to the government under a contract.

Why was Section 889 implemented? 

Section 889 came into effect because Congress determined that there are growing security, privacy and espionage risks in using telecommunications equipment and services offered by certain companies, namely companies connected to, controlled by or owned by the Chinese government. Part A and Part B aim to mitigate, or at least limit, the US’ reliance on foreign-owned or foreign-controlled equipment and services by preventing the purchase and use of that equipment. Section 889 was also implemented in response to China’s growing efforts, as assessed by the intelligence community, to collect proprietary intellectual property.

Covered Telecommunications Equipment or Services cannot be used as a ‘substantial or essential component’ of any system, or as ‘critical technology’ within any system. The definitions of substantial or essential component and critical technology are given in FAR 52.204-25(a)(6).

Are there exceptions to the rule?

There are two exceptions to Section 889 Part A and Part B.

1. There is no prohibition on companies that offer a service that connects to the facilities of a third party. This includes roaming, backhaul, or interconnection arrangements.

  • Roaming: Cellular communication services received from a visited network when a device cannot connect to its usual network.
  • Backhaul: The part of a satellite network that acts as an intermediary between the core network and the smaller networks used for distribution to other, smaller channels (for instance, connecting cell towers to the main telephone network).
  • Interconnection arrangements: Arrangements governing the physical connection of two or more networks so that one operator can use another’s network to hand off traffic to where it is ultimately delivered (for instance, connecting a customer of telephone provider A to a customer of telephone company B) or to share data and other information sources.

2. The other exception is telecommunications equipment that cannot redirect or route user data traffic and offers no visibility into any user data or packets that it transmits or handles.

How do you know whether your company is 889 B compliant?

Being compliant with Section 889 B can be challenging, so it is vital to take the time to review the information released by GSA carefully and avoid confusion. Here are a few essential steps to follow during the compliance review process.

  1. Know the regulations: Understand the rules and the actions required by Section 889.
  2. Conduct an inquiry: Carry out a reasonable inquiry to find out whether your company uses covered telecommunications equipment or services. The inquiry does not require a third-party or internal audit, but reviewing the information already in your possession (asset inventories, purchase records, vendor lists) is essential. This gives you a reasonable idea of whether your company uses covered telecom.
  3. Assess the cost of discontinuing services: If you find that your company uses prohibited services or equipment, assess the cost of discontinuing those services or removing those items.
  4. Keep employees informed: Inform your employees (including procurement, purchasing and material management staff) about Section 889. Educate them on your company’s compliance plan and on the need to report prohibited telecom when they recognize it.
  5. Represent whether your company uses covered telecom: As of August 13, 2020, whenever you respond to orders under your GSA MAS contract, you must represent whether or not your company uses covered telecom. Section 889 B also requires a representation in the System for Award Management (SAM) stating whether your company uses covered telecom, which makes it straightforward for companies to make that representation within SAM. Companies that do not use covered telecom will only be required to represent annually.
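As an added illustration of step 2 (not code from the original post or from SureShield), the script below screens a constructed asset inventory against the five covered vendors the post names. The inventory rows, category labels and vendor short names are assumptions; a name match is only a first-pass screen of information already in your possession, and each hit still needs manual review before you make a representation.

```python
import csv
import io
import re

# Vendors named in Section 889 (the five companies listed in the post above).
# Name matching is only a first-pass screen of records you already hold; every
# hit still needs manual review before you make a representation.
COVERED_VENDORS = {
    "Huawei": "Huawei Technologies Company",
    "ZTE": "ZTE Corporation",
    "Hikvision": "Hangzhou Hikvision Digital Technology Company",
    "Dahua": "Dahua Technology Company",
    "Hytera": "Hytera Communications Corporation",
}

# Categories the rule targets (telecom and video surveillance); constructed labels.
IN_SCOPE_CATEGORIES = {"telecom", "network", "video surveillance", "radio"}

# Constructed sample inventory (hypothetical data, not from the page).
SAMPLE_INVENTORY = """asset_id,manufacturer,model,category,location
A-001,Hikvision,DS-2CD2,video surveillance,Lobby
A-002,Cisco,C9300,network,Server room
A-003,hytera communications,PD782,radio,Warehouse
A-004,Dell,R740,server,Server room
A-005,ZTE Corp,MF920,telecom,Field office
"""

def covered_vendor(manufacturer):
    """Return the covered vendor's full name if the field matches, else None."""
    for key, full_name in COVERED_VENDORS.items():
        # whole-word, case-insensitive match: "ZTE Corp" hits, "zterm" does not
        if re.search(rf"\b{re.escape(key)}\b", manufacturer, re.IGNORECASE):
            return full_name
    return None

def screen_inventory(csv_text):
    """Flag rows whose manufacturer matches a covered vendor; note category scope."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = covered_vendor(row["manufacturer"])
        if vendor is None:
            continue
        findings.append({
            "asset_id": row["asset_id"],
            "vendor": vendor,
            "in_scope": row["category"].strip().lower() in IN_SCOPE_CATEGORIES,
        })
    return findings
```

Calling `screen_inventory(SAMPLE_INVENTORY)` returns the three matching assets (A-001, A-003, A-005) with their full vendor names, ready for the manual review that step 2 calls for.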

When requesting a waiver, it is vital to implement a phase-out plan that commits to not using prohibited telecom services in current and future production. Only the Director of National Intelligence (DNI) can issue a true waiver based on national security interests. Although the head of an executive agency can grant a one-time waiver, this happens on a case-by-case basis and only delays implementation. The process to obtain a waiver is long, and your company must also meet high standards. That said, if an agency waiver is granted to a contractor for Part A or Part B, the contractor can delay compliance with Section 889 Part A through August 13, 2021. Similarly, a contractor can delay compliance with Section 889 Part B through August 13, 2022.

On the whole, waivers are limited and granted only in exceptional circumstances, so focusing on reducing the likelihood of non-compliance makes more sense. For a more realistic approach to compliance, think holistically about your supply chain and implement a robust supply chain risk management (SCRM) plan for the long term. A strong SCRM plan should focus on two things: adhering to federal regulations, and addressing business continuity and uncertainty.

For a more comprehensive security risk posture, implement software solutions that do the job without requiring additional resources. IntegrityShield by SureShield integrates with the third-party applications your enterprise already uses and helps you manage third-party compliance effectively. It not only works to limit risk but also helps you gain a deep understanding of your supply chain and its data systems. It also provides a complete audit trail that demonstrates proof of compliance (POC), verification and validation.

To know more about the latest developments in IT and data security, read our blog or follow us on Twitter or LinkedIn.

HOW TO BUILD A VULNERABILITY MANAGEMENT PROGRAM

Vulnerability management is broadly described as the practice of identifying vulnerabilities in unpatched systems that, if exploited by adversaries, could jeopardize your entire business environment. Vulnerability management is typically a foundational practice and an integral part of any cybersecurity standards initiative. The constantly changing mix of devices and the increasing complexity of cyberattack techniques are challenging existing methods of managing security vulnerabilities.

As such attacks continue to grow, a vulnerability management program is vital to adequately protect your infrastructure, applications, and data.

What are the 4 Key Elements in a Vulnerability Management Program?

1. Vulnerability Assessment

An effective vulnerability management program helps assess risks, weaknesses and exposure threats. It then instils the required protections that reduce the likelihood of a breach of your sensitive data. Learn how to identify sensitive data on our blog.

2. Vulnerability Management Tools

These are vital tools that identify and scan for vulnerabilities in your systems and support deep learning and AI configuration.

3. Integration and Alignment

A successful vulnerability management program must be linked to vulnerability databases and must be in sync with key stakeholders throughout the organisation as well as compliance and regulatory requirements.

4. Agility

A vulnerability management program needs to be agile enough to keep your organization safe. The security systems and related processes must keep pace with the ever-changing threat landscape and be cyber-resilient. Cyber-resilience and scale are also important considerations.

Steps to Building a Vulnerability Management Program 

1. Assemble and choose your team wisely: It is vital to identify all the key players needed on your team. For instance, you need a security director or manager in charge of vulnerability management, as well as at least one analyst who identifies, tracks and assesses vulnerabilities throughout your environment.

2. Obtain the appropriate tools: The right tools help security teams discover flaws in the environment, provide detailed information about all of an organization’s assets and identify the top vulnerabilities that pose the greatest risk to the organisation. Read also: how to conduct a cyber risk assessment.

3. Compare the threat landscape to your environment: Doing this gives you an understanding of your organization’s assets and known vulnerabilities. Threat intelligence helps you determine the impact of a potential exploit, which is another important factor in risk assessment.

4. Know your assets, applications and risk tolerance: Understanding your current assets and your organisation’s level of risk is critical for effective prioritisation. Automated tools like SecurityShield by SureShield assist with this discovery task by identifying assets such as servers, workstations, virtual machines, storage arrays and network infrastructure.

5. Measure, evaluate and prioritise your vulnerabilities: When selecting a platform for your organisation, look for one that combines real-world vulnerability intelligence, data science, automated risk analysis, customised risk metrics and even risk-based SLAs.

6. Communicate, correct and report: Your vulnerability management solution should facilitate, rather than obstruct, internal communication among key teams. It should also help you remediate quickly and efficiently. A software solution such as SecurityShield can be greatly beneficial to your organisation. It continuously scans servers and endpoints for flaws in software design, discovers vulnerabilities, assesses their impact, classifies them, identifies the risks they pose and then generates a prioritized risk response and remediation plan to fix them.

Broadly, SecurityShield helps to:

  • Spot missing patches, errors and weaknesses in system configuration settings and general deviations from policy
  • Map risks to non-compliance of regulatory controls like Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI)
  • Scan for more than 35,000 vulnerabilities and conduct nearly 100,000 checks across your networks
  • Auto-discover and scan any IT assets
  • Automate real-time continuous monitoring of IT assets
  • Automate mapping of vulnerabilities to control frameworks
  • Leverage big data analytics and machine learning for better organizational security
  • Significantly lower cost of ownership in months

Protect your organization by implementing the right software solutions and tools. Read our blog posts to know more about us, or follow us on Twitter and LinkedIn for some insightful updates and information.