The General Services Administration (GSA) updated the GSA Multiple Award Schedule (MAS) Solicitation on August 13, 2020. Companies, as a result, received a mass modification (mod) to integrate update changes into their contracts – the most vital being the implementation of Section 889, Part B. An important change to Federal procurement, this rule impacts every contractor doing business with the government. Only when compliant with Section 889 B can continue receiving orders and bids through the GSA contract. Here is what Section 889 includes and why it holds immense significance.
Section 889, Part B of the John S. McCain National Defense Authorization Act for the fiscal year 2019 (NDAA) essentially states that a contractor cannot use ‘Covered Telecommunications Equipment or Services’. Video surveillance equipment, services, or telecommunications either produced or offered by these five companies are said to be ‘Covered Telecommunications Equipment or Services’ – Huawei Technologies Company, Dahua Technology Company, Hangzhou Hikvision Digital Technology Company, ZTE Corporation, and Hytera Communications Corporation.
The rule states if a company possesses or intends to pursue any federal contracts, it cannot utilize covered/prohibited telecommunications even if the use is strictly limited to the commercial business of the company. In other words, the government cannot enter, extend or renew a contract with a company that utilizes covered technology on any of its systems, equipment, or services. The rule applies to both federal and commercial business, extending to all sectors including banking, information technology, healthcare, travel and transportation, higher education, and professional services among others.
Part A to Section 889 came into effect on August 13, 2019. It states that a contractor cannot sell or offer prohibited telecommunications (telecom) to federal agencies. The rule applies only to what a contractor offers to the government under a contract.
Section 889 came into effect as Congress determined there are growing security, privacy, and espionage risks from using telecommunications equipment and services offered by certain companies. This refers to companies connected to, controlled by, or owned by the Chinese government. Part A and Part B aim to mitigate or at least, limit the US’ reliance on foreign-owned/controlled equipment services by preventing the purchase and use of this equipment. Section 889 was also implemented due to China’s growing presence to collect the intellectual proprietary property in the intelligence community.
Covered Telecommunications Equipment or Services cannot be utilized as a ‘substantial or essential component’ of any system, or as ‘critical technology’ as part of any system. You can read about what defines substantial or essential components or critical technology in FAR 52.204-25(a)(6).
There are two exceptions to Section 889 Part A and Part B.
A. There is no prohibition on companies that offer a service that connects to the facilities of a third party. This includes roaming, backhaul, or interconnection arrangements.
B. The other exception is telecommunications equipment that cannot redirect or route user data traffic or offer visibility into any user data or packets that this equipment transmits or handles.
Being compliant with Section 889 B can be challenging for companies so it is vital to take the time to review the information released by GSA carefully to avoid confusion. Here are a few essential steps to follow during the compliance review process.
When asking permission for a waiver, it is vital to implement a phase-out plan which involves not using prohibited telecom services in current and future production. Only the Director of National Intelligence (DNI) can issue a true waiver in line with security interests. Even though the head of an executive agency can grant a one-time waiver, it usually occurs on a case-by-case basis and only delays implementation. The process to obtain a waiver is long and your company also needs to adhere to high standards. Having said that, if an agency waiver is granted to a contractor for Part A or Part B, they can delay adhering to Section 889 Part A through August 13, 2021. Similarly, a contractor can delay complying with Section 889 Part B through August 13, 2022.
On the whole, waivers are limited and granted only in exceptional circumstances so focusing on reducing the possibilities of non-compliance makes more sense. For a more realistic approach to ensure compliance, think more holistically about your supply chain and accordingly implement a robust, supply chain risk management (SCRM) plan for the long term. A strong SCRM plan should focus on two things — adhering to federal regulations and addressing continuity, business, and uncertainties.
For a more comprehensive security risk posture, implement software solutions to do the job without the need to allocate additional resources. IntegrityShield by SureShield seamlessly integrates with other third-party applications used by your enterprise and helps you manage third-party compliance effectively. It not only works to limit risks but also helps you gain a deep understanding of your supply chain and its data systems. It also offers a complete audit trail that demonstrates proof of compliance (POC), verification, and validation.
To know more about the latest developments in IT and data security, read our blog or follow us on Twitter or LinkedIn.