On Wednesday August 7, 2019, the Federal Acquisition Regulatory (FAR) Council (comprised of the Department of Defense (DOD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA), collectively, “the agencies”) issued a prepublication version of an Interim Final Rule implementing the first phase of § 889 of the National Defense Authorization Act of 2019 (“2019 NDAA”).
Section 889 of the 2019 NDAA generally prohibits federal agencies, federal contractors, and grant or loan recipients from procuring or potentially using—without a waiver or exemption—certain “covered telecommunications equipment or services,” specifically those produced by Huawei Technologies Company and ZTE Corporation and, with respect to certain public safety or surveillance applications, Hytera Communications Corporation, Dahua Technology Company, and Hangzhou Hikvision Digital Technology Company—as a “substantial or essential component of any system, or as critical technology as part of any system.”
Broadly speaking, § 889’s prohibitions become effective in two phases:1
In the prepublication version of the Interim Final Rule released Wednesday, the FAR Council set forth revisions and additions to the FAR to implement paragraph (a)(1)(A) of § 889 of the 2019 NDAA. As described below, the rule—which will be effective as published as of next Tuesday, August 13, 2019—imposes new, affirmative requirements for U.S. government contractors (regardless of agency) that may involve new forms of diligence and compliance controls.
The rule implements the provisions of § 889 through two additions to the FAR: FAR 52.204-24 “Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment,” and FAR 52.204-25 “Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment.”
Under the rule, contracting officers shall:
Importantly, prime contractors should ensure that they carefully collect and track costs of compliance with these new provisions for existing contracts. The cost of compliance with a new contract provision will be recoverable on both fixed-price and cost-reimbursement contracts. Contracts should be carefully reviewed to identify the cost of compliance in any modification seeking to add these clauses.
Further, pursuant to determinations described in the Interim Final Rule, the new FAR clauses will apply to contracts at or below the Simplified Acquisition Threshold (SAT), as well as Commercial Items and Commercially Available Off-the-Shelf Items (COTS). According to the FAR Council, although § 889 does not address acquisitions of commercial items or COTS, “there is an unacceptable level or risk” of purchasing and using covered equipment and services that “is not alleviated by” the availability of the same items to the general public or the small size of the purchase (i.e., at or below the SAT). As a result, the rule warns that agencies “may face increased exposure for violating the law and unknowingly acquiring” banned items absent this additional coverage.
Under FAR 52.204-24, each offeror must provide a representation that “It [ ] will, [ ] will not provide covered telecommunications equipment or services to the Government in the performance of any contract, subcontract or other contractual instrument resulting from this solicitation.” If the offeror responds affirmatively (i.e., that it will provide such items or services), the offeror shall further provide the following information as part of its offer:
Under FAR 52.204-25, contractors must also satisfy, pursuant to subparagraph (d), certain reporting requirements in the event that they identify the “use” of covered telecommunications equipment or services during contract performance or the contractor is made aware of the use of the same by a subcontractor at any tier or by any other source. Notably, the rule does not specify whether such “use” must be that of the procuring agency or the contractor itself (or for that matter any other party, and whether or not involved in activities related to contract performance).
One-Business Day Reporting Requirement – In such case, FAR 52.204-25 requires the contractor to report the information to the contracting officer within one business day from the date of such identification or notification and identify in such report the contract number; the order number(s), if applicable; supplier name; supplier unique entity identifier (if known); supplier CAGE code (if known); brand; model number (OEM number, manufacturer part number or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.
Ten-Business Day Reporting Requirement – FAR 52.204-25 further requires within ten business days a report of information containing “any further available information about mitigation actions undertaken or recommended.” Further, the contractor must “describe the efforts it undertook to prevent use or submission of covered telecommunications equipment or services, and any additional efforts that will be incorporated to prevent future use, or submission of covered telecommunications equipment or services.”
Finally, under paragraph (e) of FAR 52.204-25, contractors must flow down the substance of the clause, including paragraph (e), to all subcontractors at all tiers, “including [in] subcontracts for the acquisition of commercial items” (i.e., flow down would not be required to COTS subcontracts). Notably, this flowdown requirement appears only in FAR 52.204-25. However, while contractors are accordingly not required, as a matter of law, to obtain certifications required by FAR 52.204-24 from subcontractors and suppliers in their supply chain, they would be wise to do so.
Building on the prohibitory language of § 889, the rule adds two important definitions clarifying the scope of covered items and services.
First, the rule adopts the definition of “critical technologies” included in the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) (Section 1703 of Title XVII of the 2019 NDAA, Pub. L. 115-232, 50 U.S.C. § 4565(a)(6)(A)).
As we previously discussed in our coverage of FIRRMA,3 “critical technology” is essentially any technology on an export control list, primarily the U.S. Munitions List (USML) (sensitive military items) (Part 121.1 of the International Trafficking in Arms Regulations (ITAR)) or the Commerce Control List (CCL) (commercial, dual-use and less sensitive military items) (Supp. No. 1 to Part 774 of the Export Administration Regulations (EAR)). If it is not listed, then it is not a “critical technology.” Critical technologies will eventually include now-uncontrolled “emerging and foundational” technologies essential to national security that are identified through a regular order interagency process and, after a public notice-and-comment process, identified on an export control list.
In its explanation for adopting the FIRRMA definition, the agencies note that § 889 and FIRRMA have similar objectives (i.e., ensuring U.S. national security from “certain risks regarding foreign actors”) and that consistency in effectuating those objectives is crucial. The agencies acknowledge that some elements of “critical technology,” as so defined, “may not raise concerns” with respect to covered telecommunications equipment or services (e.g., export controlled agents or toxins). However, they assert that “the majority of identified categories in the FIRRMA definition . . . include or could potentially include covered telecommunications equipment or services,” and that “[s]ince the prohibition does not apply if no covered telecommunications equipment or services are present, a definition that includes [additional, unrelated categories] is overbroad in a way that incurs no additional cost, and ensures the benefits of consistency with other Government efforts.”
Notably, this definition necessarily excludes items subject to U.S. export controls and controlled for only Anti-Terrorism (AT) reasons. Rather, it includes items “included on the Commerce Control List” and “controlled . . . [p]ursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or [f]or reasons relating to regional stability or surreptitious listening.” As a result, is unclear whether the rule prohibits the acquisition or use of networking equipment and electronics devices (e.g., handsets) commonly classified under Export Control Classification Numbers (ECCN) 5A991 and 5A992 (or other similarly controlled product groups), which are controlled only for AT reasons and would accordingly not qualify as “critical technology.”
Second, and without similar elaboration, the rule defines “substantial or essential component” to mean “any component necessary for the proper function or performance of a piece of equipment, system, or service.” The rule does not define the term “necessary” or “proper function,” leaving an open question how strictly those terms will be interpreted and applied.
Notably, the rule leaves undefined other key terms that generated commentary and concern among industry stakeholders through DOD’s early engagement comment period and other public meetings. For example, the rule does not define or clarify the scope of the terms “affiliate or subsidiary,” “uses” or “system(s).” These terms, among other provisions, may receive additional attention and commentary during the public comment period and produce additional clarifying guidance in the agencies’ Final Rule.
Although the rule is effective as of August 13, 2019, the agencies will accept comments from interested parties for 60 days after the publication of the rule in the Federal Register, i.e., approximately early- to mid-October depending on when the rule is officially published, for consideration in the formation of the final rule.
Section 889 and its forthcoming FAR counterparts impose significant, and in some cases novel, compliance obligations for U.S. government contractors and subcontractors. Companies who sell to the federal government directly or indirectly should immediately review and assess their exposure under the rule in preparation for the August 13, 2019 effective date. In the following days and weeks, affected companies should also consider submitting public comments to provide feedback and direction on various aspects of the rule. This feedback will be of critical importance in generating guidance on as-yet undefined terms and requirements in the eventual Final Rule.
1 Section 889(b)(1), also effective August 13, 2020, further provides that executive agencies “may not obligate or expend loan or grant funds to procure or obtain, extend or renew a contract to procure or obtain, or enter into a contract (or extend or renew a contract) to procure or obtain the equipment, services, or systems described in subsection (a).”
2 FAR 1.108(d) provides:
(d) Application of FAR changes to solicitations and contracts. Unless otherwise specified-
(1) FAR changes apply to solicitations issued on or after the effective date of the change;
(2) Contracting officers may, at their discretion, include the FAR changes in solicitations issued before the effective date, provided award of the resulting contract(s) occurs on or after the effective date; and
(3) Contracting officers may, at their discretion, include the changes in any existing contract with appropriate consideration.
3 The CFIUS Reform Legislation—FIRRMA—Will Become Law on August 13, 2018 (Aug. 10, 2018), https://www.jdsupra.com/post/documentViewer.aspx?fid=316DB5F5-C3EC-4CC6-AE88-97EBD09E3007.