Are you facing challenges with National Defense Authorization Act (NDAA) Section 889b compliance and managing security risks related to Chinese-covered telecommunications equipment? Ensuring compliance with Section 889b is essential for contractors providing telecommunications services to the federal government, especially in the context of Chinese manufacturers such as Huawei and ZTE.
The NDAA, signed into law on August 13, 2018, introduced stringent restrictions on the procurement of telecommunications equipment or services linked to certain Chinese entities. This expanded the list of prohibited products for federal contractors.
According to the National Defense Industrial Association (NDIA):
The 2019 NDAA Section 889b prohibits federal agencies, government contractors, and recipients of grants and loans from acquiring or using specific “covered telecommunications equipment or services.” This includes products from Huawei, ZTE, Hytera, Hikvision, and Dahua, as well as their subsidiaries, when these items are deemed critical to any system or considered essential technology within a system.
The Two Phases of Prohibition Under NDAA Section 889
The restrictions under NDAA Section 889 were implemented in two phases:
Section 889 (a)(1)(A) required the federal government, as of August 13, 2019, to not “procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
Section 889 (a)(1)(B), which went into effect on August 13, 2020, will prohibit the federal government from entering into or extending or renewing contracts with any entity that “uses any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
These regulations, reinforced by Section 889b, aim to enhance national security by restricting the use of telecommunications equipment from Huawei, ZTE, Hytera, Hikvision, Dahua, and their subsidiaries.
How Will Section 889 Compliance Impact Contractors?
Section 889b compliance, which is already in effect, requires contractors providing “covered telecommunications equipment or services” to the federal government to reconfigure their supply chains to exclude Huawei/ZTE components from their final products or services. This regulation was introduced via an interim rule that was updated in early 2020.
The government mandates that contractors annually disclose whether the supplies or services they offer include covered telecommunications equipment or services. Additionally, they must report to the government if they use covered telecommunications equipment or services during contract performance.
Section 889b will have a much broader impact on the government and contractors. The statute’s language is extensive and requires substantial interpretation by regulatory authorities during implementation. The definition of the term use could imply that the government may prohibit doing business with a contractor if the contractor’s internet service provider (ISP) utilizes Huawei/ZTE equipment to provide internet service.
A more extreme example involves contractors using security cameras containing Huawei/ZTE components, further complicating compliance efforts.
Next Steps for Government and Contractors
Government stakeholders and contractors need to inventory their telecommunications equipment, evaluate their supply chains, and review acquisition procedures to identify prohibited equipment in their infrastructure, ensuring Section 889b compliance across all devices.
This is a difficult task for legacy IT Asset Management (ITAM) tools, which often fail to discover and fully identify the manufacturers of all devices across IT, OT, and IoT environments. Some organizations rely on multiple tools and patch together inventory reports, leading to gaps in visibility. Additionally, white-labeled and private-labeled devices create further ambiguity.
How Sepio Can Help With Section 889b Compliance
As a leader in the cyber-physical security market, Sepio provides a comprehensive solution for Section 889b compliance. Our platform enables full visibility into all devices operating over network and USB interfaces, ensuring organizations can detect and eliminate prohibited telecommunications equipment.
Using Physical Layer fingerprinting technology and machine learning, Sepio calculates a digital fingerprint from the electrical characteristics of the device and compares them against known fingerprints, automatically providing information on the vendor name, product name and more.
With this capability, government stakeholders and contractors can, in real time, monitor and maintain a state of section 889b compliance and prevent potential supply chain intrusions.
Gain full visibility. Reduce risk. Ensure compliance
Talk to an expert today to learn how Sepio’s patented technology can help you gain control of your asset risks and maintain Section 889b compliance.
