Are you facing challenges with National Defense Authorization Act (NDAA) Section 889(b) compliance and dealing with security concerns related to Chinese covered telecommunications equipment?
The NDAA was signed into law on August 13, 2018. It imposed new restrictions on the procurement of telecommunications equipment or services based on ties to certain Chinese entities, thereby expanding the list of forbidden products for federal contractors.
From the National Defense Industrial Association (NDIA) website:
The 2019 National Defense Authorization Act’s (NDAA) Section 889(b) prohibits the federal government, government contractors, and grant and loan recipients from procuring or using certain “covered telecommunications equipment or services”. The specified equipment is produced by Huawei, ZTE, Hytera, Hikvision, and Dahua, along with their subsidiaries, when it serves as a “substantial or essential component of any system” or is considered critical technology within a system.
The Two Phases of Prohibition
Section 889 (a)(1)(A) required the federal government, as of August 13, 2019, to not “procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
Section 889 (a)(1)(B), which went into effect on August 13, 2020, prohibits the federal government from entering into or extending or renewing contracts with any entity that “uses any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
How will Section 889 Compliance Impact Contractors?
Section 889(b) compliance, which is already in effect, requires that contractors providing “covered telecommunication equipment or services” to the federal government reconfigure their supply chains to exclude Huawei/ZTE components from the final products or services. This regulation was put into place via an interim rule that was updated in early 2020.
The government mandates that contractors annually disclose whether the supplies or services they offer include covered telecommunications equipment or services. Additionally, they must report to the government if they use covered telecommunications equipment or services during contract performance.
Section 889 (a)(1)(B) will have a much broader impact on the government and contractors. The statute’s language is extensive and necessitates substantial interpretation from regulatory authorities during implementation. The definitions of the term “use” might imply that the government could prohibit doing business with a government contractor if the contractor’s internet service provider (ISP) utilizes Huawei/ZTE equipment in providing internet service.
An even more extreme example has been raised for those contractors that use security cameras containing Huawei/ZTE components.
Next Steps for Government and Contractors
Government stakeholders and contractors need to inventory their telecommunication equipment and evaluate their supply chain and acquisition procedures in order to identify prohibited equipment in their infrastructure.
This is a difficult task for legacy ITAM tools, which fail to discover and fully identify the manufacturers of all devices in all environments (IT, OT, IoT). Some organizations use multiple tools and patch together inventory reports, which results in gaps in visibility. Additionally, white-labeled and private-labeled devices may create further ambiguity.
How Sepio Can Help With Section 889(b) Compliance
As a leader in the Cyber-Physical market, Sepio addresses these concerns. Sepio’s platform is designed to discover all devices operating over network and USB interfaces. In addition to complete discovery, we empower organizations to create and enforce device policies and block unapproved and rogue hardware.
Using Physical Layer fingerprinting technology and machine learning, Sepio calculates a digital fingerprint from the electrical characteristics of the device and compares it against known fingerprints, automatically providing information on the vendor name, product name and more.
With this capability, government stakeholders and contractors can, in real time, monitor and maintain a state of Section 889(b) compliance and prevent potential supply chain intrusions.