The National Defense Authorization Act (NDAA) is a pivotal United States federal law that outlines the budget, expenditures, and policies for the Department of Defense (DoD). As a cornerstone of national security, it establishes the framework for the military’s operations, ensuring robust security policies and security awareness in protecting critical infrastructure.
Protecting National Security: NDAA Section 889(b)
The aim of National Defense Authorization Act (NDAA) Section 889(b) is to protect national security from cyber-attacks carried out by foreign adversaries. The US government has, on numerous occasions, accused the Chinese government of using its telecommunications operator companies for pernicious purposes, specifically malicious activity aimed at the US.
According to Robert Bigman, “this [Section 889] was specifically [created] as a result of intelligence that the US government had”. The regulation is designed to address security risks, prevent data breaches, and mitigate vulnerabilities in the nation’s telecommunications infrastructure.
Restrictions on Covered Telecommunications Equipment
The NDAA imposes restrictions on the procurement and usage of specific telecommunications equipment or services. These restrictions apply to federal entities, contractors, and grant recipients to prevent exposure to data-security vulnerabilities. Prohibited equipment includes products from Huawei, ZTE, Hytera, Hikvision, and Dahua, as well as their subsidiaries. Such equipment cannot be used as a substantial or essential component of any system or as critical technology, ensuring application security and the protection of sensitive data.
The statute does not have an exemption for commercial item contracting. Thus, the prohibition applies to all purchases regardless of the size of the contract or order.
Section 889 is Comprised of Two Parts:
Sec. 889(a)(1)(A) (known as Part A) | Requires the federal government, as of August 13, 2019, to not “procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” |
Sec. 889(a)(1)(B) (known as Part B) | Since August 13, 2020, the federal government is prohibited from entering into or extending or renewing contracts with any entity that “uses any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” |
Compliance Challenges Under NDAA Section 889(b)
Sec. 889 Part B significantly impacts government contractors, as its broad language makes compliance difficult. Contractors must annually disclose whether their supplies or services involve covered telecommunications equipment. They must also report when such equipment is used during contract performance, ensuring transparency and reducing cybercrime risks. Non-compliance could lead to security breaches or compromised operations, increasing exposure to hackers and malware.
According to Robert Bigman, anyone supporting contractors who serve the government must comply with these regulations. Contractors are obligated under National Defense Authorization Act (NDAA) Section 889(b) to annually disclose to the government whether their supplies or services involve covered telecommunications equipment or services.
Covered Telecommunications Equipment and Services
Supplies and services also include products that contractors use but do not own. The regulation is not limited by geographical boundaries: the geographical location of the equipment, system, or service, and the geographical location of its use, are irrelevant. All covered telecommunications equipment and services fall under the regulation.
Furthermore, contractors must report to the government when covered telecommunications equipment or services are in operation during contract performance. National Defense Authorization Act (NDAA) Section 889(b) proves to be a comprehensive regulation that aims to maintain US national security as the attack surface increasingly moves towards the perilous cyber realm.
Strengthening Security Under NDAA Section 889(b)
The NDAA Section 889(b) requirements emphasize the need for advanced authentication protocols, robust encryption, and improved incident response strategies to combat modern cyber threats. This includes addressing vulnerabilities in information-technology systems and ensuring data privacy through rigorous data-protection measures.
As security experts highlight, the regulation reinforces the importance of safeguarding sensitive information and mitigating risks from foreign entities. Compliance with NDAA Section 889(b) supports a secure operational environment, protecting against attacker intrusion and securing critical national assets.
Benefits of Sepio’s Solution for Section 889(b) Compliance
Sepio’s solution offers a comprehensive approach to meeting the requirements of Section 889(b) compliance. By providing full visibility into all hardware devices connected to your network, Sepio ensures that only trusted, authorized devices are allowed access. This reduces the risk of using unapproved hardware, which could lead to security vulnerabilities or non-compliance.
Key benefits include:
- Enhanced Device Visibility: Continuous monitoring and real-time detection of all network-connected devices.
- Risk Mitigation: Identifying and isolating unauthorized or potentially harmful devices, significantly reducing the risk of data breaches or cybersecurity threats.
- Centralized Management: A unified platform for managing device access, minimizing administrative overhead and enhancing operational efficiency.
Contractors and government entities must enhance their security posture by leveraging technologies that provide real-time visibility into shadow assets, prioritize risks, and fortify defenses against cyber attacks. Sepio’s patented technology empowers organizations to secure their operations and reduce security risks, ensuring compliance with the National Defense Authorization Act (NDAA) and maintaining information-security standards.
Secure Your Operations with Sepio
Gain control of your asset risks and enhance your security awareness with Sepio. Talk to an expert, who will help you understand how to use Sepio’s patented technology to gain control of your asset risks.