The National Defense Authorization Act (NDAA) is a United States federal law that specifies the budget and expenditures for the Department of Defense (DoD) and sets policies for the military. It is one of the key pieces of legislation that Congress must pass each year to authorize funding and establish the policies under which the military operates.
The aim of National Defense Authorization Act (NDAA) Section 889(b) is to protect national security from cyber-attacks carried out by foreign adversaries. The US government has, on numerous occasions, accused the Chinese government of using its telecommunications operator companies for pernicious purposes, specifically malicious activity aimed at the US.
According to Robert Bigman, “this [Section 889] was specifically [created] as a result of intelligence that the US government had” (Interview with Robert Bigman, Former CISO @CIA).
National Defense Authorization Act (NDAA) Section 889(b)
The National Defense Authorization Act (NDAA) imposes restrictions on the procurement and usage of specific telecommunications equipment or services. These restrictions apply to entities such as the federal government, government contractors, and grant and loan recipients. The prohibited equipment or services include those produced by Huawei, ZTE, Hytera, Hikvision, and Dahua, as well as their subsidiaries. These entities cannot use such equipment or services as a substantial or essential component of any system or as critical technology within any system.
The statute does not have an exemption for commercial item contracting. Thus, the prohibition applies to all purchases regardless of the size of the contract or order.
Section 889 is Comprised of Two Parts:
| Sec. 889(a)(1)(A) (known as Part A) | Requires the federal government, as of August 13, 2019, to not “procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” |
| Sec. 889(a)(1)(B) (known as Part B) | Since August 13, 2020, the federal government is prohibited from entering into or extending or renewing contracts with any entity that “uses any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” |
Part B of the regulation has a significant impact on the government and its contractors. The statute’s language is extensive and ambiguous, making compliance challenging.
According to Robert Bigman, anyone supporting contractors who serve the government must comply with these regulations. Contractors are obligated under National Defense Authorization Act (NDAA) Section 889(b) to annually disclose to the government whether their supplies or services involve covered telecommunications equipment or services.
Covered Telecommunications Equipment and Services
Supplies and services also include products that contractors use but do not own. The regulation is not limited by geographical boundaries: the geographical location of the equipment, system, or service, and the geographical location of its use, are irrelevant; all covered telecommunications equipment and services fall under the regulation.
Furthermore, contractors must report to the government when covered telecommunications equipment or services are in operation during contract performance. National Defense Authorization Act (NDAA) Section 889(b) proves to be a comprehensive regulation that aims to maintain US national security as the attack surface increasingly moves towards the perilous cyber realm.