Government contractors want the General Services Administration to clarify its expectations before barring agencies from working with vendors that have supply chain ties to some Chinese-based companies, like Huawei and ZTE, among others.
A range of industry and legal experts representing large and small telecom, IT, cybersecurity, real estate, and construction companies met with GSA officials Wednesday to express their concerns with the forthcoming ban.
Viewing the U.S. supply chain as a beachhead for economic espionage by foreign adversaries, namely China, lawmakers added language to the National Defense Authorization Act of fiscal 2019 banning some companies seen as economic, intellectual property and national security threats.
The first interim Federal Acquisition Regulation, under NDAA Section 889(a)(1)(A), took effect Aug. 13 and stops agencies from directly procuring technologies or services with “substantial or essential” covered telecommunications components. “Covered” components include equipment and services from Huawei and ZTE, as well as their subsidiaries, affiliates and several other companies connected to the Chinese government.
Now GSA, the Department of Defense and NASA are working on a second interim prohibition under Section 889(a)(1)(B) that, if interpreted broadly, would ban agencies from contracting with anyone using the blacklisted Chinese-based telecom tech and services in any capacity.
“Part A — the part that’s in effect right now — is crazily burdensome enough, but part B is really a whole other world,” said Jonathan Aronie, a government contracts lawyer at Sheppard Mullin, at the meeting. “It’s companywide, so it impacts everything that you think has nothing to do with your government business.”
Companies’ e-commerce portals, vehicle fleets, building thermostats, and security cameras could all require certifications, lest they risk a False Claims Act suit. That is unless GSA provides a better definition of what products are covered, a good list of covered subsidiaries and affiliates, and compliance program standards, Aronie said.
GSA should develop a framework for industry self-attestation within the supply chain, said Rob Arnold, CEO of Threat Sketch, a cybersecurity risk management company based in Winston Salem, North Carolina.
“The real problem, of course, is the supply chain,” Arnold said. “It’s almost infinitely deep.”
Government solutions often consist of layers of software obtained through open source or commercial licenses, so any self-attestation framework must be comprehensive and cost-effective for companies, he added.
Because neither the statute nor the interim rules currently provide companies with a safe harbor for simply trying their best to comply, prime contractors will need to take additional steps to certify suppliers, said David Drabkin, director of government contracting consulting at public accounting firm Dixon Hughes Goodman.
“Nobody is objecting to the need to protect the government as their client or, for that matter, any of their other clients,” Drabkin said. “The question is: How do we get there? And does it really make sense to have flipped the switch — which is what the government did — made all these things applicable without giving people the room to understand and begin the process of, where it’s appropriate, moving to different systems and solutions in order for them to be able to do business both with their government customers and their private sector customers?”
Norman Don, managing director at real estate agency FD Stonewater, said the government approached the first Section 889 prohibition in a “thoughtful” manner by defining expectations and that he hopes that “carries forward” with the second.
That could prove difficult if covered telecom technologies and services prove moving targets.
“One of the hardest things that the industry and GSA is going to have to deal with is when the bad actor changes,” Arnold said. “Right now we have it basically designated as China, North Korea, Iran and a handful of non-state actors, but what happens when that shifts?”
Already about 20 additional companies have been identified as being covered by Section 889. The government may quickly find itself unable to schedule contracts because companies are ineligible or incapable of meeting certifications under the broad interpretation, Drabkin said.
Small businesses could wind up undone by or the solution to the second Section 889 prohibition, depending on how it’s approached. About 139,730 are affected by the statute and will struggle with hiring consultants to ensure compliance, as well as mistrust from prime contractors that they haven’t done their due diligence, said Ann Sullivan, president of Madison Services Group.
In reality, small businesses onshore more than they offshore and have more room to innovate — making them a good alternative for agencies, Arnold said.
A proposed rule to implement the second Section 889 prohibition is expected in January 2020, with the interim rule going into effect on Aug. 13, 2020.
Companies concerned they won’t be compliant by that deadline can apply for a waiver that expires on Aug. 13, 2021, but that requires producing a full supply chain layout and phase-out plan.
“It’s not a waiver,” said Michael Thompson, senior procurement analyst at GSA. “It’s a delayed implementation.”