The Office of Management and Budget will not require full-scale audits of federal contractors’ networks in the implementation of a ban on Huawei and other Chinese technology, according to an interim rule issued this week.
Not requiring a full audit under Section 889 Part B of the fiscal 2019 National Defense Authorization Act means that contractors will still need to do a thorough vetting of their networks to ensure they don’t have any ties to the Chinese tech, but they won’t have to pay an outside company or spend time with an internal team scrubbing their purchases with a fine-tooth-comb — an additional burden that some contractors had feared.
Section 889 Part B requires the ban to go into effect Aug. 13. Part A placed an earlier ban on federal agencies using tech from the Chinese companies Huawei, ZTE, Hytera, Dahua, or Hangzhou Hikvision, while Part B will forbid federal contractors from any use of those companies in their supply chains.
The broadness of the law’s language has inspired worry in the contracting community over how severely the government would interpret it and how quickly contracting officers will require compliance. Previously, the Department of Defense’s top acquisition official Ellen Lord told Congress she planned to give contractors an extra a year to comply with the law’s implementation.
The Professional Services Council and the National Defense Industry Association penned a letter to Congress asking for an extension to the law’s deadline until February 2021. The law is not-self implementing, and while the deadline is set in stone, the implementation and compliance depends on OMB’s guidance and the actual contracting language agencies write.
The economic toll of the coronavirus pandemic, new cyber regulations from the DOD and other factors have added to the list of recent troubles for contractors.
“Part B will impose significant financial and operational costs on medium- and small-sized firms at a moment of substantial uncertainty and hardship,” the influential trade groups wrote in March.
Now that the guidance has arrived, contractors have more information about how the government will interpret and implement the law.
Katherine Gronberg, vice president for government affairs at Forescout, told FedScoop the interim rule is a “softer” implementation because it does not require contractors to do a full internal or third-party audit to look for the banned tech in their networks.
“I believe that is in direct result of industry voicing this would be very burdensome,” she said.
Even though contractors won’t be required to do a full audit of their networks, conducting a “reasonable inquiry” for the technology — as the interim rule calls for — still could cause strain for those without digital records that can be inspected remotely, Gronberg said.
“Companies are going to have to start being ready on future contracts in the very near term,” she said.