The Department of Defense is considering giving contractors an extra year to rid their networks of technology from Huawei, ZTE and other Chinese companies.
Part B of Section 889 of the 2019 National Defense Authorization Act bans the whole government from doing business with any company that “uses” several types of Chinese technology deemed to be a national security risk, effective Aug. 13. But the broadness of the law’s language and the complexity of the government’s global supply chain have complicated efforts for contractors to hit the August deadline.
The DOD tells FedScoop that it is considering a one-year delay for contractors to comply with the regulations prompted by the law. The deadline would technically still be in effect, but DOD would change the requirements in contracting language allowing vendors more time to reach full compliance.
The final rules will come from the Office of Management and Budget‘s Federal Acquisition Council, which has not issued any guidance yet. OMB said the deadline for the law remains firmly in place.
“The Administration will implement the prohibition deadline set by Congress. Guidance is coming soon,” an OMB spokesperson said.
The lack of clarity has caused concern among contractors that they could be shut out of lucrative contracts if another company in their supply chain uses the soon-to-be banned tech.
“I am very concerned about being able to implement it in August,” Undersecretary for Acquisition and Sustainment Ellen Lord told Congress on Wednesday. A DOD spokesman, Lt. Col. Mike Andrews, later told FedScoop that the DOD is looking to delay full compliance by a year.
“DoD fully supports the intent of Section 889, but the Department is hearing that, in light of the COVID impacts and disruptions to the industrial base including small businesses, there may be reasons to extend by one year the implementation of the rule,” he said. “While necessary to accomplish, the requirements of 889 will require significant investment and may benefit from use of a risk based approach to achieve effective implementation.”
It’s unclear if other agencies will take similar actions and find ways to delay full compliance or if the White House, which houses OMB, will support the DOD’s signals for delays.
Lord let defense contractors exhale an added sigh of relief by signaling the DOD would push for a softer, risk-based approach to implementation and rule making. There was concern in the industry that small infractions — such as a soon-to-be banned security camera in the parking lot of a subcontractor six tiers down — could invalidate a major prime contract. A risk-based approach would put more emphasis on eliminating Chinese tech from the most sensitive parts of the supply chain, Katherine Gronberg, vice president for government affairs at Forescout, told FedScoop in March.
The news of both a potentially delayed implementation and a more risk-based approach was met with cheers by the Professional Services Council, a group that represents IT and services contractors across the government. PSC signed on to a letter in March asking Congress for a six-month delay in the law itself as the coronavirus pandemic started to rupture supply chains and disrupt businesses.
While the PSC is happy with the implementation delay, CEO David Berteau says he hopes that OMB will soon publish guidance for contractors to prepare themselves for however the government chooses to interpret the law.
“It is not a self-implementing law,” he said. He added that contractors can’t “plan for guidance you don’t have.”
While contractors were nervous about how the law would be implemented before the pandemic, the last few months have only added anxiety for industry and government. Small business without extensive records about their IT supplies could be hardest hit, Gronberg said. Widespread teleworking doesn’t make any of it easier, either.
“With large numbers of employees working from home during the COVID-19 crisis, accessing company network resources through their home routers and ISPs, companies’ networks have become vastly more complex and decentralized,” she said in an email. “Security teams are distracted supporting and securing remote workers, so it stands to reason that meeting requirements like this — difficult under normal circumstances — are now made considerably more difficult.”