Are you facing challenges with NDAA Section 889?
The National Defense Authorization Act (NDAA) was signed into law on Aug. 13, 2018 and imposed new restrictions on procurement of telecommunications equipment or services based on ties to certain Chinese entities, thereby expanding the list of forbidden products for federal contractors.
From NDIA website:
Section 889 of the 2019 National Defense Authorization Act prohibits the federal government, government contractors, and grant and loan recipients from procuring or using certain “covered telecommunication equipment or services” that are produced by Huawei, ZTE, Hytera, Hikvision, and Dahua and their subsidiaries as a “substantial or essential component of any system, or as critical technology as part of any system.”
The two phases of prohibition:
Sec. 889(a)(1)(A) required the federal government, as of August 13, 2019, to not “procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
Sec. 889(a)(1)(B), which went into effect on August 13, 2020, will prohibit the federal government from entering into or extending or renewing contracts with any entity that “uses any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
How will NDAA Sec. 889 impact contractors?
Section 889(a)(1)(A), which is already in effect, requires that contractors providing “covered telecommunication equipment or services” to the federal government reconfigure their supply chains to exclude Huwaei/ZTE components in the final products or services. This regulation was put into place via an interim rule that was updated in early 2020. Contractors are required to present to the government annually whether the supplies or services that they offer include covered telecommunications equipment or services. They are also required to report to the government when covered telecommunications equipment or services are used during contract performance.
Section 889(a)(1)(B) will have a much broader impact on the government and contractors. The language used in the statute is very extensive and requires significant interpretation from regulatory authorities when being implemented. Definitions of the term “use” could imply that the government would be prohibited from doing business with a government contractor that has an internet service provider (ISP) that uses Huawei/ZTE equipment in providing internet service. An even more extreme example has been raised for those contractors that use security cameras containing Huawei/ZTE components.
Next steps for Government and contractors
Government stakeholders and contractors need to inventory their telecommunication equipment and evaluate their supply chain and acquisition procedures in order to identify prohibited equipment in their infrastructure. This is a difficult task for legacy ITAM tools which fail to discover and fully identify the manufacturers of all devices in all environments (IT, OT, IoT). Some organizations use multiple tools and patch together inventory reports which results in gaps in visibility. Additionally, white-labeled and private-labeled devices may create further ambiguity.
How Sepio Systems can help
As a leader in the Cyber-Physical market, Sepio Systems addresses these concerns. Sepio’s Hardware Access Control solution (HAC-1) is designed to discover all devices operating over network and USB interfaces. In addition to complete discovery, we empower organizations to create and enforce device policies and block unapproved and rogue hardware. Using Physical Layer fingerprinting technology and machine learning, Sepio Systems calculates a digital fingerprint from the electrical characteristics of the device and compares them against known fingerprints, automatically providing information on the vendor name, product name and more.
With this capability, government stakeholders and contractors can, in real time, monitor and maintain a state of compliance and prevent potential supply chain intrusions. To learn more about Sepio Systems and how our innovative technology can help you achieve compliance with this challenging Executive Order please reach out to our sales team or feel free to schedule a demo.