NDAA Section 889 Challenges


Overview of Section 889

Section 889 is part of the National Defense Authorization Act (NDAA) for Fiscal Year 2019. The statute imposes new restrictions on the procurement of telecommunications equipment or services from certain companies, and their subsidiaries or affiliates, based on their ties to the Chinese government. In doing so, the regulation expanded the list of forbidden products for federal contractors. The aim of Section 889 is to protect national security from cyber-attacks carried out by foreign adversaries. The US government has, on numerous occasions, accused the Chinese government of using its telecommunications operators for pernicious purposes – specifically, malicious activity aimed at the US. According to Robert Bigman, former CISO at the CIA, “this [Section 889] was specifically [created] as a result of intelligence that the US government had”.

NDAA Section 889 Challenges

Section 889 prohibits the federal government, government contractors, and grant and loan recipients from procuring or using certain “covered telecommunications equipment or services” that are produced by Huawei, ZTE, Hytera, Hikvision and Dahua and their subsidiaries as a “substantial or essential component of any system, or as critical technology as part of any system”. The statute does not have an exemption for commercial item contracting, thus the prohibition applies to all purchases regardless of the size of the contract or order. Section 889 comprises two parts:

Sec. 889(a)(1)(A) (known as Part A): Requires the federal government, as of August 13, 2019, to not “procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”

Sec. 889(a)(1)(B) (known as Part B): Since August 13, 2020, the federal government is prohibited from entering into or extending or renewing contracts with any entity that “uses any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”

Part B has a much broader impact on the government and its contractors due to the extensive and ambiguous language used in the statute. Put simply, Robert Bigman states that “people who are providing support to the contractors who are providing support to the government…they all have to comply”. As such, under Section 889, contractors are required to present to the government, annually, whether the supplies or services that they offer include covered telecommunications equipment or services. Supplies and services also include products that they use but do not own, and the requirement is not limited by geographical boundaries: the geographical location of the equipment, system or service, and the geographical location of its use, are irrelevant, and all covered telecommunications equipment and services fall under the regulation. Furthermore, contractors must report to the government when covered telecommunications equipment or services are in operation during contract performance. Section 889 proves to be a comprehensive regulation that aims to maintain US national security as the attack surface increasingly moves towards the perilous cyber realm.
