The saga of what is prohibited and what is covered by an exception to the National Defense Authorization Act, FY 2019, Section 889 prohibition on the use or delivery of covered telecommunications and video surveillance equipment and services continues.
As reported previously, the FAR rule implementing Section 889(a)(1)(B)’s prohibitions was published on July 14, 2020 as an interim rule to be effective August 13, 2020. The representations portion of the rule was recently postponed to October 26, 2020, but the notice of this delay does not state that it applies to the actual FAR 52.204-25 (August 2020) clause that is being put into government procurements and contracts. This means that, without more, contractors must still comply with this clause when it is included in their contracts. Not only is the clause being included in solicitations, but efforts are being made to include the clause in existing contracts. Thus, though representation of compliance is not required, compliance with the clause is. The clause requires that you identify and report when you discover that covered equipment or services are being used and that you provide a plan for replacement of discovered covered equipment or services. Thus, it is imperative that contractors think about what they are required to do to comply with the provisions of both parts (a)(1)(A) and (a)(1)(B) of Section 889, and work towards compliance.
The GSA has issued a set of decision trees for agency evaluation of whether and to what extent the prohibition of, or an exception to, Section 889(a)(1)(A) and (a)(1)(B) will apply. The decision trees do not, however, afford the user any further clarity on what is intended by key terms of the Section – “use,” “public safety,” “security of Government facilities,” “critical infrastructure,” or “national security purposes.”
Notable, as well, is that the decision trees do not explain how the user can determine whether equipment can “route or redirect user data traffic or permit visibility into any user data.” Given reported concerns with the incorporation of USBAnywhere “bugs” into baseboard management controllers that then can be used by attackers to exfiltrate data or manipulate images or systems through a virtual mouse and keyboard, one wonders how a contractor could, on its own and without a forensic analysis, reasonably determine that equipment cannot route or redirect traffic or data.
For those who have questions like these or others, GSA is hosting a “GSA Live Webinar regarding GSA’s Implementation of Section 889” on September 10th.
On August 11, 2020, NASA issued a memorandum for its contracting community regarding implementation of Section 889(a)(1)(B). The NASA memorandum emphasizes that the rule “does not flowdown to subcontractors,” but it provides little guidance concerning the parameters of the “reasonable inquiry” its prime contractors are required to undertake. Thus, despite stating that “[t]he purpose of this memorandum is to work with our industry partners to ensure there is awareness about this FAR requirement and to assess if your company will be impacted by it,” the memorandum and its attachments are not particularly helpful.
The takeaway: In light of the imminent application of the clause, contractors should be on the lookout for guidance being issued by their contracting agency and consider asking questions in order to ascertain how these prohibitions will be interpreted and implemented under their contracts.
We are following these issues closely. If you have questions about Section 889 implementation or other government contracts matters, contact the author, or your Stinson counsel.