Have you a received Section 889 letter yet? If not, you may soon. The letters ask whether you provide or use “covered telecommunications equipment or services.” They are part of the implementation of Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (the 2019 NDAA), which has two phases. The first phase started in August 2019 but has a limited scope. The second phase—which started in August 2020—is much broader and raises a lot more questions. This article answers some of those questions and provides some tips on how to comply.

Keep in mind that Section 889 is still being implemented. Much of this analysis is based on interim rulemakings at 85 F.R. 42665 and 85 F.R. 53126. Final rules may change based on public comments.

1. What is Section 889?

 In the 2019 NDAA, Congress determined that there are increased privacy, security, and espionage risks from using telecommunications equipment and services provided by certain companies (i.e., companies that are connected to, owned by, or controlled by the Chinese government). Section 889 seeks to mitigate those risks by prohibiting the purchase and use of such equipment.

The prohibitions were implemented in two phases:  Section 889(a)(1)(A) prohibits agencies from purchasing covered telecommunications equipment, system, or service. Section 889(a)(1)(B) prohibits agencies from entering into (or extending or renewing) a contract with a company that uses covered telecommunications equipment or services (underlining added):

(a)Prohibition on Use or Procurement.—(1) The head of an executive agency may not—

(A) procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as party of any system; or

(B) enter into a contract with (or extend or renew a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.

The purchase prohibition has been in effect since August 13, 2019. It focuses on the products that a company supplies to the Government (or its contractors).

The use prohibition went into effect on August 13, 2020 and is much broader. It is essentially aimed at ensuring that the Government does not do business with companies that use covered telecommunications equipment or services.

2. Does Section 889 apply to federal grant funding too?

Yes. Section 889(b) extends to grants and provides that grant funding may not be used to “procure or obtain” covered telecommunications equipment or services. It also instructs grant awarding agencies to encourage and facilitate transition away from covered telecommunications and services. The agencies must “prioritize available funding and technical support to assist affected business, institutions and organizations . . . to transition from covered communications equipment and services to procure replacement equipment and services.”

This prohibition is implemented in the Uniform Guidance—the FAR for grant recipients—at 2 C.F.R. § 200.216. The Uniform Guidance cost principles make it clear that the costs of procuring or obtaining covered telecommunications equipment or services are not allowable (2 C.F.R. § 200.471).

3. What are “covered telecommunications equipment or services”?

In short, it is almost any telecommunications or video surveillance equipment or services from a company that is owned by, controlled by, or connected to the Chinese government. The detailed definition is below. The first two elements of the definition name specific prohibited companies—Huawei, ZTE, Hytera, Hangzhou Hikvision, Dahua, and their subsidiaries and affiliates. The last two elements of the definition are much broader.  They include any telecommunications or video surveillance equipment or services produced by a company that is owned, controlled, or “connected” to the People’s Republic of China:

1. Telecommunications equipment from Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities);
2. For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities).
3. Telecommunications or video surveillance services provided by such entities or using such equipment.
4. Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense . . . reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.

The only “covered foreign country” is The People’s Republic of China. Contractors (and subcontractors at any tier) that use telecommunications or video surveillance equipment or services obtained from Huawei, ZTE, Hytera, Hangzhou Hikvision, Dahua or another company connected with the Chinese government may be subject to Section 889.

There is no separate definition or list for what type of equipment or service falls within the “telecommunications” category. Although this leaves some ambiguity, a key feature is whether the equipment can transmit user data or be hacked to access user data. If it cannot, the equipment may not qualify or be subject to the prohibition. The Section 889 prohibitions do not apply to equipment that “cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles.”

There is no requirement that covered equipment connect to the internet. Even if your equipment is installed on a closed network (i.e., it does not connect to the internet), the equipment may still be covered if it could transmit data when connected to the internet. But there is an exception for equipment that connects to third party facilities through backhaul, roaming, or interconnection arrangements.

4. What do “substantial or essential component” and “critical technology” mean?

“Critical technology” is fairly specific. It includes: (i) defense articles or services on the ITAR munitions list; (ii) items on the Commerce Control List; (iii) specially designed and prepared nuclear equipment, parts, materials, components, software, and technology; (iv) nuclear facilities, equipment, and material; (v) certain biological agents or toxins; and (vi) emerging and foundational technologies subject to the Export Control Reform Act.

The definition of “substantial or essential component” is less specific. It means “any component necessary for the proper function or performance of a piece of equipment, system, or service.”  In other words, if the product or system will not work without the telecommunications equipment or service provided by a prohibited entity, then it may fall within the Section 889 prohibitions. 

5. What contractors (e.g., prime, sub, etc.) are subject to Section 889?

 Section 889 applies broadly to prime contractors, subcontractors, and other contractual arrangements connected with a government contract. The prohibitions are implemented through three main FAR clauses.

The first clause—FAR 52.204-25—outlines the Section 889 prohibitions, along with detailed definitions (which we discuss below). The clause is required to be included in all contracts and solicitations and must be flowed down and incorporated into “all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items.”  So even if a company does not directly contract with the government, they may be subject to the prohibitions if they have a “contractual instrument” with a prime contractor or subcontractor that does hold a government contract.

The second and third clauses—FAR 52.204-24 and FAR 52.204-26—are representation clauses that require contractors to certify whether they provide or use covered telecommunications equipment or services. The representations at FAR 52.204-24 are included in all solicitations and were initially required to be completed for every single proposal that a company submitted. But under the current rules, offerors can skip the offer-by-offer representation if they have completed the annual representation at FAR 52.204-26 as part of their SAM registration and represented that they do not use covered telecommunications equipment or services. The specific representations are below:

1. The Offeror represents that it [ ] does, [ ] does not provide covered telecommunications equipment or services as a part of its offered products or services to the Government in the performance of any contract, subcontract, or other contractual instrument.
2. After conducting a reasonable inquiry for purposes of this representation, the offeror represents that it [ ] does, [ ] does not use covered telecommunications equipment or services, or any equipment, system, or service that uses covered telecommunications equipment or services.

The italics (which are added) highlight key differences between the two representations. The first representation (i.e., the product prohibition) asks whether the offeror provides covered telecommunications as part of its offered products in connection with a Federal contract. If the company offers covered telecommunication products to other non-governmental customers, that seemingly is not covered by the product prohibition.

The second representation (i.e., the use prohibition) is not limited to federal contracts. It “applies to the use of covered telecommunications equipment or services, regardless of whether that use is in performance of work under a Federal contract.”  See FAR 52.204-25(b)(2).

There are three counterparts to these clauses in the DFARS:  (i) DFARS 252.204-7016; (ii) DFARS 252.204-7017; and (iii) DFARS 252.204-7018, which was recently issued as a final rule in 86 FR 3832.

6. The representation says “after conducting a reasonable inquiry”—what is a reasonable inquiry?

 The reasonable inquiry requirement ensures that contractors do some investigation to verify whether they use covered telecommunications. But it does not necessarily mean turning over every stone. The “reasonable inquiry” definition is below. It primarily requires reviewing documentation and having discussions with the vendors in your supply chain to identify which companies provide telecommunications equipment and services:

“Reasonable inquiry means an inquiry designed to uncover any information in the entity’s possession—primarily documentation or other records—about the identity of the producer or provider of covered telecommunications equipment or services used by the entity. A reasonable inquiry need not include an internal or third-party audit.

Questions to think about as part of a reasonable inquiry include:

• • Who is your internet service provider?
  • Which company provides your company’s mobile phones?
  • Who manufactures your laptops?
  • Which company provides video surveillance services at your locations?
  • Who made the surveillance cameras?
  • Does your company use any GPS tracking devices? Who made those?
  • Does your company use any health or security screening equipment (e.g., facial recognition, temperature scanners)?

7. What do we do if we use covered telecommunications equipment or services?

You likely will need to disclose it. The regulations require disclosure both when submitting an offer and during contract performance. Under FAR 52.204-24(e), if you are planning to provide covered telecommunications equipment or services, you must disclose that fact to the Government, along with an explanation for why the proposed equipment or service would be permissible under Section 889. The same is true if you just use covered telecommunications equipment or services at the time you submit an offer to the Government.

There is also a disclosure requirement if you do not provide or use covered telecommunications equipment or services at the time you submit an offer, but you later discover otherwise. Under FAR 52.204.25(d), if a contractor identifies covered telecommunications equipment or services during contract performance, or is notified of such by a subcontractor at any tier, the contractor must report it to its contracting officer within one business day. The contractor then has to report, within ten business days, any mitigation actions taken or recommended, as well as the efforts that were undertaken to prevent the covered telecommunications equipment or services from being offered or used.

You may also be able to request a waiver. Section 889(d) allows agencies to waive the prohibitions on a one-time basis “with respect to an entity that requests such a waiver.”  But waivers require a “compelling justification” and a report to the “appropriate congressional committees,” or the approval of the Director of National Intelligence.

FURTHER READING

GSA Section 889 Implementation FAQ

[View source.]