The U.S. Government is Working to Secure its IT Supply Chain. Here’s How To Get It Right.

With news of cyber-attacks and IP theft rippling across the government contracting world, officials in the United States Congress and Executive Branch have recognized the importance of securing federal IT networks and infrastructure. Concerns about the U.S. government’s supply chain security contributed to the enactment of a 2018 law, commonly known as Section 889, targeted at Huawei, ZTE and three Chinese manufacturers of video surveillance equipment. This new law bars government agencies not only from buying equipment made by the named companies, but also from doing business with contractors that “use” the prohibited equipment.

Though the tech industry shares the government’s goal of securing the federal supply chain, this law’s lack of clarity—particularly how vague the definition of the term “use” is—rendered contractors without clarity about how to come into compliance. This confusion was compounded by the absence of any draft implementation guidance that could offer any practical insight into the new requirements until only a few weeks before it took effect. When an interim rule was finally published, it attempted to make sense of Sec. 889 by directing contractors to conduct a “reasonable inquiry” into whether their company uses covered equipment or services. What this precisely is, and how to stay in compliance with the law, remains unclear—the rule did not provide much detail on what should be considered as part of this inquiry, only noting that the requirement falls short of an internal or third-party audit.

The latter provision of Sec. 889, banning government agencies from doing business with contractors that use prohibited equipment, is in effect for every government contract as of August 13, 2020, and the Federal Acquisition Regulatory (FAR) Council released an interim rule on July 14, 2020 implementing this far-reaching change. ITI led a multi-industry comment submission through the Council of Defense and Space Industry Associations (CODSIA) detailing how the government can meet Sec. 889’s national security objectives while ensuring continuity of operations and minimizing negative contractor impacts.

If a contractor identifies any use of banned equipment, the law allows the company to seek a waiver from its customer agencies in the short term while it works to remove the problematic technology. However, the waiver process outlined in the interim rule is muddled, time-consuming, and seems designed to discourage companies and government contracting officials from seeking a waiver altogether. In our comments, we recommended ways the government can facilitate a fair and expedited waiver process that still allows agencies to take advantage of innovative government contracting practices like Government-wide Acquisition Contracts (GWACs) and simplified transactions with a Government Purchase Card.

Additional detail to guide contractors both in conducting the reasonable inquiry and the mechanics of the waiver process is paramount. If contractors aren’t confident that they can meet the new requirements, they might choose to exit the federal marketplace altogether, leaving the U.S. unable to build its technological advantage against the same adversaries Sec. 889 was intended to counter.

Though Sec. 889 is certain to cause major disruption to the federal procurement process, this law is only one piece of a greater puzzle. Heightened interest in supply chain risk management over the last few years has spawned many new laws, executive orders, regulations, and agency actions that contractors must navigate. Streamlining this confusing patchwork of requirements is necessary to protect sensitive government and contractor information while still allowing agencies to take full advantage of companies’ innovative offerings.

Any effective supply chain security policy will look at the greater challenge holistically and prioritize securing acquisitions that create the most risk, while providing government contracting officials with the flexibility to meet their agencies’ mission needs. Rather than merely banning specific entities or focusing solely on country of origin, policymakers should ensure the government has the tools to nimbly defend the U.S. against supply chain risks today and adapt to address the threats of tomorrow.

We believe the 2018 SECURE Technology Act takes the better approach. This law established the Federal Acquisition Security Council (FASC), which brings cybersecurity and supply chain experts from across the government together with industry to conduct objective supply chain risk analyses and recommend the removal of problematic equipment from government networks. ITI asserts the need for ample coordination with the FASC in our Sec. 889 comments, and we plan to provide input into a recently-released interim final rule that details the FASC process.

In order to effectively address one of the biggest national security challenges our nation faces today, government and industry must work hand-in-glove to create solutions that protect the federal supply chain while incentivizing companies to provide best-in-class, secure products to the government.

Public Policy Tags: Cybersecurity, Public Sector

Related