Everything You Need to Know About Section 889 of the NDAA Compliance Requirements

Article

Table of Contents

Introduction

Section 889 of the 2019 National Defense Authorization Act (NDAA) has significant implications for acquisition and procurement executives, government contractors, and suppliers, particularly those acquiring, procuring, manufacturing, and supplying telecommunications equipment and services. The purpose of the legislation is to address national security and intellectual property threats that the United States faces.
Exiger’s products and services can assist organizations in meeting Section 889, Federal Acquisition Regulation (FAR), and General Services Administration Acquisition Regulation (GSAR) compliance requirements. In this comprehensive guide, we will provide an overview of the legislation’s history and subsequent regulations, along with an understanding of Exiger’s supply chain risk management solution.

Section 889 of the NDAA Compliance Requirements

Section 889 was included in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115–232). It was enacted to counter national security threats posed using certain telecommunications equipment and services. The legislation is divided into two parts, namely 889(a)(1)(A) and 889(a)(1)(B). Part A, which went into effect on August 13, 2019, prohibits federal agencies from procuring or obtaining, extending or renewing contracts for, any equipment, system, or service that uses covered telecommunications equipment or services. Part B, effective from August 13, 2020, imposes additional prohibitions and requirements on federal agencies.

Covered Telecommunication Equipment

FAR Case 2018-017

This case addresses Section 889(a)(1)(A) and focuses on the representation and disclosure requirements for contractors. It introduces a new solicitation provision (52.204-26) and contract clause (52.204-24) to ensure compliance with the prohibition.
“The downstream impact is deliberately and potentially vast. The rebuttable presumption included in the UFLPA means that almost any goods coming from China that are comprised of cotton, refined metals, circuits, and polysilicon are reasonably subject to inspection and due diligence,” Exiger CEO Brandon Daniels explained. “This has the potential to be just as sweeping and impactful as the Bank Secrecy Act, anti-money laundering and counter terrorist financing (BSA/AML/CFT) changes after 9/11.” As Daniels stated in a recent Fortune article detailing potential UFLPA supply chain disruptions, the effects of the act will be felt by consumers.

FAR Case 2019-009

FAR Case 2019-009 relates to Section 889(a)(1)(B) and provides guidance on the prohibition of contracts with entities using covered telecommunications equipment or services. It prohibits the use of such equipment as a substantial or essential component of any system or as critical technology.

GSAR Clause

The GSAR clause, like the FAR clause, dictates the procurement process for government agencies. It “contains agency acquisition policies and practices, contract clauses, solicitation provisions, and forms that control the relationship between GSA and contractors and prospective contractors.” To address the requirements of Section 889, the FAR Council has implemented several rules and regulations:
Representation and Disclosure Requirements

According to an interim rule instituted by the FAR council, government contractors and workers must provide additional information about telecom supplies and services they use. To do so, federal agencies perform a reasonable inquiry and submit an annual representation. A reasonable inquiry does not involve a third-party audit and can be completed by internal research. Each offeror’s information will inform the government of what risks each agency may be exposed to.

A supply chain risk management software can help you identify which items need to be represented and which parts of your supply chain are at risk. Even entities that are not the prime contractor (the party you enter into a contract with) need to be evaluated.

Sale Prohibition Requirement
Section 889 prohibits certain telecommunications items and services from being procured or used by federal contractors or subcontractors. The sale prohibition pertains to the purchase of prohibited equipment. Government workers or contractors are not allowed to procure them.

Monitoring these prohibited items using Exiger’s DDIQ to ensure they are not procured is an important step in risk management. It’s also very important to ensure your company’s supply chain does not procure these items in any capacity, even as components to your final product.

Use Prohibition Requirement

Just as federal agencies are not allowed to purchase prohibited items, they are prohibited from using them. It is particularly important to perform supply chain due diligence to comply with this requirement. You need to know your third-party partners and if they could be using prohibited items or software. This includes equipment components.

Section 889 Exceptions

Section 889 very clearly prohibits the procurement or use of prohibited telecommunications equipment and services. In some cases, a waiver may be provided, but there are only two exceptions to the rule in most cases.
The first exception allows government workers to procure services that rely on prohibited or covered equipment for specific reasons. Reasons include “backhaul,” “interconnection arrangements,” and “roaming.” These practices rely the least heavily on covered equipment. For example, backhaul is considered “intermediate links between the core network, or backbone network, and the small subnetworks at the edge of the network.”
The next exception refers to telecommunications equipment. Covered equipment is allowed if, after review, it “cannot route user data traffic, redirect user data traffic, or permit visibility into any user data or packets that such equipment transmits or otherwise handles.”

Section 889 Compliance Best Practices

As a government agency and contractor, it’s important to implement best practices with your contracting officers and compliance teams. Review these steps to set your team up for success.
1. Consider All Federal Agreements
The first step you can take in confirming your compliance is to review all relevant documents. Section 889 explicitly states that the federal government cannot enter into a contract to acquire, procure, or use any covered equipment or services. Review your agreements to ensure you are compliant.
2. Educate Decision-Makers
Ensure your team is familiar with Section 889, the FAR clause, and the GSAR clause. Providing them with all relevant information will empower them to make the best decisions possible. Before entering new contracts, your decision-makers should review the Federal Register and Section 889 FAQs for updated regulations.

When you’re ready to bring on more decision-makers, be prepared to onboard them quickly and provide them with the same information. If you are hiring for Residence & Citizenship by Investment (RCBI) programs, consider an applicant management service to move the process along.
3. Identify Compliance Risks
Identify any risks associated with your current contracts and vendors. A great way to identify these risks is by using a risk management platform. This program will analyze your business for lurking risks and provide your team with actionable insights.

Exiger’s supply chain risk management solution is an example of a program that can help identify potentially blacklisted items, even those buried deep within your supply chain.

Ensure Your Section 889 Compliance with Exiger

Ensuring your supply chain is secure is a vital part of complying with the final rules of Section 889. Review your agreements, arm your team with the information they need, and utilize a program that will help you discover risks to inform risk-based decisions.

Exiger’s supply chain risk management solution helps mitigate regulatory, criminal and reputational risk in your vendor population, reduces operational friction and cost in onboarding and refreshing vendors, hardens your suppliers’ cyber vulnerabilities in a collaborative manner, predicts operational disruption and creates a more resilient vendor ecosystem.
Exiger’s award-winning DDIQ platform provides AI-driven due diligence using thousands of data sources to surface, filter and categorize risk. Exiger has also built an 889 Watchlist, which clients can use to screen their vendor lists against the full set of ever-changing subsidiaries that could be considered covered companies. The Section 889 list was purpose-built to support our government agency clients and is now available for commercial use.

Contact us today to get started with your complimentary live report.

Table of Contents

Get in Touch

Find out how Exiger can help you with Section 889 compliance.

Demo The
Exiger Platform

Rule Your Cube

Rule Your Cube
Be a supply chain superhero