Understanding the DOD's ban on some China-made telecom gear
- By Lauren C. Williams
- Aug 05, 2020
The Defense Department has issued initial guidance on how acquisition executives should implement the government ban on contracting with companies that use telecommunications services and equipment from certain Chinese manufacturers. But questions linger, with industry advocates quietly voicing concerns about implementation and hoping for an extension to the Aug. 13 compliance deadline.
For some clarity, FCW spoke with Alejandro Sarria and Jason Workmaster, two government contract attorneys at the Miller & Chevalier law firm in Washington, D.C., about what the interim rule and DOD's initial guidance mean, and what to expect going forward.
What does this DOD memo mean, what is it saying?
WORKMASTER: There remains a lot of uncertainty both on the government side and on the contractor side. And you know the process for working through that uncertainty is going to take some time. Because when there's a lack of clarity there's going to have to be some judgment calls made. There's always a chance those judgment calls, down the road, get second-guessed.
When the legislation, the rule, talks about equipment, systems or services, is that really every single piece of equipment, system or potential service that you use? And, so far, the government has not really shown either an interest or an ability to kind of put some parameters around that. And a contractor is trying to figure out exactly how much due diligence needs to be done, what systems, what equipment, what services do I need to be looking at.
I could see a contractor saying, "My janitorial service? That cannot possibly be what this rule is aimed at," and deciding not to worry about the janitorial service for purposes of making representation to the government. Do you tell the government that you've excluded janitorial services from your search? There's a risk in both ways.
That reminds me of the discussions around CMMC, the Defense Department's upcoming cybersecurity standard for contractors. Do you think the Section 889 mandate could go that far? Do you see any similarities or crossover there?
SARRIA: I think there are similarities, right. There are a number of supply chain-related rules, counterfeit parts, for example, and CMMC, that have come out in the last couple of years and they reflect the government's concern about really understanding who they are doing business with and the components that are baked into the systems that they rely on so heavily, particularly for national security purposes. So that janitorial services example is an extreme one, but on its face, the rule seems to reach even that.
But there are nuggets in the interim rule itself that suggest that the government is focused on a risk-based approach. For example, the parts of the rule that define covered telecommunications equipment and services -- that's a term of art. It's focused on particular types of equipment and services. There's one exception where it seems like the government, from a policy perspective, may not be interested in equipment that cannot route or reroute user data or data packages from a device.
What should companies be doing now?
SARRIA: Start with things that make sense, where you think you probably have the most exposure from a telecom equipment, systems and services perspective. For most companies that's gonna be your IT procurements, your information services procurements. When it relates to these Dahua and Hikvision video surveillance equipment and services, you're probably looking at your real estate infrastructure where you could be potentially using these security cameras or for other purposes.
I think what makes most sense for companies is to set up risk-based tiers where you focus on what matters first and then work your way down to the things that present lower risk. Ultimately, those are the facts you're going to need as a contractor in the event that you seek a waiver or if you're required at the contract level to make a representation, to provide the government a little bit more context as to what you may or may not be using so the government has an opportunity to consider, you know, whether or not that actually creates a national security risk.
WORKMASTER: Document, document, document. In-house lawyers, the compliance organization, those folks have to go out and gather all this information from their IT people, they have to be working with their procurement people to do the reasonable inquiry of the [subcontractors] and suppliers. Maintaining a good file because if there is false claims activity, if there are whistleblowers, having a good record of doing a reasonable job to make sure that your representations to the government are accurate is going to be hugely, hugely important. And if you've built that record as you're going along, you're gonna save yourself potentially a lot of heartache, a lot of time, and potentially a lot of money down the road.
It seems like a review could be quite extensive. How long would a review like this take to be in compliance?
SARRIA: It's all over the map. It sort of depends on your exposure and the extent to which you have entanglements with these companies. If you're a multinational [company] with operations in Asia, this could take several weeks to complete everything, like three or four weeks to even get your arms around the issue. Then there's a secondary question of whether or not any of the use constitutes, falls into this bucket of substantial or central component or critical technology.
Entities where they're set up just kind of as a stand-alone government contracts business here in the United States and they don't share any systems or networks with other affiliates or divisions of the company, that can be a much more limited inquiry in terms of time.
The waiver process that was mentioned in this memo. That's something of particular interest to contractors; tell me what the guidance is saying and what you'd like to see going forward.
SARRIA: On the order of waiver processes for certifications and reps in government contracting, I would say this is on the heavier side in terms of the number of steps and the number of reporting obligations that the government has in order to actually secure a waiver. And so one thing that the DOD memo makes clear is that the waiver, the decision whether to seek a waiver and the ability [to do] what it takes to obtain the waiver really falls on the contracting officer and his or her program personnel within the government.
Now, what I think is helpful in the memorandum, and in some ways is probably common sense, but the government owns the process and is going to decide whether or not to initiate the process, doesn't preclude contractors from engaging in advocacy to seek a waiver. If you know there's a big acquisition program on the horizon, let's say October or November, that you are pretty confident is going to include these requirements to make the representation on Section 889, now is really the time to start thinking about language to include in your proposal or in a letter that you send ahead of time to the government that lays out not only what the use is but why you think a waiver may or may not be appropriate for particular components.
One feature that the government could consider here is whether or not there should be block waivers, for example, as opposed to just the contractor-by-contractor basis. If the government knows at this point that there's a high probability that those contractors that would provide those goods and services are going to need to utilize any of these banned technologies, query whether the government itself would consider a block waiver that goes to the entire procurement as opposed to just granting one particular offeror a waiver in connection with its proposal. That's just one idea; I don't know if the government is considering it but it may fit in in certain circumstances.
WORKMASTER: The waiver is only going to extend for a couple of years. So even if you get one, it's going to be of limited duration, and reading between the lines there, it's always tough to get waivers of requirements in general. I just think that burden is going to be even higher in this scenario just because it is such a hot button topic.
Editor's note: This interview, which first appeared on FCW, was edited and condensed for length and clarity. FCW is a Defense Systems partner site.
Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.
Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.
Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.