What Is NDAA Section 889?
The National Defense Authorization Act (NDAA) is an annual bill proposed by the Department of Defense (DoD). Funding is approved and allocated to various defense activities before each fiscal year.
Section 889 of the NDAA prohibits federal contracts for the use or procurement of certain blacklisted telecommunication and video surveillance equipment. This is in an effort to protect national security.
These goods are produced by certain companies and their subsidiaries in the People’s Republic of China. These Chinese companies are specifically named: Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, Huawei Technologies Company, ZTE Corporation and Dahua Technology Company.
Section 889 also applies to the subcontract of commercial items and prohibits government agencies from working with certain service providers.
As of 2019, Section 889 mandated that the federal government does not “procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
In addition, it prohibits the U.S. government from entering into government contracts with any party that “uses any equipment, system or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
In this article, we will review everything you need to know about Section 889 and how to ensure your compliance.
The General Services Administration (GSA) is a government agency responsible for providing real estate and technology services. Since the GSA provides technology and facilities that may or may not contain equipment, it must abide by the regulations outlined in Section 889.
In this section, we’ll review the two main impacted clauses:
The Federal Acquisition Regulation (FAR) clause is one of the many regulations the GSA has implemented. It governs how an executive agency procures supplies and services. The clause applies to “all participants in Government acquisition including not only representatives of the technical, supply, and procurement communities but also the customers they serve, and the contractors who provide the products and services.”
This clause, and the procurement work done at government agencies, has been directly impacted by Section 889. A FAR subpart was added to address the telecom restrictions set forth by Section 889 to ensure compliance.
The GSAR clause, similar to the FAR clause, dictates the procurement process for government agencies. It “contains agency acquisition policies and practices, contract clauses, solicitation provisions, and forms that control the relationship between GSA and contractors and prospective contractors.”
What Does Section 889 Require?
Section 889 includes several important provisions for companies and government agencies to comply with. In this section, we will review the main requirements you need to familiarize yourself with. To simplify your compliance process, inform your team of these requirements and consider using a third-party risk management solution.
According to an interim rule instituted by the FAR council, government contractors and workers must provide additional information about telecom supplies and services they use. To do so, federal agencies perform a reasonable inquiry and submit an annual representation. A reasonable inquiry does not involve a third-party audit and can be completed by internal research. Each offeror’s information will inform the government of what risks each agency may be exposed to.
A supply chain risk management platform can help you identify which items need to be represented and which parts of your supply chain are at risk. Even entities that are not the prime contractor (the party you enter into a contract with) need to be evaluated.
Sale Prohibition Requirement
Section 889 prohibits certain telecommunications items and services from being procured or used by federal contractors or subcontractors. The sale prohibition pertains to the purchase of prohibited equipment. Government workers or contractors are not allowed to procure them.
Monitoring these prohibited items to ensure they are not procured is an important step in risk management. It’s also very important to ensure your company’s supply chain does not procure these items in any capacity, even as components to your final product.
Use Prohibition Requirement
Just as federal agencies are not allowed to purchase prohibited items, they are not allowed to use them. It is particularly important to perform supply chain due diligence to comply with this requirement. You need to know your third-party partners and if they could be using prohibited items or software. This includes equipment components.
Section 889 Exceptions
Section 889 very clearly prohibits the procurement or use of prohibited telecommunications equipment and services. In some cases, a waiver may be provided, but there are only two exceptions to the rule in most cases.
The first exception allows government workers to procure services that rely on prohibited or covered equipment for specific reasons. Reasons include “backhaul,” “interconnection arrangements,” and “roaming.” These practices rely the least heavily on covered equipment. For example, backhaul is considered “intermediate links between the core network, or backbone network, and the small subnetworks at the edge of the network.”
The next exception refers to telecommunications equipment. Covered equipment is allowed if, after review, it “cannot route user data traffic, redirect user data traffic, or permit visibility into any user data or packets that such equipment transmits or otherwise handles.”
Section 889 Compliance Best Practices
As a government agency, it’s important to implement best practices with your contracting officers and compliance teams. Review these steps to set your team up for success.
1. Consider All Federal Agreements
The first step you can take in confirming your compliance is to review all relevant documents. Section 889 explicitly states that the federal government cannot enter into a contract to procure or use any covered equipment or services. Review your agreements to ensure you are compliant.
2. Educate Your Decision-Makers
Ensure your team is familiar with Section 889, the FAR clause, and the GSAR clause. Providing them with all relevant information will empower them to make the best decisions possible. Before entering new contracts, your decision-makers should review the Federal Register and Section 889 FAQs for updated regulations.
When you’re ready to bring on more decision-makers, be prepared to onboard them quickly and provide them with the same information. If you are hiring for Residence & Citizenship by Investment (RCBI) programs, consider an applicant management service to move the process along.
3. Identify Compliance Risks
Identify any risks associated with your current contracts and vendors. A great way to identify these risks is by using a risk management platform. This program will analyze your business for lurking risks and provide your team with actionable insights.
Exiger’s supply chain risk management solution is an example of a program that can help identify potentially blacklisted items, even those buried deep within your supply chain.
Looking to empower your company or government agency to protect your supply chains from lurking risk? Look no further than Exiger, which offer the world’s first real-time Supply Chain Explorer.
Ensure Your Section 889 Compliance With Exiger
Ensuring your supply chain is secure is a vital part of complying with the final rules of Section 889. Review your agreements, arm your team with the information they need, and utilize a program that will help you identify and escalate risks.
Exiger’s supply chain risk management solution helps mitigate regulatory, criminal and reputational risk in your vendor population, reduces operational friction and cost in onboarding and refreshing vendors, hardens your suppliers’ cyber vulnerabilities in a collaborative manner, predicts operational disruption and creates a more resilient vendor ecosystem.
The DDIQ platform provides AI-driven due diligence using thousands of data sources to surface, filter and categorize risk. Exiger has also built an 889 Watchlist, which clients can use to screen their vendor lists against the full set of ever-changing subsidiaries that could be considered covered companies. The Section 889 list was purpose-built to support our government agency clients and is now available for commercial use.
Contact us today to get started with your complimentary live report.