The List of Forbidden Products Grows: The NDAA’s Prohibitions on Use of Certain Chinese-Made Equipment
The 2019 National Defense Authorization Act (“NDAA”) imposes new restrictions on procurements for telecommunications equipment or services based on ties to certain Chinese entities, thereby growing the list of forbidden products for contractors. Specifically, Section 889 prohibits executive-branch agencies from initiating procurements or entering into contracts for certain telecommunications equipment or services from companies associated with, owned, or controlled by the People’s Republic of China, that are to be used “as a substantial or essential component of any system, or as critical technology as part of any system.”
These prohibitions reflect the Government’s increased concerns that Chinese intelligence services could use Chinese telecommunications companies to exploit U.S. technological data. This comes after the heads of six U.S. intelligence agencies recommended, during a Senate Intelligence Committee hearing in February 2018, private citizens not use products or services from Huawei Technologies Company or ZTE Corporation. At this hearing, FBI Director Chris Wray testified that the U.S. agencies were “deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside [U.S.] telecommunications networks.” As a result of these concerns, the Government continues to exhibit increased scrutiny of its own supply chain, including the contractors it hires and their suppliers. Section 889’s prohibitions echo those included in the 2018 NDAA, barring the use by the U.S. Government of Kaspersky software products and services. This restriction was eventually implemented as an interim rule in June 2018 by FAR 52.204-23.
Specifically, Section 889 creates a general prohibition on telecommunications or video surveillance equipment or services produced or provided by the following companies (and associated subsidiaries or affiliates):
Huawei Technologies Company; or
It also prohibits equipment or services used specifically for national security purposes, such as public safety or security of government facilities, provided by the following companies (and associated subsidiaries or affiliates):
Hytera Communications Corporation;
Hangzhou Hikvision Digital Technology Company; or
Dahua Technology Company
While the prohibitions are initially limited to the five named companies, Section 889 authorizes the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the FBI, to extend these restrictions to additional companies based on their relationships to the Chinese Government. The prohibitions will take effect for executive-branch agencies on August 13, 2019, one year after the date of the enactment of the 2019 NDAA, and will extend to beneficiaries of any grants, loans, or subsidies from such agencies after an additional year.
The provisions of Section 889 are quite broad, and key concepts are left undefined, such as how the Secretary of Defense is to determine what constitutes an entity that is “owned or controlled by, or otherwise connected to” a covered foreign country, or how the head of an agency should determine whether a component is “substantial,” “essential,” or “critical” to the system of which it is part. The statute also fails to address the application of the prohibitions to equipment produced by U.S. manufacturers that incorporate elements supplied by the covered entities as original equipment manufacturers (“OEMs”) or other kinds of supplier relationships.
Section 889 contains two exceptions under which its prohibitions do not apply:
(1) It allows Executive agencies to procure services that connect to the facilities of a third party, “such as backhaul, roaming, or interconnection arrangements.” This likely means telecommunications providers are permitted to maintain common network arrangements with the covered entities.
(2) It permits covered telecommunications equipment that is unable to “route or redirect user data traffic or permit visibility into any user data or packets” it might handle, meaning a contractor may still be able to provide services to the Government so long as any covered equipment provided is unable to interact or access the data it handles.
Furthermore, Section 889 allows for the head of any federal agency to issue a waiver of the prohibition for up to two years where the entity applying for the waiver provides a compelling justification for the additional time needed to implement the requirements and submits a “full and complete laydown of the presences of covered telecommunications or video surveillance equipment or services in the entity’s supply chain,” as well as the entity’s plan to eliminate the prohibited equipment or services from its systems. The provision also allows the director of national intelligence to provide a waiver where he or she deems it to be in the national security interests of the United States.
Potential Future Action
As occurred with regard to Kaspersky products, where a prohibition began with an agency administrative action, was then included in the NDAA, and then became a part of the FAR, it is possible that a FAR or DFARS provision may be forthcoming regarding these Chinese companies’ products. Section 889 also leaves the door open for other entities to be added to its list. As this issue is likely to continue evolving, we will continue to monitor developments as they occur.