July 1, 2020
Overview: The U.S. government continues to express serious security concerns about activities of certain Chinese telecom companies, including their involvement in 5G networks across the globe, presence in the U.S. telecommunications market, – as reflected in the FCC’s June 30 actions, and continued undermining of U.S. export controls. Section 889 of the 2019 National Defense Authorization Act (NDAA) sought to address some of these concerns by proscribing the sale and use of any equipment or service that uses either “covered telecommunications equipment or services as a substantial or essential component of any system” or as “critical technology as part of any system.” As described in Chart 1, “covered telecommunications equipment” currently includes a range of specified telecommunications and video surveillance equipment. The implementing guidance for Section 889(A) used the definition of “critical technology” contained in the Foreign Investment Risk Review Modernization Act (FIRRMA).
Chart 1: Covered telecommunications equipment or services
- Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities)
- For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities)
- Telecommunications or video surveillance services provided by such entities or using such equipment
- Telecommunications or video surveillance produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of investigation, reasonably believed to be an entity owned or controlled by, or otherwise connected to the [People’s Republic of China]
(This chart was created with information from Section 889(f)(3) of the 2019 NDAA).
Section 889(A), prohibiting the sale of covered telecommunications equipment or services to U.S. government executive agencies, went into effect in August 2019. Part A impacts business units directly engaged in pursuing and delivering under government contracts.
Section 889(B), prohibiting use of “covered telecommunications equipment or services” by both U.S. government contractors and recipients of federal funds, goes into effect in August 2020. As written, Section 889(B) will likely reach across a company’s business units and supply chain, even impacting the operations of business units overseas that are not directly involved in U.S. government contracting. A rule issued by the Department of Defense and General Services Administration with implementing guidance for Section 889(B) is pending and is expected to provide clarity around critical questions such as the scope of the “use” prohibition and further detail concerning specific telecommunications equipment or services.
Media reports have suggested that industry groups are pressing regulators to delay implementation of Section 889(B), particularly in light of the disruption caused by the COVID-19 pandemic. On June 10, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, testified before the House Armed Services Committee and expressed concerns with the implementation timeline and suggested more time might be necessary to prevent serious disruption to the Defense Industrial Base (DIB).
Ultimately, failure to comply with Section 889(B) can lead to a termination of a contract or potential False Claims Act (FCA) liability. Accordingly, even before issuance of the regulations, companies doing business with the U.S. government or receiving federal funding should start to proactively assess the potential impact of Section 889(B) on their business operations, supply chains, and compliance programs. The implementing rule will likely include a waiver application process for compelling circumstances.
Elements of Section 889(B) Compliance Assessment:
Section 889(B) compliance will require cross-functional collaboration and integration across a range of stakeholders. Specifically, company counsel and compliance functions will need to work with their global counterparts in procurement, finance, IT, and sales and marketing to map company supply chains and identify the areas of heightened risk – leveraging the five elements in Chart 2.
An effective assessment will position the company to quickly and effectively respond to Section 889(B) regulations, once issued. The assessment should focus on the following elements:
Review of Federal Funding or Contracts
Section 889(B) applies to an award of a new contract, or extension or renewal of an existing contract, as well as entities receiving federal funds (e.g., grants). Legal and compliance departments should work with procurement, sales, marketing, and finance counterparts to create an inventory of their organization’s federal contracts, identify when existing contracts or funding will be up for renewal or extension, catalogue any receipt of federal funding, and then identify how Section 889(B) will impact each of those processes.
Identification of Telecommunications Equipment and Services
Company counsel and compliance functions should work closely with IT counterparts – both at the corporate level and at the business unit level – to create or update an inventory of the range of telecommunications equipment and services used internally within their business operations, and cross-reference any specific equipment or services covered in the Section 889(B) rule issued by DoD and GSA.
The inventory should carefully detail the type and function of telecommunications equipment or services. Equipment or services involved in the transmittal of national security-sensitive data or information will likely raise more concern from a regulator perspective.
This inventory will provide the foundation for conducting a detailed assessment to then verify which telecommunications equipment and services are proscribed by Section 889(B), and identify which should be prioritized for modification of contracts, requests for certifications from vendors that the items are not subject to Section 889(B), or identification of potential replacement vendors.
Inventory of Existing Vendors
Company counsel and company functions should work with their procurement and IT counterparts to identify vendors that are providing telecommunications equipment and services across the company’s global business operations. Depending on the nature of the procurement system, this may be a simple or a complex operation requiring review of multiple enterprise resource planning systems. Should the inventory identify entities that are subsidiaries or affiliates of named Chinese telecom providers, companies should begin to identify potential replacement vendors. Finally, companies need to carefully assess those vendors that provide managed services and who may be using proscribed covered equipment or services.
Review of Existing Vendor Contracts and Standard Contracting Provisions
Conducting an inventory and assessment of vendors will enable company counsel and compliance functions to work with their procurement and supply chain counterparts to develop a process to update existing contracts to include representations, warranties, and other contractual provisions regarding Section 889(B) compliance, as well as consideration of additional, relevant contractual clauses, including, for example, focused audit rights for higher risk vendors.
Company legal counsel and compliance functions should review standard or form contracts to ensure they include representations, warranties, and other contractual provisions that appropriately address and allocate Section 889(B) risk.
Update Policies, Processes, Controls, and Recurring Internal Audits
Companies should identify existing policies and processes that will require updating to comply with Section 889(B). This may include changes to third-party risk assessments or new procurement requirements to verify the sourcing of telecommunications equipment or services prior to onboarding of a new vendor. At the same time, company counsel and compliance functions will need to review their existing inventory of internal controls to verify these adequately address the risk profile Section 889(B) seeks to address. Companies also should put in place rigorous self-audits to assess ongoing compliance with Section 889(B). In many cases, companies will be able to build on existing good governance processes already in place to assure compliance with Section 889(A).
How Ankura Can Help
Our National Security, Trade, and Technology (NSTT) professionals are closely monitoring the rule-making process to assess the impact of Section 889(B) on federal contractors and recipients of federal funding.
Supply Chain Risk Management (SCRM) – The starting point for Section 889(B) compliance, as with other downstream supply chain compliance requirements, is to have in place an approach to monitor supply chain risk. Our NSTT practitioners routinely work with federal contractors in the DIB of all sizes to implement robust SCRM methodologies.
Compliance Program Enhancement – Companies should put in place policies, processes, and other elements of an internal control framework to comply with Section 889(B), including third party identification and management. Our NSTT practitioners have designed compliance programs and internal controls that implement a range of emerging national security-related regulations.
Audit Services – Our NSTT practitioners can work with clients to quickly review, vet, and confirm a company’s current inventory of services and equipment that are subject to Section 889(B). Informed by experience and expertise in the telecommunications and national security sectors, our risk-based audit approach is efficient, thorough, and importantly – credible to the regulators.
Diligence/Investigations – Our NSTT practitioners can help you quickly conduct detailed investigations to support exercise of audit rights and conduct on-the-ground assessments of vendor/supplier compliance with Section 889(B). In the event of a breach, NSTT practitioners, experienced in conducting investigations, audits, and monitorships can assist you to quickly communicate to regulators the scope of any violation and the effectiveness of mitigation/remediation measures.