In our CMMC-related discussions, we often get questions regarding Section 889 of the National Defense Authorization Act (NDAA) of 2019. If you aren’t familiar with this requirement, or with FAR 52.204-24, FAR 52.204-25, and FAR 52.204-26, which make the requirements of Section 889 effective, Executive Branch agencies are prohibited “from procuring or obtaining, or extending or renewing a contract to procure or obtain, any equipment, system, or service that uses” telecommunication or video surveillance equipment or services provided by a “covered entity” (we discuss the covered entity definition below). The government’s descriptions of these FAR provisions and the NDAA use the term “telecommunication equipment” to refer to both telecommunication equipment and video surveillance equipment, and we will do the same in this article for brevity. The government published a handy two-page flyer with some details about the requirements, and we are providing the information below to supplement the flyer.
Overview
52.204-26 requires contractors to make an annual representation, recorded the System for Award Management (SAM) (https://www.SAM.gov), that they do not provide covered telecommunications equipment to the government or use covered telecommunications in the performance of contracts. 52.204-24 requires all offerors (i.e. prospective government contractors) to represent, after conducting a reasonable inquiry, whether covered telecommunications equipment or services are used by the offeror, and if so, to provide further information. 52.204-25 prohibits the head of an executive agency from entering into a contract, or extending or renewing a contract, with an entity that uses any equipment, system or service that uses covered telecommunications or video surveillance equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception applies or a waiver is granted. 52.204-25 also requires contractors to report use of any such equipment, systems, or services discovered during contract performance.
These requirements apply to all acquisitions, including acquisitions at or below the simplified acquisition threshold and to acquisitions of commercial items, including commercially available off-the-shelf items.
Representations
52.204-24 and 52.204-26 have some commonalities. Both require contractors to review the list of excluded parties in SAM for entities excluded from receiving federal awards for covered telecommunications equipment or services. Contractors must then formally represent to the government whether they do/do not:
- provide covered telecommunications equipment or services as a part of its offered products or services to the Government in the performance of any contract, subcontract, or other contractual instrument; and
- use covered telecommunications equipment or services, or any equipment, system, or service that uses covered telecommunications equipment or services, after conducting a reasonable inquiry for purposes of this representation.
As noted above, 52.204-26 requires contractors to record their representations in SAM on an annual basis. 52.204-24 is complimentary to this. 52.204-24 is intended to be incorporated in solicitations and contracts, and includes disclosure requirements if the contractor represents that it does use or provide covered telecommunication equipment. These disclosure requirements help the government understand the risk the telecommunication equipment poses to the government.
Notification Requirements
52.204-25 includes a reporting provision that requires a contractor to notify the government if the contractor identifies covered telecommunication equipment is being used during the performance of the contract. Thus, it is clear that contractors are expected to integrate compliance with these provisions into their overall compliance and procurement processes.
Reasonable Inquiry
Contractors are expected to make a reasonable inquiry into whether the equipment being used in the performance of the contract or provided to the government comprises covered telecommunication equipment. A natural question, then, is what is a “reasonable inquiry?” The Interim Rule sheds some light on this in two places:
“A reasonable inquiry is an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity. A reasonable inquiry need not include an internal or third-party audit.” (Interim Rule, pp. 13-14)
A “reasonable inquiry is an inquiry designed to uncover any information in the entity’s possession—primarily documentation or other records—about the identity of the producer or provider of covered telecommunications equipment or services used by the entity.” (Interim Rule, pp. 25-26)
So, it would appear that contractors are expected to review information in their possession, such as documentation or other records, about the identity of the producer or provider of the telecommunications equipment or services used by the contractor. The contractor need not, however, conduct an internal or third-party audit.
List of Covered Telecommunication Equipment Manufacturers
At a high level, Section 889 of the NDAA prohibits the US government from buying or using telecommunications equipment, either directly or indirectly, made by certain companies. Section 889 lists those companies (i.e. Huawei, ZTE Corp, Hytera, Hangzhou Hikvision, and Dahua) but also states that the prohibition applies those companies’ subsidiaries and affiliates as well. Oregon State University has created a list of known subsidiaries and affiliates, and that list can be very useful as a reference. It is important to remember, however, that new subsidiaries and affiliates can be created by these companies at any time. FAR 52.204-26 therefore requires contractors to search SAM for all companies subject to the Covered Telecommunications Equipment prohibition.
Searching SAM
Unfortunately, the SAM website does not currently have a single link to a list like that prepared by Oregon State University. Instead, contractors must search each vendor individually.
To search SAM, open https://www.SAM.gov and click the “Search Records” link in the toolbar, as illustrated below.
In the following screen, enter the name of the vendor. You can search using the asterisk (*) as a “wild card”, meaning that any matches that include the text you entered should be returned. For example, to search for ZTE Corporation, you can enter “ZTE*” into the search window. The search results will look something like Figure 2, below.
As you can see, the search results include ZTE Corporation. You can also see that a prohibition/restriction has been placed on the company. Clicking the View Details button will give you more details, such as those illustrated below in Figure 3.
The additional details describe the prohibition/restrictions on the company. In this case, those prohibitions/restrictions are limited to those imposed by Section 889 of the NDAA.