Comments on Government Supply Chain Rule Push for Better Definitions and More Time

ESB Professional/Shutterstock.com

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
Mila Jasper By Mila Jasper

By Mila Jasper

|

Industry groups and other comments highlight the difficulty of complying with a provision of last year’s defense authorization act that requires the removal of products from companies including Huawei and ZTE. 

The broad, ambiguous language of Congressionally-mandated rule for government contractors to remove products and services from companies that pose threats to national security is complicating implementation, according to public comments.

The comment period for the interim Federal Acquisition Rule implementing Part B of Section 889—a provision of the 2019 National Defense Authorization Act—closes Monday, and the more than 30 comments submitted raise questions related to fundamental compliance issues.  

While in general, commenters agree with the rule’s intent, groups representing industry, including the National Defense Industrial Association, BSA | The Software Alliance, the Coalition for Government Procurement and the Internet Association submitted detailed letters to Regulations.gov outlining compliance challenges. Nearly all asked for extended timelines for implementation and better definitions for key terms and phrases used in the regulation. 

The Timeline

The condensed timeline for implementation frustrated stakeholders. The final language of the interim rule was not released until July 14, less than a month before it went into effect August 13. That turnaround left federal contractors scrambling to determine what they need to do and how they need to do it in order to avoid getting cut out of the federal acquisition process. 

In its letter, the Internet Association outlined several issues and unanswered questions related to the interim rule. Above all, it asked the Federal Acquisition Regulation Council to consider delaying implementation. 

“To do otherwise would result in a severe economic penalty to the [defense industrial base] and federal contractor ecosystem,” the letter reads. 

Kea Matory, legislative policy director for NDIA, told Nextgov companies need a delay of a year in order to be able to digest the rule and determine paths forward. The NDIA letter said if the FAR Council cannot delay implementation, then it should work with agency heads to recommend to Congress legislation to delay implementation for up to a year.

Tommy Ross, senior director for policy with BSA | The Software Alliance, told Nextgov focus needs to return to addressing legitimate national security objectives with specific, clear regulations.

Ross said there is a meaningful difference between a company that uses internet service from a telecommunications provider like British Telecom, which relies on Huawei equipment, than a potentially compromised hardware in the direct supply chain of a U.S. government contract. Scope of the mission shouldn’t creep so much that these two ends of the spectrum become conflated.

“There are gray areas in between, but I think that's where we've gone wrong is that the rule has been scoped so broadly, and with so much ambiguity, that it gets way past these specific U.S. national security interests that I think it was originally designed to protect,” Ross said. “What we're hoping for with the pause in implementation is that we can return to those sort of core questions about what we're trying to do and how we can best do it.”

Clear Definition of 'Use' Needed 

Timing problems could have been minimized were it not for the nebulous wording of the regulation. Chief among complaints was the lack of a clear—or any—definition of the word “use.” Compliance hinges on understanding the specific meaning of this word, but no definition was provided, leaving contractors to guess at the scope and scale this regulation is supposed to reach. 

In its letter, BSA said because there is no definition of the word use, “companies will be forced to make subjective judgments about the extent to which the Interim Rule’s use prohibition may apply to aspects of their business, with the risk that businesses could be removed from federal acquisitions if any agency disagrees with their judgment.”

The BSA letter goes on to say that this subjectivity could lead to inconsistent enforcement of the regulation as well as potentially exclude businesses from the federal acquisition process unfairly. 

Another sticking point is the rule indicates use covers all a company’s business activities, even if they are unrelated to a federal contract. BSA said this raises concerns that the scope of the regulation extends beyond pertinent national security concerns. 

The Internet Association suggests use should be limited to domestic instances only. Expanding the scope beyond the borders of the U.S., according to its letter, would make the rule so broad it would make compliance impossible. 

The main example industry organizations cite to explain this problem is internet access in other countries, like the British Telecom example Ross mentioned. Some local economies still rely on covered companies like Huawei and ZTE for broadband. 

The way the rule is written at the moment makes it unclear whether a contractor that happens to perform work overseas in such a nation would count as a prohibited use. Matory said she isn’t sure if the lawmakers who drafted Section 889 in the 2019 NDAA realized how wide-reaching the rule would be. 

“I don't know if they necessarily realized that Huawei, ZTE is so prevalent, especially overseas,” Matory said. 

But even limiting use to domestic cases would not address what companies who work in states where internet providers are still using covered Chinese equipment. This particularly affects rural areas of the United States where internet providers are challenged to build networks where there may not be enough customers to cover costs. 

“The middle of America where they're trying to pull those out with the rip and replace, they gave them a year to do it,” Matory said, referring to Federal Communications Commission regulations. “But our companies got 30 days.”

More Ambiguities 

Beyond the term “use,” contractors need clarification on several other issues. Though “reasonable inquiry”—the term used in the rule to describe the process contractors must go through to represent compliance—does have a definition in the rule, commenters said it’s still confusing. 

The NDIA letter argues the phrase “any information in the entities [sic] possession” is too vague, and could include information that is speculative or inaccurate, or drawn from outside sources like media reports. NDIA’s letter stipulates reasonable inquiry should include information sourced internally related to contracts and supply chain functions and information provided to an entity by the government. 

BSA agreed reasonable inquiry is another phrase that needs a better definition, though Ross added it is not as important an issue as defining “use.” Ross also pointed to the “any information” phrase as the key pain point.

“The idea is that the reasonable inquiry is designed as a way to reduce the burden on the companies to comply with the rule,” Ross said. “But in fact, because of phrases like that in the definition, it's not clear that it actually reduces the burden.” 

Unresolved issues still abound in interpreting to whom the regulation applies as well. Though Part B is not meant to flow down the supply chain to subcontractors, right now the rule is written so broadly that no one is certain how much supply chain policing needs to be done. 

In its comments, the Coalition for Government Procurement emphasized application of the rule should be limited to prime contractors, and the letter states the rule should not be expanded to include domestic parent companies or affiliates of the prime contractors. The FAR Council in the interim rule indicated it was considering extending the regulation to parents and affiliates.

“Members do not believe this expansion is helpful, as it would impose a heavy financial and operational burden on contractors, especially larger entities with multiple affiliates, with little meaningful benefit to the government,” the letter reads.

One commenter put it in even clearer terms: J. William Koegel, Jr., representing CACI International, Inc., said the fact that primes don’t need to flow down Part B requirements “is of no help.” 

“No contractor performing overseas realistically will be able to represent it does not use covered equipment in performing Government contracts or in non-Government contract operations,” Koegel said. 

Another issue revolves around the waiver process. Even if companies go through the arduous process of applying for one, waivers are limited with hard deadlines. Part B waivers expire Aug. 13, 2022. 

Matory said in some industry calls that included lawmakers, Congressional offices pointed to the waiver process as something to soften the burdens associated with implementation. But the General Services Administration said in a feedback session Thursday there are steep requirements for getting waivers, and that they would likely be a rarity. 

In order to get a waiver, contractors have to already identify specific equipment or services for which the waiver is needed. A business can’t ask for a waiver so that it can have more time to search through its supply chain and identify equipment or services for which it needs to find replacements. 

“That's where the waivers aren't really helpful,” Matory said. “And again, they are sort of going to be one-offs.”

NEXT STORY: Hackers Connected to China Have Compromised U.S. Government Systems, CISA says

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.