Industry groups and other comments highlight the difficulty of complying with a provision of last year’s defense authorization act that requires the removal of products from companies including Huawei and ZTE.
The broad, ambiguous language of Congressionally-mandated rule for government contractors to remove products and services from companies that pose threats to national security is complicating implementation, according to public comments.
The comment period for the interim Federal Acquisition Rule implementing Part B of Section 889—a provision of the 2019 National Defense Authorization Act—closes Monday, and the more than 30 comments submitted raise questions related to fundamental compliance issues.
While in general, commenters agree with the rule’s intent, groups representing industry, including the National Defense Industrial Association, BSA | The Software Alliance, the Coalition for Government Procurement and the Internet Association submitted detailed letters to Regulations.gov outlining compliance challenges. Nearly all asked for extended timelines for implementation and better definitions for key terms and phrases used in the regulation.
The condensed timeline for implementation frustrated stakeholders. The final language of the interim rule was not released until July 14, less than a month before it went into effect August 13. That turnaround left federal contractors scrambling to determine what they need to do and how they need to do it in order to avoid getting cut out of the federal acquisition process.
In its letter, the Internet Association outlined several issues and unanswered questions related to the interim rule. Above all, it asked the Federal Acquisition Regulation Council to consider delaying implementation.
“To do otherwise would result in a severe economic penalty to the [defense industrial base] and federal contractor ecosystem,” the letter reads.
Kea Matory, legislative policy director for NDIA, told Nextgov companies need a delay of a year in order to be able to digest the rule and determine paths forward. The NDIA letter said if the FAR Council cannot delay implementation, then it should work with agency heads to recommend to Congress legislation to delay implementation for up to a year.
Tommy Ross, senior director for policy with BSA | The Software Alliance, told Nextgov focus needs to return to addressing legitimate national security objectives with specific, clear regulations.
Ross said there is a meaningful difference between a company that uses internet service from a telecommunications provider like British Telecom, which relies on Huawei equipment, than a potentially compromised hardware in the direct supply chain of a U.S. government contract. Scope of the mission shouldn’t creep so much that these two ends of the spectrum become conflated.
“There are gray areas in between, but I think that's where we've gone wrong is that the rule has been scoped so broadly, and with so much ambiguity, that it gets way past these specific U.S. national security interests that I think it was originally designed to protect,” Ross said. “What we're hoping for with the pause in implementation is that we can return to those sort of core questions about what we're trying to do and how we can best do it.”
Clear Definition of 'Use' Needed
Timing problems could have been minimized were it not for the nebulous wording of the regulation. Chief among complaints was the lack of a clear—or any—definition of the word “use.” Compliance hinges on understanding the specific meaning of this word, but no definition was provided, leaving contractors to guess at the scope and scale this regulation is supposed to reach.
In its letter, BSA said because there is no definition of the word use, “companies will be forced to make subjective judgments about the extent to which the Interim Rule’s use prohibition may apply to aspects of their business, with the risk that businesses could be removed from federal acquisitions if any agency disagrees with their judgment.”
The BSA letter goes on to say that this subjectivity could lead to inconsistent enforcement of the regulation as well as potentially exclude businesses from the federal acquisition process unfairly.
Another sticking point is the rule indicates use covers all a company’s business activities, even if they are unrelated to a federal contract. BSA said this raises concerns that the scope of the regulation extends beyond pertinent national security concerns.
The Internet Association suggests use should be limited to domestic instances only. Expanding the scope beyond the borders of the U.S., according to its letter, would make the rule so broad it would make compliance impossible.
The main example industry organizations cite to explain this problem is internet access in other countries, like the British Telecom example Ross mentioned. Some local economies still rely on covered companies like Huawei and ZTE for broadband.
The way the rule is written at the moment makes it unclear whether a contractor that happens to perform work overseas in such a nation would count as a prohibited use. Matory said she isn’t sure if the lawmakers who drafted Section 889 in the 2019 NDAA realized how wide-reaching the rule would be.
“I don't know if they necessarily realized that Huawei, ZTE is so prevalent, especially overseas,” Matory said.
But even limiting use to domestic cases would not address what companies who work in states where internet providers are still using covered Chinese equipment. This particularly affects rural areas of the United States where internet providers are challenged to build networks where there may not be enough customers to cover costs.
“The middle of America where they're trying to pull those out with the rip and replace, they gave them a year to do it,” Matory said, referring to Federal Communications Commission regulations. “But our companies got 30 days.”
Beyond the term “use,” contractors need clarification on several other issues. Though “reasonable inquiry”—the term used in the rule to describe the process contractors must go through to represent compliance—does have a definition in the rule, commenters said it’s still confusing.
The NDIA letter argues the phrase “any information in the entities [sic] possession” is too vague, and could include information that is speculative or inaccurate, or drawn from outside sources like media reports. NDIA’s letter stipulates reasonable inquiry should include information sourced internally related to contracts and supply chain functions and information provided to an entity by the government.
BSA agreed reasonable inquiry is another phrase that needs a better definition, though Ross added it is not as important an issue as defining “use.” Ross also pointed to the “any information” phrase as the key pain point.
“The idea is that the reasonable inquiry is designed as a way to reduce the burden on the companies to comply with the rule,” Ross said. “But in fact, because of phrases like that in the definition, it's not clear that it actually reduces the burden.”
Unresolved issues still abound in interpreting to whom the regulation applies as well. Though Part B is not meant to flow down the supply chain to subcontractors, right now the rule is written so broadly that no one is certain how much supply chain policing needs to be done.
In its comments, the Coalition for Government Procurement emphasized application of the rule should be limited to prime contractors, and the letter states the rule should not be expanded to include domestic parent companies or affiliates of the prime contractors. The FAR Council in the interim rule indicated it was considering extending the regulation to parents and affiliates.
“Members do not believe this expansion is helpful, as it would impose a heavy financial and operational burden on contractors, especially larger entities with multiple affiliates, with little meaningful benefit to the government,” the letter reads.
One commenter put it in even clearer terms: J. William Koegel, Jr., representing CACI International, Inc., said the fact that primes don’t need to flow down Part B requirements “is of no help.”
“No contractor performing overseas realistically will be able to represent it does not use covered equipment in performing Government contracts or in non-Government contract operations,” Koegel said.
Another issue revolves around the waiver process. Even if companies go through the arduous process of applying for one, waivers are limited with hard deadlines. Part B waivers expire Aug. 13, 2022.
Matory said in some industry calls that included lawmakers, Congressional offices pointed to the waiver process as something to soften the burdens associated with implementation. But the General Services Administration said in a feedback session Thursday there are steep requirements for getting waivers, and that they would likely be a rarity.
In order to get a waiver, contractors have to already identify specific equipment or services for which the waiver is needed. A business can’t ask for a waiver so that it can have more time to search through its supply chain and identify equipment or services for which it needs to find replacements.
“That's where the waivers aren't really helpful,” Matory said. “And again, they are sort of going to be one-offs.”