The U.S. government’s policy to restrict federal agency exposure to products and services associated with Huawei Technologies and other China-based companies has gained the support of the U.S. information technology industry.
However, a wide swath of U.S. companies, including those in the IT sector, registered significant concerns about federal regulations designed to control the employment of China-sourced products by federal agencies and government contractors.
Government restrictions that prohibited the federal purchase of certain products from China were put into effect in 2019. Then, in August 2020 a whole set of new regulations went into effect to control or restrict the use of certain China-sourced technologies by federal contractors. The restrictions were adopted on an “interim” basis, and contractors were allowed to submit comments through mid-September. All comments will be considered in promulgating final regulations. But for now, companies must comply with rules that were issued in August.
In general, contractor groups contend that the security regulations not only will be costly to implement, but also could cost some companies the ability to compete for federal business.
The regulations implement provisions of recent National Defense Authorization Act, addressing security risks associated with technologies sourced from the People’s Republic of China. A PRC requirement that Huawei and other Chinese companies cooperate with Chinese intelligence agencies poses a “complex and growing threat to strategically important U.S. economic sectors and critical infrastructure,” according to the regulations.
Reducing the Threat from China Links
Since the PRC “possesses advanced cyber capabilities that it actively uses against the United States, a proactive cyber approach is needed to degrade or deny these threats before they reach our nation’s networks, including those of the federal government and its contractors,” the regulations said.
The contracting community, however, is troubled by the lack of clarity in the regulations. Two major issues appeared in the multiple comments submitted to the General Services Administration (GSA) and other federal acquisition authorities.
The first point of concern was the reference in the regulations to contractor operations associated with the use of the China-sourced technologies. Since the term “use” was not clearly defined, the regulations could affect virtually every aspect of a contractor’s operations, resulting from the interconnectivity of technology.
“Based on a plain reading of the language, and without further clarification or guidance on what ‘use’ means, I think we have to assume that broader IT and Internet service is included,” in the scope of operations subject to regulation, said Townsend Bourne, a partner at Sheppard Mullin.
Additionally, the term “use” is not limited to a contractor’s defense or government business but “is any telecom use by a contractor that holds a prime contract with the federal government,” she told the E-Commerce Times.
Compliance could get “quite complicated” especially during the pandemic with more remote working and the use of personal Internet connections, which “vastly expands the universe of potentially covered telecom,” Bourne said.
Lack of Clarity Creates Burden
To ferret out, modify, or even replace the components of the China-sourced products throughout a company’s operations could be an overwhelming task. By referencing “any” use of prohibited items, the interim rule actually goes beyond the scope of the underlying law to such a degree that it “prompts practical concerns whether it can be implemented by the government’s industrial base,” according to a blog posting by the Coalition for Government Procurement.
“Specifically, it is not clear how vendors can be expected to run to ground the vast number of attenuated connections to covered equipment or services that could constitute any use,” the group said.
The second troublesome provision according to contractors is that the interim rule fails to adequately specify what the government means by “covered” products and services from China. In general, the regulations reference certain telecommunications equipment and services emanating from Huawei or ZTE Corporation, as well as video surveillance products or telecom equipment from Hytera Communications, Hangzhou Hikvision Digital Technology, Dahua Technology, and their subsidiaries or affiliates.
Noting the huge multiplicity of Hauwei products, and the thousands of patents held by the company, any comprehensive listing of products could be “very long,” noted Bourne. The primary products “to be on the lookout for” are those that incorporate cellular, 5G, WiFi, and Bluetooth communications technology, she said.
David Berteau, president and CEO of the Professional Services Council (PSC) said that the organization “supports efforts to protect national security interests, critical technologies and contractor supply chains from potential threats.” Still, PSC has “serious reservations” about the rules, he said.
“Further clarifications are necessary for the government and the contractor community to implement the provision as intended. For example, there is no definition for what constitutes ‘use,’ nor is there any definitive list of both covered affiliates and subsidiaries and covered prohibited equipment and services,” Berteau said.
While the regulations permit waivers related to implementing the restrictions, the process for obtaining them also lacks clarity, according to contractors. To “minimize disruption, the final rule must clearly lay out what is expected of both contractors and agency representatives in the waiver process,” said the Council of Defense and Space Industry Associations (CODSIA).
“If a contractor identifies any use of banned equipment, the law allows the company to seek a waiver from its customer agencies in the short term while it works to remove the problematic technology. However, the waiver process outlined in the interim rule is muddled, time-consuming, and seems designed to discourage companies and government contracting officials from seeking a waiver altogether,” said Kelsey Kober, manager of policy, public sector, at the Information Technology Industry Council, in a blog posting.
Contractors See High Cost of Regulations
The expense of compliance with the regulations will be significant. Government estimates peg the cost to federal contractors at US$12 billion in just the first year of implementation, and $2.2 billion annually in subsequent years. Those estimates, however, failed to include several conditions of expense due to data limitations, with the result that the regulations constitute “one of the most expensive acquisition regulations ever enacted,” said CODSIA in its comments.
“Every company that does business with the federal government has to meet standards and comply with rules that are more extensive and more expensive than those in the commercial marketplace,” said the Professional Services Council’s Berteau.
“Those costs may lead companies to exit the federal contract marketplace, particularly small or mid-sized businesses, though we cannot predict how many would do so or when that might happen,” he told the E-Commerce Times. Under the interim rules, “if companies cease to bid because they cannot meet the requirements for a contract award, it could lead to less competition, less innovation, and higher prices.”