Inside Cybersecurity

Exclusive Interview

Contracting lawyer warns of 'severe' consequences from new rule banning Huawei products

By Rick Weber / August 21, 2019

A leading legal voice for the federal contracting community warns a new regulation banning purchases of products from Huawei and other China-based tech companies will prevent some U.S. suppliers from bidding on contracts, which could force the government to do without certain services and components.

“Regulations have to conform to the statute which requires them. And this statute is severe in the method by which it operates, so it should not be surprising that the regulation also is severe,” Robert Metzger, of the law firm Rogers Joseph O'Donnell, said in an interview with Inside Cybersecurity.

He was referring to an interim rule issued by the Defense Department, General Services Administration and NASA on Aug. 13, as required by the fiscal 2019 National Defense Authorization Act. The rule is at the front edge of a broader U.S. effort to counter cybersecurity threats from China.

Metzger stressed the threat to the nation's supply chain is real, but questioned the blunt approach taken by the rule and the underlying law.

“Let's accept that there are genuine reasons to worry about the inclusion of these five China sources in systems provided to the federal government,” Metzger said, referring to Huawei, ZTE and other companies covered by the NDAA purchasing restrictions.

“Here their response is effectively to ban them from such systems and to impose obligations on vendors, which are difficult, potentially impossible, to meet in order to know whether such [Chinese] vendors are present,” Metzger said.

“I support the objective of protecting key systems against reliance on certain sources from China,” he said. “But I expect that this regulation in fact will prove difficult, potentially problematic, both to the agencies who are its intended beneficiary, and to many companies who have every interest in providing secure products and services, but who will find actual compliance with this regulation difficult at least, potentially impossible, in a large number of cases.”

Metzger said the solution to the compliance problems posed by the new rule will be to revise the law.

“I appreciate that the regulation cannot deviate from the statute, but it would not surprise me, unfortunately, if the experience with the interim regulation causes both agencies and industry to seek some forms of relief or adjustment in the statute,” Metzger said.

He said the blunt approach adopted by the NDAA and the rule may have a disproportionate impact on government suppliers and agencies beyond the very real threat from China.

“This is a far-reaching regulation that will affect many suppliers to the federal civilian agencies as well as the Defense Department,” Metzger said. “It is possible...that we will look back in a year and conclude that the injury to agency interests and contractor opportunity is both disproportionate and greater than any actual realized security benefit, even though I agree with the importance of protecting our supply chain.”

Waiver provisions

Despite the presence of waiver provisions to address concerns about potential supply shortages, Metzger believes these measures will fall short in providing vendors with appropriate relief.

“This does not permit risk-informed decisions to be made by contracting officers, program offices or requiring activities,” Metzger said. “The exceptions that are provided are limited to those which were in the statute, and they are very specific to certain narrow but significant telecommunications functions.”

“No other exceptions are provided, nor are means present to create them,” Metzger said. “It is true that there is a waiver provision, but as required by the statute the implementation of the regulation makes the likelihood of a waiver, in my judgment, very small.”

These waivers have to be granted “by the head of an agency, on a one-time basis, with a compelling justification, with a plan to remediate, and with an obligation to report to Congress within 30 days,” Metzger noted. “I doubt many of the agencies affected will have either the resources or knowledge in place to intelligently address such waivers.”

Yet some larger agencies, such as the Pentagon, will have the resources to process those waiver requests.

“There will be some who do, of course,” Metzger said. “But I think the likelihood will be that waivers will be slow to process and rarely granted, and this is where... we may find that the agencies like this even less than the contractors because these functions of facility surveillance, infrastructure monitoring and telecommunications...are indispensable for agencies and for many and distinct purposes.”

Metzger raised concerns that the blunt approach by the regulation, and unspecified remedies, might have a chilling effect on the willingness of vendors to bid on federal contracts.

“We are in this situation between a rock and a hard place,” Metzger said. “The rock is that the threat is genuine and the execution of the threat would have terrible consequences. The hard place is that such a broad and strict ban on equipment, with little play in the joints, may produce a great deal of frustration for the agencies who are supposed to be protected, and there may be genuine effects upon the willingness of many types of companies to participate in the supply chain.”

Contractor unwillingness to bid

That potential unwillingness to do business with the government stems from the uncertainties about how regulators and agencies will respond to a given company's disclosure of the presence of China-based products in their supply chain, as required by the regulation.

“It's not set in the regulation, what happens if you make a report that you find you have one of the five sources,” Metzger said. “Companies naturally will wonder whether such a report will expose them to sanctions.”

Metzger underscored as a key point: “They will see that they're given an opportunity to offer information about mitigation or avoidance, but ...there is nothing in the regulation, not anything, which would allow a program office, a contracting officer, a requiring activity, to review such mitigation information, consider the plan of remediation, and determine that it is acceptable and not in violation of the regulation and statute.”

The interim rule, issued under section 889 of the fiscal 2019 NDAA, is the first of a two-step process that will extend the ban on purchasing Huawei and ZTE products to federal contractors in August 2020, a move that will greatly expand these regulatory requirements throughout the economy by limiting what private companies can do if they want to maintain business with the government.

The drafting of the second phase of the purchasing ban was the focus of a public meeting hosted by DOD, GSA and NASA on July 19.

According to the rule, the NDAA defines "covered telecommunications equipment or services" as "Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities); For the purpose of public safety, security of Government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities); Telecommunications or video surveillance services provided by such entities or using such equipment; or Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country."

DOD and the other two federal agencies have set a 60-day public comment period on the interim rule, which went into effect when it was issued on Aug. 13. That public feedback could guide any potential requested revisions by the executive branch to the NDAA and the rule.

House and Senate conferees are set to begin negotiations on the fiscal 2020 National Defense Authorization Act when lawmakers return from recess in September, with sharp partisan differences over funding levels and a handful of other issues clouding the prospects for the typically bipartisan legislation.

For its part, the Commerce Department on Monday gave U.S. companies another 90 days to sell to Chinese telecom giant Huawei, even though the company remains on the Bureau of Industry and Security’s Entity List -- and as President Trump reiterated his belief that the firm is a “national security threat.”

Huawei was put on the Entity List in May, meaning U.S. companies could not sell to it without receiving an export license from Commerce. The department issued a 90-day general license shortly thereafter. That initial license was set to expire on Aug. 19.

Metzger is a co-author of a MITRE Corp. report, “Deliver Uncompromised,” which was issued in August 2018 and commissioned by the Pentagon for recommendations on reforming its acquisition process.

The report proposed security as a “fourth pillar” of the contracting process, along with cost, schedule and performance.

“The historical emphasis on 'cost, schedule, and performance' is a fundamental driver for actions of DOD as well as the [Defense Industrial Base],” the report states. “The DOD requirements process has not put security and integrity on an equal footing, with the result that the costs of assurance work against the usual program metrics.” -- Rick Weber (rweber@iwpnews.com)