SIA Coaches Sellers on NDAA 889B Blacklist Workarounds
By: Conor Healy, Published on Aug 05, 2020
Last month SIA demanded that NDAA 889B "must be delayed". Now that they have failed to delay it, SIA is coaching sellers on workarounds to it.
The August 4th SIA webinar was led by Jake Parker, Senior Director of Government Relations, and Lynn de Seve, SIA board member, joined by Dismas (Dis) Locaria, a partner in Venable's Government Contracts Group.
In this post, we cover key points & quotes from the webinar, including:
- Arguing that banned equipment is not touching critical systems
- Forcing contracting officers to give awards despite banned equipment
- Protests can lead to relief down the road
- How the government's use of the 'False Claims Act' for cybersecurity issues is a "worn-out schtick"
- Shifting your assets to keep using banned equipment
- How reasonable inquiry does not require going back to your providers or vendors
Not Touching Critical Systems
The attorney argues that contractors can emphasize that banned equipment is 'not touching critical systems':
with that representation you’re supposed to provide explanation as to what your use is, and that’s an opportunity for contractors to explain that their use is not substantial, or essential, or critical. It’s not touching critical systems. [emphasis added]
While many contractors have argued for that distinction, e.g., when equipment is used in closed networks, the US government has not made such a distinction in this legislation or regulation.
Continuing, he contends that contracting officers may be forced to award with banned equipment:
And I think what you’re going to see is you're going to see contracting officers, which I have to imagine have zero desire to get into this analysis, but they're going to be forced to that are going to say “well, I agree it’s not substantial, essential, or critical", and they’re essentially going to award regardless of the representation. [emphasis added]
And, as contractors object to the blacklisting, the government will be motivated to provide 'relief down the road' from the ban:
My understanding is a lot of ordering agencies or buying agencies like GSA...have taken this stuff back to OMB and said, 'Look, our defense contractors can’t comply with this as written.' And my understanding is at the highest levels of GSA, they’ve gone back to OMB and said ‘Our community cannot deal with this.’ So what does this mean? You know, hopefully that means some relief down the road.
Worn Out Schtick
The attorney later complained about the government using the False Claims Act to seek damages from contractors making misrepresentations, saying that such tactics could be applied to Section 889 representations, calling it a 'worn-out schtick':
We’re starting to see False Claims Act cases coming against companies that are not meeting their cybersecurity obligations. The second to last bullet here says no new enforcement approach, but I guarantee you the government will use its worn-out schtick of the False Claims Act if there are folks that are misrepresenting under this. [emphasis added]
Another recommendation was to shift banned 'assets' to other parts of a conglomerate:
The regs are, I'll say, very open to the idea of interpreting [the applicability of the rules] more broadly, and applying it to parents and subsidiaries…in one case I have clients who are actually shifting their assets to other organizations who are not the offeror. Right, so then they can so well, 'we’re not using it, our downstream affiliate is using it.' So there are some prophylactics you can do to get around this.
Reselling Still An Open Question
However, they were indefinite about whether reselling was covered:
If you’re merely acquiring products to resell, and it might have prohibited technology embedded in it, is that use? Right. And I don't know. I wouldn’t think so. But use is not defined in the regulation. I think in those instances you might be able to take a more aggressive posture: that that is not use.
No Need to Go Back To Providers or Vendors
While many companies have been investigating their suppliers (e.g., via IPVM's Dahua OEM directory and Hikvision OEM directory), the attorney argued that the 'reasonable inquiry' standard in the FAR does not require that:
you're only you know, that reasonable inquiry under the regs is you only need to do kind of in internal analysis, you don't have to go back to your providers and your vendors and ask them whether they include Huawei or ZTE or any of the other prohibited technology [emphasis added]
Given the amount of historically hidden relabelling of Dahua and Hikvision and use of Huawei HiSilicon, especially in low-cost products, it is quite common for users not to be aware of their products' true source. If they have no requirement to even ask or check on that source, it is easy to continue to use banned equipment so long as neither party asks nor tells.
Insightful Look At Seller Strategy / Risk To Security And Law
This SIA webinar provided an insightful look at how sellers may undermine this legislation and the government's national security stance. Undoubtedly, such tactics benefit sellers of banned China equipment in the short term, though they increase the risk to the US, as a whole, in the long term.