This is the fifth blog post in a series analyzing the 2019 National Defense Authorization Act (NDAA) as signed into law on Aug. 13, 2018. Stay tuned for more blog posts covering additional topics in the near future from Holland & Knight's Government Contracts Team.
The 2019 NDAA and a supply chain bill passed soon thereafter (the SECURE Technology Act) foretell significant changes to how government contractors will be required to monitor their supply chains. The provisions include requirements to voluntarily disclose vulnerabilities, prohibitions on utilizing certain Chinese companies for contractor deliverables and the establishment of a new Federal Acquisition Security Council that will be able to recommend the exclusion of companies that pose an unreasonable supply chain risk.
Section 889 of the of 2019 NDAA prohibits the procurement of certain technologies and services from companies connected with the People's Republic of China ("China"). Subsection (f)(3) lists the covered telecommunications equipment of services:
Section 889's prohibition is not as all-encompassing as it would seem at first glance because it is not absolute and does not cover all procurements. As noted in Subsection (a) of the provision, the prohibition only extends to situations where the covered equipment and services are a "substantial or essential component of any system, or as critical technology as part of any system." Because of that, there are situations where such equipment or services can be used. However, contractors should proceed with care: "substantial," "essential" and "critical technology" are not defined in Section 889 (though that may be subject to agency interpretation or further regulations).
Further, there is nothing in Section 889 that prohibits a contractor from using equipment from a covered company in its manufacturing process so long as the covered company's product is not included in the final deliverable to the Government. In addition, there is nothing prohibiting a contractor from utilizing covered products and services outside of its supply chain directed at the U.S. Government. Finally, as noted above, a covered product or service can even be an ancillary part of the deliverable to the Government (though extreme caution should be used due to a lack of definitions). That being said, there may be other laws or regulations that restrict the use of materials or services impacted by Section 889. For instance, the SECURE Act, discussed below, will give agencies additional flexibility in excluding sources or particular products.
Contractors potentially impacted by this provision should consider whether covered products are in their supply chains and, if so, whether the products or services are (or could be) sold to the federal government.
The above will be effective on Aug. 13, 2019 with respect to procured products and on Aug. 13, 2020 with respect to covered services.
With respect to procurements involving national security systems (or IT that is purchased for inclusion within a national security system), Section 881 of the 2019 NDAA allows the U.S. Government to shroud them in secrecy, elevates the importance of supply chain as an evaluation factor and limits bid protests challenging the determination that a procurement is covered under this provision. "National security systems" are defined in 44 USC § 3542(b)(2)(A) to include, among other things, systems involving intelligence agencies, command and control of armed forces and equipment that is "integral" to a weapons system.
More specifically, with respect to covered procurements, this provision of the NDAA allows the Government to:
If the Government acts against a contractor, a contractor is to be notified "only to the extent necessary to effectuate the covered procurement action." This language permits the Government to withhold from the prime contractor the reason why the subcontractor was excluded or not notify the proposed subcontractor at all. This provision will surely impact prime/subcontractor relations at some point.
A few other notable provisions in the 2019 NDAA impact supply chain management:
Perhaps even more significant than the supply chain provisions in the NDAA was Congress' passage of the SECURE Technology Act in the final days of the previous Congress. The SECURE Technology Act (which is short for the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act) is actually a combination of what had been two separate bills. The first part of the Act concerns the Department of Homeland Security's information and supply chain vulnerabilities while the second part concerns federal acquisition supply chain vulnerabilities and establishes a Federal Acquisition Security Council (FASC).
While a future blog post will examine the SECURE Act more closely, it offers important context to how the Government is looking at supply chain issues in the 2019 NDAA. If followed faithfully, the Act will completely alter the way the Government evaluates supply chain issues and whether to buy from certain contractors.
As noted above, Title II of the Act establishes the FASC. The FASC, which will be comprised of representatives from agencies across the Executive branch, will be chaired by a senior Office of Management and Budget official. The FASC will have wide-ranging responsibilities which include:
Perhaps most significant, the FASC will create standards for excluding companies or products that pose an unreasonable supply chain risk. Following the creation of those standards, the FASC will utilize those standards to recommend the exclusion of sources or products from the supply chain. A recommendation can be challenged by a company that is the subject of an exclusion recommendations. After that process, exclusion or removal orders may be issued by: the Department of Homeland Security (for civilian agencies), the Department of Defense and the Director of National Intelligence (for intelligence agencies and "sensitive compartmented information systems"). Any party that is subject to the exclusion or removal order must be notified of the decision and the decision to remove or exclude is required to be reviewed annually by the original exclusion official. This process standardizes and streamlines what some viewed as an ad hoc process that led to the removal of Kaspersky from the supply chain last year.
If company is on the receiving end of an exclusion or removal order, it may file a petition for judicial review with the United States Court of Appeals for the District of Columbia Circuit.
The recent actions by the Government demonstrate that supply chain compliance will grow in importance in 2019. Contractors will need to take responsibility supply chain monitoring and compliance or risk being excluded from doing business with the federal government.
Please note that email communications to the firm through this website do not create an attorney-client relationship between you and the firm. Do not send any privileged or confidential information to the firm through this website. Click "accept" below to confirm that you have read and understand this notice.