One of the biggest threats to our national security is that hostile actors could exploit vulnerabilities to access our government’s systems and data. Increasingly, the devices we all rely on — including the United States Federal government — are manufactured in countries considered potentially or even actively hostile towards our national interests. In some cases, devices manufactured in friendly countries use components exported from manufacturers in hostile nations.
Acting on credible information that these risks are real, and that they affect devices deployed on Federal government networks, the U.S. Department of Defense (DoD), General Services Administration, and NASA issued an interim rule amending the Federal Acquisition Regulation (FAR) to implement section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019.
The Interim Rule, which went into effect on August 13, 2020, addresses a new prohibition on the use of banned telecommunications equipment and services and clarifies the ban on buying such equipment that went into effect in 2019. Specifically, it prohibits federal agencies from doing business with any entity that uses telecommunications and video surveillance services or equipment from the following five vendors:
The Rule doesn’t stop at the walls of Federal agencies either. It creates two new compliance checks for prime contractors. They must:
The Rule also extends to the prime contractor’s subcontractors, with the prime contractor held responsible for both conditions. Making the situation even more complicated, the Rule defines “use” broadly as any use, “regardless of whether that use is in performance of work under a Federal contract.”
You might think the Rule impacts only contractors and suppliers working directly for the DoD, GSA, and NASA, but it has far-reaching implications. Many public and private organizations that deal with these agencies may be, or already are, considered contractors or subcontractors.
In many cases, the Rule may also extend to any healthcare contractor, payor, or provider paid by the U.S. Government, including contractors for the National Institutes of Health (NIH), Defense Health Administration (DHA), Department of Veterans Affairs (VA), and more.
If you have a contract with any United States Government agency, or plan to submit a proposal for work, you should take these steps now:
Many of our customers have expressed concern that they may have prohibited devices in their environments. The good news is that you can use Armis to find devices from these five vendors.
You can also build policies based on what devices Armis finds in your environment to alert you if any of this equipment is being used during your Federal contract performance. This capability helps you comply with the reporting provisions of the Rule. And you can also build policies in Armis that automatically block, quarantine, or sanction devices, helping you comply with the Rule’s risk mitigation requirements.
To learn more about how Armis can help protect you from these risks, schedule a live demonstration today.