One of the biggest threats to our national security is that hostile actors could exploit vulnerabilities to access our government’s systems and data. Increasingly, the devices we all rely on -- including the United States Federal government -- are manufactured in countries considered potentially or even actively hostile towards our national interests. In some cases, devices manufactured in friendly countries use components exported from manufacturers in hostile nations.
The Potential Risks Are Real
Acting on credible information that these risks are real, and that they affect devices deployed on Federal government networks, the U.S. Department of Defense (DoD), General Services Administration, and NASA issued an interim rule amending the Federal Acquisition Regulation (FAR) to implement section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019.
The Interim Rule, which went into effect on August 13, 2020, addresses a new prohibition on the use of banned telecommunications equipment and services and clarifies the ban on buying such equipment that went into effect in 2019. Specifically, it prohibits federal agencies from doing business with any entity that uses telecommunications and video surveillance services or equipment from the following five vendors:
- Huawei Technologies Company
- ZTE Corporation (or any subsidiary or affiliate of such entities)
- Hytera Communications Corporation
- Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company (or any subsidiary or affiliate of those entities)
The Rule doesn’t stop at the walls of Federal agencies either. It creates two new compliance checks for prime contractors. They must:
- Make a “reasonable inquiry” before submitting offers for work regarding its use of prohibited equipment or services.
- Identify and report any previously undisclosed use of prohibited equipment or services within one day of identification and must also report within 10-days any further information and mitigation taken.
The Rule also extends to the prime contractor’s subcontractors, with the prime contractor held responsible for both conditions. Making the situation even more complicated, the Rule defines “use” broadly as any use, “regardless of whether that use is in performance of work under a Federal contract.”
You might think the Rule impacts only contractors and suppliers working directly for the DoD, GSA, and NASA, but it has far-reaching implications. Many public and private organizations that deal with these agencies may or are considered contractors or subcontractors.
In many cases, the Rule may also extend to any healthcare contractor, payor, or provider paid by the U.S. Government, including contractors for the National Institutes of Health (NIH), Defense Health Administration (DHA), Department of Veterans Affairs (VA), and more.
What Should You Do?
If you have a contract with any United States Government agency; or plan to submit a proposal for work, you should take these steps now:
- Review your IT asset inventory and your supplier agreements to determine whether you or your subcontractors use any equipment or services banned by the Rule.
- Build and have available any documentation that supports your “reasonable inquiry” regarding banned equipment or services.
- Identify equipment that can be replaced or isolated from contracted work.
- Implement risk-based mechanisms that help you comply with the Rule, including alerting of any banned equipment used during contract performance.
Armis Can Help
Many of our customers have expressed concern that they may have prohibited devices in their environments. The good news is that you can use Armis to find devices from these five vendors.
You can also build policies based on what devices Armis finds in your environment to alert you if any of this equipment is being used during your Federal contract performance. This capability helps you comply with the reporting provisions of the Rule. And you can also build policies in Armis that automatically block, quarantine, or sanction devices, helping you comply with the Rule’s risk mitigation requirements.
To learn more about how Armis can help protect you from these risks, schedule a live demonstration today.