August 13 is approaching and, for many in the Defense Industrial Base (and beyond), that means it’s time for another regulatory complication to global trade: the implementation of Section 889.
Part of the 2019 NDAA (the massive spending bill that determines the DoD’s budget), Section 889 requires companies that count the US federal government as a customer to certify that they, and their extended supply chains, do not contain “covered telecommunication equipment or services” that are produced by Huawei, ZTE, Hytera, Hikvision, and Dahua and their subsidiaries as a “substantial or essential component of any system, or as critical technology as part of any system.”
The move is but one of many steps the U.S. government has taken to limit the exposure of critical infrastructure to Chinese threats. On June 30th the FCC designated Huawei and ZTE as national security threats, preventing U.S. carriers from using the agency’s $8.3 billion government subsidy program to purchase, maintain, or support equipment from those vendors.
But what will these regulatory changes mean to the wider Defense Industrial Base (DIB), or to companies that may, unknowingly, rely on technology from the sanctioned companies through their network of third, fourth, fifth, and Nth parties? Even those indirect connections could present liabilities for those organizations. While the full extent of the regulation will not be understood until the DoD begins enforcing it, the language of Section 889 is broad enough that it will likely apply even where a company uses the named technologies exclusively in its commercial enterprises.
Section 889 is far from the only regulation large contractors are going to have to find new strategies to comply with. The SECURE Technology Act, the Cybersecurity Maturity Model Certification (CMMC), and the 2019 Executive Order on Securing the ICTS Supply Chain are all introducing new considerations and complications for major technology contractors.
Section 889 isn’t the only NDAA provision with such an impact either. Sections 1654 and 1655 have created new disclosure requirements of their own, requiring contractors to alert the government if they have allowed foreign nationals to interact with the source code of a product, system, or service used by the DoD.
Keeping pace with the increasing number of regulatory requirements while preserving continuity of business will require many institutions to rethink their approach to third-party risk management. Simply piling people on the problem is not a scalable solution, given the ever-expanding network of third parties the DIB relies upon. Identifying and monitoring the third parties of your third-party suppliers is an ongoing, never-ending task, because subtier relationships and reliance change over time. It’s just too hard for people to manage alone.
The problem is even greater during these times of social distancing, when in-person validation of third-party status can prove difficult. Large contractors will need to adopt solutions that can autonomously identify their connected third parties and track compliance across multiple regulations for their entire supply chains, across every tier, down to dirt.