This article originally appeared in the September 2023 issue of Security Business magazine.
Each year Congress passes an annual defense authorization bill, better known as the National Defense Authorization Act (NDAA). The fiscal year 2023 NDAA, signed into law in December 2022, added a new “Section 5949,” which lays out rules pertaining to the procurement of electronic parts, products, or services that include certain Chinese semiconductors. It also prohibits federal contracting with any entity that procures or obtains such electronic parts from specific manufacturers and their subsidiaries, affiliates, or successors.
While the government has yet to issue official definitions for “semiconductor” and “semiconductor products or services,” the August deadline for proposed definitions under the Federal Acquisition Regulation (FAR) means that answers will become clear soon.
These changes will have a significant impact on technology companies, as well as organizations across a broad range of industries, and manufacturers will need to be prepared to answer questions from partners, integrators, and end-users who want to know how the NDAA applies to them and how they can adapt their operations appropriately.
To do so, it is important for organizations to understand the history of the NDAA, how it is applied, and how Section 5949, Section 889, and other recent updates have changed the way the government approaches its private sector partnerships.
Understanding Recent Revisions to the NDAA
Before diving into Section 5949, it is important to understand Section 889, which began taking effect in 2019. In many ways, NDAA Section 889 was the forerunner of Section 5949: it prohibits federal agencies, their contractors, and grant or loan recipients from procuring or using “telecommunications and video surveillance services or equipment” from several named Chinese companies.
According to the federal government, these companies pose significant privacy and security risks, and Section 889 sought to mitigate these concerns.
It is important to note that Section 889 does not forbid companies from doing business with the Chinese companies it names; however, any company that does choose to do business with them is effectively barred from federal contracts and from partnering with other businesses that work with the government. That is a significant portion of the economy, which is why Section 889 has had a serious impact on the security and telecommunications sectors as businesses in those industries have moved quickly to remove covered Chinese equipment from their operations.
To further contend with the perceived national security and economic risks, the new Section 5949 takes matters one step further: it forbids federal procurement of electronic parts, products, or services that include certain Chinese semiconductors, and it prohibits federal agencies from contracting with any outside organization that uses them.
This effectively extends the Section 889 framework: government agencies and their contractors are prohibited not just from procuring and using products or services from specific Chinese companies, but also from procuring or using any product or service that includes or relies on certain Chinese semiconductors.
As the framework expands to include specific, covered components, businesses will face new challenges when it comes to adhering to these regulations, which means to some extent, they will rely on integrators to provide them with trustworthy guidance.
The Different Intentions of Section 889 and Section 5949
While Section 5949 builds on a similar foundation to Section 889, it would be a mistake to assume that the reasons behind them are the same. Section 889 was implemented primarily for cybersecurity reasons: as the world becomes more interconnected, where and how countries source critical technology has become an increasing concern. The specific companies cited in Section 889 could not satisfy government requirements to provide safe and secure technology, which led the U.S. to restrict their use in government and government-adjacent projects.
Section 5949 focuses on a different sort of security: supply chain security. The COVID-19 pandemic and resulting supply chain crisis led many countries – including the U.S. – to adopt a more protectionist economic stance.
The semiconductors covered by Section 5949 are largely commodity components that, in the government’s framing, represent an economic risk rather than a direct cybersecurity threat. Rather than allow Chinese companies to gain a further foothold in the American technology sector, the U.S. government has stepped in to protect its own manufacturing industry amid ongoing supply chain challenges. The effect on businesses is the same, but it is important to note that the motivation is different.
Who Is Responsible for Section 5949 Compliance?
There is no formal third-party certification or audit process for Section 5949; compliance rests on self-certification, which means it is largely up to businesses to police themselves to ensure that they, as well as their vendors and partners, remain compliant. This can be tricky, as many organizations lack specific knowledge of the components present in their own solutions, let alone those of their partners and vendors.
Manufacturers will need to be particularly careful about performing due diligence when it comes to their own devices, including verifying with their component providers that they do not include any banned materials or parts.
It will be critical for manufacturers to provide accurate, up-to-date information to integrators or customers who have questions about NDAA compliance.
The question remains: who should be responsible for compliance, the vendor or the buyer? There are good arguments on both sides, so due diligence is important for all parties in order to avoid the consequences of a violation.
Even though there is no formal audit process for NDAA compliance, an organization caught using banned products will almost certainly lose any future government contracts. If a company is found to be in violation of Section 5949 because a vendor failed to disclose an offending component, blaming the vendor will not carry much weight with the government.
If those contracts are important to a company, it is ultimately up to that company to verify that its partners are NDAA compliant. That said, it is worth noting that both Section 889 and Section 5949 require contractors to certify that they do not use covered products or services, and to pay for any rework required if covered products or services turn out to have been included or used after the effective date.
This effectively puts the burden of compliance on the integrator for installed products and requires them to replace any non-compliant products at their own cost; thus, integrators will need to be able to trust that the information they are receiving from manufacturers with regard to NDAA compliance is accurate.
Forecasting the Impact of Section 5949
The most immediate and obvious impact of Section 5949 is that companies that wish to do business with a federal agency (including the Department of Defense) will need to comply with its rules.
The good news, however, is that Section 5949 includes a grace period: its prohibitions do not take effect until five years after the date of enactment, which puts the compliance date in December 2027.
It is important to note that, unlike under Section 889, products that contain covered Chinese semiconductors can still be installed throughout this grace period (i.e., up until the compliance date) and used for the duration of their lifecycle without needing to be replaced.
That said, organizations should work closely with their supply chain partners to ensure compliance by the set deadline in order to provide necessary documentation that verifies NDAA compliance to their customers.
When it comes to Section 5949 compliance, it is wise to follow the proverb “trust, but verify.” Close partnerships and due diligence both play essential roles.
Section 5949 offers a safe harbor provision under which federal contractors can reasonably rely on compliance certifications from covered entities (the manufacturers and subcontractors who supply electronic parts, products, or services) without conducting independent audits themselves. Contractors remain liable for rework if those certifications prove inaccurate, however, so they should partner with vendors that have a solid reputation and a proven track record.
Fortunately, there is a precedent for compliance – the industry experienced a diligent response to Section 889. Nonetheless, everyone across the industry must take the time to fully understand the latest updates, definitions and requirements in order to ask the right questions and ultimately ensure compliance.
The inability to comply and provide proper assurances can impact more than just companies doing business with the government. There will be a ripple effect: if an organization violates Section 5949 in doing business with the government, that raises red flags to other private companies as well.
Furthermore, it is hard to predict the future, and just because an organization does not work with the government today doesn’t mean it won’t work with the government sometimes down the road.
Many organizations will decide that NDAA compliance is important to achieve regardless of their current status. With that in mind, integrators should be mindful that the impact of Section 5949 will be considerably more far-reaching than its written text implies. It will be important to help organizations recognize that just because Section 5949 does not apply to them today does not mean it will not impact them down the road.
Moving Forward with Confidence
Electronic product manufacturers and integrators will play a major role in helping organizations maintain compliance with NDAA Section 5949. Those who work with a large number of vendors will need to perform significant due diligence to ensure that all of them are compliant or, at the very least, to know which ones are not.
When advising organizations on which technology and solution providers to use, Section 5949 compliance will be an important factor to consider, and the ability to provide accurate guidance on that matter will be critical moving forward.
Ultimately, the goal of Section 5949 is to begin to move electronic component manufacturing out of mainland China and toward the U.S. and its allies in Europe and Asia. Whether it will be successful remains to be seen, but organizations need to take the appropriate steps to protect themselves regardless.
With no formal certification or verification process in place, it will be largely up to companies to police themselves, so erring on the side of caution will be critical. Section 5949 has the potential to block non-compliant companies not just from working with the government, but from partnering with any other company that works with the government. It is a steep penalty, and businesses will need trusted integrators who can provide them with the knowledge and insight to avoid paying it.