Full Report
A 2018 law generally prohibits executive agencies from procuring telecommunications and video surveillance equipment produced by certain companies, or their subsidiaries and affiliates, linked to the People’s Republic of China (referred to as “covered equipment”). Agencies are not prohibited from using covered equipment procured prior to this prohibition. Officials from four of six selected agencies—the…
Analysis Summary
# Regulation/Compliance: Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2018
## Overview
This regulation prohibits U.S. federal executive agencies from procuring or obtaining telecommunications and video surveillance equipment—and services—produced by specific Chinese entities and their subsidiaries/affiliates. The mandate is designed to mitigate national security risks, such as espionage and unauthorized data exfiltration, associated with "covered equipment" from foreign adversaries.
## Key Details
- **Issuing Authority:** U.S. Federal Government / GAO (oversight)
- **Effective Date:** August 2018 (Initial Legislation); Phased implementation 2019-2020
- **Jurisdiction:** Federal Executive Agencies and their contractors
- **Status:** In Effect (with ongoing GAO audits for compliance)
## Requirements
### Mandatory Requirements
1. **Procurement Ban:** Agencies must not procure or obtain any "covered" telecommunications or video surveillance equipment.
2. **Contractor Restrictions:** Agencies are prohibited from entering into contracts with entities that use covered equipment, even if that equipment is not used for the specific federal contract.
3. **Inventory Identification:** Agencies must conduct searches and scans to identify covered equipment within their IT and physical security networks.
4. **Removal/Blocking:** Identified equipment on classified or unclassified networks must be mitigated, typically through blocking external access followed by physical removal.
### Recommended Practices
1. **Supply Chain Mapping:** Work with vendors to obtain proprietary information regarding component origins.
2. **Continuous Monitoring:** Regularly update lists of subsidiaries and affiliates as Chinese corporate structures evolve.
3. **Network Isolation:** While awaiting removal, covered equipment should be logically isolated from the internet and sensitive data.
## Affected Organizations
- **Industries:** Government, Defense, Energy, Homeland Security, State, Treasury, and Justice.
- **Organization Size:** All federal executive agencies and any private-sector firm (regardless of size) serving as a government contractor.
- **Geographic Scope:** United States (domestic and international agency outposts).
## Compliance Timeline
- **August 2018:** NDAA 2018 signed into law.
- **August 2019:** Prohibition on agencies procuring/using covered equipment (Part A) took effect.
- **August 2020:** Prohibition on contracting with entities that use covered equipment (Part B) took effect.
- **May 2026 (Audit Date):** GAO reports agencies are still in the process of identifying and removing residual legacy equipment.
## Implementation Guidance
### Assessment Phase
- **Network Scanning:** Use IT discovery tools to identify MAC addresses and vendor IDs associated with prohibited entities.
- **Manual Audits:** Conduct physical inspections of video surveillance hardware (e.g., cameras in secure facilities).
- **Vendor Attestation:** Require vendors to certify that they do not use covered equipment in their own operations.
### Implementation Phase
- **Blocking:** If covered equipment is found, immediately configure firewalls to prevent the device from "phoning home" to external servers.
- **Procurement Controls:** Update internal purchasing policies to include a restricted vendor list.
### Validation Phase
- **Audit Verification:** Conduct deep-dive searches into subsidiaries/affiliates to ensure parent companies are not bypassing bans via shell companies.
## Technical Requirements
- **MAC Address Filtering:** Monitoring network traffic and device inventories for OUIs (Organizationally Unique Identifiers, the vendor prefix of a MAC address) tied to prohibited Chinese manufacturers.
- **Firmware Verification:** Checking for components from "covered" entities embedded within white-labeled third-party hardware.
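The OUI-based discovery described under Network Scanning and MAC Address Filtering, as an added example that is not part of the GAO report: it normalizes the MAC notations different tools emit, skips locally administered and multicast addresses (which carry no vendor OUI and would otherwise produce false matches), and flags devices whose prefix is on a covered list. The OUI values, vendor names and ARP-table lines are constructed placeholders; a real scan would load the IEEE OUI registry and the agency's covered-entity list, and, as the Firmware Verification item notes, OUI matching cannot see covered components embedded in white-labeled hardware.

```python
import re

# Constructed placeholder OUIs for illustration only; a real scan loads the IEEE
# OUI registry plus the agency's covered-entity list, neither of which is on this page.
COVERED_OUIS = {
    "A4:BB:CC": "ExampleVendor-A (placeholder)",
    "A4:BB:CD": "ExampleVendor-A subsidiary (placeholder)",
    "D4:EE:FF": "ExampleVendor-B (placeholder)",
}

def normalize_mac(raw):
    """Accept aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, etc.; return AA:BB:CC:DD:EE:FF or None."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def classify(mac):
    """Return (status, vendor). Bit 0x02 of the first octet marks a locally administered
    (often randomized) address and 0x01 marks multicast; neither carries a vendor OUI."""
    first = int(mac[:2], 16)
    if first & 0x02:
        return ("unknown-local", None)
    if first & 0x01:
        return ("multicast", None)
    vendor = COVERED_OUIS.get(mac[:8])
    return ("covered", vendor) if vendor else ("clear", None)

def scan_arp_table(lines):
    """Parse 'ip mac iface' lines (constructed format) and classify each device."""
    findings = []
    for line in lines:
        parts = line.split()
        mac = normalize_mac(parts[1]) if len(parts) >= 2 else None
        if mac is None:
            continue
        status, vendor = classify(mac)
        findings.append({"ip": parts[0], "mac": mac, "status": status, "vendor": vendor})
    return findings

# Constructed sample ARP-table dump mixing the MAC notations different tools emit.
SAMPLE_ARP = [
    "10.0.0.5   a4:bb:cc:12:34:56  eth0",
    "10.0.0.9   a4-bb-cd-00-00-01  eth0",
    "10.0.0.12  02:11:22:33:44:55  wlan0",  # locally administered, no OUI
    "10.0.0.20  00:11:22:33:44:55  eth0",
    "10.0.0.21  d4ee.ffab.cdef     eth0",
]
```

Feed `scan_arp_table` the output of the discovery tool in use (ARP cache, DHCP leases, switch MAC tables) and treat every `unknown-local` entry as a device that still needs manual identification rather than as clear.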
## Penalties & Enforcement
- **Fines:** Potential loss of contract value and civil penalties for contractors.
- **Other Consequences:** Immediate removal of equipment at agency expense; suspension or debarment of vendors.
- **Enforcement:** Enforced through the Federal Acquisition Regulation (FAR) and overseen by the Government Accountability Office (GAO).
## Related Standards
- **NIST SP 800-161:** Supply Chain Risk Management (SCRM) Practices for Federal Information Systems.
- **NIST SP 800-53:** Supply Chain protection controls (SR family).
## Resources
- **Official Documentation:** [gao[.]gov/products/gao-26-107668]
- **Guidance Documents:** Federal Acquisition Regulation (FAR) Case 2019-009.
## Practical Recommendations
- **Maintain a "Covered List":** Keep an updated database of prohibited manufacturers, including notable subsidiaries (e.g., Huawei, ZTE, Hikvision, Dahua).
- **Vendor Transparency:** Include "Right to Audit" clauses in contracts to force vendors to disclose component-level supply chain data.
- **Address Legacy Risks:** Even though the law allows the *use* of equipment bought before the ban, security best practices dictate replacing these devices as soon as possible due to unmitigated vulnerabilities.