Sec 889 of the 2019 NDAA & Potential Impact to Government Approved Moving Companies
This is a long, detailed email, but I recommend you read the entire message and make yourself familiar with this important topic.
13 August, 2020 marks the date where provisions of Section 889 of the 2019 National Defense Authorization Act (NDAA) take effect. Section 889 could potentially have an impact on your business. It’s time to start assessing if it does.
You can find a host of details on Sec 889 of the 2019 NDAA by simply googling the topic. In general, Section 889 of the Fiscal Year 2019 National Defense Authorization Act prohibits federal agencies and contractors doing business with the federal government from procuring or using “covered telecommunications equipment or services” (defined below) that are produced by certain designated entities as a “substantial or essential component of any system, or as critical technology as part of any system.”
Specifically, Section 889 creates a general prohibition on telecommunications or video surveillance equipment or services produced or provided by the following companies (and associated subsidiaries or affiliates):
- Huawei Technologies Company; or
- ZTE Corporation
It also prohibits equipment or services used specifically for national security purposes, such as public safety or security of government facilities, provided by the following companies (and associated subsidiaries or affiliates):
- Hytera Communications Corporation;
- Hangzhou Hikvision Digital Technology Company; or
- Dahua Technology Company
GSA will likely include a requirement for their approved TSPs to certify they are compliant with Sec 889 provisions in their next HTOS for CHAMPS. The DoD just released a policy memo on this topic that you can find in our IAM government newsfeeds; but how that policy will be implemented for DoD approved TSPs is still unclear.
Jake Pieroni, IAM’s Technology & Communications Committee Chair, sought input from committee members on Sec 889 impacts. Below are some of the insights from the committee:
- IAM members have to think about not just the devices, but who downstream could potentially be using the devices. We have to think about every warehouse that a shipment is passing through, and what camera systems they have in place and if they are logging data into their systems about the freight passing through their warehouse, then you’d have to consider the network equipment and software and cloud services THEY too are using.
- One of the technologies that would fall under this category and is being adopted in the freight industry is the use of IoT devices to track and log shipment information. Put it simply, it is like a GPS with sensors (like temperature) that "reports itself” to satellites and cellular networks.
Technology to think about that could be impacted include:
- Nest cameras for office security.
- Apps for e-logs. I guess the only way this would be an issue is if a driver had Huawei cell phone routers and switches for wired and wireless networks.
- Wireless hotspots for travel.
- GPS units in trailers.
- Email, video chat, etc...
A lot of attention has been paid toward hardware which could potentially be compromised - cheap security cameras, telecom equipment, network switches, etc. But the software aspect deserves equal attention (USTC is researching whether software is included in this prohibition, or if the law only applies to hardware).
- China has a sizable cloud presence with companies like Alibaba and Tencent.
- They offer affordable and competitive services to American cloud vendors like AWS, Google Cloud, and Azure.
- It can be hard (nigh impossible) to trace every step in the chain for software products, so I feel it is important to leverage programs that vet the supplier to ensure data privacy concerns are being addressed properly.
You’re going to be hearing more from the government on this topic. The time is now to work through your compliance.