301.519.9237 exdirector@nesaus.org

Starting next week, security integrators who want to do business with the federal government will have to eliminate products from Hikvision and Dahua – two of the world’s largest suppliers of video surveillance equipment – from their supply chains under the interim Federal Acquisition Regulation (FAR) that was published last month by the Department of Defense (DOD), General Services Administration (GSA) and NASA. Additionally, the rule, which goes into effect on Aug. 13, also applies to products from Huawei, ZTE Corporation and Hytera Technologies.

The rule does give agency heads the ability to grant a one-time waiver on a case-by-case basis that will expire no later than Aug. 13, 2022. The government estimates that it will cost contractors more than $80 billion to comply.

In anticipation of the rule’s implementation, Bosch recently sent a letter to its partners, which the company also provided to SecurityInfoWatch.com, listing several different products that will be removed from its U.S. portfolio. Here is the letter in its entirety:

On August 14, 2020, a provision of NDAA will go into effect that prevents a company from doing business with the U.S. government, if they are also selling video products that are not NDAA compliant to other non-government entities in the U.S.

As a result, there will be a few Bosch products that we will remove from our portfolio offering in the United States, including the DIVAR hybrid 3000 and 5000 recorders, DIVAR network 2000, 3000 and 5000 recorders, the DINION IP 4000, 5000, and 6000 bullet cameras, and the Sony SNC-WL862 Multi-Sensor Adjustable Dome Network Camera.

These products will be removed from our U.S. offering beginning August 14, so that Bosch can continue to do business with the government. However, we expect our distribution partners will have stock remaining and will continue to supply them to customers until their inventory is exhausted.

The interim FAR rule formally implements Part B of Section 889 of the 2019 National Defense Authorization Act (NDAA), which bars federal agencies from “entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” Part A, as previously reported, prohibits the heads of federal agencies from contracting with entities that would directly provide  products from any of the five aforementioned firms.

According to Alex Sarria, a lawyer and Member of the government contracts group of Miller & Chevalier, the rule goes much deeper than whether an integrator installs products from these companies, but rather how intertwined they are throughout the organization. 

“It is focused not just on, for example, whether an integrator is passing through a Hikvision or Dahua surveillance camera to the government, it is also looking at whether that integrator itself uses any equipment, system or service that may use technology or components manufactured or provided by any of those five named entities,” Sarria explains.

The rule also looks beyond a contractor’s use of the products in government-related work, as language included in the interim FAR states that it extends to entities’ use of these products “regardless of whether that usage is in performance of work under a Federal contract.”

Sarria acknowledges, however, that legitimate questions remain as to exactly what the government defines as “use” and whether sales and support of products from these manufacturers falls within the scope of the prohibition.

“The term ‘use’ is not defined, and the concept is much broader than simply what you may be using in your direct sales to the government. It really looks at what you are doing with this technology as an enterprise,” Sarria adds. “The interim rule puts contractors in a position of making their own risk-based calculations. In the absence of a clear definition of what constitutes use, it seems the government expects contractors to take a risk-based approach when conducting their reasonable inquiry.”

“That risk-based approach would apply to questions such as whether a sale of these products to other customers constitutes use,” he continues. “I can see different companies coming out differently on that question, but I think one prudently might conclude that selling one of these technologies would be considered ‘use’ – particularly if that product is plugging into a company’s internal systems or being used by the company to provide services. For example, if you provide monitoring services in conjunction with delivering video surveillance cameras to a commercial customer, I could see the government taking the position that it would constitute use and would be covered.”    

Subcontractors Likely Impacted

Although the Part B rule only applies to prime contractors, Sarria says that will not mean that subcontractors or suppliers are completely off the hook. “Because of the way that Part B is written, prime contractors are going to have to determine whether or not they use any equipment, system or service that uses covered telecommunications equipment or services,” Sarria says. “When you consider the fact that many prime contractors are procuring these products and services from subcontractors, vendors or service providers, I think subcontractors can naturally expect that prime contractors are going to be asking them if the equipment, systems or services that they are providing use any covered technologies.”

Some contractors have even expressed concerns about whether they may have to change logistics providers based on whether they use equipment from these manufacturers.

“A lot of companies, just as a function of operating their business, are working with mail carriers and private freight forwarders that deliver packages and other goods and supplies to the company,” Sarria explains. “One question we’ve encountered is whether contractors need to ask these entities if they are themselves relying on banned technology to provide delivery services. That’s a tough judgement call, because on the one hand I think there is a clear recognition, at least from a national security perspective, there are certain types of service providers that clearly create more risk; however, in that example, you are talking about a company that is providing an overhead or administrative function of just operating a business.”

Feds Want Feedback

While much remains in doubt, Sarria says one positive sign is that the FAR Council provided a number questions in the interim rule that they are seeking input on from affected industries and contractors, which could have a significant impact on the final rule that will be issued in the future.

“The FAR Council seems to be urging contactors and industry to really speak up about the actual impact that this rule will have on their operations and the increased costs that they might experience if the rule goes into effect as it is currently written,” he says.

Integrators can submit comments to the council on or before Sept. 14, 2020. 

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at joel@securityinfowatch.com.