
section 889 telecommunications prohibition


Fara Fasat


Most of us are painfully aware of the 2019 NDAA section 889 prohibition (implemented at FAR Subpart 4.21) against delivering telecommunications equipment to the government that is made by Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company, or their subsidiaries or affiliates, or using such equipment in a contractor's operations.

Does anyone know if any government agency maintains an updated list of the subsidiaries and affiliates, of which there are hundreds? There have been news reports that those 5 companies are constantly creating subsidiaries to get around this and being on the denied parties list.

In addition, the prohibition extends to companies that the "Secretary of Defense, ... reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of [China]." Does DoD publish such a list?


On 9/15/2023 at 5:42 PM, Fara Fasat said:

Does anyone know if any government agency maintains an updated list of the subsidiaries and affiliates,

I don't know. But you may have success ordering a Dun & Bradstreet (D&B) report. https://docs.dnb.com/credit/en-US/viewing_a_report/ownership


Thanks Carl. However, that first link merely repeats the names of the 5 primary companies and does not list the subsidiaries, so it doesn't help much.

The second link looks more useful, but there is nothing on the document to identify it or where it came from. Was it created by DoD? If not, do you know what agency originated it? Is it published on a website so that we can access updates?


Please be careful that you don't make this harder than it needs to be.  For example, see the definition of "reasonable inquiry" and an offeror's/contractor's duty thereto in FAR subpart 4.21 and the provision and clauses it prescribes.  And also, note that the contracting officer may generally rely on an offeror's representation of "does not" or "will not" in these matters.


Definitely not my intent. However it does seem reasonable to learn the identities of the companies whose equipment you cannot sell to the government or use internally.

I found a little more information about the second link that Carl provided. Besides not knowing who created the list, it actually is a different list from the 889 prohibition. The provided link is a list of Chinese Military companies operating in the US, as required by the 2021 NDAA. There may be some overlap, but it is not a list of the subsidiaries covered by the 2019 NDAA telecommunications prohibition.

When the 889 prohibition first came out, the University of Minnesota and a couple law firms published lists. I'm wondering if they or anyone else maintain updated lists. I suppose it's too much to ask of the government itself to provide a list of the companies it has made subject to the prohibition. 


I don’t think the government maintains any such list. As noted in the original post, there are hundreds of subsidiaries and affiliates. Plus there are multiple types of those. It would be a huge task to identify all the potential sources and keep it current. The solicitation certification below puts the responsibility on the offeror. Offerors can query their suppliers if they don’t know themselves.
 

Quote

4.2103 Procedures.

(a)  Representations.

(1)(i) If the offeror selects "does not" in paragraphs (c)(1) and/or (c)(2) of the provision at 52.204-26 or in paragraphs (v)(2)(i) and/or (v)(2)(ii) of the provision at 52.212-3, the contracting officer may rely on the "does not" representation(s), unless the contracting officer has reason to question the representation.

 


20 hours ago, Fara Fasat said:

Was it created by DoD?

Annually - https://www.defense.gov/News/Releases/Release/Article/3180636/dod-releases-list-of-peoples-republic-of-china-prc-military-companies-in-accord/

20 hours ago, Fara Fasat said:

first link merely repeats the names of the 5 primary companies and does not list the subsidiaries

Did you read the reference 47 C.F.R. § 1.50000 et seq regarding how the list is prepared and inclusive of?


21 hours ago, Fara Fasat said:

provided link is a list of Chinese Military companies operating in the US, as required by the 2021 NDAA. There may be some overlap, but it is not a list of the subsidiaries covered by the 2019 NDAA telecommunications prohibition.

When the 889 prohibition first came out, the University of Minnesota and a couple law firms published lists. I'm wondering if they or anyone else maintain updated lists. I suppose it's too much to ask of the government itself to provide a list of the companies it has made subject to the prohibition. 

Relying upon an offeror’s self certification is like burying your head in the sand. 

“Our Office has repeatedly explained that where an agency has no information prior to award that would lead to the conclusion that the vendor, or the product or service to be provided, fails to comply with the solicitation’s eligibility requirements, the agency can reasonably rely upon a vendor’s representation/certification of compliance. See, e.g., Kipper Tool Co., B-409585.2, B‑409585.3, June 19, 2014, 2014 CPD ¶ 184 at 5 (denying protest that agency could not reasonably rely on representations regarding compliance with the Trade Agreements Act); KNAPP Logistics Automation, Inc.,”

How is an offeror supposed to know if a company is or isn’t a subsidiary of a prohibited source? By relying upon a certification by that company?

When I was a consulting engineer in the late 1970s, my boss repeatedly derided the entire idea of self “certifications” by vendors and contractors. We avoided reliance upon certifications to the maximum possible extent.

 

 

 


5 hours ago, C Culham said:

Carl - you keep posting that. It is for a different NDAA. That list is in response to the 2021 NDAA, and is a list of Chinese military companies operating in the US. I'm looking for the companies prohibited by section 889 of the 2019 NDAA: A) the subsidiaries of the 5 named companies (Huawei, ZTE, etc.) and B) a list of companies designated by the SecDef ("an entity that the Secretary of Defense ... reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.").

 

5 hours ago, C Culham said:

Did you read the reference 47 C.F.R. § 1.50000 et seq regarding how the list is prepared and inclusive of?

*sigh* yes and again it is not relevant. The FCC list does not A) list the subsidiaries of the 5 named companies (Huawei, ZTE, etc.) or B) list the companies designated by the SecDef.


23 hours ago, joel hoffman said:

How is an offeror supposed to know if a company is or isn’t a subsidiary of a prohibited source? By relying upon a certification by that company?

Yes.  "[W]here an agency has no information prior to award that would lead to the conclusion that the vendor, or the product or service to be provided, fails to comply with the solicitation’s eligibility requirements, the agency can reasonably rely upon a vendor’s representation/certification of compliance."

From the GAO case provided by Carl--

Quote

 

Compliance with Prohibited Telecommunications Regulations

V3Gate contends that the VA failed to meaningfully consider whether purchasing Lenovo products from AATD complied with FAR clause 52.204-25, which prohibits agencies from contracting for certain telecommunications equipment. V3Gate Protest at 10. In this regard, V3Gate broadly argues that the Lenovo computers quoted by AATD “fall within [the] expansive definition” of covered equipment found in FAR clause 52.204-25, as equipment linked to the Chinese government. Id. at 11. The protester asserts that the agency was required to analyze whether issuing a delivery order to AATD complied with FAR clause 52.204-25. Id. at 12.

In response, the agency asserts that it fully complied with the applicable regulatory prohibition. V3Gate MOL at 12. Specifically, the VA explains that it included the pertinent FAR clauses in the solicitation, and requested that vendors self-certify whether they provide covered telecommunications equipment in their quotations. Id. (citing FAR 4.2105, mandating the insertion of FAR clauses 52.204-24, Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment; 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment; and 52.204-26, Covered Telecommunications Equipment or Services-Representation in the solicitation). The VA maintains that the contracting officer here reasonably relied on AATD’s representation that it did not provide covered equipment or services. Id. (citing FAR 4.2103); see V3Gate AR, Tab 15, AATD Quotation, AATD Self-Certifications at 2.

Our Office has repeatedly explained that where an agency has no information prior to award that would lead to the conclusion that the vendor, or the product or service to be provided, fails to comply with the solicitation’s eligibility requirements, the agency can reasonably rely upon a vendor’s representation/certification of compliance. See, e.g., Kipper Tool Co., B-409585.2, B‑409585.3, June 19, 2014, 2014 CPD ¶ 184 at 5 (denying protest that agency could not reasonably rely on representations regarding compliance with the Trade Agreements Act); KNAPP Logistics Automation, Inc., B-406303, Mar. 23, 2012, 2012 CPD ¶ 137 at 4 n.1 (same, with respect to the awardee’s small business size certification); New York Elevator Co., Inc., B‑250992, Mar. 3, 1993, 93‑1 CPD ¶ 196 at 2 (same, with respect to compliance with the Buy American Act).

Based on our review of the record, we find no basis to sustain this protest ground. At the outset, we agree with the VA that upon receiving a self-certification from AATD, representing that the company did not provide or use covered equipment, the agency could rely on the veracity of that representation. Specifically, FAR clause 52.204-26 mandates that a vendor should review the excluded entities list in the SAM, and then self-certify compliance with the prohibited telecommunications regulations. Further, FAR section 4.2103 provides that the contracting officer may rely on vendors’ “does not” or “will not” “representation(s) [included in FAR clauses 52.204-24 or 52.204-26], unless the contracting officer has reason to question the representation.” FAR 4.2103(a)(1)(i), (2)(i).

Here, there were no concrete indications that AATD was providing prohibited telecommunication equipment. In fact, V3Gate does not claim--nor can it--that Lenovo is subject to any exclusion listing. Rather, the protester asserts that, in light of the “well-known connection between Lenovo and the Chinese Government,” the VA should have investigated the truthfulness of AATD’s representation that its quoted products were not prohibited telecommunications equipment. V3Gate Comments & Supp. Protest at 11.

We see no merit to the protester’s contentions. While the protester cites to a number of publications, including a 2019 Department of Defense Inspector General report and the 2015 cybersecurity alerts issued by the Department of Homeland Security, which warn of cyberespionage risks associated with Lenovo products, there is no evidence that the contracting officer was aware of these sources or should have been. Accordingly, we do not find that this information gave rise to an obligation to investigate AATD’s FAR clauses 52.204-24 and 52.204-26 representations.

Nor do we agree with V3Gate’s allegation that the contracting officer was required to investigate “whether or not the Secretary of Defense . . . belie[ves that Lenovo was connected to the government of China, by] contacting the [Department of Defense] or reviewing other published lists of such published entities.” V3Gate Comments & Supp. Protest at 12; see also Protest at 12. We find no such a requirement in the existing regulations. This protest ground is denied.

 

A contracting officer's reliance on an offeror's self-certification in these circumstances is entirely reasonable.

But the OP might be asking from the offeror's perspective, which is different from the contracting officer's perspective.  An offeror needs to do what FAR 52.204-24/25/26 asks for.


I thought I found the answer, but now I'm not sure. FAR 4.2102(d)(1) says that the 5 entities and their known subsidiaries will be recorded in SAM. 4.2102(d)(2) says that entities identified by the SecDef will be recorded in SAM. Great, the lists should be in SAM.

Not so fast. There don't appear to be any lists. Instead you have to either search for an excluded party, or you can download a list of all excluded parties. If you are looking for a list of subsidiaries of Huawei, ZTE, et al, good luck. You can't search for a name you don't know. If you download the entire list, it is almost 150,000 entries long. If you want only those subject to the telecom prohibition, again good luck. The only choices for the type of exclusion are "ineligible", "Prohibition/restriction", or "voluntary exclusion." 

Furthermore, I doubt the spreadsheet has all the subsidiaries. The last list I saw had 20-30 entries for Huawei, and the SAM spreadsheet only has 6 or 7. And who can tell whether it has the entities designated by the SecDef.

If anyone knows where the lists are buried in SAM (as required by 4.2102(d)), let us know. Otherwise, back to square one.


3 hours ago, ji20874 said:

Yes.  "[W]here an agency has no information prior to award that would lead to the conclusion that the vendor, or the product or service to be provided, fails to comply with the solicitation’s eligibility requirements, the agency can reasonably rely upon a vendor’s representation/certification of compliance."

From the GAO case provided by Carl--

Relying on a self-certification in these circumstances is entirely reasonable.

And entirely stupid.

ji, I was fully aware of the GAO case. I quoted from it.

If the US is truly, deeply concerned about “Cybersecurity”, they wouldn’t rely upon self-certification by anybody, which apparently means that they don’t know who the constantly changing subsidiaries of the five listed firms are.

Fara Fasat rightfully wonders and is reasonably concerned where or if the US is tracking and/or listing subsidiaries.

Cybersecurity is critical, not to be trifled with.

Bureaucracy at its lowest.

My opinion. 


13 hours ago, ji20874 said:

Relying on a self-certification in these circumstances is entirely reasonable.

Relying on self-certification is hollow, bureaucratic B.S. in these circumstances (Cybersecurity). It’s a gaping security hole.

I wonder what the new US Cyber Command would think of relying on contractor self-certification concerning their sources - especially when everyday government offices can’t even find a database of affiliates of the “big five”. 

19 hours ago, joel hoffman said:

Relying upon an offeror’s self certification is like burying your head in the sand. 

My opinion.

Maybe we need to rely more on ARTIFICIAL intelligence (AI) to seek out and maintain a current list of affiliates of banned companies if it is too much trouble for a government employee to do it.


1 hour ago, Don Mansfield said:

@joel hoffman,

What do you expect a contracting officer to do? It seems like Fara Fasat is trying hard to do more than just rely on a self-certification, but is getting nowhere. 

@Don Mansfield, I’m on @Fara Fasat’s side!  I commend him/her for his/her concerns and efforts. I probably would have done something similar if I was still working - especially concerning cybersecurity in today’s world situation.

I learned from my boss 45 years ago not to rely on or trust certifications. It’s the system here that sucks.

I don’t agree with a statement that relying on a certification** concerning cybersecurity is “entirely reasonable”.

You go, Fara!!!
 
**especially from the business (sales) side of a firm. My consulting firm owner would NEVER accept a certification from the business side of a firm.


6 hours ago, Fara Fasat said:

Carl - you keep posting that

Yes I did, but the second post was in direct response to your question as to whether the list was DoD created? In my first post I posted the "list"; in my second post I posted the press release link that provided it. Sorry it frustrated you but I simply answered your question!

I would also provide, while you may disagree that the list is not Section 889 generated, others do. Reference - https://www.pilieromazza.com/dod-releases-new-list-of-section-889-banned-entities/

6 hours ago, Fara Fasat said:

*sigh* yes and again it is not relevant.

I will again leave you to your belief but my read and research suggests otherwise.  The reference CFR states that FCC's list includes "...Equipment or service being covered telecommunications equipment or services, as defined in section 889(f)(3) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115–232; 132 Stat. 1918); or A specific determination made by an appropriate national security agency;..."  Seems relational to me.

As I have followed and posted to the thread I have the feeling expressed by others.  You are trying too hard to find a "list" of subsidiaries and affiliates and what is before you is it!


4 hours ago, Fara Fasat said:

Great, the lists should be in SAM.

My research suggests that it is inclusive of the excluded parties list in SAM.gov.   I am not going to take time to research whether all names on the lists I have referenced for you are therefore excluded parties but I suspect they are.   So again why worry up front?   A contractor is advised to review excluded parties.   And the government shall do the review for a contract to award.  If you are doing presolicitation research and hear of a firm of concern do the same.   And if you are worried about a sub do the same.

Reference - https://sam.gov/opp/b2ce0b6998b64976a935e7d5510397bd/view

"Offeror shall review the list of excluded parties in the System for Award Management (SAM) (https://www.sam.gov) for entities excluded from receiving federal awards for covered telecommunications equipment or services."


To attempt to effectively comply with the Section 889 ban, it would seem that solicitations for telecommunications equipment or services should also require the proposers to identify all sources and specifically check SAM and specifically affirm that each source is not a disqualified firm in SAM.

The ban includes using any banned sources of equipment, services or systems/programs in a firm’s own business operations. I think it’s an unrealistic (unstated) expectation for a (all) prospective federal bidder, offeror, contractor to inventory every service or telecommunications device, then search SAM to determine compliance, then certify compliance with the ban.

If the Section 889 ban is truly a nationally important imperative, then similar to a performance specification, two simple certification check boxes don’t really make any sense without some substantiation requirement to verify that the proposer has actually cross-checked SAM for each equipment or service source.

As President Ronald Reagan learned, then proclaimed: “Trust but Verify”. *
 

*The Russian proverb “doveryai, no proveryai (доверяй, но проверяй)” means 'trust, but verify'.

https://en.m.wikipedia.org/wiki/Trust,_but_verify

Edited by joel hoffman

57 minutes ago, joel hoffman said:

To attempt to effectively comply with the Section 889 ban, It would seem that solicitations for telecommunications equipment or services  should also require the proposers to identify all sources and specifically check SAM and specifically affirm that each source is not a disqualified firm in SAM.

I am confused.  Does not 52.204-26 require this?  Onerous or not I think the message of the requirement to check is clear.


5 hours ago, C Culham said:

I am confused.  Does not 52.204-26 require this?  Onerous or not I think the message of the requirement to check is clear.

Yes, you are confused.

I’m proposing that the bidder/offeror/proposer provide substantiation beyond simply a certification X’d/checked box. That’s not verifiable.

They are already required to review SAM for each proposed source or supplier. To me then it should be no more onerous to identify/list them in their proposal and confirm that they specifically reviewed SAM.

I wrote performance specs during my career. Performance specifying should always include means of  “substantiation” (verification).

The same concept would seem prudent here - particularly since this is an important NATIONAL Cybersecurity issue. Fara Fasat has raised real concerns…

However, I don’t know any reasonable or practical way for either the company or the government to verify that the firm doesn’t have any prohibited sourced items or services in their own company operations.


For gosh sakes Carl, that list you keep posting is for a different NDAA and is a different requirement. It is not, repeat, NOT, a list of entities covered by section 889 of the 2019 NDAA. Piliero made the same mistake. Their article claimed it was an 889 list, but then they link to a list whose title clearly states: "Entities Identified as Chinese Military Companies Operating in the United States in Accordance with Section 1260H of the William M. ("Mac") Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116-283)." The title alone gives it away.

As for the FCC list, it just names the 5 companies (Huawei, ZTE, et al). Unless it is buried somewhere else, I do not see a list of all the subsidiaries and affiliates of those companies.

At this point, I think the only thing a company can do is go through its ERP system, identify all entities it has bought telecommunications equipment from, and then search for those companies in SAM. However I will add that I am not at all confident that all prohibited entities are entered in SAM. In addition, if the SecDef has designated (under FAR 4.2101) additional entities, is it that hard to make that list available on a DoD website, maybe DCMA or DLA?
