With major concerns about IP theft and cyberattacks spreading through the government contracting world, government supply chain security has never been more important.
During a recent conversation with Roger Waldron, president of the Coalition for Government Procurement, we learned more about two crucial rules gaining a lot of steam and how they impact resellers who contract with government agencies.
For those who don’t know, what is NDAA 889?
Section 889 of the FY19 National Defense Authorization Act (NDAA) generally bars government agencies from buying telecommunications equipment and services from Huawei, ZTE, and their subsidiaries and affiliates, as well as video surveillance and telecommunications equipment and services from three other Chinese manufacturers (Hytera Communications Corp., Hangzhou Hikvision Digital Technology Company and Dahua Technology Company, together with their subsidiaries and affiliates).
The rule was put in place to reduce the risk of cyberattacks and of information and intellectual property theft by foreign adversaries through equipment embedded in government and industry networks.
The statute has two parts. Under Part A, agencies may not procure the covered equipment or services, and by regulation (FAR 52.204-24 and 52.204-25) offerors must tell the government whether they and/or their subcontractors will supply covered products or services in performing a contract. Under Part B, the government cannot contract with an entity that itself uses covered equipment or services as a substantial or essential component of any system, whether or not that use is connected to a federal contract.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program that verifies a contractor's cybersecurity practices through an independent assessment rather than self-attestation. There are five levels of cybersecurity "maturity," and a contractor's level is certified by an independent CMMC Third-Party Assessor Organization (C3PAO). Contractors pay for the assessment and certification, and a certification is valid for three years.
Contractors (resellers) that process, store, or transmit Controlled Unclassified Information (CUI) must achieve Level 3 or higher. CMMC requirements will begin appearing in selected solicitations in early 2021, with full implementation anticipated by Oct. 1, 2025. Certification is not required at the time of bid, only at the time of award, so a reseller can bid in anticipation of being certified by award. The key point is that contractors will have to demonstrate compliance to a C3PAO, not simply assert it, and must pay for that assessment.
What do these regulations mean for resellers?
Section 889 uses vague language about the "use" of covered technology and services, and it is still being worked out how far that reaches into a reseller's own operations as opposed to the products it delivers on a government contract. Secondly, there is an ongoing obligation to monitor systems and to report any covered product or service discovered during contract performance, and the timeframes are tight: an initial report within one business day of discovery, followed by additional information, including the mitigation actions taken or planned, within ten business days. Finally, each offeror must conduct a "reasonable inquiry" for every offer it makes to the government and represent whether it uses covered telecommunications equipment or services. Together these requirements mean administrative burden, cost and risk for non-compliance.
Regarding CMMC, contractors (resellers) must pay for the third-party assessment, which may prove challenging, and because the assessment covers the systems that handle CUI, they will also have to rely on the compliance of the entities whose products they are reselling.
For more information on the impact of these government supply chain regulations, contact Ingram Micro's Public Sector team or Roger Waldron at the Coalition for Government Procurement.