There’s an often mistranslated Taoist adage that counsels “A journey of a thousand miles begins with a single step.” So it is presently with the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC), which continues its cybersecurity journey with the recently released update of standard CMMC .6.
In a rule published and effective October 9, 2019, China’s key manufacturers of video surveillance products have been added to the Bureau of Industry and Security (BIS) Entity List by an interagency End-User Review Committee (ERC) comprised of representatives of the Departments of Commerce, State, Defense, Energy and, where appropriate, Treasury. The Entity List (15 CFR, Subchapter C, part 744, Supplement No. 4) identifies entities believed to be involved, or to pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.
Our July article forecasted that additional Chinese companies would be added to the Entity List this year. There are now some 200 entries, not including subsidiaries, under the mainland China section of the Entity List. China, accounting for over 15.7% of the U.S. total trade in goods in fiscal year 2018 according to the Census Bureau, has become a veritable minefield for U.S. exporters in the high technology sector.
These additions essentially mean that all exports to the listed entities that are subject to the Export Administration Regulations (EAR) (15 CFR §§730-774) will require a license and, further, that such a license application will likely be denied. Specifically, BIS imposes a license requirement for all items subject to the EAR and a license review policy of case-by-case review for Export Control Classification Numbers (ECCNs) 1A004.c, 1A004.d, 1A995, 1A999.a, 1D003, 2A983, 2D983, and 2E983, e.g. protective and detection equipment and software employed to enable such equipment. BIS will also apply a policy of case-by-case review to items designated as EAR99 that are described in the Note to ECCN 1A995. Finally, BIS has adopted a license review policy of presumption of denial for all other items subject to the EAR.
What Triggered the Rule?
The ERC determined that the Xinjiang Uighur Autonomous Region (XUAR) People’s Government Public Security Bureau, eighteen of its subordinate municipal and county public security bureaus, and one subordinate institute engage in activities contrary to the foreign policy interests of the United States. Eight commercial entities are believed to be enabling activities contrary to the foreign policy interests of the United States. On the whole, these entities are implicated in human rights violations and abuses in connection with China’s campaign of repression, mass arbitrary detention, and high-technology surveillance of Uighurs, Kazakhs, and other members of Muslim minority groups in the XUAR.
Screen Your Customers Immediately
In addition to Hikvision and Dahua, several other artificial intelligence (AI) and facial recognition firms relevant to the video surveillance space were added to the list, including IFLYTEK; Megvii Technology; Sense Time; Xiamen Meiya Pico Information Co. Ltd.; Yitu Technologies; and Yixin Science and Technology Co. Ltd. This action will have an immediate and lasting impact on both U.S. and non-U.S. companies that engage in business with the aforementioned companies. A license is now required, and will likely be denied, for the sale or transfer of any hardware, software, or technology subject to the EAR, irrespective of the situs of such a transaction. As noted above, certain items and technology related to the detection of or protection from chemical, radioactive, and biological agents will be reviewed on a case-by-case basis.
What Items Are Impacted?
This listing impacts the sale or transfer of any items subject to the EAR, which include:
- All U.S.‑origin items wherever located in the world;
- Any item exported from the United States (even if it is not of U.S. origin);
- Any foreign-made item that contains more than 25% controlled U.S.-origin content (the “de minimis rule”); and
- Any foreign-made item that is the direct product of certain controlled U.S.-origin software, technology, or major plant or equipment located abroad.
It is unlikely that BIS will issue any reprieve in the form of a temporary general license to alleviate the economic impact on the U.S. suppliers affected by this rule. Therefore, it is crucial for industry to obtain the necessary guidance with regard to the de minimis rule. Product-specific origin and value review analysis should be conducted with experienced trade counsel prior to engaging in any transactions with the listed entities, whether from the United States or operations abroad.
So you want to acquire a government contractor? Makes sense, and you’re not alone. Over the past few years, the federal contracting landscape has continued to evolve as a result of mergers and acquisitions (M&A), primarily involving the acquisition of small and midsize contractors by larger entities as a means to quickly expand into new federal markets. This trend is especially prevalent in the information technology (IT) market, where the acquisition of small or midsize IT firms with new capabilities can provide larger firms with shiny new toys to share with their roster of government clients to gain a larger share of the federal IT “pie,” if not create—almost overnight—new IT market leaders in areas such as cloud computing, cybersecurity, software, and predictive intelligence.
On August 6, 2014, plaintiff-relator Andrew Scollick filed a complaint in the United States District Court for the District of Columbia against eighteen defendants for multiple violations of the False Claims Act (“FCA”) in connection with an alleged scheme to submit bids and obtain millions of dollars in government construction contracts by fraudulently claiming or obtaining service-disabled veteran-owned small business (“SDVOSB”) status, HUBZone status, or Section 8(a) status, when the bidders did not qualify for the statuses claimed. United States ex rel. Scollick v. Narula, et al., No. 14-cv-1339 (D.D.C.). Unique in this case were not the claims against the contractors, who were alleged to have falsely certified their status or ownership. Rather, what set this case apart was that Scollick also named as defendants the insurance broker who helped secure the bonding that the contractor defendants needed to bid and obtain the contracts, and the surety that issued bid and performance bonds to the contractor defendants. Scollick alleged that the bonding companies “knew or should have known” that the construction companies were shells acting as fronts for larger, non-veteran-owned entities violating the government’s contracting requirements—and thus the bonding companies should be held equally liable with the contractors for “indirect presentment” and “reverse false claims” under the FCA.
As the frequency and sophistication of existential threats to national security over the past decade have drastically increased, the United States’ reliance on software to identify threats, rapidly share information, and manage its military resources has increased. Accordingly, the federal government’s ability to timely develop, procure, and deploy software to the field has been—and continues to be—a critical component of national security. Notwithstanding the growing importance of software to national security, the Department of Defense (DoD) software-acquisition process mirrors the lengthy, inflexible process typically reserved for the acquisition of major weapon systems. As a result, the DoD’s software development and acquisition cycles are significantly longer than their commercial counterparts, thus affecting the DoD’s ability to deliver timely solutions to users and rapidly respond to urgent threats.
The Trump administration’s focus on enhancing “Buy American” requirements in federal procurement took a leap forward on July 15, 2019, with the issuance of an Executive Order (EO) on Maximizing Use of American-Made Goods, Products, and Materials. Unlike the administration’s previous executive orders – Executive Order 13788 of April 18, 2017 (Buy American and Hire American) and Executive Order 13858 of January 31, 2019 (Strengthening Buy American Preferences for Infrastructure Projects) – this EO contains instructions to the FAR Council to change regulations that have been in place since the Eisenhower administration, tightening restrictions on acquiring foreign end products. In particular, the EO makes dramatic changes to the domestic origin requirements for iron and steel products.
As DOD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and planned updates to NIST publications, but also weigh those efforts against Defense Contract Management Agency’s (DCMA) auditing efforts, the revised Contractor Purchasing System Review (CPSR) Guidebook, and the new Cybersecurity Maturity Model Certification (CMMC) program. Information on how these efforts align along with practical guidance for weathering these changes can be found at Part 1 accessible here and Part 2 accessible here.
DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provided much-needed guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. The Feature Comment addresses certain changes to the NIST, the auditing effort underway by DCMA, and the Cybersecurity Maturity Model Certification (“CMMC”) program that will likely be implemented by DOD in the coming months.
Part 1 can be accessed here
As we stated last month, further restrictions are afoot on the use of Chinese technology in federal acquisitions. An Interim Rule issued by the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) (collectively, the “FAR Council”) implements the first phase of Section 889 of the FY2019 National Defense Authorization Act (NDAA). The Interim Rule, effective August 13, 2019, broadly prohibits federal agencies, federal contractors, and grant or loan recipients from procuring “covered telecommunications equipment or services” produced by Huawei Technologies Company and ZTE Corporation and, with respect to certain public safety or surveillance applications, Hytera Communications Corporation, Dahua Technology Company, and Hangzhou Hikvision Digital Technology Company. In particular, federal suppliers are prohibited from sourcing “substantial or essential component of any system, or as critical technology as part of any system” from the foregoing companies.
Changes to the Federal Acquisition Regulation’s (FAR) small business subcontracting rules have been slow in coming, but the FAR Council is finally catching up with the Small Business Administration (SBA) in making regulatory modifications to implement a few changes intended to help prime contractors reach their small business subcontracting goals as required by Section 1614 of the National Defense Authorization Act of 2014 (2014 NDAA). Specifically, the changes focus on aiding prime contractors possessing an individual subcontracting plan for a contract with a single executive agency. Now, in such instances, the prime contractor will receive credit toward its subcontracting goals for awards made to small business concerns employed at any tier by subcontractors through their respective subcontracting plans. This should be helpful news to prime contractors.