This week, the FAR Council issued an interim rule implementing Section 889(a)(1)(A) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which prohibits contracting for certain telecommunications and video surveillance services or equipment from certain Chinese entities or affiliates (or those found to be connected to China). The interim rule demonstrates that, in connection with the e-commerce initiatives under Section 846 and other agency “pilots,” the market and the risk environment continue to evolve. Although these changes represent challenges for GSA and other agencies, they also present an opportunity for them to take time to address outstanding issues and reconcile their programs with existing law.
Among other things, the rule bars agencies from procuring, obtaining, or extending or renewing a contract to procure or obtain equipment or a system, or service that uses telecommunications equipment or services of certain Chinese entities “as a substantial or essential component of any system, or as critical technology as part of any system… .” Contractors are not barred from providing services connected to third-party facilities, like backhaul, roaming, or interconnections arrangements; nor are they barred from providing telecommunications equipment “that cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles.”
The interim rule’s restriction is implemented via a new contract clause, and it must be flowed down to subcontractors. Offerors must submit with their proposals representations about whether they will provide covered telecommunications equipment or services, and, if so, they must detail what will be provided. Further, the new rule requires representations both at the contract level and for individual orders under indefinite delivery contracts. This requirement includes orders under pre-existing indefinite delivery contracts where performance will occur on or after August 13th (e.g., orders under the Federal Supply Schedules).
Significantly, the FAR Council and the OFPP Administrator determined that the rule applies to acquisitions of commercial items, including COTS, as well as purchases at or below the Simplified Acquisition Threshold. The interim rule identified “an unacceptable level of risk for the Government” associated with these purchases, and it specifically stated,
[t]his level of risk is not alleviated by the fact that the equipment or service being acquired has been sold or offered for sale to the general public, either in the same form or a modified form as sold to the Government …, nor by the small size of the purchase … .
This week, GSA issued a class deviation addressing Section 889 implementation for GSA contracts. For all existing and new GSA contracts, the representation is required. The deviation takes a “risk-based” approach to applying the representation requirements, with the deviation applicable as the risk of use of covered equipment and services decreases. The deviation does not apply to high risk procurements, meaning representations are required at the contract and order level. (e.g., Networx, Alliant, and certain Schedule contracts). For medium risk procurements, the deviation only requires a representation at the contract level, unless the CO determines the potential for IT or communication technology to be involved requires representation at the order level (e.g., OASIS). The deviation applies to low risk procurements (i.e. representation only at the contract level), unless, again, the CO determines a potential for the use of IT or communication technology. Low risk contracts include the “vast majority” of FSS contracts that do not involve that technology.
The deviation does not mention implementation of e-commerce pursuant to Section 846, which may be rooted in the fact that a contract has yet to be awarded. The disconnect between the increasing supply chain and contract issues of that and other e-commerce “pilots,” however, will have to be addressed.
In its Section 846, Market Research and Consultation Report (the Phase II Report), GSA touched on supply chain risk considerations. GSA stated, in part, that, under the proof of concept, orders will be limited to values below the Micro-Purchase Threshold (MPT) because, “[b]y keeping purchases below this threshold, risk is reduced while maximizing the opportunity to modernize the experience.” This approach, however, contradicts the determinations of the FAR Council and the OFPP Administrator set forth in the Section 889 interim rule, and thus, it needs to be addressed in any implementation of Section 846.
The increased security concerns reflected in the interim rule suggest that it is time to reexamine the suitability of IT products offered, as well as the mechanisms used to purchase those products, under the Section 846 and other e-commerce “pilots.” GSA’ s e-Marketplace “Proof of Concept” draft CPI solicitation requires that order click-through text include a statement that order submission through the platform “creates a contract … between the provider of the item being purchased (Seller) and the Federal agency purchaser (Agency).” It is not clear how the representation requirements of the interim rule will be applied in this context, or, for that matter, in the context of other e-commerce portals that are being “piloted” without competition in some agencies.
Further, in its Phase II Report, GSA stated that it anticipates leveraging the supply chain risk practices that “commercial e-commerce portal providers already possess.” It stated that, from its conversations with those providers, it
…learned many already institute supply chain protection practices to address existing issues[,] such as counterfeit items, given such concerns are also important to their commercial business.
If such is the case, then it stands to reason that, as a matter of contract performance, an e-commerce solution provider should be required to implement restrictions on its very own platform to assure that non-compliant products are not offered for sale. Alternatively, the “Information technology or communication technology” identified by GSA in its deviation, as well as other sophisticated and/or critical products, like healthcare products, just may not be suitable for inclusion in GSA’s e-marketplace “Proof of Concept” as outlined in the recent draft CPI solicitation.
The Government has an opportunity to assess commercial solutions to the foregoing challenges by expanding its Proof of Concept beyond the e-Marketplace model (consistent with Section 846’s intent) to include e-Commerce and e-Procurement portals and their approach to facilitating cyber and supply chain security. Either way, GSA cannot avoid addressing e-Marketplace compliance with the interim rule, including how such provider networks are monitored; how warehousing and order fulfillment practices will be adjusted to assure that noncompliant products are not offered for sale; and what liabilities will exist for a breach here.
Clearly, as the market and the risk environment continue to evolve, concerns continue to arise. With these concerns, however, comes an opportunity for the Government. It can take the time to address challenges in a meaningful way, and thereby, it can improve the chances for program success. To this end, Coalition members offer their assistance as the Government sees fit.