Non-Tariff Supply-Chain Restrictions on IT/Telecom Products and Services (Part 1 of 3: Supply-Chain Rules Under DFARS Subpart 239.73)

In the ongoing trade war between the U.S. and China, the U.S. Government’s Section 301 tariffs on Chinese-origin goods has received most of the attention, and rightfully so. Effective September 1, 2019, these tariffs generally impact all Chinese-origin goods imported into the United States, including all information technology and telecommunications equipment (“Equipment”). However, there have also been a number of recent developments in U.S. law, relating to non-tariff restrictions on foreign-origin Equipment, with a particular focus on Chinese-origin products. This is the first installment of a three-part series on this topic. The purpose of this series is to provide a summary of several developments impacting U.S. IT and telecom enterprises.

First on the list, the Defense Federal Acquisition Supplement (“DFARS”) has contained the supply-chain rules contained at DFARS Subpart 239.73, and related Clauses 252.239-7017 and 252.239-7018, since November 18, 2013. These rules were scheduled to expire on September 30, 2018. On September 19, 2018, the Department of Defense (“DoD”) issued a Class Deviation (the “Class Deviation”) that removed the sunset provision and made these rules permanent, while not amending the substance of the rules. Most recently, DoD issued a final rule, effective February 15, 2019, that amended the DFARS consistent with the Class Deviation.

What These Rules Apply to:

These rules, which are embodied in DFARS Clauses 252.239-7017 and 252.239-7018, apply to all DoD procurements of “information technology” that is either (i) a “covered system,” (ii) a part of a “covered system,” or (iii) in support of a “covered system.”

Key Definitions:

The important definitions are as follows:

“Information technology” is defined to mean “any equipment, or interconnected system(s) or subsystem(s) of equipment, that is used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.”

And “covered system” is defined to mean “any national security system,” which includes all information systems/networks that are used to store classified information, as well as:

“any telecommunications system, used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—

(1) The function, operation, or use of which—

(i) Involves intelligence activities;

(ii) Involves cryptologic activities related to national security;

(iii) Involves command and control of military forces;

(iv) Involves equipment that is an integral part of a weapon or weapons system; or

(v) Is critical to the direct fulfillment of military or intelligence missions but this does not include a system that is to be used for routine administrative and business applications, including payroll, finance, logistics, and personnel management applications.”

Finally, “supply chain risk” is defined to mean “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.” Note that neither China nor any other country is identified by name here. But, as discussed in the later installments of this article, the U.S. Government is obviously very concerned about Chinese-origin products/services being used in U.S. data infrastructure, and presumably would be more likely viewed as a “supply chain risk.”

The Clauses

With these definitions as background, DFARS Clause 252.239-7017 authorizes the procuring DoD agency to consider information relating to an offeror’s supply chain in the agency’s evaluation of the offeror’s bid/proposal—i.e., in the procurement decision. This Clause specifically authorizes the agency to consider both public and non-public information, including “all-source intelligence,” on the offeror’s supply chain. Moreover, if the Government exercises its statutory authority (10 U.S.C. § 2339a) to limit disclosure of any such information, the decision will not be subject to review in a bid protest.

DFARS Clause 252.239-7018 adds the obligation for the offeror/contractor to “mitigate supply chain risk in the provision of supplies and services to the Government.” No additional clarification is provided regarding the contractor’s duty to mitigate risk. However, contractors should exercise all reasonable diligence here, as a contractor’s failure to adequately “mitigate supply chain risk” during contract performance could potentially be used by the Government to support a termination for default or a negative past performance review.

Finally, these DFARS Clauses are not mandatory flow-downs to subcontractors. However, given DoD’s purpose to regulate “supply chains” for these products, prime contractors should flow these down.