For The Department of Defense, It Is Mandated
Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232) prohibits executive agencies from entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. The provision goes into effect August 13, 2020.
The statute covers certain telecommunications equipment and services produced or provided by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of those entities) and certain video surveillance products or telecommunications equipment and services produced or provided by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of those entities). The statute is not limited to contracting with entities that use end-products produced by those companies; it also covers the use of any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.
DoD, GSA, and NASA are amending the Federal Acquisition Regulation (FAR) to implement section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (Pub. L. 115-232).
Prohibited Vendor List
Telecommunications Equipment and Services
Statutory Basis: JOHN S. MCCAIN NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2019 (Public Law 115-232), Federal Acquisition Regulation (FAR) case 2018-026 and other Prohibited Vendors/Component Sources
- AVENTURA TECHNOLOGIES, INC. (GSA Contract Holder (GS-07F-0391V), Suspension period 12/23/19 – Present (litigation pending))
- Huawei Technologies Company
- Subsidiaries or Affiliates of Huawei
- ZTE Corporation
- Subsidiaries or Affiliates of ZTE Corporation
Video Surveillance and Telecommunications Equipment
Statutory Basis: JOHN S. MCCAIN NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2019 (Public Law 115-232) and Federal Acquisition Regulation (FAR) case 2018-026
- Hytera Communications Corporation
- Subsidiaries or Affiliates of Hytera Communications Corporation
- Hangzhou Hikvision Digital Technology Company
- Subsidiaries or Affiliates of Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company
- Subsidiaries or Affiliates of Dahua Technology Company
Software
Statutory Basis: National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91)
- Kaspersky Lab
In accordance with the authority in DoD Directive (DoDD) 5134.01 and the July 13, 2018 Deputy Secretary of Defense Memorandum, this issuance establishes policy and assigns responsibilities for management of materiel across the DoD supply chain.
The National Institute of Standards and Technology (NIST) estimates that 80% of malicious cyber intrusions happen via supply chains and that 98% of companies will be impacted by a supply chain breach. Two primary reasons make industrial supply chains the target of choice for cyber infiltrations.
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:
Section 1. Policy.
The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors. The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned. But cybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.
Sec. 2. Removing Barriers to Sharing Threat Information.
(a) The Federal Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems. These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on Federal Information Systems. At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies (agencies) that are responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC). Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed, and maintained by or for the Federal Government.
Sec. 3. Modernizing Federal Government Cybersecurity.
(a) To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
Sec. 4. Enhancing Software Supply Chain Security.
(a) The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of “critical software”—software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)—is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.
Sec. 5. Establishing a Cyber Safety Review Board.
(a) The Secretary of Homeland Security, in consultation with the Attorney General, shall establish the Cyber Safety Review Board (Board), pursuant to section 871 of the Homeland Security Act of 2002 (6 U.S.C. 451).
Sec. 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents.
(a) The cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting their systems vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies. Standardized response processes ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.
Sec. 8. Improving the Federal Government’s Investigative and Remediation Capabilities.
(a) Information from network and system logs on Federal Information Systems (for both on-premises systems and connections hosted by third parties, such as CSPs) is invaluable for both investigation and remediation purposes. It is essential that agencies and their IT service providers collect and maintain such data and, when necessary to address a cyber incident on FCEB Information Systems, provide them upon request to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.
The Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
The Office of Foreign Assets Control (OFAC) does not maintain a specific list of countries that U.S. persons cannot do business with.
Here’s why:
U.S. sanctions programs vary in scope. Some are broad-based and oriented geographically (e.g. Cuba, Iran). Others are “targeted” (e.g. counter-terrorism, counter-narcotics) and focus on specific individuals and entities. These programs may encompass broad prohibitions at the country level as well as targeted sanctions. Due to the diversity among sanctions, we advise visiting the “Sanctions Programs and Country Information” page for information on a specific program.
OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”) has approximately 6,300 names connected with sanctions targets. OFAC also maintains other sanctions lists which have different associated prohibitions.
Many individuals and entities often move internationally and end up in locations where they would be least expected. Accordingly, U.S. persons are prohibited from dealing with SDNs regardless of location and all SDN assets are blocked. Entities that an SDN owns (defined as a direct or indirect ownership interest of 50% or more) are also blocked, regardless of whether that entity is separately named on the SDN List.
Because OFAC’s programs are dynamic, it is very important to check OFAC’s website regularly. Ensuring that your sanctions lists are current and you have complete information regarding the latest relevant program restrictions is both a best practice and a critical part of your due diligence responsibility.
For additional information about sanctions and OFAC, please take a look at our Frequently Asked Questions.