C-SCRM Criteria for Section 889: What GSA Contractors Need to Know
To safeguard national security and protect sensitive information, the federal government has procurement restrictions regarding Information Technology (IT) services and products. Any company that sells IT goods or services to the federal government must abide by these requirements, including GSA Multiple Award Schedule (MAS) contract holders. These procurement regulations are fast-evolving compared to other facets of government acquisition because of the shifting nature of technology and cyber threats. There are some buzzwords floating around that you may have heard, such as “covered telecommunications” and “C-SCRM.”
If you are a current or prospective contract holder wanting to know more about these concepts or IT procurement guidelines in government contracting, this blog is for you.
What is Section 889?
Section 889 is a collection of regulatory guidelines issued in the John S. McCain National Defense Authorization Act of 2019, and is also found within the Federal Acquisition Regulation (FAR). It prohibits the federal government from procuring “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” These regulations also extend to contractors of the federal government. Federal buyers are prohibited from awarding contracts to an entity that uses covered telecommunications in its performance of contract work.
Federal contractors are required to do their due diligence to ensure the goods they provide don’t contain covered telecommunications. Service providers are also required to abide by Section 889 regulations by ensuring that they don’t use covered telecommunications in the work they perform for the federal government.
What Does “Covered Telecommunications” Mean?
Covered telecommunications is defined in another arm of FAR, Section 52.204-25. It includes any “telecommunications or video surveillance technology,” meaning any kind of IT product produced by specific foreign countries (see the full list in Section 52.204-25), or by another unspecified entity that the federal government reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country. As of right now, “covered foreign countries” include Russia, Iran, North Korea, and China.
Are Covered Foreign Countries and Non-TAA Compliant Countries the Same?
The Trade Agreements Act (TAA) of 1979 was enacted to foster fair and open international trade, and it implements the requirement that the U.S. government may only acquire U.S.-made or designated end products. As such, there is a list of designated, or TAA-compliant, countries that the federal government can procure goods from, and a list of non-compliant countries that it can’t procure goods from. While every defined covered foreign country is currently also a TAA non-compliant country, they’re not the same thing. Covered foreign countries are identified as such for national security reasons, and not every TAA non-compliant country is a covered foreign country.
What is C-SCRM and What Does it Have to Do With Section 889?
“C-SCRM” stands for Cybersecurity Supply Chain Risk Management. Within the context of Section 889, it’s sometimes also referred to as the more general “SCRM.” It’s the management of technology-related risks in all phases of the acquisition lifecycle and at all levels of the supply chain.
C-SCRM has been a focal point in how contractors ensure their offered goods and services are not considered covered telecommunications, because it’s not always obvious that an IT product, or a component of it, originated from a “covered” source.
GSA released a C-SCRM acquisition guide for federal buyers and contractors in 2024, in which the agency describes how federal buyers should incorporate C-SCRM into their procurement activities and documents, from Requests for Information (RFIs) to the contract Statement of Work (SOW). It also calls out programs through which federal buyers can acquire C-SCRM-specific and/or related products, services, and solutions, such as the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) on the GSA MAS program, among other SINs.
So, what can we take away from this information? As a current or prospective federal contractor, expect to see C-SCRM become a bigger part of the acquisition process across the board, especially in the IT sector. To stay competitive in the federal marketplace, you’ll need to make sure your company has incorporated C-SCRM and other cybersecurity standards, such as CMMC or FedRAMP, into your quality control procedures and bid processes.
Need Help Keeping Up with Evolving Security Requirements?
The federal government is constantly making changes to its guidelines around technology acquisition to keep up with emerging security threats. If you’re a contractor in the federal market, it can be a lot of work to make sure your practices and supply chain reflect the most current guidelines surrounding cybersecurity. However, it will pay back in spades when you can quickly and competitively bid on government RFPs with stringent C-SCRM requirements. There are a few resources that can help you stay abreast of this evolving landscape.
Along with GSA’s 2024 C-SCRM guide, GSA MAS contractors can review the most recent solicitation publications to better understand the requirements for all contractors, and for those within the IT large category.
Proposed changes to FAR rules can be found in the Federal Register; having this as a resource can help you stay ahead of the game on changes to federal procurement.
Finally, subscribing to Winvale’s blog and monthly government contracting newsletter can provide timely insights into changing cybersecurity regulations. If you have any questions about keeping your contract up to date, or you’re preparing a GSA MAS contract proposal and want help with Section 889 regulations, reach out to one of our consultants today.