NDAA 889 Guideline

Overview

The National Defense Authorization Act Section 889 (NDAA 889) prohibits executive agencies from entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, on or after August 13, 2020, unless an exception applies or a waiver is granted.

OU, as a recipient of federal funding, is required to certify compliance with NDAA 889.

OU IT's Response

The Office of Information Technology, along with other University departments, has been conducting a reasonable inquiry to ensure that OU complies with the new federal requirements. This includes:

  • Confirming that specific restricted companies are NOT registered in an OU IT Vendor list.
  • Adding appropriate contract language and FAR clause(s) for vendor agreements.
  • Sharing communications (such as this one) broadly across the University.
  • Using a network device registration process that confirms the manufacturer.
  • Running recurring network scans to identify prohibited equipment.

Prohibited Equipment

Covered telecommunications equipment or services are defined as:

  1. Telecommunications equipment produced by:
    1. Huawei Technologies Company,
    2. ZTE Corporation, or
    3. Any subsidiary or affiliate.
  2. Video surveillance and telecommunications equipment produced by:
    1. Hytera Communications Corporation,
    2. Hangzhou Hikvision Digital Technology Company,
    3. Dahua Technology Company, or
    4. Any subsidiary or affiliate.
  3. Telecommunications or video surveillance services provided by such entities or using such equipment.

Below is a list of products commonly manufactured by these companies:

  • Huawei: mobile phones, laptops, routers, and switches
  • ZTE Corporation: mobile phones, mobile hotspots, and network equipment, including routers and switches
  • Hytera Communications Corporation: radio transceivers and radio systems
  • Dahua Technology Company and Hangzhou Hikvision Digital Technology: video surveillance products and services

How Can You Help

We are asking all faculty, staff, and administrators to be aware of these restrictions and to be mindful when planning a purchase in which telecommunications equipment or services are to be acquired. 

Please work with GRC when planning these purchases to identify appropriate vendors. Also, be sure to monitor pCard purchases.

Frequently Asked Questions

  1. My department, office, or lab is not funded by the U.S. Government. Do the prohibitions against using covered telecommunications equipment or services apply to my work at the University?

Yes, the prohibition on using covered telecommunications equipment or services applies regardless of whether the use is in performance of work under a Federal contract.

  2. If I have a personal cell phone that is covered telecommunications equipment (e.g. a Huawei phone), may I continue to use it?

You must not use the cell phone for University work, including checking email.  However, you may use the cell phone for personal use.

  3. Does it matter if the equipment or service being used was purchased prior to the effective date of these laws/regulations?

No, the prohibition on use of covered telecommunication equipment or services applies regardless of when the equipment was purchased or when the services were initiated.

  4. How will OU know if we are buying or using these devices?

OU Procurement will monitor purchase requests and pCard exception requests for vendors or manufacturers identified as Prohibited. OU IT will monitor network device registration forms and recurring network discovery scans to identify manufacturers identified as Prohibited. GRC, as part of the System Security Assessment, will evaluate technology purchases for compliance.

  5. What if I purchase the device with a pCard?

OU Procurement will monitor pCard exception requests for vendors or manufacturers identified as Prohibited.

  6. What products contain Prohibited components?

There is no definitive list of products incorporating prohibited technology, but if there were, it would be a very long list. The Prohibited manufacturers produce consumer goods (phones, tablets, laptops, smart watches), telecommunications equipment, and 5G technology. The primary products to be on the lookout for are those that incorporate cellular, 5G, WiFi, and/or Bluetooth communications technology.

  7. What if I’m a service provider? How does this apply to me?

If you are a service provider, do not provide prohibited technology in support of your services. For example, a department providing video surveillance monitoring needs to be sure it is not using surveillance cameras that incorporate prohibited technology. Similarly, a clinic providing medical services to veterans will have to be sure it is not using health monitors that incorporate prohibited technology.

  8. Who do we need to notify if we are using or purchasing these devices?

Should questions arise related to potential purchases or vendors, please reach out to OU Procurement.  For questions related to the interpretation of the regulations or to report the use of prohibited equipment, please contact GRC@OU.EDU.

Details

Article ID: 3159
Created: Wed 12/20/23 11:07 AM