Cybersecurity EO

Beyond the Headline: Examining the Biden Cybersecurity Executive Order

On May 12, 2021, the Biden administration released Executive Order 14028, “Improving the Nation’s Cybersecurity”, which implements new directives intended to strengthen the nation’s cybersecurity posture. Some industry observers describe the executive order (EO) as the foundation for a fundamental shift in how the nation prioritizes cybersecurity concerns. Notably, the EO is expected to send ripples across the private sector (particularly federal contractors) with an emphasis on spurring greater collaboration and transparency.

“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector and ultimately the American people’s security and privacy,” the order states. It goes on to note, “In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”

The first of many steps

President Biden touted the EO as “the first of many ambitious steps” to modernize the federal government’s cyber defense system. SolarWinds, Microsoft Exchange and the Colonial Pipeline incidents are three recent examples of exploited cyber weaknesses that resulted in significant consequences. The EO stresses that the federal government “must lead by example” while also highlighting ways that the private sector needs to tighten cybersecurity defenses.

At a high level, the executive order includes these steps:

  • Remove barriers between the government and private sector to allow for better communication and more complete sharing of potential threats and breaches
  • Implement stronger, more modern cybersecurity standards throughout the federal government
  • Establish a Cybersecurity Safety Review Board that is chaired by a combination of federal and private sector employees
  • Create a playbook to facilitate standardized responses to cyber incidents, both for the U.S. government and private businesses
  • Strengthen the government’s ability to detect cyber incidents
  • Improve investigative and remediation capabilities for federal departments and agencies

Protecting the software supply chain

Section 4: Enhancing Software Supply Chain Security is an important segment within the EO that should be understood in more depth. Given the recent string of significant cybersecurity attacks and the associated national security risks, federal contractors need to be aware of this section, in particular.

“The federal government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software,” the EO states. While the order emphasizes the security of “critical software,” the exact definition has yet to be announced.

Instead, the order directs the National Institute of Standards and Technology (NIST) to publish a definition of the term “critical software,” which the EO states “shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.”

Along with this definition, NIST is tasked with publishing further guidance that will identify practices enhancing the security of the software supply chain, such as establishing secure software development environments, employing automated tools for maintaining trusted source code supply chains and for detecting potential vulnerabilities, among other practices. Notably, in its guidance NIST will also include a provision requiring a Software Bill of Materials (SBOM).

Additionally, Section 4 of the EO sets the path for an ambitious timeline of a year filled with guidance to come from various agencies. Organizations should keep a close eye on guidance that is published in the next six months, while keeping May 12, 2022, in their sights. This date marks one year after the EO was published, when the Department of Homeland Security stated it will recommend contract language changes to the Federal Acquisition Regulatory (FAR) Council in order to implement the new software security standards and procedures.

The EO goes on to note that the purchasing power of the federal government can be a powerful tool to create a culture where contractors create software with tighter security and enhance the current security standards in place surrounding their software.

Further expected FAR changes

In addition to the changes already discussed, the EO requires the FAR Council to take up the topics of “cyber incident reporting” and “current cybersecurity requirements for unclassified system contracts.” DFARS 252.204-7012 addresses cyber incident reporting and is a likely model that could be modified and proposed for inclusion in the FAR. While notably not called out by name, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) is referenced in Section 2 (h). The section states, “Current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations.” The FAR Council will take up standardized contract language for appropriate cybersecurity requirements. These two topics represent significant changes that contractors need to prepare for now.

Will CMMC be the cybersecurity requirements that the EO discusses? It is difficult to forecast; however, a single standard across all agencies is a desirable outcome. Much of the EO calls on NIST to establish standards. This section, unlike other portions of the EO, does not call for the establishment of unclassified cybersecurity requirements. This is likely because the existing NIST 800-171 framework will be invoked. CMMC at Level 3 is heavily based on the NIST 800-171 framework. Whether CMMC is the selected cybersecurity requirement or an alternative set of requirements is chosen, it is highly likely that adopting NIST 800-171 is a useful effort.

What should government contractors do now?

Contractors who access government systems and possess sensitive unclassified information and software should be prepared to make changes to their own cyber practices and expect adjustments to their government contracts to adhere to the resulting new regulations. Baker Tilly is here to help walk you through the impending changes and the resulting impact on your business, your systems and your government contracts.

How To Mitigate Risk In Buying A Distressed Gov’t Contractor

The COVID-19 pandemic is creating challenges for many contractors, and for those already struggling with legal and/or financial issues before the pandemic, the risk of crisis is even more real today.

The pandemic, however, is also creating acquisition opportunities. Buying a government contractor in financial or legal distress can be lucrative if appropriate due diligence is conducted and the buyer proceeds with a clear understanding of the target company’s liabilities and potential exposure.

Through our collaborative work together as government contracts counsel, we periodically learn of sophisticated companies acquiring government contractors without appropriate due diligence only later to be surprised with a formal notice of proposed debarment, notice of suspension or show cause letter stemming from the alleged past misconduct of the target, or its former management or owners.

Now that promising acquisition has turned into a crisis that requires the immediate attention of leadership, a diversion of resources and a significant investment of capital to address. Upon receipt of that debarment notice, company leadership and its board of directors immediately find themselves asking whether they could have done more diligence to avoid this situation.

In most of these cases, that debarment notice was avoidable had the buyer conducted more rigorous due diligence to better understand the risks involved and thereafter taken appropriate risk-mitigation measures to reduce, if not eliminate, the risk of debarment.

Let’s pretend you have not yet acquired that government contractor and there is still time to mitigate the risk of debarment. Imagine a scenario where you are evaluating the acquisition of a government contractor in financial or legal distress.

You are interested because that contractor offers some incredible synergies to your existing business and contract portfolio. You are also interested in several of the target’s significant government contracts and see opportunities for growth and expansion.

However, during the due diligence phase, you are informed that one or more of the company’s former management personnel are under criminal investigation by the U.S. Department of Justice for alleged misconduct relating to their prior roles in performing government contracts for the company. That information is quickly followed by the representation that such should not be a concern because the government has declined to pursue the company criminally.

Upon hearing this news, some may conclude that the matter is resolved, and the company is free and clear of any financial or legal exposure.

While it is certainly favorable news that the company is not being pursued criminally, the company is not necessarily free and clear from the other remedies in the government’s arsenal.

Indeed, the company could still face contractual remedies, civil False Claims Act exposure, including treble damages and penalties, and, as addressed herein, the risk of suspension and debarment under Federal Acquisition Regulation, or FAR, Subpart 9.4 looms large.

For buyers desiring to eliminate the risk of debarment for the alleged past misconduct, there’s some hope. This is truly one of those situations where an ounce of prevention is worth a pound of the cure.

Prior to acquiring the target or its assets, we want to ensure that the target has conducted an appropriate investigation and prepared an investigative report laying out the factual findings.

Without such a baseline level of knowledge, you are truly taking a gamble, much like walking into a casino and laying your entire investment on a hand of blackjack. Do you feel lucky? Do you know the dealer’s hand? Do you know how those ahead of you in the dealing line are going to play their hands? Unless you are clairvoyant, you are gambling. The risk is total loss.

Buying a distressed contractor can cost you far more than your investment, including the debarment of the target company, treble damages and penalties under the FCA, the risk that the government imputes the target company’s debarment to the buyer and other affiliates as defined in FAR 9.403, reputational harm to the target company and buyer, and, of course, substantial legal fees and costs, among others.

With a clear accounting of what happened, you can negotiate terms for the acquisition or asset purchase that protect you financially from exposure, including provisions providing for representations and warranties, indemnification, advancement of legal fees and holdbacks, among other protections.

These facts will enable you to evaluate whether appropriate corrective actions and remedial measures have been implemented to significantly mitigate the risk of reoccurrence. For example, assume the misconduct involved kickbacks. Here are a few questions that come to mind:

  • Does the target have a values-based ethics and compliance program satisfying FAR 52.203-13, Contractor Code of Business Ethics & Conduct?
  • Does the target have a code of business ethics and conduct?
  • Does the target have an anti-kickback compliance policy?
  • Does the target have a gift policy and a conflict-of-interest policy?
  • Does the target provide live compliance training to personnel addressing these subjects?
  • How does the target evaluate the responsibility and ethics of its vendors and suppliers?
  • Does the target maintain financial controls requiring employees to document and memorialize any gifts they have provided or accepted involving customers, vendors, and suppliers? Same for business development expenditures?
  • What type of financial controls are in place?

These are just some of the questions that should be asked in evaluating the state of the target’s response to the events and its overall ethics and compliance program.

Once you understand what happened and how the company responded, if at all, to mitigate reoccurrence, you can begin assessing how the company, if acquired by you, would fare under a present responsibility assessment using the mitigating factors and remedial measures set forth at FAR 9.406-1. Explore the types of targeted remedial measures that you would need to undertake to show the government that you have done all you can to mitigate reoccurrence.

Additionally, you will want to be in a position to demonstrate that the company’s ethics and compliance program satisfies FAR Section 52.203-13 and includes the following components: core values; an ethics and compliance officer to manage the day-to-day operations of the program; an ethics helpline allowing for anonymous reporting; an investigations policy; compliance policies and procedures; effective training programs and testing of such programs to gauge effectiveness; a disciplinary program; and a disclosure policy.

Once you have completed your due diligence on the target and assuming you decide to proceed with the acquisition, consider requiring as a condition to closing that you have the opportunity to proactively engage with and disclose the facts to the lead agency suspension and debarment official, or SDO, and ideally to receive comfort from the SDO’s office that they are satisfied with the company’s response to the events and do not intend to take administrative action (i.e., debarment) against the entity.

In some instances, the SDO’s office may desire a long-term compliance agreement, referred to as an “administrative agreement,” which has significant cost considerations and compliance obligations, including possible independent monitoring by a third party, quarterly reporting and enhancements to the existing compliance program, among other terms.

Administrative agreements are manageable, however, and often strengthen the company and make it even more valuable, but they do come at a cost that needs to be factored into the acquisition. If time does not exist before the closing of the transaction to eliminate the risk of debarment, make sure the acquisition agreement offers you appropriate financial protections to guard against a significant investment in remediation, an administrative agreement, independent monitoring, or debarment and loss of revenues for a period of time.

By engaging with the lead agency SDO’s office proactively, you are walking into the proverbial lion’s den, so it is important to be prepared.

In our experience, typically SDOs welcome proactive engagement by contractors and view such as an indication that the contractor is responsible and can be trusted. Moreover, if done prior to the acquisition, the SDO’s office is likely to be impressed with the buyer’s preacquisition due diligence.

Conversely, SDOs look less favorably upon buyers who proceed with an acquisition without appropriate due diligence. And, in most instances, the benefit of engaging with the SDO’s office proactively, whether before or after closing, is that you eliminate the risk of a surprise debarment notice at the most inopportune time and typically can resolve the SDO’s concerns.

By proactively engaging with the lead agency SDO’s office, you are investing in the future, mitigating the risk of debarment and gaining peace of mind. Otherwise, each day in front of you could bring an unfortunate surprise and one that will be far more costly to address in a crisis. Buying a distressed government contractor can be lucrative as long as you take appropriate measures to ensure you understand the risks and are protected.

What is an OTA?

Stephanie Alexander and Katie Bilek explain what an Other Transaction Authority (OTA) is and how it helps government agencies find and attract innovative contractors.

BDO Accounting

Mergers & Acquisitions for Government Contractors: Steps to Navigating the post-LOI Phase

In this second insight of our three‑part Mergers and Acquisitions (M&A) Sell-Side series for government contractors (GCs), we outline considerations and action steps to help you navigate the post-LOI (Letter of Intent) phase of selling your GC business. The LOI outlines the structure of the acquisition, as well as the pricing and terms. Generally, this is the final step prior to the seller granting exclusivity (i.e., where the seller agrees to negotiate only with a particular prospective buyer). Once exclusivity is granted, the buyer engages a team of specialized professionals to address particular issues, such as quality of earnings, tax structuring, human resources (HR), insurance review, and operational, commercial, property and IT due diligence.

To the extent possible, a GC seller may wish to consider preparing the business to address any due diligence concerns before beginning the LOI phase, as the diligence process provides significant input to the ultimate investment thesis, the risk profile of the transaction and points of negotiation (e.g., transaction service agreement, stock or asset sale, working capital negotiation). Advisors can help guide the seller in focusing on key areas that can be prioritized for maximum impact. See our first insight in this series for more detailed information on steps that can be taken to prepare.

Once the LOI is signed, the seller may wish to consider the following as next steps (some of which may already be underway):

  1. Gather historical financial statements and supporting documents and post all documents in an electronic data room for the potential buyer to access and review.
  2. Obtain release letters from the potential buyer for access to independent advisors’ quality of earnings report.
  3. Have your advisors assist with buyer questions and requests.
  4. Determine whether there are any organizational conflicts of interest (OCI) with any of the buyer pools, and if so, seek assistance from the government compliance leadership team/advisor on possible mitigation strategies.

Armed with the quality of earnings report, information on risks uncovered during the due diligence process, synergy opportunities and the perspective of the deal team and the platform company management team (if the buyer is a private equity firm), the buyer will finalize the financial models and prepare for its investment committee meeting. The investment committee would have seen and approved moving forward with the deal several times before this final sign off, so issues should not arise at this stage.

Purchase and Sale Agreement

The final offer from the buyer, also known as the “purchase and sale agreement,” includes a number of critical elements, each of which may lead to multiple levels of selected diligence and negotiation. Once these are agreed upon, the legal teams and the investment banker can prepare for closing.

When reviewing the purchase and sale agreement, the seller should:

  1. Review definitions of the post-closing adjustment to address any changes in the value of assets between the time of the initial agreement and the closing of the deal.
  2. Understand the acquisition date. There is often confusion from a reporting perspective on closing balance sheets, and the determination of the date is a critical component that all parties should understand.
  3. Ensure that all terms are defined in the net working capital (NWC), including a listing of accounting policies where necessary (such as language specifying adjustment items are calculated consistent with the seller’s past accounting practices as opposed to an interpretive set of guidelines, such as GAAP). The seller wants an “apples to apples” comparison of closing NWC and does not want the buyer to get a more favorable adjustment by changing the accounting rules.
  4. Determine if there are any earn-outs or other contingent consideration, and if so, analyze the feasibility of the proposed mechanisms.
    1. Ensure there is an understanding of the contingent consideration with the help of legal, accounting and valuation teams. For sellers, this can potentially lead to a higher sales price if performance criteria are met. If there are financial performance targets, it is important that the buyer is able to accurately track the performance of the acquired entity to minimize (or prevent) potential disagreements or issues relating to measurement of the performance criteria.
    2. Carefully review open-ended earnouts because they can reduce cash proceeds by causing early capital gains and later year capital losses that cannot be offset. Also, earnouts unnecessarily tied to continued employment potentially could create a risk that the payments would be characterized as ordinary income. Careful consideration of the terms and purpose of a non-compete clause can avoid unfavorable ordinary income treatment. Have your tax advisor review the term sheet/LOI and transaction document to prevent these costly mistakes.


Tax Considerations

Once the purchase agreement is drafted and undergoing review, the seller’s law firm may offer to have their tax team review the document. The law firm’s perspective is valuable and important to the process but is not a substitute for having your tax advisor review the document as well. The seller’s legal and tax advisors should look at the overall tax impact to the seller based on the proposed structure of the transaction. The tax advisor often assists with modeling to help visualize the tax impact, reviews reporting deliverables post-closing and helps the seller navigate the tax representations included in the agreement.

Your tax advisor should also be looking at the allocation and method for payment of taxes for the year of the transaction. Gaps in the agreement’s definition of pre-closing periods and the operation of the tax rules resulting from the transaction structure could have unintended consequences.

The buyer’s tax team is looking to identify any tax risks associated with the seller’s business on a tight time frame. As a result, the team may estimate associated exposure amounts using the limited data made available, which potentially could result in overstated estimated exposures. A sell-side tax advisor can help minimize or eliminate purchase price reductions or special tax escrows by reviewing tax exposure analyses prepared by the buyer’s tax team and helping the seller determine if better data or more appropriate assumptions should be used.

Minimizing Risk

To optimize the post-LOI phase overall, the seller should consider the following:

  • Be involved in the negotiation of various terms in the purchase and sale agreement to drive maximum value.
  • Work with an advisor, legal and deal teams to provide support with preparation of detailed disclosure schedules.
  • Ensure HR engagement to provide clarity around continuing employment of the company workforce and their benefits post-closing.
  • Support customer communication and engagement. In the government contracting space, customers expect to be informed of a potential change in ownership, due to the nature of contracts.
  • In a carve-out situation, evaluate the necessity of a transition services agreement (TSA), and work with advisors to ascertain requirements on both sides. A TSA provides proper documentation of each party’s expectations, along with clear terms of engagement. This may include back-office services such as finance, HR or IT support, which may be needed to support the divested organization until those functions are transitioned to a buying organization. It is also important to understand impacts if both parties’ financials will exist in the same accounting system during a transition period. Proper identification of the seller costs associated with the various services provided should be maintained to allow for collection of costs in the proper indirect pools and ensure that any unallowable amounts can be removed from future claims.
  • While sellers are understandably motivated to get the highest sales price possible, the consequent tax exposure can make the seemingly “best” deal potentially less optimal. When a buyer and seller are negotiating the terms of the deal, there are various components that can be manipulated (such as using future earnouts, rollovers, buying assets vs stock, etc.). Having a model prepared where the seller can compare the net impact of these proposals puts the seller in a position to make the best overall decision. The highest price may not always be the best answer.



Once the seller reviews and finalizes the closing statements, including the purchase and sale agreement and all associated schedules and disclosures, you should prepare the funds flow statement and communication materials, including FAQs, and communicate the change to the Defense Contract Audit Agency (DCAA) and the Defense Contract Management Agency (DCMA).

Given the potential for substantial consideration to be paid for your company, a good and open working relationship with the buyer is paramount. Such relationships are often tested given the potential NWC issues, as defined in the agreement. We see more successful acquisitions and transitions with companies whose sellers and buyers are flexible or open to negotiation as it relates to closing balance sheet amounts. Given the demands of a highly active M&A market like we are currently experiencing, buyers and sellers should be prepared to consider a tailored approach to getting deals done.

Another typical issue is that sellers are inclined to keep the circle of knowledge around the deal small and minimize costs by excluding external advisors from due diligence requests and calls. An alternative approach may be to enlist the assistance of external advisors who can provide guidance. Business owners are not necessarily experts in all fields and can provide responses that prompt further questions from the buyer simply because of the language used or assumptions as to why a particular position was taken. Having the advisor present to speak to this precisely can help prevent additional unnecessary information requests.

In conclusion, while it’s critical to have a systematic process in place during the post-LOI phase of selling a GC business, as described above, there are financial reporting and tax issues to work through. In our experience, it’s equally important to focus on the “soft” issues.

Data Governance & the CMMC Framework

Data governance is the process of managing the availability, usability, integrity, and security of the data in enterprise systems, based on internal data standards and policies that also control data usage. Effective data governance ensures data is consistent, trustworthy, and doesn’t get misused. Before we explore its role in CMMC, let’s explore the basics.


Data governance is a set of principles and practices that ensure high quality through the complete lifecycle of your data. According to the Data Governance Institute (DGI), it is a practical and actionable framework to help a variety of data stakeholders across any organization identify and meet their information needs.

How important is data governance for your company?

Data governance is a set of processes ensuring important data assets are formally managed throughout the enterprise. It also ensures that trusted information is used for critical business processes, decision making, and accounting.

What are some core principles of data governance?

There are certain core principles which drive a successful data governance implementation:

Recognizing data as an asset – In any organization, data is the most important asset.

Data classification – The process of organizing data into categories, making it easy to retrieve, sort, and store for future use. A well-planned data classification system makes essential data easy to find and retrieve. This can be of particular importance for risk management, legal discovery, and compliance.

Data ownership and accountability – In a successful data governance process, ownership and accountability of data must be clearly defined.

Data retention – Data retention is an important step in helping protect an organization’s data and avoid financial, civil, and criminal penalties that increasingly accompany poor data management practices.

What are the business drivers for data governance?

Regulatory compliance – This is affecting all organizations. At a minimum, all organizations need to comply with their own country’s financial regulations. Then there are region-specific data privacy regulations, some stricter than others, but noncompliance with those can also end up costing the organization large sums of money, as well as bad publicity. This tends to score high in the list of data governance drivers because of the high risks and costs associated with noncompliance.

Data driven decision making – This is an umbrella for a few drivers, so sometimes you might see this stated simply as “implementing a Business Intelligence (BI) program.” Other times you hear about “starting data analytics” or “big data adoption;” even improving overall efficiency and customer satisfaction. You should consider all of these under one driver because they all fall into the idea of knowing the best decisions to make based on your company’s data.

The quality of your data – It all boils down to data quality (the reason why a lot of organizations point to this as the main driver). Even those who want to start a BI program, ensure regulatory compliance, become more efficient, increase customer satisfaction, and so on need to ensure the data is clean and accurate, as well as in agreement with the data quality dimensions that matter to the business. If you don’t have good data quality, then you won’t accurately know that the right customer unsubscribed from your newsletters and you’re still continuing to send to them. You might overcharge someone, send inaccurate financials to the IRS, mislabel ingredients on a product, incorrectly categorize those medical lab tests, or draw inaccurate conclusions from revenue projections. The state of quality of your data can make or break everything – and for this you need good data governance.


The concept of Data Governance is a focal point in the CMMC world. Identifying information as FCI, CUI, or CTI is crucial in knowing how to handle the information at hand and to be able to classify and label it accordingly.

Knowing how to classify your data is key in managing Access Control (AC); as an example, AC.2.16, a level 2 practice, talks explicitly about controlling the flow of CUI in accordance with approved authorizations. Knowing how to classify your data is key in knowing who in your organization is authorized to access CUI, so that their access can be managed accordingly.

Example 1: When it comes to Data Classification, companies should know in advance whether a Team or SharePoint site will contain CUI data when it is provisioned. The Community Service Team should be open to all personnel and data about the unit’s volunteer opportunities should be free to be widely shared. However, the unit’s readiness report is probably sensitive information. As such, it needs to be labeled “CUI” and live in a Team site that is clearly marked as such. In other words, the Community Service Team can be labeled “public” while the Readiness Team should be labeled “Readiness – Restricted – CUI.”

Example 2: When it comes to Lifecycle Management, a good Data Governance policy includes a Lifecycle Management plan. Periodic reviews or certain events (for example, the end of a contract) should initiate an archiving process that may even include the deletion of the workspace. This eliminates sprawl and can reduce clutter, which in turn also reduces the attack surface of the environment.

Data is a critical asset for every business, and it is a powerful asset when well-governed. Remember, ad-hoc approaches to handling your business data are likely to come back to haunt you. Data governance has to become systematic, as big data multiplies in type and volume and people seek to answer more complex business questions. That means setting up standards and processes for acquiring and handling data, as well as procedures to make sure those processes are being followed. That said, achieving enterprise-wide Data Governance is not a trivial task. It makes sense to break that initiative down into more manageable steps.

Some things you should consider:

  • Identifying current and desired data governance levels
  • Focusing on strategic quick wins to build support
  • Building toward the facets of a sound data governance framework/program

Most organizations have neither the people nor the expertise to tackle such an important program. Involving a third party is often critical for success: an organization with the expertise to help you map out a Data Governance framework specific to your business and industry, and to let you decide how mature you would like that program to be over time.

Ways To Enhance Benefits If You Are A Government Contractor

Government contractors enjoy a range of benefits from stable employment and timely payments, to flexible work and a competitive income. While benefits such as health insurance, retirement accounts and disability are staples for many federal service contractors, fringe benefits are not as widely available.

In a competitive environment, fringe benefits are necessary to demonstrate that the business is willing to go above and beyond for its employees. Here are some of the top ways for government contractors to enhance benefits.


Prohibition on Certain Telecommunications Equipment and Services for Federal Grant Awardees

Many federal award recipients are unaware that on August 13, 2020, 2 CFR § 200.216, “Prohibition on certain telecommunications and video surveillance services or equipment,” went into effect. This prohibition covers all non-federal entities receiving federal grant awards, cooperative agreements, and loans or loan guarantees. Under § 200.216, non-federal entities are prohibited from spending or obligating federal award funds to procure or obtain covered telecommunications equipment or services from China. The equipment and services are thought to be compromised and not safe for use. The prohibition is for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes.

The language in § 200.216 states:

“Recipients and subrecipients are prohibited from obligating or expending loan or grant funds to:

  1. Procure or obtain;
  2. Extend or renew a contract to procure or obtain; or
  3. Enter into a contract (or extend or renew a contract) to procure or obtain equipment, services, or systems that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”

Covered Telecommunications Equipment and Services

  • Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities). These companies produce mobile phones, laptops, tablets, and routers among other items.
  • For the purposes of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by
    • Hytera Communications Corporation [mobile phones, mobile hotspots, and network equipment];
    • Hangzhou Hikvision Digital Technology Company [mobile phones, mobile hotspots, and network equipment]; or
    • Dahua Technology Company
    • (or any subsidiary or affiliate of such entities)
  • Telecommunications or video surveillance services provided by such entities or using such equipment
  • Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense . . . reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country [i.e. the People’s Republic of China].

The federal agencies are to prioritize available funding and technical support to assist affected businesses, institutions and organizations as is reasonably necessary for those affected entities to transition from covered communications equipment and services, to procure replacement equipment and services, and to ensure that communications service to users and customers is sustained.

What to Do

The trickiest part is that much of this technology is used as a component within a bigger object. For instance, the brand of laptops your company uses may very well have parts within it that come from the covered companies listed above.

Federal award recipients need to be aware of this prohibition, which took effect on August 13, 2020. Organizations should add new language to their procurement policies, if they haven’t already, and add steps for researching the background of any telecommunication or surveillance equipment that might be purchased.