Procurement

4 agencies get new rules on China IT sourcing


A new IT security measure included in the continuing resolution signed into law on March 26 requires several government departments to take China sourcing into account when procuring computer systems.

Under the new legislation, the Commerce Department, Justice Department, NASA and the National Science Foundation must consider "any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People's Republic of China."

The new rules will only apply to a few agencies at first, but it is possible that they will be used as a template for other civilian agencies in the next round of appropriations. And while it is not a permanent statutory change, the language in the law might have a shelf life well beyond the current appropriations.

Rep. Frank Wolf (R-Va.), chairman of the Appropriations Committee's Commerce, Justice, Science and Related Agencies Subcommittee, inserted a version of the measure in an appropriations bill for fiscal 2013 drafted last year. It was subsequently added to the Senate's version of the continuing resolution that covered full appropriations for several agencies, including Commerce, Justice, NASA and NSF.

Senate appropriators adopted Wolf's measure on a bipartisan basis in large part because of a report released last October by the House Permanent Select Committee on Intelligence that alleged possible intellectual property theft and cyber espionage on the part of Chinese firms Huawei and ZTE. The report recommended that government systems and contractors exclude components manufactured by those companies.

Rep. C.A. Dutch Ruppersberger (D-Md.), ranking member of the intelligence committee, told FCW that he supports the language in the continuing resolution because of the "long-term security risks associated with doing business with Chinese companies." Firms like Huawei and ZTE, he said, "can't be trusted to be free of foreign state influences."

Although the companies have denied involvement in intellectual property theft and cyber espionage, concerns about vulnerabilities in the global supply chain remain. A March report prepared for the U.S.-China Economic and Security Review Commission found that the "close relationship between some of China's -- and the world's -- largest telecommunications hardware manufacturers creates a potential vector for state-sponsored or state-directed penetrations of the supply chains for microelectronics supporting U.S. military, civilian government, and high-value civilian industry such as defense and telecommunications, though no evidence for such a connection is publicly available."

The new language puts the spotlight on U.S. and global firms that have supply chain connections to China, which is basically the entire commercial IT sector. "You'd be hard-pressed to find a technology product that isn't touched in some way by a company with a PRC presence," said Trey Hodgkins, a senior vice president at trade association TechAmerica. "Government can't afford to buy technologies with a bulletproof supply chain. The commercial business model doesn't provide for it."

Fallout from the new rules could include some vendors deciding that compliance is too expensive. Stewart Baker, a lawyer and former assistant secretary for policy at the Department of Homeland Security, told FCW, "There are going to be some glitches in implementing this language that could be painful or controversial, but if the alternative is to sit around waiting for our IT infrastructure to become completely dependent on companies that can't really be trusted in a crisis, then something like this was probably inevitable."

In a blog post, Baker predicted the new rules "will force the pace of retaliation probably faster than the administration would like."

Under the provision, risk assessments would have to be made in consultation with the FBI or another appropriate federal entity, which could include elements of the intelligence community or the National Institute of Standards and Technology, depending on how the rules are written. An agency leader who wishes to acquire an IT system without going through this process would have to explain to congressional appropriators why such a purchase is in the national interest.

"We will be monitoring each agency carefully," said an aide to Wolf, who spoke to FCW on background. "We expect them to take it seriously and follow the law."

Through a spokesperson, the office of NASA's CIO indicated that the agency was still assessing how the legislative language would affect its procurement strategy.

About the Author

Adam Mazmanian is a staff writer covering Congress, the FCC and other key agencies. Connect with him on Twitter: @thisismaz.


Reader comments

Tue, Apr 2, 2013

Buy Panasonic. It's made in Japan with all Japanese parts.

Fri, Mar 29, 2013

How am I expected to determine that an information technology system was produced, manufactured or assembled by entities owned, directed, or subsidized by the People's Republic of China? Part of this is understanding what "directed" and "subsidized" mean. Here is a true example: It turns out that Hewlett-Packard, the Silicon Valley pioneer that was as American as you can get when it was founded, sells network equipment to us that is produced, manufactured and assembled in China. The design is done completely in China by a company called H3C and even includes key technology from Huawei. These routers are branded "HP" and, using the standard loophole, a transformation is performed (tape an English manual to it, or whatever) so that HP can claim they meet the Trade Agreement Act. These products are on the DoD approved products list. Here's the deal, though... do these HP products really meet the criteria? Is the production, manufacturing or assembly done by a company that is "owned", "directed", or "subsidized" by the PRC? Owned--nope, the company that makes the products is owned by HP. They bought it from 3Com, who bought it from Huawei. Directed--not sure. Certainly, HP directs the company as any company would a subsidiary. However, the company and employees were a business unit of Huawei that was sold intact (ultimately) to HP. Are the people in the company "directed" by their Chinese intelligence handlers? Many believe Huawei is "directed" by the PRC, so should I think this company is also? Subsidized--not sure. I wouldn't expect that this subsidiary of HP is receiving subsidization from the PRC. However, the company is a dominant supplier of network equipment to the Chinese government. If the PRC threatened to purchase from another Chinese supplier unless the company complied with requests in the national interest, what would the Chinese company CEO do?
Should I consider the revenue and profit from this large Chinese government market share constitutes a subsidization? Until this situation with HP network equipment was brought to my attention, I would not have imagined how hard it will be to determine when I need to consult with the FBI on a purchase from an "American" company. (One of our network administrators at Sandia Labs recently detected the installation of HP routers, suspected they were of Chinese origin, and sounded the alarm. The equipment was removed, pending a security review.) I think they need to turn it around and make it illegal to sell any product produced, manufactured or assembled by entities owned, directed, or subsidized by the People's Republic of China to us. Put some burden and risk on these companies that obscure the source of their products. They could also close the loopholes in the TAA. I don't know how I can be expected to do what they ask.

Thu, Mar 28, 2013

This is insane by Congress. Do they not realize that this will cause costs to triple? That's if any company will even be willing to sell to the gov't.
