The Hill

China-sourcing rules for IT reappear in appropriations

China cyber risk

Rep. Frank Wolf (R-Va.), chairman of the House appropriations subcommittee that funds NASA, the National Science Foundation and the departments of Commerce and Justice, has once again include language in an funding bill that puts restrictions on the ability of those agencies to acquire IT systems that include components sourced to companies that are “owned, directed or subsidized” by the Chinese government. The bill was approved by the subcommittee on July 10.

Nearly identical language was inserted into the continuing resolution that currently funds government operations, that is set to expire at the end of September. So far, the federal government has yet to establish rules for how agencies are supposed to interpret the provisions currently on the books.

Wolf told FCW that the current law is being implemented poorly. "The Obama administration is slow-walking it," he said.

The restrictions, he said, are designed to address risks posed by state-owned enterprises including Huawei and ZTE, which were alleged by the House Intelligence committee to be active in cyber-espionage, according to an influential report issued last October. The language in the appropriations bill, "are precisely the recommendations made in a bipartisan way by the chairman and ranking member of the Intelligence committee," Wolf said.

Because the work of developing rules to comply with the legislative language is being done behind the scenes in the federal government, it is difficult to get a picture of how the restrictions are playing out with regard to current agency acquisitions.

Joe Klimavicz, CIO at the National Oceanic and Atmospheric Administration, said the statutory directive, "hasn't stifled acquisitions." Currently, the Commerce Department is working with NASA, NSF and the FBI to establish an overall process. "I think in the end we're going to use our existing boards and review processes. It's another check that we've got to do," Klimavicz told FCW in a brief interview after a July 10 industry event.

Some of these existing review processes include supply chain risk guidance from the National Institute on Standards and Technology and recommendations on IT supply chain management required under President Obama's cybersecurity executive order. Additionally, the White House Office of Intellectual Property Enforcement is due to release a strategy on policing the infiltration of counterfeit products into the government supply chain.

Some in industry think existing measures are sufficient to the problem, and that the legislation, though well-intentioned, is unworkable. Trey Hodgkins, senior vice president, global public sector for the trade association TechAmerica, said the measure "has had an impact and has stopped delivery of technology." He has heard from member companies that NASA has adopted the most aggressive posture in trying to enforce the measure, but Commerce and Justice are also asking vendors if their products are compliant.

"Agencies are asking companies to demonstrate compliance without defining what compliance is, or without defining terms of the statute would mean," Hodgkins said. "The challenge is trying to demonstrate compliance without guidance."

A source familiar with NASA's verification efforts said the legislation effectively requires an entire new level of supply-chain management. Agencies will need to set up databases of cleared products, and vendors will be pushed to document the provenance of components in the products they hope to sell to the government. TechAmerica is hoping to head off the inclusion of the legislative language in 2014 appropriations. The group sent a letter July 11 to Reps. Hal Rogers (R-Ky.) and Nita Lowey (D-N.Y.), respectively the chairman and ranking member of the House Appropriations Committee, urging the deletion of the language from the final bill. In the letter, Hodgkins states that "federal agencies have already put performance under existing contracts on hold" as they work to implement the legislative language, and that renewing the measure would "impede the U.S. government's ability to acquire the latest, most advanced IT products." The measure would also raise costs for vendors and agencies, decrease competition, and invite other countries to retaliate against American IT companies, TechAmerica warns.

Wolf, however, expressed incredulity that U.S. IT firms are lining up against the measure. "They have all been hit. The Chinese are stripping their [intellectual property] and spying on them, and they're up there fronting for Chinese government operations. They are wimps," Wolf said.

Given the pace at which federal rules are written, reviewed and promulgated, it is possible that the term of the current continuing resolution will expire without the Office and Management and Budget publishing rules on how the affected agencies are supposed to enforce the current law.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above