China-sourcing restrictions spelled out in SEWP

NASA's new five-year IT acquisitions vehicle interprets and effectively extends legislative restrictions on sourcing computer gear manufactured in China that were included in the continuing resolution that is funding the government through the end of the current fiscal year.

Under the terms of Section 516 of the continuing resolution, NASA, along with the National Science Foundation and the Commerce and Justice departments, must conduct a risk assessment of IT hardware or software manufactured or assembled by "entities that are owned, directed or subsidized by the People's Republic of China." Before acquiring Chinese-made gear, the affected agencies must make a determination that such a procurement is in the national interest.

The inclusion of the language in the fifth iteration of Solutions for Enterprise-Wide Procurement (SEWP V), valued at up to $20 billion, pushes the lifespan of the provision beyond the current continuing resolution, which is set to expire Sept. 30.

"Seeing it extended into a five-year time frame makes it more permanent," said Erica McCann, manager of procurement policy at the trade group TechAmerica, which opposes the China sourcing rules. "This is the first time we're seeing it in a longer term platform that companies are going to have to pay attention to and protect against."

The SEWP request for proposals reiterates guidance published in June that puts the onus on NASA's CIO to assess the cyber-espionage risk of Chinese-made IT. Vendors must include details of any gear produced in China or from Chinese-owned firms to facilitate checking. In that June 6 circular, NASA said it would assess the security of new IT systems using the National Institution for Standards and Technology standards spelled out in the NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. It advised its own procurement staff to follow the security check procedure before obligating fiscal 2013 funds for IT.

NASA indicates that the Section 516 language applies to NASA orders only, not to procurements made by other agencies using the SEWP vehicle.

"Since these are NASA contracts, first and foremost, we can include specific NASA requirements at the contract level," SEWP Program Manager Joanne Woytek told FCW.  "We assume that other agencies, such as Justice Department, are handling SEWP and non-SEWP orders within their own agency through their own agency processes.  Each agency's CIO office should be making determinations for their own agency – NASA's CIO cannot make purchasing decisions or determination for non-NASA agencies."

The House version of the bill to fund NASA would extend the restrictions into fiscal 2014. Rep. Frank Wolf (R-Va.), chairman of the subcommittee that writes the legislation for the affected agencies, is a stanch advocate of restrictions on IT built by Chinese state-owned companies in federal procurement. In July, Wolf told FCW the Obama administration was "slow-walking" implementation of the sourcing provision.

The Senate version of the bill would require agencies to evaluate supply-chain risk of all "high impact information systems," using NIST security standards, but does not single out China.

Both versions have been approved by their respective Appropriations panels, but  there is a long legislative road ahead before the restrictions on Chinese IT are re-upped or altered for 2014.