4 agencies get new rules on China IT sourcing

Restrictions authored by Rep. Frank Wolf (R-Va.) included in continuing resolution; rules could be expanded to other agencies


A new IT security measure included in the continuing resolution signed into law on March 26 requires several government departments to take China sourcing into account when procuring computer systems.

Under the new legislation, the Commerce Department, Justice Department, NASA and the National Science Foundation must consider "any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People's Republic of China."

The new rules will only apply to a few agencies at first, but it is possible that they will be used as a template for other civilian agencies in the next round of appropriations. And while it is not a permanent statutory change, the language in the law might have a shelf life well beyond the current appropriations.

Rep. Frank Wolf (R-Va.), chairman of the Appropriations Committee's Commerce, Justice, Science and Related Agencies Subcommittee, inserted a version of the measure in an appropriations bill for fiscal 2013 drafted last year. It was subsequently added to the Senate's version of the continuing resolution that covered full appropriations for several agencies, including Commerce, Justice, NASA and NSF.

Senate appropriators adopted Wolf's measure on a bipartisan basis in large part because of a report released last October by the House Permanent Select Committee on Intelligence that alleged possible intellectual property theft and cyber espionage on the part of Chinese firms Huawei and ZTE. The report recommended that government systems and contractors exclude components manufactured by those companies.

Rep. C.A. Dutch Ruppersberger (D-Md.), ranking member of the intelligence committee, told FCW that he supports the language in the continuing resolution because of the "long-term security risks associated with doing business with Chinese companies." Firms like Huawei and ZTE, he said, "can't be trusted to be free of foreign state influences."

Although the companies have denied involvement in intellectual property theft and cyber espionage, concerns about vulnerabilities in the global supply chain remain. A March report prepared for the U.S.-China Economic and Security Review Commission found that the "close relationship between some of China's -- and the world's -- largest telecommunications hardware manufacturers creates a potential vector for state-sponsored or state-directed penetrations of the supply chains for microelectronics supporting U.S. military, civilian government, and high-value civilian industry such as defense and telecommunications, though no evidence for such a connection is publicly available."

The new language puts the spotlight on U.S. and global firms that have supply chain connections to China, which is basically the entire commercial IT sector. "You'd be hard-pressed to find a technology product that isn't touched in some way by a company with a PRC presence," said Trey Hodgkins, a senior vice president at trade association TechAmerica. "Government can't afford to buy technologies with a bulletproof supply chain. The commercial business model doesn't provide for it."

Fallout from the new rules could include some vendors deciding that compliance is too expensive. Stewart Baker, a lawyer and former assistant secretary for policy at the Department of Homeland Security, told FCW, "There are going to be some glitches in implementing this language that could be painful or controversial, but if the alternative is to sit around waiting for our IT infrastructure to become completely dependent on companies that can't really be trusted in a crisis, then something like this was probably inevitable."

In a blog post, Baker predicted the new rules "will force the pace of retaliation probably faster than the administration would like."

Under the provision, risk assessments would have to be made in consultation with the FBI or another appropriate federal entity, which could include elements of the intelligence community or the National Institute of Standards and Technology, depending on how the rules are written. An agency leader who wishes to acquire an IT system without going through this process would have to explain to congressional appropriators why such a purchase is in the national interest.

"We will be monitoring each agency carefully," said an aide to Wolf, who spoke to FCW on background. "We expect them to take it seriously and follow the law."

Through a spokesperson, the office of NASA's CIO indicated that the agency was still assessing how the legislative language would affect its procurement strategy.