The NDAA Includes Prohibitions Targeting Semiconductors Similar to Section 889
WHAT: Congress is advancing the final version of the National Defense Authorization Act (NDAA) for Fiscal Year 2023 (FY 2023). With provisions similar to Section 889 of the FY 2019 NDAA, Section 5949 of the FY 2023 NDAA prohibits executive agencies from procuring or contracting with entities to obtain any electronic parts, products, or services that include covered semiconductor products or services from certain Chinese companies.
WHEN: The House passed the FY 2023 NDAA on December 8, 2022, and the Senate is expected to vote this week, which will send the bill to the President for his signature. The semiconductor prohibitions will not take effect until five years after the date of enactment, and the Federal Acquisition Regulatory (FAR) Council will issue regulations implementing the prohibitions three years from the enactment date.
WHAT DOES IT MEAN FOR INDUSTRY: The semiconductor prohibitions resemble Section 889 of the FY 2019 NDAA, which covered telecommunications equipment and services and video equipment and services produced by certain Chinese companies. Like the representations contractors must complete in SAM.gov for Section 889, rules promulgated under the new Section 5949 will require contractors to provide new certifications for covered semiconductor products or services. Contractors will need to carefully scrutinize any electronic parts, products, or services provided to the Government to ensure they do not include or use covered semiconductor products or services.
Section 5949 Part A Prohibits Agencies From Acquiring Products/Services That Use Certain Chinese Semiconductors.
Section 5949 applies to any “covered semiconductor product or services” that are produced by Semiconductor Manufacturing International Corporation (SMIC), ChangXin Memory Technologies (CXMT), Yangtze Memory Technologies Corp (YMTC), or any subsidiary or affiliate of such entities. These companies represent a sizeable and growing share of the semiconductor chips market, and a broad range of electronic equipment imported into the United States (including mobile phones, networking equipment, and automobile parts), which incorporates chips by these entities or their affiliates. Section 5949 also authorizes the Secretary of Defense or the Secretary of Commerce to designate other products or services as covered if they determine that the product or service is provided by an entity owned, controlled by, or connected to the government of a “foreign country of concern,” currently China, Russia, North Korea, and Iran.
The primary prohibition, Part A, prohibits executive agencies from procuring, obtaining, or contracting for any electronic parts, products, or services that include covered semiconductor products or services.
Section 5949 Has a “Part B,” But It’s Not as Onerous as Section 889.
Section 5949’s semiconductor prohibition includes a “Part B” for covered semiconductor products or services. Infamously, Section 889’s Part B prohibits the Government from contracting with entities that use covered equipment or services that, in turn, use covered telecommunications equipment or services. Unlike Section 889, Part B of Section 5949 prohibits executive agencies only from contracting “with an entity to procure or obtain electronic parts or products that use any electronic parts or products that include covered semiconductor products or services.” Section 5949’s Part B focuses on whether the procured electronic parts or products use additional parts/products that include covered semiconductor products or services; it does not prohibit the contractor from using covered semiconductor products or services for its internal operations. This distinction makes Section 5949—and later certification requirements—less onerous than Section 889’s requirements. Nevertheless, there will be contractor compliance costs to procure products and services with non-prohibited semiconductor chips for delivery to the Government, including equipment component re-designs to accommodate the substitutions.
In addition, Part B applies only to products or services that include covered semiconductor products or services in systems that are “critical systems,” which are defined as telecommunications or information systems operated by the Government for certain defense, intelligence, or national security activities. The limitation of these Part B prohibitions to critical systems may also limit the universe of contractors that will be subject to the prohibitions through their contracts.
The Prohibitions Are Prospective and Do Not Affect the FCC’s Covered List.
Section 5949 includes a Rule of Construction providing that the prohibitions—both Part A and Part B—will not require entities to remove or replace any covered semiconductor products or services that are “resident” in existing equipment, systems, or services before the effective date—five years after the date of enactment. Entities can continue to use existing equipment that includes covered semiconductor products or services “throughout the lifecycle of such existing equipment.”
Additionally, the Rule of Construction states that Section 5949 will not require the Federal Communications Commission (FCC) to designate covered semiconductor products or services on its Covered Communications Equipment Services List maintained under the Secured and Trusted Communications Networks Act of 2019. This list identifies communications equipment and services that the FCC has determined to pose an unacceptable risk to national security or the security and safety of United States persons.
Section 5949 Provides Waiver Authority to Several Entities.
Section 5949 authorizes the following individuals to waive the prohibitions after the effective date for “critical national security interests”: the Secretary of Defense, the Director of National Intelligence, the Secretary of Commerce, the Secretary of Homeland Security, and the Secretary of Energy. Further, the head of an executive agency may waive prohibitions, for a renewable period of no more than two years per waiver, if certain other determinations are made in consultation with the Secretary of Commerce, as well as the Secretary of Defense or Director of National Intelligence.
The FAR Council Will Issue Regulations Implementing Section 5949.
Within three years after the enactment date, the FAR Council must promulgate regulations implementing the prohibitions. The Federal Acquisition Security Council (FASC) is tasked with providing recommendations for these regulations no later than two years after enactment. (Section 5949 also extends the Federal Acquisition Security Supply Chain Act of 2018, and therefore the FASC’s operations, through December 31, 2033, which is ten years after its initial expiration date.)
The regulations will require contractors that supply electronic parts or products to agencies to certify the non-use of covered semiconductor products or services in those parts or products; detect and avoid the use or inclusion of covered semiconductors in such products or services; and pay for any rework or corrective action required to remedy any use or inclusion of covered semiconductors in such products and services. The cost of any rework or corrective action would not be allowable under federal contracts.
The regulations will also create a number of obligations for “covered entities,” which are defined as entities that develop “a design of a semiconductor that is the direct product of United States origin technology or software” and that purchase semiconductor products or services from SMIC or any other products/services that the Secretary of Defense or the Secretary of Commerce designate as covered. Importantly, covered entities will be required to disclose to their direct customers whether their parts/products/services include covered semiconductor products or services. If a covered entity fails to disclose such inclusions, then the covered entity will be responsible for any rework or corrective action. Although this provision appears to be an attempt to shift obligations and liability further down the supply chain, covered entities might not hold prime contracts with the Government, and enforcement will therefore be left to higher-tier subcontractors or prime contractors through “flow down” clauses.
The regulations will also require covered entities, prime contractors, and subcontractors to report to the Government in writing within 60 days if the entity “becomes aware, or has reason to suspect” that an end item, component, or part of any critical system purchased by or for the Government contains covered semiconductor products or services. This, too, will require contractors to establish additional compliance and reporting processes and procedures. Agencies will notify Congress of such reports within 120 days.
Congress Has Created Safe Harbors.
Section 5949 includes a few safe harbors. First, contractors can reasonably rely on certifications from covered entities regarding the inclusion (or not) of covered semiconductor products or services in electronic products and parts, and they do not have to conduct third-party audits or formal review of those certifications. Second, contractors and subcontractors that notify the Government that a critical system contains actual or suspected covered semiconductor products or services will not be subject to civil liability or determined to be non-responsible. If the notification involves parts or products manufactured or assembled by the notifying contractor/subcontractor, that company must make an effort to identify and remove the covered products or services.
Section 5949 Creates Several Semiconductor Reporting Requirements and Initiatives.
Section 5949 requires the Office of Management and Budget, in coordination with the Director of National Intelligence and the National Cyber Director, to provide a report and briefing on the implementation of the prohibitions and the effectiveness of the waiver provisions.
Within 180 days after enactment, the Secretary of Commerce, in coordination with the Secretary of Defense, the Secretary of Homeland Security, the Director of National Intelligence, and the Secretary of Energy, is required to conduct analyses, assessments, and strategies regarding risks posed by covered semiconductors as well as domestic and allied country semiconductor production capacity.
Within two years after the date of enactment, the Secretary of Commerce, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Director of National Intelligence, the Director of the Office of Management and Budget, and the Director of the Office of Science and Technology Policy, and in consultation with industry, must establish a “microelectronics traceability and diversification initiative.”
The United States has grown increasingly focused on China’s growing semiconductor capabilities, the dangerous weapons systems that those capabilities enable for governments and entities that may be hostile to the United States, and the potential for “backdoors” to be built into America’s defense, telecommunications, and energy systems. These concerns have given rise to Section 5949, as well as the U.S. Government’s ongoing tightening of export control restrictions targeting China’s chip capabilities and use of the International Emergency Economic Powers Act to address potential risks to the United States economic system. Section 5949 adds to these efforts, including through the Executive Order on Securing the Information and Communications Technology and Services Supply Chain, the existing prohibitions on U.S. Government contractors having Chinese Military Company entities in their supply chains (pursuant to Section 1260H of the FY 2021 NDAA), and outbound investment restrictions related to Chinese Military-Industrial Complex companies.