Congress Sends NDAA FY23 to Biden’s Desk, Adds Semiconductor Procurement Restrictions

semiconductor chipset

Bill would authorize more than $850 billion for national security programs

Congress has advanced the final version of the National Defense Authorization Act (NDAA) for fiscal year 2023 (FY 2023); included in the legislation is the authorization for more than $850 billion for national security programs.

Included in the “must-pass” package are procurement provisions addressing semiconductors and products that contain them, which are in some ways similar to Section 889 of the FY 2019 NDAA enacted in FY19 to restrict federal procurement of products from five different Chinese firms (Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology), which created a fundamental shift in the telecommunications and video surveillance industries.

Section 5949 of the FY 2023 NDAA, prohibits executive agencies from directly procuring or contracting [JP1] to obtain any electronic parts, products, or services that include covered semiconductor products or services from three Chinese companies:  Semiconductor Manufacturing International Corporation (SMIC), Yangtze Memory Technologies Corp (YMTC), and ChangXin Memory Technologies (CXMT).

While the final product negotiated by House and Senate Armed Services Committee leaders doesn’t expand Section 889 by simply adding these products, as originally proposed, it does create a separate, less restrictive prohibition specific to semiconductors from SMIC, YMTC and CXMT in an effort to ensure U.S. economic competitiveness, address security threats, and improve the resiliency of semiconductor supply chains.

This is significant because while Section 5949 includes a prohibition on federal procurement similar to Section 889 Part A, it does not include a similar requirement to that section’s Part B, that could have imposed a prohibition to contractors who supply the federal government covering use of  covered semiconductor products or services from SMIC, YMTC and CXMT, even if unrelated to products or services provided to the federal government.  Concerns had been expressed to negotiators by many in the federal contracting community that the latter could present substantial implementation challenges due to that fact that such semiconductors are reportedly found in a wide array of commercial products, and determining their presence could be extremely difficult.

Additionally, unlike Section 889, the Section 5949 restrictions only apply to products or services being supplied to the federal government that include semiconductor products from SMIC, YMTC and CMXT, that are used in a “critical system.”

A critical system is a national security system, a telecommunications or information system operated by the Federal Government involved in:  intelligence activities; cryptologic activities; command and control of military forces; weapon or weapon systems; or the direct fulfillment of military intelligence missions

Potential Impact on Contractors in the Security Industry

The effective date for Section 5949 is set for five years after passage. The restrictions will not require entities to remove or replace any covered semiconductor products or services in existing equipment or systems acquired by the Federal government before the effective date and entities can continue to use existing equipment that contains covered semiconductor products or services through the equipment lifecycle.

The five-year deadline should give SIA members and the security industry time to audit their products and processes and make any adjustments necessary to ensure no SMIC, YMTC and CXMT semiconductors are used in the products or services they provide to the federal government for critical systems.

Important Highlights from Section 5949

Certifications & Safe Harbors

  • Much like with Section 889, Section 5949 will require contractors to provide new certifications for the non-use of covered semiconductors products or services and pay for any rework required because of the inclusion or use of covered products or services in critical systems after the effective date. Rework costs are not allowable under federal contracts.
  • And similar to Section 889, Section 5949 offers a safe harbor, where federal contractors can reasonably rely on compliance certifications from covered entities and subcontractors who supply electronic parts, products or services without conducting independent audits or reviews.
  • Covered entities, prime contractors and subcontractors are required to report to the Government within 60 days if they become aware or suspect that any part, product or services sold to the Government contains covered semiconductors products or services.
  • In situations where contractors or subcontractors notify the Government that a critical system contains actual or suspected semiconductor products from the covered entities, they can avoid civil liability and be deemed non-responsible (but they must make an effort to identify and remove the covered products or services) by following the requirements.

Waivers

  • In situations where necessary, i.e. situations critical to the U.S.’s national security interests or where no compliant product or service is available (or is prohibitively expensive), the Secretaries of Defense, Energy, Commerce and Homeland Security, as well as the Director of National Intelligence may provide waivers. Heads of an executive agency (in consultation with the Secretary of Commerce, Secretary of Defense or the Director of National Intelligence) are also able to grant waivers (for no more than two years per waiver). Waivers will have to be justified to Congress.

Implementation

  • The Federal Acquisition Regulation Council must promulgate regulations around implementation within three years after enactment.
  • The Federal Acquisition Security Council (FASC) is tasked with providing recommendations for those regulations within two years after enactment.
  • FASC, with the Department of Defense, will be working to identify systems other than national security systems that need to be included as critical systems, which could bring potential impacts for the security industry down the road, but FASC is statutorily required to consult with relevant industry stakeholders when developing recommendations related to mitigating supply chain security risks so it is important that security industry suppliers participate in those discussions.
  • Within two years of passage, Commerce, Homeland Security, Defense and National Intelligence, with the Director of the Office of Management and Budget and the Director of the Office of Science and Technology Policy – in consultation with industry – must establish a new “microelectronics traceability and diversification initiative.”

Section 5949 will require the Commerce Department, in coordination with the other relevant departments and agencies, to conduct an analysis of domestic semiconductor production capacity – looking specifically at the risks covered semiconductor products or services pose to federal systems, the supply chains of federal contractors and subcontractors and even non-federal systems.

The security industry will need to continue to track these developments as the FAR Council, FASC and the various agencies work through the implementation process.