Are agencies doing enough to enforce Section 889?

It has been a while since Section 889 of the 2019 National Defense Authorization Act has gotten prominence.

At a broad level: that law bans government agencies from using certain telecommunications equipment from China-based manufacturers such as Huawei, ZTE, Hytera and a few others.

But a newly-released Government Accountability Office bid protest decision raises several issues involving how agencies are enforcing law. This is one of the few protests that have involved Section 889. GAO made the ruling in January and unsealed it on Tuesday.

In this case, the Veterans Affairs Department used the governmentwide SEWP contract vehicle to purchase personal computers, related equipment and warranty support services.

Minburn Technology Group won a delivery order to supply Dell products, as did AATD LLC for providing Lenovo products.

The Lenovo products were the sticking point for two protesters in Sierra7 and V3Gate, both of which argued the VA didn’t investigate whether the Lenovo products complied Section 889.

In fact, they said the products weren’t in compliance. They cited a 2019 Defense Department inspector general report and 2015 cybersecurity alerts that warned of risks associated with Lenovo products.

For this competition, the VA said it would accept self-certification by the bidders that their products were in compliance with Section 889.

GAO said that was fine and the VA was not required to investigate further.

Why is that determination important? We now turn to Lucas Hanback, co-chair of the government contracts practice at the Rogers Joseph O’Donnell law firm.

In a LinkedIn post, Hanback wrote that the decision further clarifies GAO’s stance on Section 889. It is okay for agencies to rely on a company's representations about Section 889 compliance.

“In order to prevail on a protest that the awardee is non-compliant with Section 889, protesters will have to point to something in the proposal itself that contradicts the compliance representation,” Hanback wrote.

Information outside of the proposal doesn’t count apparently.

I’m not a lawyer and I’m not a contracts and compliance expert by any means, but I think GAO may have gotten this wrong.

I know the market is in an era of self-certification, but isn’t verification part of what the evaluation process is about?

Perhaps the protesters should have filed a protest in the pre-award stage to claim the VA should have had a certification process as part of the solicitation.

GAO writes that V3Gate cited reports, but “no evidence that the contracting officer was aware of these sources or should have been.”