On December 23, 2022, President Biden signed into law the National Defense Authorization Act for Fiscal Year 2023 (“FY2023 NDAA”). Section 5949 of FY2023 NDAA (“Section 5949”) would prohibit executive agencies from procuring or contracting with entities to obtain any electronic parts, products, or services that include covered semiconductor products or services from certain Chinese companies. The semiconductor prohibitions will not take effect until five years after the date of enactment, and the Federal Acquisition Regulatory (“FAR”) Council will issue regulations implementing the prohibitions no later than three years from the enactment date.
Below we expand on these prohibitions and summarize the key takeaways for potentially impacted companies.
Part A
The semiconductor-related prohibitions in Section 5949 expand upon Section 889 of the FY2019 NDAA (“Section 889”), which covered telecommunications and surveillance products and services from certain Chinese companies. See our prior blog post on Section 889 here.
Part A of Section 5949 prohibits federal executive agencies from procuring, obtaining, or contracting for any electronic parts, products, or services that include covered semiconductor products or services. This prohibition applies to any “covered semiconductor products or services” that are produced by Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies, Yangtze Memory Technologies Corp, or any subsidiary or affiliate of those entities. These companies represent a sizeable and growing share of the semiconductor chips market, and a broad range of electronic equipment imported into the United States (including mobile phones, networking equipment, and automobile parts) incorporate chips produced by these entities or their affiliates. Section 5949 also authorizes the Secretary of Defense or the Secretary of Commerce to designate other products or services as “covered” if they determine that the product or service is produced or provided by an entity owned, controlled by, or connected to the government of a “foreign country of concern,” currently China, Russia, North Korea, and Iran.
Part B
Part B of Section 5949 prohibits federal executive agencies from entering into a contract (or extending or renewing a contract) with an entity to procure or obtain electronic parts or products that use any electronic parts or products that include covered semiconductor products or services. The prohibition focuses on whether the procured electronic parts or products themselves use parts/products that include covered semiconductor products or services and, unlike Part B of Section 889, does not prohibit the contractor from using covered semiconductor products or services in the contractor’s own internal systems.
In addition, unlike Part A, this prohibition applies only to products or services that include covered semiconductor products or services in systems that are “critical systems.”1 The limitation of these prohibitions to “critical systems” may limit the scope of contractors that will be subject to Part B through their contracts.
Prohibitions are not Retroactive and Will Not Affect the FCC’s Covered List
Section 5949 contains a Rule of Construction provision stipulating that the prohibitions will not require entities to remove or replace any covered semiconductor products or services that are “resident” in existing equipment, systems, or services before the effective date (five years after the date of enactment). Entities can continue to use existing equipment that include covered semiconductor products or services “throughout the lifecycle of such existing equipment.” In addition, the Rule of Construction provision states that Section 5949 will not require the Federal Communications Commission (“FCC”) to designate covered semiconductor products or services on its Covered Communications Equipment Services List maintained under the Secured and Trusted Communications Networks Act of 2019, as it does with certain telecommunications equipment, software, and services under Section 889. This list identifies communications equipment and services that the FCC has deemed to pose an unacceptable risk to U.S. national security or the security and safety of U.S. persons.
Waiver Authority and Safe Harbors
Section 5949 contains a Waiver Authority provision that authorizes the Secretaries of Defense, Commerce, Homeland Security, and Energy, as well as the Director of National Intelligence, to waive the prohibitions after the effective date for “critical national security interests.” Moreover, the head of an executive agency may waive prohibitions, for a renewable period of no more than two years per waiver, if certain determinations are made in consultation with the Secretaries of Commerce and Defense or the Director of National Intelligence.
Section 5949 also includes a number of safe harbors. First, government contractors can reasonably rely on certifications from covered entities and subcontractors regarding the inclusion (or not) of covered semiconductor products or services in electronic products and parts, and they do not have to conduct third-party audits or formal review of those certifications. Second, contractors and subcontractors that notify the government that a critical system contains actual or suspected covered semiconductor products or services will not be subject to civil liability or determined to be non-responsible if they have not manufactured or assembled the impacted products. If the notification involves parts or products manufactured or assembled by the notifying contractor/subcontractor, that company must make an effort to identify and remove the covered products or services from the federal supply.
Effective Dates
Not later than two years after enactment, the Federal Acquisition Security Council (“FASC”) must issue recommendations to mitigate supply chain risks relevant to federal government acquisition of semiconductor products and services, and recommendations for regulations implementing the prohibitions. Within three years after the enactment date, the FAR Council must issue regulations implementing the prohibitions. The semiconductor prohibitions will take effect five years after the date of enactment.
Implementing Regulations
The regulations promulgated by the FAR Council within three years after the enactment date to implement the prohibitions will include a number of key requirements.
- A requirement for government contractors that supply electronic parts or products to agencies to (1) certify the non-use of covered semiconductor products or services in those parts or products; (2) detect and avoid the use or inclusion of covered semiconductors in such products or services; and (3) remedy any use or inclusion of covered semiconductors in such products and services (the cost of any such rework or corrective action would not be allowable under federal contracts).
- A requirement for “covered entities,”2 prime contractors, and subcontractors to report to the government in writing within 60 days if the entity “becomes aware, or has reason to suspect” that an end item, component, or part of any critical system purchased by or for the government contains covered semiconductor products or services.
- A requirement of covered entities to disclose to their direct customers whether their parts, products, or services include covered semiconductor products or services. If a covered entity fails to disclose such inclusions, the covered entity will be responsible for any rework or corrective action.
- A requirement for prime contractors to incorporate the substance of the prohibitions and implement contract clauses into contracts for the supply of electronic parts or products.
Takeaways for Companies
- Similar to the representations that government contractors must complete in SAM.gov for Section 889, the rules promulgated under the new Section 5949 will require contractors to provide certifications for covered semiconductor products or services. It will also require government contractors to establish additional compliance and reporting processes and procedures.
- While the semiconductor prohibitions included in Section 5949 will not take effect until five years after the enactment of the FY2023 NDAA, government contractors will need to begin to take steps to assess supply chain risks and carefully scrutinize any electronic parts, products, or services provided to the government to ensure they do not include or use covered semiconductor products or services. Preparing now will minimize future disruptions for companies and help ensure compliance when Section 5949’s prohibitions go into effect.
- Government contractors will likely need to incur compliance costs to procure products and services with non-prohibited semiconductor chips for delivery to the government, including equipment component re-designs to accommodate the substitutions.
- Going forward, companies should conduct comprehensive due diligence when selecting products, service providers, vendors, suppliers, and contract manufacturers that have a nexus to Section 5949’s prohibitions. While Section 5949 imposes government supply chain prohibitions on major chipmakers in China, it also provides executive agencies with the authority to designate additional companies to the prohibited list if they determine that the product or service is provided by an entity owned, controlled by, or connected to the government of a “foreign country of concern,” including China, Russia, North Korea, and Iran.
1 “Critical System” is defined in Section 5949 as (1) “a telecommunications or information system operated by the Federal Government, the function, operation, or use of which: (A) involves intelligence activities; (B) involves cryptologic activities related to national security; (C) involves command and control or military forces; (D) involves equipment that is an integral part of a weapon or weapons system;” or (E) is critical to the direct fulfillment or military or intelligence missions; (2) other systems identified by the Federal Acquisition Security Council; and (3) additional systems identified by the U.S. Department of Defense. “Critical System” does not include systems used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
2 “Covered Entity” is defined in Section 5949 as an entity that develops “a design of a semiconductor that is the direct product of United States origin technology or software” and that purchases semiconductor products or services from SMIC or any other products or services that the Secretaries of Defense or Commerce designate as covered.