The Fiscal Year 2023 National Defense Authorization Act (“NDAA”) precludes acquisition of products or services that include certain semiconductors originating in China and other “foreign countries of concern.” The NDAA, as passed by Congress, must now be signed into law by President Biden, which is expected to happen any day. Under Section 5949(a), US federal agencies will be prohibited from:
- “procur[ing], obtain[ing], or extend[ing] or renew[ing] a contract to procure or obtain, any electronic parts or products, or services that include covered semiconductor products or services,” (Section 5949(a)(1)(A)); and
- entering into a contract “with an entity to procure or obtain electronic parts or products that use any electronic parts or products that include covered semiconductor products or services” (Section 5949(a)(1)(B)). Under the applicable rule of construction (Section 5949(a)(2)(B)), this use prohibition applies when the covered semiconductor products or services are in “critical systems,” which are defined as “national security systems,” i.e., telecommunication or information systems operated by the federal government, which involves intelligence and cryptologic activities, command and control of military forces, equipment that is an integral part of a weapon or weapons system, or any other system identified by the Federal Acquisition Security Council or the Department of Defense (“DoD”).
Although the prohibitions have five years to take effect, contractors (and their subcontractors and suppliers) must start now to thoroughly analyze their supply chains and identify any products sold to the federal government that contain covered semiconductor products or services. Contractors will then need to take steps to source Section 5949-compliant semiconductor products and services.
What Is a “Covered Semiconductor Product or Service”?
Section 5949 broadly defines “covered semiconductor product or service” to mean a semiconductor, a semiconductor product, a product that incorporates a semiconductor product, or a service that uses such a product that is designed, produced or provided by, Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies, Yangtze Memory Technologies Corp, or any subsidiary, affiliate, or successor of these entities.
The definition also includes any product or service that the Secretary of Defense or Secretary of Commerce determines was produced or provided by an entity “owned or controlled by, or otherwise connected to . . . a foreign country of concern.” The provision focuses on entities from China but also applies to entities from North Korea, Russia, and Iran.
What Does It Mean to “Use” a Prohibited Semiconductor?
Although the intent of Congress in Section 5949 is that federal contractors and their subcontractors/suppliers “not utilize companies connected to foreign countries of concern that threaten national security,” the actual language of Section 5949(a)(1)(B) applies to “critical systems” and prohibits federal agencies from contracting with entities to procure “electronic parts or products that use any electronic parts or products that include covered semiconductor products or services.” That language contrasts with Section 889(a)(1)(B) of the FY2019 NDAA, which prohibits agencies from contracting with any entity that uses any equipment, system or service that uses “covered” (i.e., produced by the identified Chinese companies) telecommunications equipment or services as a substantial or essential component of any system or as critical technology as part of any system.
Section 5949(a)(1)(B) appears to allow contractors to use covered semiconductor products or services in electronic parts or products for other than “critical systems.” To the extent that an entity provides a commercial product that is not used in a “critical system,” the product would not be covered (i.e., the prohibition does not apply). However, commercial products and technologies are sometimes used in “critical systems,” e.g., command and control of military forces or in the direct fulfillment of military or intelligence missions. Companies selling electronic parts or products should thoroughly review solicitations to determine whether these products will be used in a “critical system” and inquire as appropriate.
Effective Date and Applicability
Section 5949(c) requires the prohibitions to take effect five years after enactment. Under Section 5949(a)(2), the statute’s Rule of Construction makes clear that the prohibitions will not be retroactively applied and will not require entities to remove or replace any covered semiconductor products or services that are “resident in equipment, systems, or services before the effective date [‘Existing Equipment’].” Moreover, entities can continue to use Existing Equipment throughout that equipment’s lifecycle even if it overlaps with the effective date of the prohibitions.1
Implementation of Section 5949
Section 5949(c) requires the Federal Acquisition Regulatory Council (FAR Council) to “prescribe regulations implementing the [section’s] prohibitions” within three years of its enactment. Within two years of enactment, the Federal Acquisition Security Council will provide recommendations to the FAR Council on these regulations. Importantly, any regulation will require prime contractors to flow down the substance of implementing contract clauses to subcontractors and suppliers.
The FAR Council’s prescribed regulations will include similar certification provisions to those previously required by Section 889 of the FY 2019 NDAA regarding telecommunications and surveillance equipment from China (FAR 52.204-24, 52.204-26). Under Section 5949(h), contractors must certify to “the non-use of covered semiconductor products or services” contained in electronic parts or products. Moreover, contractors will have the affirmative responsibility to detect and avoid the use or inclusion of these covered products, and contractors will be responsible for “any rework or corrective action” required to “remedy the use or inclusion” of covered semiconductor products in electronic parts or products.
The prescribed regulations will impose additional requirements on “covered entities,” which are entities that “develop a design of a semiconductor that is the direct product of United States origin technology or software” and purchase covered semiconductor products or services from SMIC or that are produced by an entity designated by the Secretary of Defense or the Secretary of Commerce. These covered entities must disclose to their direct customers whether their electronic parts, products, or services include a covered semiconductor product or service. If a covered entity fails to disclose the inclusion of covered semiconductor products or services to its direct customers, the covered entity will be responsible “for any rework or corrective action” to remedy the use of any covered semiconductor product or service and any of these costs are not allowed to be recovered under the federal contract. This provision (in conjunction with Section 5949’s liability provisions discussed below) focuses responsibility on the point of noncompliance within the supply chain and provides protection to prime contractors or higher-tiered subcontractors regarding liability. Contractors at all levels also should consider adding an indemnification provision to, or revise an existing provision in, their agreements with subcontractors and suppliers to protect themselves from any noncompliance with these prohibitions.
The prescribed regulations also include a notification requirement. A contractor, subcontractor, or covered entity must notify federal authorities, within 60 days of “becom[ing] aware, or ha[ving] reason to suspect, that any end item, component, or part of a critical system purchased by the Federal Government, or purchased by a Federal contractor or subcontractor for delivery to the Federal Government for any critical system, contains covered semiconductor products or services.” Agencies, in turn, must report to Congress the purchase or delivery of covered semiconductor products or services within 120 days.2
Section 5949’s Liability Protections for Government Contractors
Under Section 5949(h)(5), contractors can “reasonably rely” on certificates of compliance from subcontractors and covered entities. Moreover, contractors have no obligation to conduct third-party audits to verify the accuracy of the certifications. However if the circumstances are such that the prime (or higher-level) contractor should have reasonably known about problems with the certification, a “see/hear/speak no evil” approach is unlikely to provide a robust shield.
If contractors and subcontractors provide the required notifications described above, Sections 5949(h)(6) and (h)(7) protect them from both civil liability and debarment—which could occur under FAR Part 9.4 if the agency’s suspending and debarring official finds that the contractor or subcontractor is not “presently responsible.” When a notification involves electronic parts or products manufactured or assembled by the contractor or subcontractor making the notification, section 5949(h)(7) further requires the contractor or subcontractor to make “a comprehensive and documentable effort to identify and remove covered semiconductor products or services from the Federal supply.”
Waiver Authorities Applicable to Section 5949’s Prohibitions
Section 5949 entrusts the authority to waive the restrictions set forth in Section 5949 to the Secretary of Defense, Director of National Intelligence, Secretary of Commerce, Secretary of Homeland Security, and Secretary of Energy in the event any one of those officials determines that the waiver is in the “critical national security interests of the United States.” Congress’s Joint Explanatory Statement explains that “critical national security interests” may include “protecting the Nation’s economic security and its technological competitiveness relative to strategic competitors.”
Section 5949 also provides the heads of executive agencies with a renewable, two-year waiver authority when both of these determinations are made:
- First, in consultation with the Secretary of Commerce, the head of an agency must determine that “no compliant product or service is available . . . at United States market prices or a price that is not  prohibitively expensive.”
- And, second, the head of an agency must determine, in consultation with either the Secretary of Defense or Director of National Intelligence, that a waiver will not “compromise the critical national security interests of the United States.”
Requirements for Analysis, Assessment, and Developing Strategies
Section 5949(e) requires the executive branch to provide various reports to Congress on different timelines. These reports must analyze implementation of the prohibitions and the development of strategies related to domestic semiconductor production.
First, within 270 days of enactment, the Office of Management and Budget, in coordination with the Director of National Intelligence and the National Cyber Director, must provide a report on implementing the prohibitions and the effectiveness of the waiver authorities under Section 5949.
Second, within 180 days of enactment, the Secretary of Commerce, in coordination with the Secretary of Defense, the Secretary of Energy, the Secretary of Homeland Security, and the Director of National Intelligence must (i) conduct analyses of the domestic design and production capacity of semiconductors (with “domestic” including allied or partner countries); (ii) conduct assessments on the risks presented by covered semiconductor products or services; and (iii) develop strategies to improve domestic semiconductor design and production capacity and to improve supply traceability to enforce the prohibitions described above. The Secretary of Commerce must then provide a report to the Federal Acquisition Security Council.
Third, within two years of enactment, the Secretary of Commerce, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Director of National Intelligence, the Director of the Office of Management and Budget, and the Director of the Office of Science and Technology Policy, and in consultation with industry, must establish a “microelectronics traceability and diversification initiative to coordinate analysis of and response to the Federal Government microelectronics supply chain vulnerabilities.”
- The Section 5949 prohibitions make clear the vital importance the United States places on its national security and economic interests. These prohibitions are examples of DoD’s efforts to reduce China’s influence in the critical markets (and supply chains) while the Department of Commerce simultaneously attempts to expand domestic design and production capacity in crucial markets. (Commerce is doing so here by implementing the Creating Helpful Incentives to Produce Semiconductors (CHIPS) Fund.3)
- Although Section 5949 is being implemented during the next five years, prime contractors, subcontractors and their suppliers must begin thoroughly analyzing and identifying products sold to the Government that contain covered semiconductor products or services—particularly those products that are or may be used in “critical systems."
1 Under the Rule of Construction set forth in Section 5949, the Federal Communications Commission is not required to “designate covered semiconductor products or services to its Covered Communications Equipment or Services List maintained under  the Secured and Trusted Communications Networks Act of 2019.” This is a list of communications equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of United States persons. See https://www.fcc.gov/supplychain/coveredlist.
2 Section 5949(h)(5) is unclear concerning whether the federal agency must report to Congress within 120 days of the incident or within 120 days of receipt of a report from a contractor, subcontractor, or covered entity.
3 Mayer Brown’s September 2022 Legal Update explains in detail the CHIPS Fund and upcoming $38 billion federal award program to expand US semiconductor production and $11 billion dedicated to research and development (“R&D”) initiatives.