National Defense Authorization Act (NDAA)

NDAA Section 889 overview

Section 889 of the 2019 National Defense Authorization Act (NDAA) prohibits US federal government agencies, contractors, and grant and loan recipients from procuring or using certain covered telecommunications equipment and services as described in the statute. NDAA Section 889 seeks to mitigate privacy and security risks to the US government by prohibiting the purchase and use of such equipment. These prohibitions were implemented in two phases:

  • Section 889(a)(1)(A) prohibits federal agencies from purchasing covered telecommunications equipment and services. It became effective on 13 August 2019. The US Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) issued two interim rules amending the Federal Acquisition Regulation (FAR) to implement Section 889(a)(1)(A). For more information, see interim rule 1 and interim rule 2.
  • Section 889(a)(1)(B) prohibits federal agencies from entering into, or extending or renewing, a contract with a company that uses covered telecommunications equipment and services. It became effective on 13 August 2020, and it has a much broader scope than the first phase. It's aimed at ensuring that the US government doesn't conduct business with companies that use covered telecommunications equipment and services. DoD, GSA, and NASA issued an interim rule amending the FAR to implement Section 889(a)(1)(B).

The detailed definition of covered telecommunications equipment and services is provided in the statute as follows:

  • (A) Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities).
  • (B) For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities).
  • (C) Telecommunications or video surveillance services provided by such entities or using such equipment.
  • (D) Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.

Microsoft support for NDAA Section 889

For purposes of NDAA Section 889(a)(1)(B), Microsoft understands that its partners and customers are conducting “reasonable inquiries” regarding their use of prohibited covered telecommunications equipment and services. The current Microsoft Azure, Office 365, Dynamics 365, and Surface product and service offerings in the United States don't use equipment or services of Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company.

NDAA Section 1634 overview

On 15 June 2018, DoD, GSA, and NASA published an interim rule in the Federal Register to revise the FAR to implement section 1634 of Division A of the NDAA, which prohibits the use of products and services of Kaspersky Lab and its related entities by the Federal Government. Among other things, the interim rule added a corresponding contract clause at 52.204-23 that must be included by contracting officers in solicitations issued on or after 16 July 2018, and in resulting contracts.

Microsoft support for NDAA Section 1634

For purposes of FAR 52.204-23, Microsoft cloud services, including Azure, Dynamics 365, Microsoft 365, and Power Platform, don't use any hardware, software, or services provided by Kaspersky Lab.

Frequently asked questions

What are covered telecommunications equipment and services?
Detailed definitions are provided in the 2019 National Defense Authorization Act (NDAA), as summarized in the NDAA Section 889 overview above.

Does FedRAMP require compliance with Section 889 of the NDAA?
Yes. Effective 20 May 2021, the FedRAMP Joint Authorization Board (JAB) updated the SA-04 control parameter within the Low, Moderate, and High baselines, specifying that the cloud service providers must comply with Section 889 of the NDAA. Control SA-04 Acquisition Process is part of the System and Services Acquisition (SA) control family. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the JAB.

Do NDAA Section 889 assurances apply to Microsoft online services outside the United States?
No. The commitment exists only for service offerings in the United States. NDAA Section 889 restrictions are applicable only to procurement by US federal government agencies, contractors, and grant and loan recipients.

Resources