DIB and NDAA Compliance (cameras)

old.reddit.com / @/u/ApprehensiveTree7184, https://old.reddit.com/user/ApprehensiveTree7184

I wouldn't think NDAA or general FAR regulations would be mentioned at all for the purposes of CMMC, but it does dovetail into conversations with a DIB client addressing a legacy camera system.

Our client has a legacy camera system with known vulnerabilities, and for the purposes of CMMC compliance we have advised they do one of the following: prevent this system from being publicly accessible, VLAN the system and implement (if possible) some form of whitelisted access control, or replace the system altogether. However, it has recently been pointed out that the current camera system is not NDAA compliant (the cameras are made by a Chinese manufacturer). Does anyone know if NDAA camera compliance applies to non-prime contractors (contractors that receive work from the primes) or not? Here are some excerpts that muddy the water for me:

"Section 889(a)(1)(A) prohibits the Federal Government from procuring or obtaining, or extending or renewing a contract to procure or obtain “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system,” on or after August 13, 2019, unless an exception applies or a waiver is granted" and "Section 889(a)(1)(B) prohibits executive agencies from entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system unless an exception applies or a waiver is granted." https://www.acquisition.gov/Section-889-Policies

The 52.204-25 prohibition under section 889(a)(1)(A) will continue to flow down to all subcontractors; however, as required by statute the prohibition for section 889(a)(1)(B) will not flow down because the prime contractor is the only “entity” that the agency “enters into a contract” with, and an agency does not directly “enter into a contract” with any subcontractors, at any tier. https://www.federalregister.gov/documents/2020/07/14/2020-15293/federal-acquisition-regulation-prohibition-on-contracting-with-entities-using-certain#h-51


published about 1 month ago



