Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 imposes a certification requirement on every prime contractor: certify, on the basis of a reasonable inquiry, that the entity does not use covered telecommunications equipment or services. The Federal Acquisition Regulation defines reasonable inquiry narrowly. The certification is binary, the consequences of misrepresentation are severe, and the technical evidence that supports the certification is not specified anywhere in the rule.
That gap is what most compliance officers fall into. They attest to having conducted a reasonable inquiry. When the contracting officer asks for the documentation, they send a vendor questionnaire and a procurement policy. Both are real evidence. Neither is sufficient if the asset inventory cannot reconcile to the certification, the Software Bill of Materials shows components from prohibited entities, or network telemetry detects covered equipment in production. The cybersecurity team gets blindsided by a question the procurement team thought it had answered.
This article shows you the four information-technology artifacts that turn a soft attestation into auditable evidence: Software Bill of Materials at the runtime layer, asset inventory at the device layer, procurement-pipeline controls at the supply layer, and network telemetry at the operational layer. It is the technical companion to the Part A versus Part B explainer that lives on Amerifusion GovCon, and it is written for the contractor whose Section 889 certification has to survive a contracting-officer inquiry.
Bottom Line Up Front. Section 889 Part B requires every prime contractor to certify a reasonable inquiry into the use of covered telecommunications equipment. The FAR defines reasonable inquiry narrowly as “documentation or other records” but does not specify the documentation modality. Most contractors satisfy the certification with a vendor questionnaire and a procurement policy and stop there. The four IT artifacts that turn that soft attestation into auditable evidence are the SBOM at the runtime layer, the asset inventory at the device layer, procurement-pipeline controls at the supply layer, and network telemetry at the operational layer.
What Reasonable Inquiry Actually Means
The Federal Acquisition Regulation defines a reasonable inquiry as “an inquiry designed to uncover any information in the entity’s possession, primarily documentation or other records, about the identity of the producer or provider of covered telecommunications equipment or services used by the entity.” A reasonable inquiry need not include an internal or third-party audit. It must, however, produce documentation. The certification is not satisfied by a vendor questionnaire alone if no internal documentation supports the answer.
The covered entities are listed in Section 889 of the FY19 NDAA and incorporated in FAR 52.204-25. They include Huawei Technologies, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology, and Dahua Technology, plus their subsidiaries and affiliates. The same supply-chain scrutiny that governs DFARS 252.204-7012 compliance for cybersecurity controls extends, under Section 889, to telecommunications equipment across the contractor’s full operations. Part A prohibits the federal government from procuring such equipment. Part B prohibits the federal government from contracting with any entity that uses such equipment, anywhere in its operations, regardless of whether that use touches the federal contract.
The Part B reach is the part that makes the certification consequential. A contractor performs federal work on a federal program; that program may have nothing to do with the company’s other commercial operations; and yet a Hikvision camera in a private warehouse is enough to disqualify the entire entity. The reasonable inquiry must cover the entity’s full operations, not just the federal contract.
The Four IT Artifacts That Evidence Reasonable Inquiry
The reasonable inquiry standard maps to four technology artifacts that each cover a layer of the operational stack. Together, they constitute the documentary basis the certification requires. Separately, none is sufficient. Most contractors produce one or two and treat the certification as covered.
| Layer | Artifact | What It Evidences | Source System |
|---|---|---|---|
| Runtime | Software Bill of Materials | Software components and dependencies in the production environment | SBOM tooling: Anchore, JFrog Xray, Snyk, Mend |
| Device | Asset Inventory | Physical and virtual assets, with manufacturer and model | IT Asset Management: ServiceNow, Lansweeper, Microsoft Intune |
| Supply | Procurement-Pipeline Controls | What can be purchased; how purchase requests are screened | Procurement systems: SAP Ariba, Coupa, Workday |
| Operational | Network Telemetry | What is communicating on the network; from what device class | NDR/SIEM: Vectra, ExtraHop, Splunk, Microsoft Sentinel |
Runtime Layer: Software Bill of Materials
The Software Bill of Materials at the runtime layer documents the actual components present in the production environment, including transitive dependencies pulled at install time. The runtime SBOM is distinct from the source-repository SBOM, which captures only what the developer intended to include. The runtime SBOM evidences what is actually deployed, which is what Section 889 cares about.
The SBOM should be in CycloneDX 1.5 or SPDX 2.3 machine-readable format, refreshed at least quarterly, and stored with version control so that a historical SBOM can be produced for any past quarter. The same OSCAL-compatible data pipelines that FedRAMP RFC-0024 mandates for cloud service providers create natural infrastructure for Section 889 SBOM management in dual-market contractors. The Section 889 verification is straightforward: parse the SBOM, search for components attributable to covered entities, and produce a clean signal or a hit. A clean signal becomes part of the certification evidence. A hit triggers the remediation process.
The SBOM is the only one of the four artifacts that detects software-level covered components, including embedded firmware libraries that may originate from covered entities even when the device manufacturer is not on the list. The runtime SBOM is the artifact that catches the supply-chain inheritance problem the other three cannot.
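The SBOM screening step described above, as an added example that is not part of the original article: it walks a CycloneDX 1.5 JSON document (including nested sub-components and the metadata component), matches name, publisher, supplier and purl fields against the five entities named in the rule, and returns an empty list as the clean signal or one hit per component. The alias patterns, the field selection and the sample SBOM are assumptions; the subsidiary list must be extended as the article says.

```python
import re

# Covered entities named in Section 889 / FAR 52.204-25. The regexes are assumed
# first-pass aliases on word boundaries; extend them as subsidiaries are identified.
COVERED_PATTERNS = {
    "Huawei Technologies": re.compile(r"\bhuawei\b", re.I),
    "ZTE Corporation": re.compile(r"\bzte\b", re.I),
    "Hytera Communications Corporation": re.compile(r"\bhytera\b", re.I),
    "Hangzhou Hikvision Digital Technology": re.compile(r"\bhikvision\b", re.I),
    "Dahua Technology": re.compile(r"\bdahua\b", re.I),
}

def _component_fields(comp):  # free-text fields of one component worth screening
    yield comp.get("name", "")
    yield comp.get("publisher", "")
    yield comp.get("purl", "")
    yield (comp.get("supplier") or {}).get("name", "")

def _walk(components):  # depth-first, so firmware sub-components are screened too
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))

def screen_cyclonedx(sbom):
    """Return one hit per component attributable to a covered entity; [] is clean."""
    meta = (sbom.get("metadata") or {}).get("component")
    roots = list(sbom.get("components", [])) + ([meta] if meta else [])
    hits = []
    for comp in _walk(roots):
        for field in _component_fields(comp):
            entity = next((e for e, p in COVERED_PATTERNS.items() if p.search(field)), None)
            if entity:
                hits.append({"component": comp.get("bom-ref") or comp.get("name"),
                             "entity": entity, "evidence": field})
                break  # record each component once; the evidence field is kept for review
    return hits

# Constructed CycloneDX 1.5 document; component names and the non-covered supplier are fictitious.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [
    {"type": "library", "bom-ref": "openssl@3.0.13", "name": "openssl",
     "supplier": {"name": "OpenSSL Software Foundation"}},
    {"type": "firmware", "bom-ref": "cam-fw", "name": "camera-firmware", "components": [
        {"type": "library", "bom-ref": "cam-sdk", "name": "netsdk",
         "publisher": "Hangzhou Hikvision Digital Technology Co., Ltd."}]},
    {"type": "library", "bom-ref": "onu-client", "name": "onu-client",
     "purl": "pkg:maven/com.zte/onu-client@1.0.0"},
]}
```

Run it against the quarterly runtime SBOM export; a non-empty result is the hit that starts remediation, and the empty result, stored with the SBOM version, is the clean signal the certification file keeps.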
Device Layer: Asset Inventory
The asset inventory documents the physical and virtual assets in the entity’s environment, with manufacturer, model, and location. The inventory must be comprehensive: corporate offices, remote-work endpoints, data center hardware, cloud infrastructure, manufacturing equipment, video surveillance, telephony, and industrial control systems. Section 889 covers all of these because Part B covers the entity’s full operations.
The asset inventory must include both information-technology and operational-technology assets. Contractors pursuing CMMC Level 2 assessment preparation typically build the asset inventory as a shared artifact, since the CMMC-scoped system boundary and the Section 889 entity-wide scope share the same device-level data requirements. Hikvision and Dahua cameras frequently appear in the operational-technology category, controlled by facilities or security operations rather than information technology, and asset inventories that only cover IT miss them. The inventory should reconcile to procurement records and to network telemetry. Three independent sources of asset data converging on the same answer is the strongest evidence the certification can rest on.
The inventory must be refreshed at least quarterly, with continuous updates for in-flight changes. A static inventory more than 90 days old is not evidence of the current state; the certification is current as of the date of submission, and the inventory must support that currency.
Supply Layer: Procurement-Pipeline Controls
The procurement-pipeline controls document what can be purchased and how purchase requests are screened. The control should prevent covered equipment from entering the entity in the first place, not just detect it after arrival. The procurement system should maintain a blocked-vendor list that includes the Section 889 covered entities and their subsidiaries, with the list updated as new subsidiaries are identified.
The screening should occur at the requisition stage, not at the invoice stage. A requisition for a Hikvision camera should be flagged before approval. A requisition that passes through approval and triggers the flag at the invoice stage means the equipment is already on its way to the entity, and remediation is more expensive.
The procurement-pipeline control evidences the prevention layer. The asset inventory and the network telemetry evidence the detection layers. A contractor whose procurement controls are mature enough to prevent purchase, whose detection layers confirm prevention is working, and whose SBOM confirms no software-level inheritance, has the strongest possible reasonable-inquiry evidence stack.
Operational Layer: Network Telemetry
Network telemetry documents what is communicating on the network and from what device class. Most network detection and response platforms maintain device fingerprinting libraries that can identify Hikvision, Dahua, and Huawei equipment by network signature, often with high confidence even when the device is configured to obscure its identity.
The telemetry serves two purposes. First, it detects covered equipment that may have entered through channels the procurement controls did not catch: shadow IT, employee-purchased equipment connected to corporate networks, vendor-installed equipment in shared facilities, and equipment inherited from acquisitions. Second, it provides ongoing monitoring that converts the certification from a point-in-time attestation into a continuously verified statement.
The telemetry should run continuously and feed alerts to the security operations center on detection of covered-entity device signatures. The detection log is the artifact that demonstrates ongoing reasonable inquiry; a contractor whose telemetry has run for 24 months without a covered-entity detection has stronger evidence than one whose certification rests on a one-time inventory check.
The Reconciliation Test
The four artifacts are individually useful and collectively powerful when they reconcile. A reasonable inquiry that produces four sources of evidence converging on the same answer is a reasonable inquiry that survives a contracting-officer challenge or a False Claims Act inquiry. A reasonable inquiry whose four sources disagree is a reasonable inquiry that has not been completed; the disagreement must be resolved before the certification is signed.
The reconciliation test runs as follows. The asset inventory lists all assets with manufacturer and model. The procurement system lists all purchases with the same fields. The two should match for every asset acquired through procurement; assets in the inventory but not in procurement records require an explanation (acquisitions, donations, asset transfers from acquired entities). The network telemetry detects what is on the network; everything on the network should appear in the asset inventory. Devices on the network that are not in the inventory are the shadow IT problem and a Section 889 risk. The SBOM lists software components; the procurement records of software licenses and subscriptions should align.
A contractor running this reconciliation quarterly produces a continuously fresh certification basis. A contractor running it once a year before the federal contract submission produces a stale basis that may not survive a mid-year challenge.
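The device-layer part of the reconciliation test, as an added example that is not part of the original article: it joins the asset inventory to procurement records on serial number and to network telemetry on MAC address, lists every asset that lacks a counterpart in the other source, and flags any row whose manufacturer or fingerprint names a covered entity. The record layouts, the keyword screen and all sample rows are assumptions; the software-licence check against the SBOM is left out.

```python
# Covered-entity keywords from Section 889; a substring match on the manufacturer or
# fingerprint string is an assumed first-pass screen, not an affiliate list.
COVERED_KEYWORDS = ("huawei", "zte", "hytera", "hikvision", "dahua")

def is_covered(vendor):
    return any(k in vendor.lower() for k in COVERED_KEYWORDS)

def reconcile(inventory, procurement, telemetry):
    """Cross-check the three sources; every list must be empty or explained before signing."""
    inv_serials = {a["serial"] for a in inventory}
    inv_macs = {a["mac"].lower() for a in inventory if a.get("mac")}
    po_serials = {p["serial"] for p in procurement}
    seen_macs = {t["mac"].lower() for t in telemetry}
    findings = {
        "inventory_without_procurement": sorted(inv_serials - po_serials),  # acquisitions, transfers
        "procurement_without_inventory": sorted(po_serials - inv_serials),  # bought, never recorded
        "network_without_inventory": sorted(seen_macs - inv_macs),          # shadow IT
        "covered_hits": [],
    }
    sources = (("inventory", inventory, "serial", "manufacturer"),
               ("procurement", procurement, "serial", "manufacturer"),
               ("telemetry", telemetry, "mac", "fingerprint_vendor"))
    for name, rows, id_key, vendor_key in sources:
        for row in rows:
            if is_covered(row.get(vendor_key, "")):
                findings["covered_hits"].append((name, row[id_key], row[vendor_key]))
    return findings

def certification_ready(findings):
    """True only when the sources converge with nothing left to explain or remediate."""
    return not any(findings.values())

# Constructed sample rows; serials, MACs and the non-covered vendor names are fictitious.
INVENTORY = [
    {"serial": "SN-1001", "manufacturer": "Northbridge Networks", "model": "NS-48", "mac": "AA:BB:CC:00:00:01"},
    {"serial": "SN-1002", "manufacturer": "Acme Vision", "model": "AV-Dome", "mac": "AA:BB:CC:00:00:02"},
    {"serial": "SN-1003", "manufacturer": "Generic Server Co", "model": "R1", "mac": "AA:BB:CC:00:00:03"},
]
PROCUREMENT = [
    {"serial": "SN-1001", "manufacturer": "Northbridge Networks", "po": "PO-77"},
    {"serial": "SN-1002", "manufacturer": "Acme Vision", "po": "PO-78"},
    {"serial": "SN-1004", "manufacturer": "Dahua Technology", "po": "PO-79"},  # blocked-vendor list failed
]
TELEMETRY = [
    {"mac": "aa:bb:cc:00:00:01", "fingerprint_vendor": "Northbridge Networks"},
    {"mac": "aa:bb:cc:00:00:02", "fingerprint_vendor": "Acme Vision"},
    {"mac": "aa:bb:cc:00:00:03", "fingerprint_vendor": "Generic Server Co"},
    {"mac": "aa:bb:cc:00:00:99", "fingerprint_vendor": "Hikvision"},  # never inventoried
]
```

On the sample data the run reports SN-1003 as an unexplained arrival, SN-1004 as a purchase that reached procurement despite the blocked-vendor list, and one fingerprinted camera on the network that no inventory row accounts for.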
The 90-Day Implementation Plan
For a contractor whose Section 889 certification rests on a vendor questionnaire and a procurement policy today, the 90-day implementation plan brings all four artifacts into evidence quality.
Days 1 through 30: Asset Inventory. Stand up or refresh the asset inventory across IT, operational technology, video surveillance, and telephony. Confirm the inventory covers corporate offices, remote endpoints, data centers, cloud infrastructure, and any manufacturing or industrial control environments. Reconcile to procurement records.
Days 15 through 45: Procurement-Pipeline Controls. Add the Section 889 covered-entity list to the procurement system blocked-vendor list. Update the list to include known subsidiaries. Implement requisition-stage screening. Document the procedure with an internal control narrative.
Days 30 through 60: Network Telemetry. Contractors operating DoD Impact Level 5 environments should confirm that the supply-chain controls required for NSS classification and Section 889 reasonable inquiry share the same provenance evidence. Confirm the network detection capability includes device-fingerprint identification for Hikvision, Dahua, Huawei, ZTE, and Hytera. If the existing tooling does not, evaluate whether the SIEM or NDR platform can be augmented or whether additional tooling is required. Configure alerting on detection. Establish a 24-month detection log.
Days 45 through 75: Software Bill of Materials. Implement runtime SBOM generation across the production environment. CycloneDX is the operational default. Establish quarterly SBOM refresh. Implement SBOM parsing for Section 889 components.
Days 60 through 90: Reconciliation and Certification Update. Run the four-artifact reconciliation. Resolve any discrepancies. Document the reconciliation methodology in the Section 889 certification process. Update the contractor’s standard certification language to reference the four artifacts and the reconciliation evidence.
Frequently Asked Questions
Is a vendor questionnaire enough for the certification?
Alone, no. The Federal Acquisition Regulation defines reasonable inquiry as documentation in the entity’s possession. A vendor questionnaire is the vendor’s representation, not the entity’s documentation. The questionnaire should be one input to a reasonable inquiry, not the inquiry itself.
Does Section 889 cover operational technology and video surveillance?
Yes. Part B covers the entity’s full operations. Hikvision and Dahua cameras in non-IT environments (facilities, manufacturing, parking lots) are within scope. Asset inventories that exclude operational technology miss the most common Section 889 violations.
What if my acquired entity used covered equipment?
The acquisition inherits the obligation. A reasonable inquiry covers the post-acquisition entity. Discovery of covered equipment in an acquired environment triggers remediation. The contractor should integrate Section 889 due diligence into acquisition reviews.
How often should the four artifacts be refreshed?
Asset inventory and SBOM should refresh at least quarterly, with continuous updates for changes. Procurement-pipeline controls should be continuous. Network telemetry should run continuously. The certification basis should be no more than 90 days old at the time of certification.
What network detection capability identifies covered equipment?
Most modern network detection and response (NDR) platforms and security information and event management (SIEM) systems with device-fingerprinting capabilities can identify covered-entity equipment by network signature. The capability should be confirmed in advance; not all SIEM-bundled detection libraries include the relevant fingerprints.
What if I find covered equipment after certification?
Disclose to the contracting officer. The False Claims Act risk attaches to false certification, not to good-faith discovery and remediation after certification. Document the discovery, the remediation plan, and the timeline. The disclosure protects the contractor more than the discovery embarrasses it.
The verdict. Section 889 is one of the cleanest examples of a regulatory requirement whose technical evidence is unspecified by the rule and unforgiving when challenged. The four-artifact evidence stack converts the certification from a soft attestation into a verifiable statement. Most contractors will discover, on running the reconciliation for the first time, that one of the four artifacts is materially incomplete. That discovery is the value of the exercise. The certification rests on the reconciliation, not on the questionnaire, and the contractor whose four artifacts converge on the same answer is the contractor whose Section 889 posture survives the contracting-officer inquiry.