U.S. FAR Section 889 — Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment

Overview

U.S. FAR Section889 is a federal regulation that helps organizations mitigatecybersecurity and compliance risks by prohibiting the use of certaintelecommunications and video surveillance equipment and services fromspecified foreign entities. The regulation aims to protect U.S.government operations and sensitive data from unauthorized access andsupply chain threats.

Published by theU.S. General Services Administration (GSA) as part of the FederalAcquisition Regulation (FAR), Section 889 applies to federalagencies, contractors, and subcontractors engaged in governmentprocurement activities. The regulation covers areas such as supplychain security, vendor risk management, and compliance oversight,specifically focusing on entities linked to national securityconcerns.

Organizationsimplement Section 889 requirements by conducting supplier duediligence, updating procurement controls, and certifying the absenceof prohibited technologies in their systems. Integrating thesecontrols supports regulatory compliance, strengthens risk managementprograms, and aligns with broader supply chain security practicesmandated by federal and industry cybersecurity standards.

Why it Matters

U.S. FAR Section889 is critical for protecting government operations and informationby minimizing foreign supply chain risks through regulatory scrutiny.

Key benefitsinclude:

•  Strengthen supply chain oversight

Enableorganizations to better assess, monitor, and manage the security ofsuppliers throughout procurement activities.

•  Enhance regulatory compliance

Supportadherence to federal acquisition rules and facilitate smooth contracteligibility during government procurement processes.

•  Improve risk management

Reduce exposureto vendors and technologies associated with national securitythreats, improving organizational risk posture.

•  Increase audit readiness

Facilitate cleardocumentation and certification processes to streamline compliancevalidation in federal agency audits.

•  Protect sensitive government data

Reduce thelikelihood of unauthorized access or data exposure by prohibiting useof high-risk communications and surveillance equipment.

How it Works

U.S. FAR Section889 establishes a regulatory requirement within the FederalAcquisition Regulation, prohibiting federal contractors and agenciesfrom procuring or using certain telecommunications and videosurveillance equipment or services from specified Chinese companies.This framework is structured around explicit compliance clauses andreporting obligations, detailing the prohibited sources and requiringself-certification, supply chain due diligence, and ongoing vendorassessment as part of organizational governance and risk management.

In practice,organizations implement Section 889 by reviewing and updatingprocurement processes, performing supply chain risk assessments, andverifying that no covered equipment or services are present withintheir operations or those of their subcontractors. Regular complianceassessments, documentation of supplier attestations, and ongoingmonitoring of vendor relationships are central to meeting regulatoryrequirements. Security controls are applied to ensure that new andexisting contracts do not violate the provision, supporting broadercompliance and governance efforts.

With SmartSuite,organizations streamline Section 889 compliance by leveraging controllibraries to document regulatory requirements, maintaining riskregisters to catalog supply chain risks, and managing policygovernance. SmartSuite supports the collection of supplierattestations as evidence, enables compliance tracking throughdashboards, and facilitates remediation workflows to address anyidentified non-compliance, contributing to audit readiness andcontinuous monitoring.

Key Elements

•  Covered Entity Definition

Specifies whichgovernment contractors and subcontractors fall under the scope ofSection 889 compliance requirements.

•  Prohibited Technologies List

Providesdetailed criteria identifying telecommunications and videosurveillance equipment that are banned under this regulation.

•  Acquisition and Supply Chain Restrictions

Describeslimitations on the procurement and use of covered technologies withincontractor supply chains and purchasing processes.

•  Disclosure and Reporting Obligations

Establishesmandatory requirements for vendors to report the presence or use ofcovered equipment in their systems.

•  Contract Certification Criteria

Outlinescertification and attestation processes required to confirm ongoingcompliance with Section 889 during the contract lifecycle.

•  Implementation and Review Procedures

Detailsprocesses for monitoring, reviewing, and updating compliance withSection 889 within organizational operations.

Framework Scope

U.S. FAR Section889 applies to federal contractors, subcontractors, and suppliersproviding goods or services to the U.S. government. It governstelecommunications and video surveillance equipment, informationsystems, and organizational supply chains, and is typically enforcedduring contract procurement, vendor risk management, and supportingcompliance with federal procurement requirements.

Framework Objectives

U.S. FAR Section889 establishes required controls to reduce risk from prohibitedtelecommunications and surveillance equipment.

•  Protect organizational data by excluding high-risktelecommunications technology from operations

•  Strengthen cybersecurity risk management through enforcedsupplier and vendor compliance

•  Enhance governance and oversight of technology acquisition andsupply chain practices

•  Improve regulatory compliance with federal supply chain securityrequirements

•  Promote operational resilience by minimizing exposure tounauthorized security controls

•  Support audit readiness by maintaining verifiable records ofcompliance actions U.S. FAR Section 889 is a federal regulation thatrestricts the use of certain telecommunications and videosurveillance equipment, particularly for contracts with the U.S.government. It often aligns with supply chain security controls inframeworks like CMMC and NIST 800-171. Organizations implement FAR889 for regulatory compliance in federal procurement and to managesupply chain risk.

Common Framework Mappings

FAR Section 889is often mapped to other security and procurement frameworks toensure broad compliance, manage supply chain risk, and align vendormanagement practices across global regulatory and securityrequirements.

Mappedframeworks include:

CIS CriticalSecurity Controls

FedRAMP

ISO/IEC 27001

ISO/IEC 27002

NISTCybersecurity Framework

NIST SP 800-53

NIST SP 800-171

PCI DSS

SOC 2

UK CyberEssentials