Agencies Mitigate Risks of Chinese-Linked Telecom Equipment


Key Takeaways

  • A 2018 law (Section 889 of the FY 2019 NDAA) bars federal agencies from procuring telecommunications and video‑surveillance equipment made by certain Chinese‑linked companies, though equipment bought before the ban may still be used.
  • Of six agencies reviewed, only the Department of Defense (DOD) and the Department of Energy (DOE) reported finding any covered equipment; DOD identified three instances that have been isolated from external access while removal actions proceed.
  • Agencies employed a mix of IT hardware asset inventories, network scans, procurement‑record reviews, and physical searches, each offering strengths but also limitations—especially regarding classified or segmented networks.
  • Obstacles to detection include limited visibility into manufacturers’ supply chains, reluctance of vendors to share proprietary data, and the dynamic nature of corporate subsidiaries and affiliates.
  • The GAO study was undertaken because the federal government relies heavily on telecom and surveillance gear that could be exploited by foreign adversaries, with China viewed as the most active cyber threat.

Legal Framework and Scope of the Prohibition
The John S. McCain National Defense Authorization Act for Fiscal Year 2019 includes Section 889, which generally prohibits executive agencies from acquiring “covered telecommunications equipment” produced by firms tied to the People’s Republic of China, their subsidiaries, or affiliates. The ban applies to new procurements; equipment obtained prior to the effective date may remain in service unless agencies determine it poses an unacceptable risk. GAO’s review focused on how six selected agencies have implemented this restriction and what they have discovered about existing covered equipment in their IT environments.

Agency‑Level Findings on Covered Equipment
Officials from the Departments of Homeland Security, Justice, State, and Treasury reported that they did not identify any covered equipment connected to their information‑technology networks. In contrast, DOD and DOE disclosed that recent searches uncovered minimal amounts of such gear. DOD specifically noted three instances of covered equipment linked to its network; these devices have been blocked from external communication while the department works to remove or replace them. DOE indicated it had found little covered equipment and is undertaking remedial steps consistent with its risk‑management processes.

Department of Defense Actions
Upon discovering the three covered‑equipment items, DOD officials instituted immediate containment measures, including disabling external access points and monitoring the devices for anomalous activity. The agency is coordinating with its acquisition and cybersecurity offices to develop a removal plan that complies with both the Section 889 prohibition and broader supply‑chain security requirements. DOD emphasized that the limited number of findings suggests its existing inventory controls are largely effective, but it continues to refine detection capabilities.

Department of Energy Approach
DOE reported that its searches yielded only trace amounts of covered equipment, primarily in legacy systems slated for upgrade. The agency has initiated a phased replacement program, prioritizing equipment that handles sensitive energy‑infrastructure data. DOE’s approach combines inventory validation with vendor attestations and periodic network‑traffic analysis to ensure no prohibited gear remains operational.

Overview of Search Methods Employed Since 2019
All six agencies have drawn on some combination of four primary methods to locate covered equipment: IT hardware‑asset inventory searches, IT network scans, procurement‑record reviews, and physical inspections. The table supplied by GAO shows that each agency employed at least two of these techniques: DOD, DOE, DHS, Justice, and Treasury each used inventory searches and network scans among their methods, while State relied solely on those two. No agency reported conducting physical searches for covered equipment, reflecting a reliance on electronic and documentary controls.

IT Hardware Asset Inventories
Agencies maintain detailed records of owned IT hardware, which serve as a foundational tool for identifying covered equipment. By cross‑referencing inventory entries with lists of prohibited manufacturers, officials can flag devices that require further investigation. This method is effective for equipment that is fully documented and tied to a specific asset tag, but it may miss items that are undocumented, temporarily loaned, or embedded within larger systems where the host device is not individually tracked.

IT Network Scans
Network‑scanning software probes active devices on an agency’s IT infrastructure, collecting identifiers such as MAC addresses, IP addresses, and device signatures. Scans can quickly reveal unauthorized or unknown equipment connected to the network. However, officials noted that scans often fail to reach classified or air‑gapped networks, and they may not detect devices that are powered off, disconnected, or operating behind network segmentation that blocks scan traffic.
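The scan-based discovery described above can be reduced to two checks: match each discovered MAC address's OUI (its first three bytes) against a watchlist of prohibited vendors, and compare the segments the scan actually reached with the segments the agency declares it operates, so that segmented or air‑gapped networks show up as explicit blind spots rather than silent gaps. The script below is an added example, not tooling from the GAO report or any agency; the OUI prefixes, scan lines, and subnets are all constructed placeholders (real OUI assignments come from the IEEE registry).

```python
"""Match scanned MAC addresses against an OUI watchlist and report declared
network segments the scan never reached.

Added example; every OUI, host and subnet below is constructed."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed watchlist: OUI prefix -> vendor. Placeholders, not real OUIs.
COVERED_OUIS: Dict[str, str] = {
    "00:11:22": "ExampleCoveredTelecom Ltd (placeholder)",
    "AA:BB:CC": "ExampleCoveredCamera Co (placeholder)",
}

# Constructed scanner output, one "ip mac hostname" record per line.
# Note the mixed MAC notations, which real scanners do emit.
SCAN_OUTPUT = """\
10.0.1.10 00:11:22:9a:8b:7c core-switch-01
10.0.1.11 3c:5a:b4:00:00:01 printer-02
10.0.2.5  aa:bb:cc:01:02:03 lobby-cam-07
10.0.1.12 00-11-22-de-ad-01 unknown
"""

# Segments the agency says it operates; 10.0.9.0/24 stands in for a
# segmented or air-gapped network the scanner cannot reach.
DECLARED_SEGMENTS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.9.0/24"]


def normalize_mac(mac: str) -> str:
    """Canonical form: lower-case hex pairs joined by ':'."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """First three bytes of a normalized MAC, e.g. '00:11:22'."""
    return normalize_mac(mac)[:8]


def parse_scan(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'ip mac hostname' lines into (ip, normalized_mac, host) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        rows.append((parts[0], normalize_mac(parts[1]), parts[2]))
    return rows


def flag_covered(rows, watchlist=COVERED_OUIS) -> List[dict]:
    """Return hosts whose OUI is on the watchlist, regardless of MAC notation."""
    watch = {oui_of(prefix + ":00:00:00"): vendor for prefix, vendor in watchlist.items()}
    hits = []
    for ip, mac, host in rows:
        vendor = watch.get(oui_of(mac))
        if vendor:
            hits.append({"ip": ip, "mac": mac, "host": host, "vendor": vendor})
    return hits


def unscanned_segments(rows, declared=DECLARED_SEGMENTS) -> List[str]:
    """Declared segments with no scanned host: candidate blind spots to
    cover by inventory review or physical inspection."""
    nets = [ipaddress.ip_network(s) for s in declared]
    seen: Set[str] = set()
    for ip, _, _ in rows:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                seen.add(str(net))
    return [str(net) for net in nets if str(net) not in seen]


if __name__ == "__main__":
    scanned = parse_scan(SCAN_OUTPUT)
    for hit in flag_covered(scanned):
        print("COVERED-OUI", hit)
    for seg in unscanned_segments(scanned):
        print("NOT-REACHED", seg)
```

The coverage report is the part worth keeping: a scan that returns no hits is only meaningful for the segments it actually reached, and listing the unreached ones turns the limitation officials described into a work item for the other search methods.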

Procurement Record Searches
Reviewing purchasing contracts, invoices, and requisition records helps agencies verify whether acquisitions complied with the Section 889 ban. This retrospective check can uncover cases where covered equipment was inadvertently procured before the prohibition took effect or where vendor misrepresentations occurred. Limitations arise when procurement data are incomplete, when contracts use generic descriptions that obscure the manufacturer, or when third‑party resellers complicate traceability.
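Both the inventory cross‑referencing described under IT Hardware Asset Inventories and the procurement‑record review described here come down to the same matching problem: normalize a manufacturer or vendor name, resolve it through a list that includes subsidiaries and affiliates, and flag the records that cannot be resolved at all (an undocumented manufacturer, a reseller, a generic description). The script below is an added example serving both passages, not code from the GAO report or any agency; the entity names, reseller names, asset records, purchase orders, and the effective date passed to the procurement check are all constructed placeholders.

```python
"""Cross-reference an IT hardware inventory and procurement records against a
covered-entity list that includes subsidiaries and affiliates.

Added example; all entity names and records below are constructed."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed reference data: canonical parent -> canonical affiliates.
# A real list must come from an authoritative, dated source and be refreshed
# as corporate structures change.
COVERED_ENTITIES: Dict[str, List[str]] = {
    "examplecoveredtelecom": ["ectsubsidiary", "ectnetworks"],
    "examplecoveredcamera": ["eccvision"],
}
# Constructed reseller names that hide the original manufacturer.
KNOWN_RESELLERS = {"genericitreseller", "federalsupplyhouse"}
GENERIC_DESCRIPTION = re.compile(r"^(network equipment|video equipment|it hardware)\b", re.I)

INVENTORY_CSV = """asset_tag,manufacturer,model,location
A-1001,ECT Networks Inc.,SW-48,Bldg 3
A-1002,Trusted Switch Corp,TS-24,Bldg 3
A-1003,ECC Vision,IPCAM-2,Lobby
A-1004,,Unknown module,Bldg 7
"""

PROCUREMENT_CSV = """po_number,vendor,description,date
PO-501,Generic IT Reseller,Network equipment lot,2018-06-01
PO-502,ExampleCoveredTelecom Ltd,48-port switch,2017-11-20
PO-503,Trusted Switch Corp,TS-24 switch,2020-02-14
"""


def canon(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes, remove spaces."""
    n = re.sub(r"[^a-z0-9 ]", "", name.lower())
    n = re.sub(r"\b(inc|ltd|llc|corp|corporation|co|company)\b", "", n)
    return re.sub(r"\s+", "", n)


def build_index(entities: Dict[str, List[str]] = COVERED_ENTITIES) -> Dict[str, str]:
    """Map every parent and affiliate name to its covered parent."""
    idx = {}
    for parent, affiliates in entities.items():
        idx[parent] = parent
        for affiliate in affiliates:
            idx[affiliate] = parent
    return idx


COVERED_INDEX = build_index()


@dataclass
class Finding:
    record_id: str
    reason: str
    matched_parent: str = ""


def check_inventory(csv_text: str) -> List[Finding]:
    """Flag inventory rows made by a covered entity or lacking a manufacturer."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mfr = row["manufacturer"].strip()
        if not mfr:
            findings.append(Finding(row["asset_tag"],
                                    "manufacturer undocumented; needs physical verification"))
            continue
        parent = COVERED_INDEX.get(canon(mfr))
        if parent:
            findings.append(Finding(row["asset_tag"],
                                    f"manufacturer '{mfr}' is a covered entity or affiliate", parent))
    return findings


def check_procurement(csv_text: str, ban_effective: str) -> List[Finding]:
    """Flag purchase orders from covered entities (noting whether they predate
    the ban) and orders whose vendor or description hides the manufacturer.
    Dates are ISO strings, so lexical comparison is correct."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor, desc = row["vendor"].strip(), row["description"].strip()
        parent = COVERED_INDEX.get(canon(vendor))
        if parent:
            when = "before" if row["date"] < ban_effective else "after"
            findings.append(Finding(row["po_number"],
                                    f"vendor '{vendor}' is covered; procured {when} the ban", parent))
            continue
        if canon(vendor) in KNOWN_RESELLERS or GENERIC_DESCRIPTION.match(desc):
            findings.append(Finding(row["po_number"],
                                    "reseller or generic description obscures manufacturer; trace to OEM"))
    return findings


if __name__ == "__main__":
    # Effective date is a placeholder for this example; confirm against the statute.
    for f in check_inventory(INVENTORY_CSV) + check_procurement(PROCUREMENT_CSV, "2019-08-13"):
        print(f)
```

The design choice worth noting is that unresolved records (blank manufacturer, reseller, generic description) are reported as findings rather than dropped: they are exactly the cases the page says inventories and procurement data miss, and each one needs a different follow‑up (physical check, OEM trace) rather than a clean bill of health.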

Physical Searches
Although none of the selected agencies reported conducting systematic physical inspections for covered equipment, the method remains a valuable complement to electronic controls. Physical checks can verify the presence of equipment in secure facilities, validate asset tags, and detect gear that may have been omitted from digital inventories. Challenges include the labor intensity of sweeping large campuses, the need for specialized personnel to identify obscure components, and the difficulty of accessing classified or high‑security zones without disrupting operations.

Challenges in Identifying Covered Equipment
Officials cited several recurring obstacles. First, manufacturers frequently guard supply‑chain details as proprietary, limiting agencies’ ability to ascertain whether a product contains components from prohibited entities. Second, the lack of a centralized, authoritative directory of Chinese‑linked subsidiaries and affiliates means that reliance on vendor‑provided lists can quickly become outdated as companies reorganize, acquire, or divest businesses. Third, the dynamic nature of corporate structures demands continual updating of reference data, which agencies find resource‑intensive. Finally, segmented or classified network environments impede the effectiveness of network‑based discovery tools, creating blind spots where covered equipment could persist undetected.

Purpose and Methodology of the GAO Study
GAO undertook this review because the federal government depends extensively on telecommunications and video‑surveillance equipment to support mission operations and public communication, and because foreign adversaries—particularly China—are assessed as the most active and persistent cyber threat to these systems. The study examined (1) the volume of covered equipment identified by six CFO Act agencies with Intelligence Community components and the steps they have taken to mitigate associated risks, and (2) the methods those agencies reported using to search for such equipment and the challenges they encountered. GAO collected screenshots of network scans and inventory searches, reviewed agency policies against NIST cybersecurity standards, and interviewed officials to validate findings.

Conclusion and Implications
The GAO analysis indicates that, while most reviewed agencies have not detected covered equipment on their networks, DOD and DOE have identified limited instances and are actively managing them. The mixed‑method search strategy employed by agencies offers a layered defense but is hampered by technical, procedural, and information‑sharing barriers. Enhancing supply‑chain transparency, maintaining up‑to‑date prohibited‑entity lists, and extending scanning capabilities to classified and segmented networks would improve the government’s ability to enforce the Section 889 prohibition and reduce potential cyber‑risk exposure. Continued oversight and periodic reassessment of detection practices will be essential as the threat landscape and corporate structures evolve.
