Vendors might have to vouch for product authenticity

Industry views rule to crack down on counterfeit equipment and software as too burdensome.

The federal government is considering a rule that would require contractors selling information technology products to the government to pledge that the equipment is authentic.

The rule is the result of a two-year investigation by the FBI, in which the bureau seized more than 400 pieces of counterfeit Cisco network hardware that had an estimated retail value of more than $76 million. When it released its findings in May, the FBI blamed the government's acquisition policies for making it possible for fake, and inferior, equipment to find its way into government networks and said the counterfeit routers could have caused a failure of networks or a loss of sensitive data.

The notice of the rule change, which was published this week in the Federal Register by the General Services Administration, the Defense Department and NASA, asks industry and agencies to comment on whether vendors selling hardware and software to the government should be required to represent that the goods they sell are authentic.

The notice also asks for comments on what contractor liability should be if products sold are not original. A public meeting on the rule change will be held at NASA on Dec. 11.

Currently the government does not require companies to stand behind the authenticity of the equipment they use to develop networks and applications, said Ed Chambers, a Federal Acquisition Regulation analyst with GSA's contract policy division. Adding that requirement could be a more involved process than it may appear.

"In theory they would have almost a chain of custody [for the products] with a chain of representations of authenticity," he said. GSA is waiting to gauge the public reaction to the proposed rule before deciding how to manage the problem of counterfeit IT equipment, he added.

"I'm hearing more about it, and I'm sensing this may be a pervasive problem," said Chambers, citing the case of the Cisco routers that the FBI uncovered. "That probably went a long way to advancing this case."

Some IT professionals, however, have complained that making contractors liable for the authenticity of products will add to what they say is an already large regulatory burden the government has placed on vendors.

"It would create a significant liability for providers of hardware," said Trey Hodgkins, vice president of federal government programs for the lobbying group Information Technology Association of America. "Depending on where you are in the chain of provision, you have to support or take on that liability. Systems integrators are going to have to ensure the products delivered are authentic."

The contracting community is likely to be split on the issue, with original equipment manufacturers predisposed to some sort of safeguards, while resellers, which might have a harder time assessing that the equipment they buy is original, are likely to oppose the additional liability.

"The OEM has an interest in making sure the stuff that's sold is their stuff," said Larry Allen, president of the Coalition for Government Procurement. "Their reputation takes a hit when fake goods are sold and the user is unhappy."

Allen said most large resellers make good-faith efforts to get their equipment from legitimate sources and adhere to myriad trade agreements and regulations that affect government contractors.

"There are a lot of things on your mind as a reseller, a lot of hoops to jump through," he said. "The distribution system is so diverse and decentralized that it makes it [easy] for fakes to end up in the system."

Chambers anticipates a lively dialogue on the topic. "I've gotten a couple calls already and I'm sensing [the meeting] is going to be well-attended," he said. "I think this will be a hot, controversial topic."

One of the main questions to answer, he said, will be whether manufacturers' concerns about counterfeit goods outweigh the additional burden of validating authenticity. He predicted that companies such as Cisco, which has been the target of counterfeits, will be open to regulation.

"If they've been burned, maybe they will be a little more eager to take on the additional burden, rather than someone who has not been affected substantially to date by counterfeiting," Chambers said.

He said the purpose of the December meeting will be to generate ideas, which his organization will collect and publish to determine the best approach.