889 Compliance Just Got Real: What Small GovCons Need to Do Now

The days of checking a box and hoping for the best on Section 889 compliance are officially over. A recent wave of enforcement guidance, updated FAR clauses, and real-world exclusions makes it crystal clear: if you’re bidding on federal work, you had better be able to prove your supply chain is clean, or risk losing the contract entirely.

If you’re a small or mid-sized government contractor (especially in IT, professional services, or anything telecom-adjacent), this isn't just a “compliance” issue; it's a survival issue. Here's what changed, why it matters, and how to get your house in order fast.

What’s New With Section 889 (and Why It Matters Right Now)

Section 889 of the 2019 NDAA has two main parts:

  • Part A (in effect since 08/13/2019) bars agencies from buying or renewing contracts for any product or service that uses covered telecom from companies like Huawei, ZTE, Hytera, Hikvision, or Dahua.

  • Part B (in effect since 08/13/2020) goes further, banning agencies from contracting with any company that uses such tech anywhere in its operations, not just in connection with the federal work.

You’ve probably certified compliance with FAR clauses 52.204-24, 52.204-25, and 52.204-26. But here’s the kicker: enforcement is ramping up. GSA and DOD are pushing annual "reasonable inquiry" reviews. The new FASCSA exclusion list means vendors can be banned in real time. And GAO has been clear: your self-representation had better be truthful, or your award could be tossed.

So What? Why Should You Care?

Because small businesses are often the ones caught off guard.

  • If your network firewall or video conferencing tools use banned components, you're out of compliance.

  • If your subcontractor’s vendor two tiers down uses Huawei routers, you're on the hook.

  • If you misrepresent compliance on your SAM.gov registration or proposal reps, you risk bid protests, or worse, False Claims Act penalties.

This hits GovCons across all industries: construction firms using IP cameras, IT shops using outdated SD-WAN gear, consultants using overseas video platforms. And with cyber and supply chain security under scrutiny from every direction (CMMC 2.0 rollout starts 11/10/2025), you're expected to clean house.

Action Items: The 889 Survival Checklist for SMBs

You don’t need a compliance department to fix this, just a clear plan and a few hours a month. Start here:

1. Run a network scan.
Use existing tools or free open-source scanners to check for banned telecom equipment in your IT setup. Document your findings and replace anything questionable.

2. Get vendor attestations.
Update your subcontractor and supplier intake forms to include a 52.204-26-style checkbox: “We do/do not use covered telecommunications equipment.” Keep signed copies in your files.

3. Check SAM exclusions regularly.
Run your key vendors through SAM.gov’s Excluded Parties List and FASCSA Orders. If a name pops up, it’s time for a replacement, not a waiver excuse.

4. Build an annual review into your calendar.
Tie your Section 889 checkup to your SAM renewal or internal IT/security audit. Make sure no new equipment has slipped in through unmanaged procurement.

5. Confirm every UEI and CAGE code.
Make sure your subs and suppliers are registered and active in SAM.gov. If they still give you a DUNS number, it’s a red flag.

6. Check state registration status.
A quick SOS lookup can save you from working with a dissolved or non-compliant business. Most states offer free business entity searches.

7. Document everything.
Keep a digital trail: scans, attestations, vendor checks, even internal emails showing your review. If you’re ever audited or protested, this is your defense.
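For step 1, an added example (not from the original post) that reads the text output of an `nmap -sn` ping scan and sorts each host by the vendor name nmap derives from its MAC address, using the five vendor names listed above. The scan text is constructed sample data with documentation-range addresses; it assumes the scan was run with privileges on the local segment, which is when nmap prints `MAC Address` lines.

```python
import re

# Vendor names the page lists for Section 889; whole-word, case-insensitive match.
COVERED_RE = re.compile(r"\b(huawei|zte|hytera|hikvision|dahua)\b", re.I)

# Constructed sample in the layout of `nmap -sn` output (not a real scan).
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.1
Host is up (0.0012s latency).
MAC Address: 00:00:5E:00:53:01 (Cisco Systems)
Nmap scan report for lobby-cam.example (192.0.2.20)
Host is up (0.0030s latency).
MAC Address: 00:00:5E:00:53:02 (Hangzhou Hikvision Digital Technology)
Nmap scan report for 192.0.2.31
Host is up (0.0021s latency).
MAC Address: 00:00:5E:00:53:03 (Unknown)
Nmap scan report for 192.0.2.44
Host is up (0.0009s latency).
MAC Address: 00:00:5E:00:53:04 (zte)
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?([0-9a-fA-F.:]+)\)?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")

def review_scan(text):
    """Return one record per host that has a MAC line.

    status is 'flagged' (covered vendor name), 'unknown' (nmap could not
    name the vendor, so the device needs a manual check) or 'clear'.
    """
    records, host = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            host = {"name": m.group(1), "ip": m.group(2)}
            continue
        m = MAC_RE.match(line)
        if m and host:
            vendor = m.group(2)
            if COVERED_RE.search(vendor):
                status = "flagged"
            else:
                status = "unknown" if vendor.lower() == "unknown" else "clear"
            records.append({**host, "mac": m.group(1), "vendor": vendor, "status": status})
            host = None
    return records

if __name__ == "__main__":
    for r in review_scan(SAMPLE_SCAN):
        print(f'{r["status"]:8} {r["ip"]:12} {r["mac"]} {r["vendor"]}')
```

A MAC vendor name identifies only the maker of the network interface, so rebranded or OEM equipment can show up as "clear"; treat the output as a starting list for the documented review, not as proof of compliance.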

What About CMMC-Lite? Do I Need to Worry?

Yes. Even though full CMMC enforcement doesn’t begin until November 2025, the DoD expects all contractors to start self-assessing against Level 1 or Level 2 requirements now. That includes:

  • MFA for all users

  • Unique logins and access logs

  • Encrypted backups of CUI

  • A System Security Plan (SSP) and POA&M

  • Written self-attestation of NIST 800-171 compliance

And just like with Section 889, failure to maintain “current” compliance could be seen as a False Claims Act violation.

The ROI on Compliance Is Real

Doing these checks won’t just keep you out of trouble; they can actually help you win.

  • Agencies are more risk-averse than ever; a clean 889 and CMMC record can be a proposal differentiator.

  • You’ll be ahead of the curve when audits ramp back up.

  • You’ll avoid costly surprises mid-performance, like being forced to drop a subcontractor or replace equipment under a modification.

Think of this like preventive maintenance. A few low-cost fixes now can save you from a total breakdown later.

If you're serious about staying competitive in the federal market, don’t treat 889 and CMMC as background noise. They're becoming the price of entry.

Need help building a quick 889 compliance checklist or vendor intake form? That’s exactly the kind of thing we cover in our latest post: SLED Is Your Shutdown Backup: Why SMB GovCons Should Be Eyeing Local Education Contracts Now.
