Figuring out how to comply with a new federal requirement was quite a puzzle

It’s a good thing that Danny Nguyen enjoys a very hard puzzle.

That’s exactly what Nguyen, a Project Manager with ITS Communication Technologies, was handed last September when he was brought into a campus-wide effort to comply with a new federal government requirement. The government had provided little guidance, and peer institutions were trying to figure out how to comply too so they couldn’t offer advice. What’s more, the deadline had already come and gone. Oh, and there was this global pandemic that the University was busy grappling with.

The National Defense Authorization Act (NDAA) of 2019 set a compliance deadline of August 13, 2020. The United States government was and is concerned about risks from the Chinese government: theft of intellectual property, cyber security attacks and research conflicts of interest and conflicts of commitment.

“The increasing reliance on foreign-owned or controlled equipment and services” makes U.S. supply chains vulnerable, the regulation said. To address those vulnerabilities, NDAA Section 889 prohibits the federal government from contracting with entities that use certain telecommunications and video surveillance services and equipment. Federal contractors, including UNC-Chapel Hill, were required by August 13, 2020, to certify whether they use the covered telecom equipment or services or use any equipment, system or service that in turn uses covered telecom equipment or services.

Risk areas touched such UNC-Chapel Hill units as central and unit-based IT, the Office of Sponsored Research, SOM Sponsored Programs Office, UNC Global, Accounts Payable, Procurement and Export Control. Various University units began tackling this latest federal regulatory change in response to concerns over inappropriate foreign influence.

Manages ITS warehouse

Nguyen was pulled in because he manages CommTech’s Materials Management & Logistics unit. MM&L includes the ITS warehouse, through which everything telecommunications infrastructure and equipment flows. Nguyen’s team is responsible for purchasing, inventory control, storage and handling, and managing outside labor contracts for ITS CommTech. A year earlier Nguyen and his team had cleaned up the warehouse database, meaning the team had an even clearer understanding of the inventory it had available to offer University groups.

For the federal compliance effort, Nguyen expected he’d share what ITS is buying and from which vendors. “I know my vendors,” he said. “I know who I’m talking to and buying from.”

But then other groups from ITS and across campus added to Nguyen’s task list, and the search for this federal requirement needed to cover telecommunications services, not just products. Nguyen, a project manager with a background both in business and IT, was asked to help identify all the University vendors of telecom services and their contact information. His role ballooned.

Nguyen wasn’t the project manager. The Office of Sponsored Research (with Assistant Director Brian Collier as lead, now Director of Science & Security) and the Office of University Counsel (with Judy Faubert as lead, now also Chief Compliance Officer) were coordinating the effort, and there was a campus working group. Many people were involved. (From ITS, Assistant Vice Chancellors Mark Johnson and John Mack were significant in this project.) Nguyen had the responsibility to tackle much legwork and collaborate with stakeholders to identify and collect information about who was using what from central IT.

Where to start?

But where to start? It was like “grasping at straws to try and figure out what and how do we meet this requirement,” Nguyen recalled. “What do we do, how do we even start, what is in scope and out of scope, and what are some definitions that we need to abide by? That’s kind of where we started.”

As a start, Nguyen “looked at it from all the purchases that we had made as a University in the past fiscal year and any of the items that ITS was aware of,” he said. “There was going to be a lot of duplication among all of these spreadsheets that we would be creating,” and he’d need to juggle multiple spreadsheets “to synthesize this into something that’s manageable and actionable so that we could comply in a timely manner.”

Nguyen mentally walks aisle to aisle in the ITS warehouse before he names examples of products that had to be accounted for in this effort. These aisles have anything that’s telecom related: faceplates, data jacks, patch cables, fiber jumpers, network cabling, splice case housings, racks, patch panels and so on. There are thousands of products and 10 to 15 distributors that ITS buys from on a regular basis.

Decentralized buying

While central IT makes up most of the products and services potentially covered by the federal regulation, the University also has many decentralized units. Campus units use central IT services, but they also make purchases into which ITS has no visibility, and they buy through a variety of sources, like on a P-Card or vouchers.

Nguyen and his team contacted people in individual IT groups across campus and asked them for an administrator or technical lead who was knowledgeable about purchases from the past year. That technical lead, in turn, could coordinate with internal customers. A chemistry unit, for example, might have somebody who knows if the unit buys a specific microscope that connects to the internet.

Began with 7,000 vendors

From the previous fiscal year, Nguyen assembled vendor statements for a total of 1,804,842 lines of purchases. Among those purchases, there were 6,930 unique vendors.

“Now you’ve got something to work with, right? You can say, OK, I’ve got almost 7,000 vendors that I need to figure out if they are providing products or services that would be considered covered under this telecommunications requirement,” Nguyen said. “That is now easier for me to work with because I have a starting point.”

From there, he needed to whittle down the list: which items might be covered by the regulation and which were definitely not covered, and which expenses were not related to telecommunications in any way. He could eliminate such items as library materials, hotel stays, taxi costs, some HR items, and P-Card purchases.

Collaborative effort

That reduced the spreadsheet to 173,887 lines of purchases and 6,065 unique vendors. Then Nguyen, along with other stakeholders and their teams, went through the spreadsheet and were able to further reduce by applying other parameters.

Finally, they trimmed the list from 1,861 items to 80 unique vendors. By then, Christmas was approaching.

Over the course of identifying items and vendors, Nguyen had been sending out compliance statements for top executives of these vendor companies to sign. They had been trickling in. But Christmas was only a week or so away, people were beginning to take time off, and the project team wanted to be done with the first phase of the project by January 31, 2021. Nguyen was the primary contact with vendors and fielded questions on behalf of the University, at times working well into the night to be responsive to international vendors.

This compliance effort was occupying at least half of Nguyen’s time between September to the end of the calendar year, and he had to accomplish other work outside of this project. He leaned on his own group, the MM&L team. That was one of the most satisfying aspects of the project, he said. They jumped in and came up with the contacts for the vendors. Finding appropriate contacts who were authorized representatives, he noted, was the most time-consuming part of the effort.

“Pulling in more resources was paramount to having this project succeed,” Nguyen said. “There’s no way this project would have gotten anywhere close to completion if not for their efforts.”

This project was unruly, certainly, Nguyen said. Of the high-impact, campus-wide projects he’s worked on, this one had the most stakeholders.

‘Very thorough investigation’

“There was just so much going on at once. I think that was the biggest challenge — trying to organize your thoughts and say we’re going to go above and beyond,” he said.

Nguyen always tells people to give him their hardest projects because, as we said earlier, he enjoys those tough puzzles. In this endeavor, “we put a best effort forward,” he said. “I feel like we did a good job. We did a very thorough investigation. We left no stone unturned.”

The University will need to continue to follow this compliance requirement for future purchases. Now there’s a methodology, Nguyen said.

This compilation of information also will benefit the University from a big-picture logistics management perspective, he said. Now that the University knows what everyone is buying, UNC-Chapel Hill could consolidate some of its buying.