
889 compliance

  • mmup0wn
    Member
    • Jun 2023
    • 6

    889 compliance

    I'm with the non-classified part of the Federal Government trying to come to the conference. Will DEFCON be able to provide something that can show 889 compliance? Federal employees are unable to attend any conference that cannot show compliance with section 889. Most of us know this to cover hardware and services from these firms, but apparently it includes conferences. This rule affects all attendees from all agencies of the Federal Government.

    Unfortunately I'm not a contracting specialist, so I'm not an expert in what's needed to satisfy this rule. But I'm happy to work with someone from the conference to figure this out.
  • number6
    • Apr 2019
    • 2113

    #2
    889 appears to cover federal procurement of equipment and contracts related to telecommunications equipment.

    DEF CON is not the telephone company or a network equipment maker or seller. WiFi has been offered at DEF CON but not required. Attendees are welcome to use their own phone services for data and voice. Contracts between an attendee and their service provider are beyond the scope of DEF CON.

    The Hotel/Casino provides their own WiFi and telecommunication services, which guests are not required to use.

    I do not see how this would apply to DEF CON or any conference when any telecommunications services provided are not required.

    Would you like to elaborate how it might apply to conferences when attendees are not required to use any forbidden equipment?

    Next, how are federal employees or contractors able to differentiate between equipment officially used at a location and equipment brought by an unscrupulous actor, or someone that appreciates shenanigans? People running rogue access points with the same name as official access points are always a risk, and not just at DEF CON.

    If in doubt, just do not use telecommunication services provided at a conference.

    If you believe this is still an issue, please pose your argument for how and in what scope it would apply to DEF CON when attendees have their own mobile telecommunication service available.

    Thanks for your thoughts.


    • mmup0wn
      Member
      • Jun 2023
      • 6

      #3
      Thank you for your response! I completely understand your point of view and will do my best to provide some additional background with help from my colleagues who have gone through this.

      The law restricts us from purchasing services from any entity using the prohibited equipment to provide a service to the Federal Government. Services such as conferences. Paying for registration to a conference in an official capacity means the conference organizers (in this case DEF CON) need to show our Purchasing Officer some basic compliance information. The compliance information consists of the organizer either declaring none of the prohibited equipment or services are used by the conference, or they can declare such equipment is being used by the conference. If the conference is using this equipment, my management will either restrict our use of such services during the conference or we’ll be prohibited from attending.

      We had several other conferences this year where we had to ask for the 889-compliance statement from the organizers before any of our staff could attend. This was never much of a problem during the pandemic. But we’re running into this now as our staff are returning to in-person attendance.

      Showing compliance can be as simple as an email or something posted to a sticky on the forum containing specific compliance language. Our agency has a form to help as a guide. Even an email or declaration posted to the forum with the compliance language is probably acceptable, as long as our Purchasing Officer can access the note.

      As for an unscrupulous actor in the area using this prohibited equipment, well, we're not trying to purchase anything from them.

      I hate asking this from the conference. But I hope this helps explain the challenge those of us not coming in undercover are facing this year.


      • number6
        • Apr 2019
        • 2113

        #4
        I can pass this on, but I have doubts about it: I also do not see how an in-person conference is a network/telecommunication service to have it apply to 889.

        We do not have demands on the hotels or casinos where we have content; the local ISP may or may not have this equipment used to provide local service. People running contests such as hacking 889-forbidden IoT or SCADA systems, or DSL/cable modems, or switches or routers may bring these and put them on the DEF CON network as part of contests. If this would only be about equipment that DEF CON owns in Las Vegas, and does not include any 3rd party equipment used by the hotel, casino, ISP, attendees, contests, villages, telecommunication companies, etc., it might be possible.
        Last edited by number6; June 28, 2023, 15:26.


        • mmup0wn
          Member
          • Jun 2023
          • 6

          #5
          Thank you very much for passing this on. I'll hope for the best. You are also correct: this compliance statement will be only about equipment that DEF CON owns and does not include any 3rd party equipment used.

          Have a great day!


          • Dark Tangent
            The Dark Tangent
            • Sep 2001
            • 2726

            #6
            mmup0wn Hmm, according to https://www.acquisition.gov/Section-889-Policies

            Section 889(a)(1)(B) prohibits executive agencies from entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system unless an exception applies or a waiver is granted.
            Do you have a copy of the contract you would like DEF CON to enter into? Selling admission to a conference is not a procurement contract as far as I know.
            PGP Key: https://g7ejphhubv5idbbu3hb3wawrs5adw7tkx7yjabnf65xtzztgg4hcsqqd.onion.jump.black/html/links/dtangent.html


            • mmup0wn
              Member
              • Jun 2023
              • 6

              #7
              Thanks for jumping in!

              On the page you cited, if you take a look at the ‘introduction’ link (https://www.federalregister.gov/docu...5-introduction) there is a short paragraph on there (https://www.federalregister.gov/d/2019-17200/p-9) and it says “This rule applies to all acquisitions, including acquisitions at or below the simplified acquisition threshold and to acquisitions of commercial items, including commercially available off-the-shelf items. It may have a significant economic impact on a substantial number of small entities.”

              So even though DEF CON is not going into a contract with the government, the rule applies to all acquisitions. Acquisitions such as purchasing registration to DEF CON.

              The only thing our acquisition officer needs is a statement with the specific compliance language. It's very simple. Can I upload a blank PDF, highlighted at the section they need, so you can better ascertain what they are asking for?

              Thank you again!



              • number6
                number6 commented
                I do not think the forums support PDF attachments. If the PDF does not contain any images or complex formatting, converting to text and uploading a text file should work.
                Another option would be an image of the highlighted text if short: the forums support images.
            • mmup0wn
              Member
              • Jun 2023
              • 6

              #8
              Thank you. I converted the PDF to PNG. Page 1 is the form and I provide a blank one, and another one where I highlighted the boxes that need to be filled and the information requested. Page 2 is just information. I'm not familiar with posting files to the forum, please let me know if you're unable to read these.
              Attached images: Sec 889 Offeror Representation Form - Blank_Page_1.png, Sec 889 Offeror Representation Form - Highlighted_Page_1.png, Sec 889 Offeror Representation Form - Page_2.png


              • mmup0wn
                Member
                • Jun 2023
                • 6

                #9
                I hate to bother you guys about this again this year. But I wanted to see if you guys have considered having an 889 conformance statement for this year. We will be attending RSA24 and they were able to provide us with this conformance statement. This permitted staff from our office to attend that conference. Some of our staff are still very interested in attending DEFCON and we hope you can help them out. You guys probably have your own contact with RSA, but please feel free to contact me directly if you'd like the information for the RSA staff who helped us out.

                Nice work to all who pivoted the conference. We hope to see you guys there.


                • csh98036
                  Member
                  • Mar 2020
                  • 17

                  #10
                  Not affiliated with Defcon in any way so take this for what it's worth, but I think you should double check this. There are multiple federal agencies sending people to Defcon without this rigamarole. I don't know what agency you work for but I think someone has their head inserted someplace it shouldn't be. I can speak from personal past experience.



                  • csh98036
                    csh98036 commented
                    I just went and read the GSA guidance on this. It requires that the prohibited equipment be an essential or critical part of the service; just that would seem to make Defcon out of scope. And now that I typed all this I see that this is months old and I am being a moron by responding.