Photo of Adelicia R. CliffePhoto of Alexandra Barbee-GarrettPhoto of Michael G. Gruden, CIPP/GPhoto of Evan D. Wolff

On November 15, 2024, the Department of Defense (DoD) issued a Proposed Rule implementing Section 1655 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (P.L. 115-232), over six years after Congress enacted the requirement. 

DoD’s issuance of the Proposed Rule, rather than an interim final rule, is notable in and of itself because progress toward implementing Section 1655 was already stalled “pending resolution of technical issues” from May 2019 until mid-2024. Now, DoD’s implementation will be pushed out further while DoD considers comments. Comments are due on January 14, 2025. 

Stemming from concerns about Chinese government access to U.S. technology, Section 1655 requires DoD contractors providing products, services, or systems relating to information technology (IT), cybersecurity, industrial controls, or weapons systems to disclose whether in the five years preceding the FY 2019 NDAA’s enactment, the contractor has allowed a foreign government or person to review its offering’s code or is obligated to provide such a review, and whether the contractor had an export license for that review. To implement these requirements, the Proposed Rule contemplates pre- and post-award disclosures of any foreign government or person’s actual review or legal right to review the code underlying the contractor’s product or service since August 2013. The disclosure obligation would attach to IT, cybersecurity, industrial controls or weapons system product or service offerings that DoD is using or will use, and any such offerings developed for DoD.

The Proposed Rule follows the recent trend of extending regulatory requirements for supply chain security beyond those imposed by statute. In particular, the Proposed Rule applies to commercial products and services, despite the statute’s clear language stating that the disclosure requirement applies only to noncommercial items developed for DoD. In addition, the Proposed Rule fails to define what it means for a foreign government or person to “review” the contractor’s code (or have the option to do so), which may require contractors to disclose instances where a foreign government had an unexercised one-time right to view a contractor’s code on a contractor device, where a foreign government would be unable to copy or modify the code.

Contractors should consider commenting on the Proposed Rule to request more definition and fidelity to the statutory requirements. In the meantime, contractors should also consider implementing measures to track disclosure of code for products or services, including the identity and nationality of the party receiving the disclosure and the reason for source code disclosure. Contractors should also make sure to have documented any export licenses or invocation of license exemptions.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Adelicia R. Cliffe Adelicia R. Cliffe

Adelicia Cliffe is a partner in the Washington, D.C. office, a member of the Steering Committee for the firm’s Government Contracts Group, and a member of the International Trade Group. Addie is also co-chair of the firm’s National Security practice. Addie has been…

Adelicia Cliffe is a partner in the Washington, D.C. office, a member of the Steering Committee for the firm’s Government Contracts Group, and a member of the International Trade Group. Addie is also co-chair of the firm’s National Security practice. Addie has been named as a nationally recognized practitioner in the government contracts field by Chambers USA.

Photo of Alexandra Barbee-Garrett Alexandra Barbee-Garrett

Alexandra Barbee-Garrett is an associate in Crowell & Moring’s Washington, D.C. office, where she practices in the Government Contracts Group.

Alex represents government contractors in both litigation and counseling matters. Her practice includes bid protests before the Government Accountability Office (GAO), the U.S.

Alexandra Barbee-Garrett is an associate in Crowell & Moring’s Washington, D.C. office, where she practices in the Government Contracts Group.

Alex represents government contractors in both litigation and counseling matters. Her practice includes bid protests before the Government Accountability Office (GAO), the U.S. Court of Federal Claims, and the U.S. Court of Appeals for the Federal Circuit. Alex’s practice also focuses on federal regulatory compliance, mandatory disclosures to the government, contract disputes under the Contract Disputes Act (CDA), prime-sub disputes, and False Claims Act and internal investigations.

Prior to joining Crowell & Moring, Alex was a law clerk to Judge Richard A. Hertling of the U.S. Court of Federal Claims and a government contracts associate at another large law firm. Alex graduated honors from The George Washington University Law School, where she was an articles editor of The Public Contract Law Journal. Alex won the 2015 Government Contracts Moot Court Competition and served as chair for the 2016 competition. Prior to law school, Alex worked as a health care legislative assistant for Rep. Rick Larsen (WA) in the U.S. House of Representatives. She received her B.A. in international studies and anthropology from the University of Washington.

Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Photo of Evan D. Wolff Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical…

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.