Photo of Adelicia R. CliffePhoto of Alexandra Barbee-GarrettPhoto of Michael G. Gruden, CIPP/G

On November 15, 2024, the Department of Defense (DoD) issued a Proposed Rule implementing Section 1655 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (P.L. 115-232), over six years after Congress enacted the requirement. 

DoD’s issuance of the Proposed Rule, rather than an interim final rule, is notable in and of itself because progress toward implementing Section 1655 was already stalled “pending resolution of technical issues” from May 2019 until mid-2024. Now, DoD’s implementation will be pushed out further while DoD considers comments. Comments are due on January 14, 2025. 

Stemming from concerns about Chinese government access to U.S. technology, Section 1655 requires DoD contractors providing products, services, or systems relating to information technology (IT), cybersecurity, industrial controls, or weapons systems to disclose whether in the five years preceding the FY 2019 NDAA’s enactment, the contractor has allowed a foreign government or person to review its offering’s code or is obligated to provide such a review, and whether the contractor had an export license for that review. To implement these requirements, the Proposed Rule contemplates pre- and post-award disclosures of any foreign government or person’s actual review or legal right to review the code underlying the contractor’s product or service since August 2013. The disclosure obligation would attach to IT, cybersecurity, industrial controls or weapons system product or service offerings that DoD is using or will use, and any such offerings developed for DoD.

The Proposed Rule follows the recent trend of extending regulatory requirements for supply chain security beyond those imposed by statute. In particular, the Proposed Rule applies to commercial products and services, despite the statute’s clear language stating that the disclosure requirement applies only to noncommercial items developed for DoD. In addition, the Proposed Rule fails to define what it means for a foreign government or person to “review” the contractor’s code (or have the option to do so), which may require contractors to disclose instances where a foreign government had an unexercised one-time right to view a contractor’s code on a contractor device, where a foreign government would be unable to copy or modify the code.

Contractors should consider commenting on the Proposed Rule to request more definition and fidelity to the statutory requirements. In the meantime, contractors should also consider implementing measures to track disclosure of code for products or services, including the identity and nationality of the party receiving the disclosure and the reason for source code disclosure. Contractors should also make sure to have documented any export licenses or invocation of license exemptions.

Tags: Cybersecurity, government contracts
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Adelicia R. Cliffe Adelicia R. Cliffe

Adelicia Cliffe is a partner in the Washington, D.C. office, a member of the Steering Committee for the firm’s Government Contracts Group, and a member of the International Trade Group. Addie is also co-chair of the firm’s National Security practice. Addie has been…

Adelicia Cliffe is a partner in the Washington, D.C. office, a member of the Steering Committee for the firm’s Government Contracts Group, and a member of the International Trade Group. Addie is also co-chair of the firm’s National Security practice. Addie has been named as a nationally recognized practitioner in the government contracts field by Chambers USA.

Read more about Adelicia R. Cliffe
Show more Show less
Photo of Alexandra Barbee-Garrett Alexandra Barbee-Garrett

Alexandra Barbee-Garrett is a counsel in Crowell & Moring’s Washington, D.C. office, where she practices in the Government Contracts Group.

Alex helps companies navigate the complex requirements around doing business with the U.S. government, with a particular focus on government contracts and grants

Alexandra Barbee-Garrett is a counsel in Crowell & Moring’s Washington, D.C. office, where she practices in the Government Contracts Group.

Alex helps companies navigate the complex requirements around doing business with the U.S. government, with a particular focus on government contracts and grants compliance issues, government ethics, and lobbying laws. Her practice spans a broad range of counseling, investigatory, and litigation matters, including: compliance reviews and enhancing contractor compliance programs; representing clients in suspension and debarment proceedings; counseling on supply chain security and sourcing issues; voluntary and mandatory disclosures; internal investigations related to the False Claims Act, the Procurement Integrity Act, and other civil and criminal matters; and bid protest and claim litigation. Alex also helps clients understand developing legislative requirements in the supply chain and government contracting spaces.

Prior to joining Crowell & Moring, Alex was a law clerk to Judge Richard A. Hertling of the U.S. Court of Federal Claims. Before law school, Alex worked as a health care legislative assistant for Rep. Rick Larsen (WA) in the U.S. House of Representatives.

Read more about Alexandra Barbee-Garrett
Show more Show less
Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Read more about Michael G. Gruden, CIPP/G
Show more Show less
Related Posts
DHS Announces Virtual Town Halls on CIRCIA Final Rule
February 20, 2026
FedRAMP Proposes Updates to Authorization Process—Six New RFCs Released for Public Comment
January 22, 2026
An ITAR-ly Critical Reminder of Cybersecurity Requirements: DOJ Settles with Swiss Automation, Inc.
December 29, 2025