Supply chain security and domestic preferences
In response to supply chain disruptions and shortages, lawmakers included several provisions focused on strengthening the supply chain for critical defense products, encouraging the use of domestic products, and further restricting reliance on goods and services from U.S. adversaries, including China, Russia, Iran and North Korea. These restrictions and the corresponding compliance obligations are summarized as follows:
- Section 848 precludes the procurement of products mined, produced, or manufactured by forced labor from China’s Xinjiang Uyghur Autonomous Region (XUAR) or any entities that used forced labor from that region. Within 90 days, DoD is required to issue rules requiring offerors to certify they have made a good faith effort to determine that forced labor from XUAR was not, and will not, be used in performance of the contract.
- Section 851, in apparent recognition of a lack of alternative reliable suppliers, delays the implementation of the FY 2021 NDAA restrictions on sourcing printed circuit boards from North Korea, China, Russia, or Iran from 1 January 2023 to 1 January 2027. The provision also provides for rulemaking that exempts acquisition of commercial products, commercial services, and commercially available off-the-shelf items when certain conditions are met.
- Section 855, which takes effect 1 July 2022, requires companies bidding on DoD contracts or subcontracts that exceed $5 million to report if any work on the contract will be performed in China. In addition, parties to such contracts are required to make recurring disclosures in FY 2023 and FY 2024 about any employees who perform work in China on such contracts.
The NDAA also requires DoD to conduct several studies and assessments that relate to the defense supply chain. These include:
- Section 841 directs DoD to develop a capability to map supply chains and assess supply chain risks for major end items.
- Section 842 expands a list of high priority goods and services regarding which DoD must analyze and make recommendations as required by the FY 2021 NDAA. New products added to this list include: beef products, molybdenum, optical transmission equipment (including fiber cable), armor on tactical ground vehicles, graphite processing, and advanced AC-DC power converters.
- Section 847 requires DoD to develop and implement a plan to (1) reduce reliance on services, supplies and materials from China, Russia, Iran, and North Korea and (2) mitigate any risks to national security that stem from reliance on supplies or materials from these countries that are used to meet critical defense requirements.
- Section 1251 requires comparative assessments of the efforts of the United States Government and the Government of China to develop and deploy critical modernization technology with respect to military applications in each of the following areas: (i) Directed energy systems; (ii) Hypersonics; (iii) Emerging biotechnologies; (iv) Quantum science; (v) Cyberspace capabilities.
- Section 5502 directs DoD to develop a list of covered contractors it should seek to avoid contracting with for telecommunications, telecommunications equipment or IT equipment. The term “covered contractor” refers to a provider of telecommunications, telecommunications equipment, or information technology equipment, that has knowingly assisted or facilitated a cyber-attack or conducted surveillance, against the U.S. on behalf of (1) a government identified as a cyber threat actor or (2) individuals for the purposes of suppressing dissent or intimidating critics on behalf of a foreign country.
Regarding domestic preferences, Section 808 requires DoD to brief congressional committees about the extent to which information about waivers to domestic preference laws is publicly available. This briefing is required within 180 days. Additionally, Section 809 requires DoD to issue an annual report documenting reports it receives about violations of certain domestic preference laws. Covered laws include the Buy American Act, the Berry Amendment, and the Specialty Metals Statute.
Innovative technology procurement and more flexibility for research contracts
A number of provisions in the FY 2022 NDAA aim to improve DoD’s ability to procure innovative technologies and invest in research.
- Section 213 authorizes DoD to expand the efforts of the Defense Innovation Unit (DIU) to engage and collaborate with industry and communities to accelerate technology adoption. The DIU is the only DoD organization focused exclusively on fielding and scaling commercial technology across the U.S. military at commercial speeds. DIU currently is focused on six technology areas where the commercial sector is operating at the leading edge: advanced energy & materials, artificial intelligence, autonomy, cyber, human systems, and space.
- Section 227 requires DoD to modify the Joint Common Foundation program managed by the Joint Artificial Intelligence Center to ensure that DoD “can more easily contract with leading commercial artificial intelligence [(AI)] companies to support the rapid and efficient development and deployment of applications and capabilities.” The section directs DoD to take actions to increase the number of commercial artificial intelligence companies eligible to provide support to DoD and to the maximum extent practicable, use Federal Acquisition Regulation (FAR) Part 12 commercial item procedures.
- Section 232 authorizes a pilot program to establish data repositories accessible to public and private sector organizations to facilitate the development of improved AI capabilities for DoD.
- Section 807 instructs DoD to evaluate “impediments and incentives” to implementing a preference for commercial procurements. The evaluation’s primary goal is to support the rapid adoption of commercial advances in technology, and the assessment should include a review of policies, regulations, and oversight processes; acquisition workforce training; role of requirements in adaptive acquisition framework; role of the budgeting process; systemic biases in favor of custom solutions; allocation of technical data rights; strategies to control costs; organizational incentives and disincentives; risks to contracting officers and procurement officials pursuing commercial solutions; and potential reforms.
- Section 803 builds upon previous NDAAs and grants authority to DoD to acquire innovative commercial products and commercial services using general solicitation competitive procedures for new technology, processes, or methods, including research and development.
- Section 831 revises 10 U.S.C. § 2357, which generally requires contractors to bear half the cost of design and development contracts that seek to incorporate technology protection features into certain DoD “designated systems.” This section allows the Secretary of Defense to deem the contractor’s portion of these costs allowable independent research and development costs under specified circumstances and requires that DoD revise regulations accordingly within 120 days of enactment of the NDAA.
- Section 833 requires the establishment of a pilot program to develop and implement unique acquisition mechanisms designed to speed the adoption of new technologies. The DoD Under Secretary of Defense for Acquisition and Sustainment is tasked with establishing this program and is also required to establish mechanisms to waive DoD regulations or policies for projects awarded under the Pilot Program as needed, unless prohibited by federal statute or common law.
- Section 834 establishes a separate competitive, merit-based program for innovative technologies that will give priority to small businesses and non-traditional defense contractors.
The Government’s use of “Other Transaction” authority has increased significantly in recent years and has had the effect of attracting nontraditional defense contractors to the DoD market. In this regard, Title VIII Subtitle C of the FY2022 NDAA, entitled “Provisions Relating to Other Transaction Authority,” includes several sections that enhance DoD’s ability to enter into agreements for research or prototype development projects:
- Section 821 revises 10 U.S.C. § 2371, which authorizes the Secretary of Defense and the Secretary of each military department to enter into transactions other than contracts, cooperative agreements, and grants (that is, OT agreements) to carry out basic, applied, and advanced research projects. This section eliminates a requirement that DoD implement regulations before exercising OT authority. Instead, DoD is instructed to issue guidance.
- Section 822 changes DoD’s authority to award cash prizes and other types of prizes that the Secretary determines are appropriate to recognize outstanding achievements in basic, advanced, and applied research, technology development, and prototype development. Specifically, section 822 revises this authority, found in 10 U.S.C. § 2374a, to authorize the award of “procurement contracts and other agreements” as an “other type of prize.” This new authority permits prizes, including procurement contracts and other agreements in excess of $10,000,000 with the approval of the Under Secretary of Defense for Research and Engineering.
- Section 824 directs DoD to assess its current use of OT authorities and possible modification or expansion of those authorities given their increased use over the past few years. Areas for consideration by DoD include, among others, the use of force majeure provisions, determinations of traditional or nontraditional status of an entity, and the ability to award agreements for prototypes with all costs of the project provided by private sector partners to allow for expedited transition into follow-on production agreements.
- Section 825 requires DoD to create procedures to identify, collect, and publish information about individual projects awarded using certain OT agreements and individual task orders through the use of an online, public, and searchable database.
Cybersecurity
Although the FY2022 NDAA omitted some of the more notable cybersecurity provisions introduced by the House and Senate, including cyber incident reporting requirements, Congress nonetheless signaled its ongoing concerns about cybersecurity by requiring several assessments, reports, and plans on the topic.
- Section 866 requires a separate report about the impact of DoD’s Cybersecurity Maturity Model Certification (CMMC) program on small businesses and how DoD will mitigate the negative impacts on small businesses. CMMC is a unified cybersecurity standard and certification program for all DoD contractors.
- Section 1508 requires U.S. Cyber Command to establish, by 1 January 2023, a voluntary process to engage with private sector information technology and cybersecurity companies to explore and develop coordinated efforts against foreign malicious cyber actors.
- Section 1510 directs DoD to conduct a comprehensive assessment of its capability to diminish and defend against the threat of ransomware attacks and develop recommendations to deter and counter such attacks, such as identifying legislative or administrative action to more effectively counter the threat of ransomware attacks. DoD must brief Congress on its assessment and recommendations by the end of July 2022.
- Section 1513 requires DoD to report on how it can provide assistance to the Cybersecurity and Infrastructure Security Agency (CISA) to raise awareness of threats to critical infrastructure.
- Section 1521 gives DoD until the end of 2022 to designate an executive agent for the enterprise-wide procurement of “cyber data products and services” who must also establish a program management office for such procurement. Thereafter, no later than July 2023, DoD components will be prohibited from independently procuring a cyber data product or service that has been procured by the program management office, unless a component is able to procure the product or service at a lower price or the executive agent approves such independent purchase.
- Section 1528 instructs DoD’s Chief Information Officer and the commander of U.S. Cyber Command, not later than 270 days, to jointly develop a strategy on implementing zero trust architecture across DoD’s information network, including classified networks, operational technology, and weapons systems. Each military service must include an assessment of the adequacy of funding to implement the zero trust strategy within their annual budget certification.
- Section 1526 directs DoD, as part of its framework to enhance cybersecurity for the United States defense industrial base, to address in more detail the DoD CUI Program. Specifically, DoD must assess the extent to which it is identifying CUI and marking such information in a clear and consistent manner; regulatory or policy changes to ensure consistency and clarity in CUI identification and marking requirements; circumstances under which commercial information is considered CUI, and any impacts to the commercial supply chain associated with security and marking requirements; benefits and drawbacks of requiring all CUI to be marked with a unique CUI legend, versus requiring that all data marked with an appropriate restricted legend be handled as CUI; the extent to which it clearly delineates Federal Contract Information (FCI) from CUI; and examples or scenarios to illustrate information that is and is not CUI.
- Section 1533 requires DoD to report on the CMMC within 90 days, to include the required budget, responsibilities of prime contractors for managing subcontractor cybersecurity, plans for assisting small businesses, and the rulemaking strategy.
- Section 6423 addresses Sensitive Security Information (SSI), a category of CUI common to the transportation sector. Under this section, the Transportation Security Administration (TSA) has until March 2022 to ensure clear and consistent designation of SSI; develop a schedule to update SSI identification guidelines; track SSI redaction and designation challenges and document related changes; and ensure TSA personnel are adequately trained on designation policies. TSA must also engage in stakeholder outreach to raise awareness of TSA’s policies and guidelines governing the designation and use of SSI.
- The NDAA includes several sections that impact CISA, including:
  - Section 1543 requires CISA to submit a report on how the agency carries out vulnerability disclosures and disseminates actionable protocols to mitigate cybersecurity vulnerabilities related to information systems and industrial control systems.
  - Section 1546 amends the Homeland Security Act of 2002 (6 U.S.C. § 660) to require CISA to update the National Cyber Incident Response Plan no later than every two years and requires CISA to engage with industry on the government’s roles and responsibilities for cyber incident response.
  - Section 1547 establishes a National Cyber Exercise Program for CISA to evaluate the National Cyber Incident Response Plan, which must factor in current risk assessments and simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident.
  - Section 1550 outlines a pilot program whereby CISA will assess public-private partnerships with “internet ecosystem companies” on disrupting malicious cyber activity. The section defines “internet ecosystem company” as a U.S. business providing cybersecurity, internet, content delivery, cloud, and telecommunications services, among others.
Unusually Hazardous Risks
Congress included Section 1684 to address concerns that DoD was pushing responsibility for hazardous activities onto contractors. Section 1684 requires the Secretary of Defense to report to Congress each indemnification request made by a current or prospective DoD prime contractor for unusually hazardous risk within 90 days of receipt. These reports must be made from the date of enactment through September 30, 2023. The Section also requires DoD, within 90 days, to conduct a review of the implementation of 10 U.S.C. § 2354 and Executive Order 10789, as amended, pursuant to Public Law 85-804 (50 U.S.C. §§ 1431 et seq.) with regard to indemnifying a contractor for the performance of a contract that includes unusually hazardous risk. For purposes of this Section, “unusually hazardous risk” is defined as the burning, explosion, detonation, flight or surface impact, or toxic or hazardous material release associated with one or more of the following products or programs:
- Products or programs relating to any hypersonic weapon system, including boost glide vehicles and airbreathing propulsion systems.
- Products or programs relating to rocket propulsion systems, including, at a minimum, with respect to rockets, missiles, launch vehicles, rocket engines or motors or hypersonic weapons systems using either a solid or liquid high energy propellant inclusive of any warhead, if any, in excess of 1000 pounds of the chemical equivalent of TNT.
- Products or programs relating to the introduction, fielding or incorporating of any item containing high energy propellants, inclusive of any warhead, if any, in excess of 1000 pounds of the chemical equivalent of TNT into any ship, vessel, submarine, aircraft, or spacecraft.
- Products or programs relating to a classified program where insurance is not available due to the prohibition of disclosure of classified information to commercial insurance providers, and without such disclosure access to insurance is not possible.
- Any other product or program for which the contract under which the product or program is carried out includes a risk that the contract defines as unusually hazardous.
Small businesses and accelerated payments addressed
Section 814 amends 10 U.S.C. § 2307(a)(2)(B), which addresses the eligibility of prime contractors that subcontract with small businesses to receive accelerated payments. This section requires that the prime contractors “agree” to make payments to the small business in accordance with the accelerated payment date in order to be eligible for the accelerated payment. It is no longer sufficient that the prime contractor merely “propose” to make such payment.
Looking ahead
The NDAA provides a broad array of compliance requirements and other provisions that will create challenges and opportunities for DoD contractors. The statute strengthens domestic preference requirements while adding another layer of compliance obligations that relate to supply chain and DoD national security concerns. Contractors that offer new and innovative technologies may benefit from the statute’s provisions intended to promote and streamline the acquisition of such items. For those contractors that perform unusually hazardous activities, the statute provides a layer of oversight of government decisions that deny indemnification requests even where the activity is well within the scope of statutory or regulatory authority. And, as usual, the NDAA includes numerous requirements for reports and studies that will yield changes to the procurement system that will become apparent only in the years to come. Contractors that monitor the implementation of the NDAA’s provisions may find new opportunities to expand their DoD relationships while navigating the ever-complex array of cyber, domestic preference, and supply chain requirements.
Authored by Mike Mason, Mike Bell, Stacy Hadeka, Ari Fridman, and Rebecca Umhofer.