As the Senate approaches the end of its debate on the National Defense Authorization Act for Fiscal Year 2019, provisions of the bill regarding access to and review of information technology code deserve close attention.  These sections, if enacted, would significantly impact Department of Defense contractors and also would affect matters associated with investments subject to review by U.S. national security agencies.

As drafted, the provisions could expose current and prospective contractors to intrusive scrutiny and significant risks.  They lack clarity on key definitions, leaving the precise scope of those risks unclear.  We summarize major issues and concerns below.  We expect these provisions to receive scrutiny during the House-Senate conference on the NDAA over the summer. 

Synopsis of the Proposed Legislation

Three sections of the Senate’s version of the NDAA, which passed the Senate Armed Services Committee in May, would establish new rules designed to mitigate “risks posed by providers of information technology with obligations to foreign governments.”  Those risks involve the access that foreign governments may have to code in products or services that are offered to the Department of Defense.  The provisions also impose new disclosure requirements on the efforts of a prospective vendor to obtain a license under the Export Administration Regulations (“EAR”) or the International Traffic in Arms Regulations (“ITAR”).

The pending legislation would require proactive disclosure of those matters, and would impose an ongoing duty to supplement those disclosures during the period of performance on the contract.  The Secretary of Defense would be authorized to assess and mitigate any resulting national security risks through contractual provisions or other performance requirements.

The bill directs the Secretary to create a “prioritized list of countries of concern regarding cybersecurity,” using factors designed to assess those countries’ capabilities, intentions, and past practice with respect to U.S. and “coalition forces.”  It would also require the Secretary to develop a “third-party testing standard” for commercially available off-the-shelf (“COTS”) items “to use when dealing with foreign governments.”  Finally, the bill would require the Secretary to consolidate the disclosures in a master registry and make the information available to “any agency conducting a procurement pursuant to the Federal Acquisition Regulations or the Defense Federal Acquisition Regulations.”

Definition Issues and Coverage Concerns

The scope of the legislation is broad, and coverage is not clearly defined.  The disclosure requirements apply to any “product, service, or system relating to information or operational technology, cybersecurity, an industrial control system, a weapons system, or computer antivirus” offered to the Department.

One subset of disclosure obligations applies to “custom-developed” products, systems, or services.  Any person offering such products, services, or systems must disclose “[w]hether the person has allowed a foreign government to review or access the code of a product, system, or service custom-developed for the Department, or is under any obligation to allow a foreign person or government to review or access the code of a product, system, or service custom-developed for the Department as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.”

The key terms in that provision all raise questions.  The bill does not define “custom-developed,” which is not a recognized term of art in procurement law.  A broad interpretation could, for instance, sweep in a commercial item where the manufacturer made only a minor modification for the Department.  Presumably, if a product was custom-developed for the Department, any necessary restrictions on sharing the source code would have been imposed contractually on the manufacturer.  If such a limitation was not imposed at the time of the contract, it is not clear that the government should impose new restrictions post-agreement.

The concept of “review or access” is also open to interpretation.  For example, if a company keeps full custody of the code but allows a customer, including a foreign government, to have an authorized representative inspect the code under the company’s control, it is not clear that such an arrangement would constitute a materially risky “review,” let alone “access.”  That structure would not involve a company relinquishing control of the code, and it might not be sufficient to allow the customer/government to identify vulnerabilities.  Furthermore, a “review” that entails only an analysis of results of testing conducted by the company or an agreed-upon third party would be even farther removed from the risk, but could still be considered a “review” by a foreign government under the text of the bill.  It is unclear if the only code at issue is the code associated with a government-specific modification, or also the underlying commercial item product (i.e., background vs. foreground intellectual property).

The term “foreign person” also invites questions about scope.  It could include employees of companies that create the product, if those employees are citizens of another country.  It could also include resident aliens, or dual citizens.  The structure of the bill implies that the term “foreign” would be interpreted broadly; unlike other sections of the bill that focus on the prioritized list of “countries of concern,” this section has no such limitation.

With respect to the “countries of concern,” a broader disclosure obligation applies to any goods or services, not just those “custom-developed” for the Department.  Under the terms of that section of the bill, offerors must disclose whether they have allowed a listed government to access source code.  While the language addressing “access or review” of source code is limited to high-risk foreign governments identified by the prioritized list, a broader prohibition applies as to products where the seller is “under any obligation” to allow any foreign person or government to review or access the product or service as a condition to entering an agreement with a foreign government or person on behalf of such a government.  “Obligation” is not defined and could be interpreted more broadly than just contractual obligations.  Whether contractual or not, in some instances, software products need to be modified to interface with a customer’s information systems.  It is unclear whether access just to the modifications to the code that may be necessary to accomplish this interface with a foreign commercial customer’s systems would trigger a disclosure requirement.

Consequently, those disclosure obligations apply to any product, service, or system, and to a broad universe of “foreign” interests.

Opacity of Procedures to Mitigate Risks

Definitional issues also arise in the context of the mitigation provisions.  For instance, the language allows the Secretary to determine whether the disclosure reveals “a risk to the national security infrastructure or data of the United States, or any national security system under the control of the Department” and then “take such measures as the Secretary considers appropriate to mitigate such risks.”  Neither legislative text nor industry-wide common understanding explain what comprises “national security infrastructure” or “data of the United States.”  The latter term could mean proprietary data of the U.S. government, or any data residing in the United States.

The legislation leaves practical implementation questions unaddressed.  There is no timeframe or clear trigger for initial disclosure, nor discussion of procedures for mitigation.  If the disclosure is made after contract award, the legislation could arguably give the government grounds for termination.

Other key operational questions include the following:

  • If mitigation is to be imposed pre-award in a competitive procurement, can the Secretary allow one offeror to add such mitigation to its proposal without opening discussions with all offerors?
  • Would that mitigation be reported in the “registry” along with the other disclosure elements?
  • Could mitigation include outright exclusion? If so, what is the process for aggrieved offerors to contest that exclusion, if not the normal bid protest channels?
  • Once a product is identified as a risk, is it excluded from future Department of Defense procurements, or is this determination made on a procurement-by-procurement basis? What procedural safeguards would be established to address this limit on competition?

The pending legislation also fails to identify which agency within the Department would develop and enforce these conditions.  It could be left to the discretion of each service or component, or a central agency could manage the process on behalf of the entire Department.  In that case, likely candidates would be the Defense Security Service, the Chief Information Officer, or the National Security Agency.

Export Control and Third-Party Testing Questions

The lack of precision raises other questions in the provisions on export controls and the standards to be used with third-party testing.  The bill appears to provide the Department with nearly unfettered discretion to prohibit exports of certain technology, products, or services beyond any controls imposed by the ITAR.  Even the issue of what is covered is left to the discretion of the Department.  The consequences of the resulting EAR/ITAR-related disclosures are also unclear.  Offerors are required to disclose whether they hold or have applied for any licenses, and that data will presumably be considered by the Secretary.  However, there is no indication as to how the Department will utilize that information to determine whether it will use the product, service, or system.

The third-party testing standard also raises a number of operational questions, and the accompanying Committee Report language offers few indicators of congressional intent.  If the purpose is to direct the Department to develop the standard that COTS companies can use to deal with foreign governments, it is an open question whether the U.S. government would then apply that standard to its own testing.  The provisions also offer no resolution if a disconnect arises between U.S. government requirements and the standard developed by the Department pursuant to this third-party testing provision.

Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer for 2016 and 2019. Clients laud him for providing “excellent advice,” “know[ing] everything there is to know about CFIUS” and being “extremely well regarded” by key regulators. (Chambers USA)

In the foreign investment and national security area, Mr. Fagan is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense firms, private equity firms, and sovereign investors, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

Mr. Fagan’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues – including through proactive mitigation and carve-outs – is a critical path for the transaction. Mr. Fagan is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, Mr. Fagan is regularly engaged by multi-national companies, including the world’s leading technology companies, to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China. Mr. Fagan also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In the privacy and data security area, Mr. Fagan has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. Mr. Fagan has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.

In addition, he routinely counsels clients on preparing for and responding to cyber-based attacks on their networks and information, enhancing their supply chain and product development practices, assessing their security controls and practices for the protection of data, developing and implementing information security programs, and complying with federal and state regulatory requirements. He also frequently advises clients on transactional matters involving the transfer of personal data.

Frederic Levy

Frederic Levy is one of the nation’s leading suspension and debarment lawyers, focusing his practice on the resolution of complex compliance and ethics issues. He has successfully represented numerous high-profile corporations and individuals under investigation by the government in civil and criminal matters, including False Claims Act cases, and in suspension and debarment proceedings to ensure their continued eligibility to participate in federal programs. He has also conducted numerous internal investigations on behalf of corporate clients, particularly in the areas of program fraud and export controls, and often involving sensitive personnel or fiduciary matters. He has also advised corporations in voluntary or mandatory disclosures to a variety of federal agencies. Mr. Levy regularly counsels clients on government contract performance issues, claims and terminations, and he litigates such matters before the boards of contract appeals and in the Federal Circuit.

Heather Finstuen

Heather Finstuen is a partner in the firm’s CFIUS practice and a co-chair of the Foreign Direct Investment initiative. She represents international and domestic companies in numerous industries in securing the approval of CFIUS and provides counseling on negotiating, implementing, and complying with CFIUS national security agreements. She frequently advises clients on national industrial security regulations and engages with the Defense Counterintelligence and Security Agency (“DCSA”), the Department of Energy, and other cognizant security agencies on topics including the determination and mitigation of foreign ownership, control, or influence (“FOCI”).

Heather has been involved in many complex CFIUS and FOCI matters, including Nexen Inc. in its $15 billion sale to China National Offshore Oil Corporation, GLOBALFOUNDRIES’ $1 billion acquisition of the IBM Microelectronics Division, Micro Focus on transactions including its $8.8 billion acquisition of HPE’s software business and $2.5 billion sale of its SUSE business, CenturyLink’s $2.2 billion sale of its Savvis data center business, Publicis Groupe’s $3.7 billion acquisition of Sapient, numerous matters for BAE Systems, and multiple transactions for The Carlyle Group.