Synopsis of the Proposed Legislation
Three sections of the Senate’s version of the NDAA, which passed the Senate Armed Services Committee in May, would establish new rules designed to mitigate “risks posed by providers of information technology with obligations to foreign governments.”  Those risks involve the access that foreign governments may have to code in products or services that are offered to the Department of Defense.  The provisions also impose new disclosure requirements on the efforts of a prospective vendor to obtain a license under the Export Administration Regulations (“EAR”) or the International Traffic in Arms Regulation (“ITAR”).

The pending legislation would require proactive disclosure of those matters, and would impose an ongoing duty to supplement those disclosures during the period of performance on the contract.  The Secretary of Defense would be authorized to assess and mitigate any resulting national security risks through contractual provisions or other performance requirements.

The bill directs the Secretary to create a “prioritized list of countries of concern regarding cybersecurity,” using factors designed to assess those countries’ capabilities, intentions, and past practice with respect to U.S. and “coalition forces.”  It would also require the Secretary to develop a “third-party testing standard” for commercially available off-the-shelf (“COTS”) items “to use when dealing with foreign governments.”  Finally, the bill would require the Secretary to consolidate the disclosures in a master registry and make the information available to “any agency conducting a procurement pursuant to the Federal Acquisition Regulations or the Defense Federal Acquisition Regulations.”

Definition Issues and Coverage Concerns 

The scope of the legislation is broad, and coverage is not clearly defined.  The disclosure requirements apply to any “product, service, or system relating to information or operational technology, cybersecurity, an industrial control system, a weapons system, or computer antivirus” offered to the Department.

One subset of disclosure obligations applies to “custom-developed” products, systems, or services.  Any person offering such products, services, or systems must disclose “[w]hether the person has allowed a foreign government to review or access the code of a product, system, or service custom-developed for the Department, or is under any obligation to allow a foreign person or government to review or access the code of a product, system, or service custom-developed for the Department as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.”

The key terms in that provision (“custom-developed,” “review or access,” and “foreign person”) all raise questions.  The bill does not define “custom-developed,” which is not a recognized term of art in procurement law.  A broad interpretation could, for instance, sweep in a commercial item where the manufacturer made only a minor modification for the Department.  Presumably, if a product was custom-developed for the Department, any necessary restrictions on sharing the source code would have been imposed contractually on the manufacturer.  If such a limitation was not imposed at the time of the contract, it is not clear that the government should impose new restrictions post-agreement.

The concept of “review or access” is also open to interpretation.  For example, if a company keeps full custody of the code but allows a customer, including a foreign government, to have an authorized representative inspect the code under the company’s control, it is not clear that such an arrangement would constitute a materially risky “review,” let alone “access.”  That structure would not involve a company relinquishing control of the code, and it might not be sufficient to allow the customer/government to identify vulnerabilities.  Furthermore, a “review” that entails only an analysis of results of testing conducted by the company or an agreed-upon third party would be even farther removed from the risk, but could still be considered a “review” by a foreign government under the text of the bill.  It is unclear if the only code at issue is the code associated with a government-specific modification, or also the underlying commercial item product (i.e., background vs. foreground intellectual property).

The term “foreign person” also invites questions about scope.  It could include employees of companies that create the product, if those employees are citizens of another country.  It could also include resident aliens, or dual citizens.  The structure of the bill implies that the term “foreign” would be interpreted broadly; unlike other sections of the bill that focus on the prioritized list of “countries of concern,” this section has no such limitation.

With respect to the “countries of concern,” a broader disclosure obligation applies to any goods or services, not just those “custom-developed” for the Department.  Under the terms of that section of the bill, offerors must disclose whether they have allowed a listed government to access source code.  While the language addressing “access or review” of source code is limited to high-risk foreign governments identified by the prioritized list, a broader prohibition applies as to products where the seller is “under any obligation” to allow any foreign person or government to review or access the product or service as a condition to entering an agreement with a foreign government or person on behalf of such a government.  “Obligation” is not defined and could be interpreted more broadly than just contractual obligations.  Whether contractual or not, in some instances, software products need to be modified to interface with a customer’s information systems.  It is unclear whether access just to the modifications to the code that may be necessary to accomplish this interface with a foreign commercial customer’s systems would trigger a disclosure requirement.

Consequently, those disclosure obligations apply to any product, service, or system, and to a broad universe of “foreign” interests.

Opacity of Procedures to Mitigate Risks

Definitional issues also arise in the context of the mitigation provisions.  For instance, the language allows the Secretary to determine whether the disclosure reveals “a risk to the national security infrastructure or data of the United States, or any national security system under the control of the Department” and then “take such measures as the Secretary considers appropriate to mitigate such risks.”  Neither the legislative text nor industry-wide common understanding explains what comprises “national security infrastructure” or “data of the United States.”  The latter term could mean proprietary data of the U.S. government, or any data residing in the United States.

The legislation leaves practical implementation questions unaddressed.  There is no timeframe or clear trigger for initial disclosure, nor discussion of procedures for mitigation.  If the disclosure is made after contract award, the legislation could arguably give the government grounds for termination.

Other key operational questions include the following:

  • If mitigation is to be imposed pre-award in a competitive procurement, can the Secretary allow one offeror to add such mitigation to its proposal without opening discussions with all offerors?
  • Would that mitigation be reported in the “registry” along with the other disclosure elements?
  • Could mitigation include outright exclusion? If so, what is the process for aggrieved offerors to contest that exclusion, if not the normal bid protest channels?
  • Once a product is identified as a risk, is it excluded from future Department of Defense procurements, or is this determination made on a procurement-by-procurement basis? What procedural safeguards would be established to address this limit on competition?

The pending legislation also fails to identify which agency within the Department would develop and enforce these conditions.  It could be left to the discretion of each service or component, or a central agency could manage the process on behalf of the entire Department.  In that case, likely candidates would be the Defense Security Service, the Chief Information Officer, or the National Security Agency.

Export Control and Third-Party Testing Questions

The lack of precision raises other questions in the provisions on export controls and the standards to be used with third-party testing.  The bill appears to provide the Department with nearly unfettered discretion to prohibit exports of certain technology, products, or services beyond any controls imposed by the ITAR.  Even the issue of what is covered is left to the discretion of the Department.  The consequences of the resulting EAR/ITAR-related disclosures are also unclear.  Offerors are required to disclose whether they hold or have applied for any licenses, and that data will presumably be considered by the Secretary.  However, there is no indication as to how the Department will utilize that information to determine whether it will use the product, service, or system.

The third-party testing standard also raises a number of operational questions, and the accompanying Committee Report language offers few indicators of congressional intent.  If the purpose is to direct the Department to develop the standard that COTS companies can use to deal with foreign governments, it is an open question whether the U.S. government would then apply that standard to its own testing.  The provisions also offer no resolution if a disconnect arises between U.S. government requirements and the standard developed by the Department pursuant to this third-party testing provision.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain and cybersecurity requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

David’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues—including through proactive mitigation and carve-outs—is a critical path for the transaction. David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multi-national companies across a range of industries to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China, as well as on emerging legal issues such as outbound investment restrictions and regulations governing information and communications technologies and services (ICTS). David also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In addition, in the foreign investment and national security area, David is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

In his cybersecurity practice, David has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. David has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.

Frederic Levy

Fred Levy is senior counsel in the firm’s Government Contracts and White Collar Defense and Investigations Practice Groups. He is a leading suspension and debarment lawyer, focusing his practice on the resolution of complex compliance and ethics issues. He has successfully represented numerous high-profile corporations and individuals under investigation by the government in civil and criminal matters, including False Claims Act cases, and in suspension and debarment proceedings to ensure their continued eligibility to participate in federal programs. He has also conducted numerous internal investigations on behalf of corporate clients and advises corporations on voluntary or mandatory disclosures to federal agencies. Fred regularly counsels clients on government contract performance issues, claims and terminations, and litigates matters before the boards of contract appeals and in the Federal Circuit.

Related to his work involving program fraud, Fred counsels clients in the area of contractor “responsibility.” He is involved in the development and implementation of contractor ethics and compliance programs that meet the standards of the Federal Acquisition Regulation, Federal Sentencing Guidelines, and Sarbanes-Oxley, and he regularly conducts ethics and compliance training.

Fred is a principal editor of Guide to the Mandatory Disclosure Rule, and of The Practitioner’s Guide to Suspension and Debarment, 4th Edition. He is a vice-chair of the Debarment and Suspension Committee of the ABA Public Contract Law Section, and a former co-chair of that committee and of the Procurement Fraud Committee. He is a graduate of Columbia College and Columbia Law School.

Heather Finstuen

Heather Finstuen has extensive experience advising clients on cross-border investment and related national security matters, as well as leading internal investigations and responding to U.S. government civil and criminal investigations.

In the national security area, Heather represents domestic and international companies in numerous industries in securing the approval of the Committee on Foreign Investment in the United States (CFIUS) and provides counseling on negotiating, implementing, and complying with CFIUS national security agreements. She frequently advises clients on national industrial security regulations and engages with the Defense Counterintelligence and Security Agency, the Department of Energy, and other cognizant security agencies on topics including the determination and mitigation of foreign ownership, control, or influence (FOCI). She also counsels defense contractors on National Industrial Security Program Operating Manual (NISPOM) requirements, obtaining and maintaining facility and personnel security clearances, safeguarding requirements, supply chain considerations, and investigating and responding to compliance concerns.

Heather has been involved in many complex CFIUS and FOCI matters, including Nexen Inc. in its $15 billion sale to China National Offshore Oil Corporation, GLOBALFOUNDRIES’ $1 billion acquisition of the IBM Microelectronics Division, Micro Focus on transactions including its $8.8 billion acquisition of HPE’s software business and $2.5 billion sale of its SUSE business, CenturyLink’s $2.2 billion sale of its Savvis data center business, Publicis Groupe’s $3.7 billion acquisition of Sapient, numerous matters for BAE Systems, and multiple transactions for The Carlyle Group.

Heather also represents and counsels government contractors in connection with internal investigations, mandatory disclosures, federal inquiries and investigations, and compliance policies and procedures. Heather has led numerous internal fraud and ethics investigations in various industries (defense, manufacturing, software, banking and finance, healthcare, food) into a range of issues including cyber security, labor charging, billing and claims, sourcing requirements, manufacturing and quality control processes, accounting, compensation structures, and mortgage foreclosure practices.

Before joining the firm, Heather served as a law clerk to the Honorable Carolyn Dineen King of the United States Court of Appeals for the Fifth Circuit.