Defense Issues

On November 15, 2024, the Department of Defense (“DoD”) published a Notice of Proposed Rulemaking (“Proposed Rule”) entitled “Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations.”  The Proposed Rule would impose new disclosure obligations on “Offeror[s]” (pre-award) and “Contractor[s]” (post-award) that are triggered in certain circumstances by review or by an obligation to allow review of their source or computer code either by a foreign government or a foreign person.  If the Proposed Rule takes effect, the obligations would apply to any “prospective contractor” or any existing contractor.  The Proposed Rule also does not distinguish between companies based in or outside the United States.

The Proposed Rule would implement the requirement of National Defense Authorization Act for Fiscal Year 2019 (“NDAA”) section 1655 which states that “[DoD] may not use a product, service, or system procured or acquired after the date of the enactment of this Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person unless that person” makes certain disclosures related to: (1) foreign government or foreign person access to computer or source code, and (2) the person’s Export Administration Regulations (“EAR”) or International Traffic in Arms Regulations (“ITAR”) applications or licenses.  Importantly, per the NDAA, these disclosure obligations include activities dating back to August 13, 2013.

A summary of the obligations and key definitions as described by the Proposed Rule are below.

Disclosure Obligations

Disclosure of Source or Computer Code

The Proposed Rule would require any “Offeror” or “Contractor” for defense contracts to disclose in the Catalog Data Standard in the Electronic Data Access (“EDA”) system (https://piee.eb.mil) “[w]hether, and if so, when, at any time after August 12, 2013,” they (1) “allowed a foreign person or foreign government to review” or (2) “[are] under any obligation to allow a foreign person or foreign government to review, as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government”:

  • “The source code for any product, system, or service that DoD is using or intends to use; or
  • The computer code for any other than commercial product, system, or service developed for DoD.”

When this clause is included in a solicitation, by submitting its offer to the government or higher tier contractor, an “Offeror” is representing that it “has completed the foreign obligation disclosures in EDA and the disclosures are current, accurate, and complete.”  For post-award disclosures, the requirements would most likely first be added in new task orders, delivery orders, and options. Continue Reading Department of Defense Publishes Notice of Proposed Rulemaking on Disclosure of Computer and Source Code to Foreign Entities

As the world anticipates the return of Donald Trump to the White House, the European Union (“EU”) braces for significant impacts in various sectors. The first Trump administration’s approach to transatlantic relations was characterized by unpredictability, tariffs on imported goods, a strained NATO relationship, and withdrawal from the Iran nuclear deal and the Paris climate agreement. If past is prologue, the EU must prepare for a renewed era of uncertainty and potential adversarial policies.

Trade Relations

Trump’s self-proclaimed identity as a “tariff man” suggests that trade policies would once again be at the forefront of his administration’s priorities. His campaign promises, which include imposing global tariffs on all goods from all countries in the range of 10 % to 20%, signal a departure from traditional U.S. trade policies. Such measures could have severe repercussions for the EU, both directly through increased tariffs on its exports and indirectly via an influx of dumped products from other affected nations, particularly China. Broad-based tariffs of this nature would likely provoke retaliatory measures from the EU.

The EU’s response toolkit would likely mirror many of the actions it employed between 2018 and 2020 in reaction to U.S. tariffs imposed during the first Trump administration. These measures would include retaliation on U.S. products to maximize political pressure by targeting Trump-supporting constituencies, pursuing chosen legal challenges against the U.S. at the World Trade Organization, and implementing safeguards to shield the EU market from an influx of Chinese and other diverted goods following U.S. tariff hikes. Very practically, the EU has suspended tariffs on US exports of steel and aluminum to its market worth €2.8 billion. The suspension expires on 1 March 2025, requiring an active decision on whether to reintroduce them or not.

In executing these measures, the EU is expected to collaborate with allies such as the UK, Canada, Japan, Australia, and South Korea to amplify its response. The EU may also explore smaller trade agreements or informal “packages” with the U.S. as part of a negotiated tariff truce. Broader protective measures could also be pursued, focusing on subsidies and industrial policies aimed at strengthening Europe’s strategic sectors, beyond actions specific to the U.S. Some cooperation with the U.S. on China may also be possible in areas like export control, investment control, and dual-use technologies.Continue Reading Policy Implications for Europe Under a Second Trump Administration

On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”).  This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory.  The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department.  It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.

DoJ’s Civil Cyber-Fraud Initiative

On October 6, 2021, following a series of ransomware and other cyberattacks on government contractors and other public and private entities, DoJ announced the CFI.  We covered the CFI as it was first announced in more detail here, and in a comprehensive separately published article here.  As explained by Deputy Attorney General Lisa Monaco and other DoJ officials, DoJ is using the civil FCA to pursue government contractors and grantees that fail to comply with mandatory cyber incident reporting requirements and other regulatory or contractual cybersecurity requirements.  Moreover, depending on the facts, DoJ Criminal likely will be interested in some of these cases.

About the Settlement

On October 5, 2022, a relator – the former chief information officer for Penn State’s Applied Research Laboratory – filed a qui tam action in the United States District Court of the Eastern District of Pennsylvania.  The relator alleged in an amended complaint from 2023 that he discovered and raised non-compliance issues, which Penn State management did not address, and that Penn State falsified compliance documentation.  On October 23, 2024, DoJ formally intervened and notified the court that it reached a settlement agreement with Penn State.  The settlement agreement alleges that Penn State violated the FCA by failing to implement adequate safeguards and to meet cybersecurity requirements set forth under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  As set forth in the settlement agreement, these issues related to fifteen contracts and subcontracts involving the Department of Defense (“DoD”) and the National Aeronautics and Space Administration (“NASA”) between January 2018 and November 2023. Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations

On July 18, 2024, the President of the European Commission, Ursula von der Leyen, was reconfirmed by the European Parliament for a second five-year term. As part of the process, she delivered a speech before the Parliament, complemented by a 30-page program, which outlines the Commission’s political guidelines and

Continue Reading The Future of EU Defence Policy and a Renewed Focus on Technology Security

On May 2, 2024, the Federal Communications Commission (FCC) released a draft Notice of Proposed Rulemaking (NPRM) for consideration at the agency’s May 23 Open Meeting that proposes to “prohibit from recognition by the FCC and participation in [its] equipment authorization program, any [Telecommunications Certification Body (TCB)] or test lab

Continue Reading FCC to Consider Prohibiting “Covered List” Entities from Participation in Agency’s Equipment Authorization Program

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs  described the actions taken by

Continue Reading March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

In early March, the EU released its first-ever European Defence Industrial Strategy (EDIS), accompanied by a proposed regulation establishing the European Defence Industry Programme (EDIP). The aim is to boost defence capabilities in Europe through greater and more efficient spending. In particular, the strategy seeks to reverse recent trends, whereby 78% of defence acquisitions by EU countries since Russia’s full-scale aggression against Ukraine were made with non-EU producers, with U.S. firms accounting for 63%. It also addresses recent concerns by the defence industry over ESG constraints on obtaining private financing.

The ultimate benchmark for success, as recounted by one EU foreign minister, is whether these measures will help deter Russia and other adversaries. Nonetheless, it reflects greater operational focus of the EU on defence and security issues, and what in practice the European Commission and other EU institutions can do to bolster capabilities in a policy area that will remain the primary prerogative of EU Member States.

Plugging Defence Gaps

Since the end of the Cold War, European defence has suffered from perennial underinvestment and lack of policy support for the defence industry. Whereas Europe collectively spent on defence over half of the U.S. totals in the early 1990s, it now spends about one-third compared to the United States—arguably at a time of much greater security threats to Europe compared to America. There are simply not enough soldiers, tanks, planes, ships, missiles, guns, and ammunition in Europe, nor domestic facilities to produce the necessary weapons systems and materiel. Moreover, EU countries have procured defence products at a national level, exacerbating fragmentation within the European market. This fragmentation has led to the creation of national industrial silos and numerous defence systems that often lack interoperability.Continue Reading Mobilizing Greater Defence Capabilities in Europe: the EU’s Defence Industrial Strategy

This year’s Munich Security Conference reemphasized the need for Europe to invest in greater defense capabilities and foster a regulatory environment that is conducive to building a defense and technological industrial base. In Munich, President Ursula von der Leyen committed to appointing a European Commissioner for Defence, if she is reselected later this year by the European Council and European Parliament. And the EU is also due to publish shortly a new defense industrial strategy, mirroring in part, the first-ever U.S. National Defense Industrial Strategy (NDIS) released earlier this year by the Department of Defense.

The NDIS, in turn, recognizes the need for a strong defense industry in both the U.S. and the EU, as well as other allies and partners across the globe, in order to strengthen supply chain resilience and ensure the production and delivery of critical defense supplies. And global leaders generally see the imperative of working together over the long-term to advance integrated deterrence policies and to strengthen and modernize defense industrial base ecosystems. We will continue tracking these geopolitical trends, which are likely to persist regardless of electoral outcomes in Europe or the United States.

These developments across both sides of the Atlantic follow on a number of significant new funding streams in Europe over the past couple of years, for instance:

  • The 2021 revision of the European Defense Fund Regulation allocated €8 billion for common research and development projects, meant to be spent during the 2021-2027 multi-annual financial framework (MFF).
  • As a direct response to Ukraine’s request for assistance with the supply of 155 mm-caliber artillery rounds, the EU adopted the 2023 Act in Support of Ammunition Production (ASAP), with a €500 million fund to scale up production of ammunition and missiles.
  • Most recently, the EU adopted the 2023 European Defense Industry Reinforcement through Common Procurement Act (EDIRPA), introduced a joint procurement fund of €300 million to facilitate Member States’ collective acquisition of defense products.
  • The European Peace Facility (EPF), an off-budget instrument, with an overall financial ceiling exceeding €12 billion, is primarily destined toward procurement of military material and large-scale financing of weapon supplies to allied third countries (including €6.1 billion for Ukraine).

Continue Reading Insights from the Munich Security Conference: Towards an Expanding U.S.-EU Defense Taxonomy?

On December 14, 2023, the U.S. Congress passed the National Defense Authorization Act for FY 2024 (NDAA), authorizing $886 billion in defense spending. Amid its numerous provisions, there is the concept of the “national technology and industrial base,” which now includes the United States, Canada, the United Kingdom, Australia, and New Zealand and could potentially serve as the basis for wider industrial cooperation with European and other global partners. This could provide useful synergies with ongoing efforts in Europe to galvanize defense production and help ensure an enduring competitive edge for the wider West over potential adversaries—within NATO and with global partners.

The Global “National Technology and Industrial Base”

The national technology and industrial base (NTIB) is defined in U.S. law as “the persons and organizations that are engaged in research, development, production, integration, services, or information technology activities” in national security and dual-use areas. First established in 1994, NTIB initially included only Canada in addition to the United States. In 2016, however, United Kingdom and Australia were added, followed by New Zealand in 2022. NTIB entities may receive preference for certain limited procurement actions and may be exempted from certain foreign ownership or control/influence requirements.

The logic behind this initial expansion was to foster industrial defense cooperation among the Five Eyes allies, which already had provisions for intelligence sharing potentially required for sophisticated military projects. And the expected benefits were to leverage economies of scale, promote innovation, and increase interoperability.

Given Russia’s large-scale war of aggression against Ukraine and the longer-term challenge from China, the NTIB could be expanded further to ensure that the wider West is able to produce the military materiel required to deter and confront any security challenges. The United States and its NATO Allies have already faced stockpile constraints in providing weapons supply to Ukraine to continue waging its defense. Now, the 2024 NDAA has added Israel and Taiwan to a program started to expedite delivery and replenishment of munitions to Ukraine, which will put further pressure on existing production. The NTIB could also serve as the fulcrum to leverage European defense initiatives in light of Russia’s war of aggression.

European Defense Initiatives

The European defense landscape has long been characterized by severe under-investment and fragmentation among Member States, with less than one-fifth of investments in defense programs conducted in cooperation. In 2009, the European Union expressed its willingness to facilitate joint procurement with the adoption of procurement rules for munitions, arms, and war material in the Defense Procurement Directive. However, implementation was lacking, and most procurement contracts were still awarded without an EU-wide tender.Continue Reading U.S. Defense Bill’s Implications for European and Global Partners

Following our recent overview of key topics to watch in the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2024, available here, we continue our coverage with a “deep dive” into NDAA provisions related to the People’s Republic of China (“China” or “PRC”) in each of the House and Senate bills.  DoD’s focus on strengthening U.S. deterrence and competitive positioning vis-à-vis China features prominently in the 2022 National Defense Strategy (“NDS”) and in recent national security discourse.  This focus is shared by the Select Committee on Strategic Competition Between the United States and the Chinese Communist Party (“Select Committee”), led by Chairman Mike Gallagher (R-WI) and Ranking Member Raja Krishnamoorthi (D-IL). 

It is no surprise, then, that House and Senate versions of the NDAA include hundreds of provisions—leveraging all elements of national power—intended to address what the NDS brands as China’s “pacing” challenge, including many grounded in Select Committee policy recommendations.  Because the NDAA is viewed as “must-pass” legislation, it has served in past years as a vehicle through which other bills not directly related to DoD are enacted in law.  In one respect, this year is no different—the Senate version of the NDAA incorporates both the Department of State and Intelligence 2024 Authorization bills, each of which includes provisions related to China. 

To get a flavor of the approach to China in this year’s NDAA, look no further than the “Ending China’s Developing Nation Status Act” in Section 1399L of the Senate bill, which would require U.S. opposition to granting China “developing nation” status in treaties under negotiation and by international organizations of which the U.S. and China are members, such as the World Trade Organization.  Classification as a “developing nation” affords China access to preferential loans and other economic benefits intended to increase trading opportunities, notwithstanding its current status as an upper-middle income country (as determined by the World Bank), and the world’s second largest economy, trailing only the U.S.  Not to be outdone, Section 155 of the House bill contains a provision mandating expedited deployment of advanced radars to track high-altitude balloons and other potential threats to the U.S., in direct response to the incident earlier this year in which a Chinese balloon flew across the U.S. before being shot down by the Air Force.

Given these provisions, and many more (some we discuss below), this year’s NDAA strikes us as different.  It incorporates many more China-related provisions and many of these would impose greater obligations on government contractors to limit their interactions with the PRC and entities affiliated with the PRC Government.  Whether the laundry list of China-related provisions in the current NDAA survive, and in what form, will be determined by the conference process currently underway.  But these provisions have the potential to impose significant near-term burdens on contractors—requiring them to assess their obligations and make adjustments to ensure compliance.  Indeed, these provisions may be far more disruptive than requirements imposed by prior year NDAA China provisions that contractors have navigated by reassessing supply chains and increasing due diligence.  All government contractors and suppliers to government contractors with any connection to China would be well advised to monitor how the NDAA conference approaches resolution of this legislation over the coming months.Continue Reading Not to Be Outpaced: NDAA Presents Measures Addressing China