Defense Issues

Barely noticed in the firehose stream of presidential activity since the inauguration was a brief Oval Office mention of cutting a deal with Ukraine for access to its critical minerals. Securing steady access to uranium, the rare earth elements, and other critical minerals is a natural priority for an America First agenda, so President Trump’s February 3 statement is unlikely to be his last. Changes to the tax code, permitting reform, regulatory incentives, and partnerships with allies as well as troubled nations are among the actions to watch for.

A Bipartisan Issue

Leaders of both parties agree that action is needed. “Whether it’s critical minerals with China … or uranium from Russia, we can’t be dependent on them,” Secretary of the Interior Doug Burgum asserted in his confirmation hearing. “We’ve got the resources here. We need to develop them.” Virginia Senator Mark Warner (D, VA) recently charged, “China dominates the critical mineral industry and is actively working to ensure that the U.S. does not catch up.” He urged, “The U.S. must, alongside allies, take meaningful steps to protect and expand our production and procurement of these critical minerals.” President Biden’s State Department was even more blunt, asserting that China is intentionally oversupplying lithium to “lower the price until competition disappears.”

Several recent developments have increased U.S. policymakers’ concerns about future supplies of critical minerals. New technologies, including artificial intelligence, promise to dramatically boost demand. China, meanwhile, is using new export control laws to curtail exports to the United States. A resurgent war in the eastern provinces of the Democratic Republic of the Congo (DRC), ostensibly over tribal rivalries, is actually a fight over the country’s rich mineral resources. These include gold and diamonds, but also coltan, an ore from which tantalum is extracted. Tantalum is extremely valuable for its use in the capacitors found in smartphones, laptops, and medical equipment.

The number of minerals in question (51), the usual number of steps in the production chain (4), and the variety of international agreements, public laws, private initiatives, and emerging technologies add up to a dizzyingly complex set of issues. Nevertheless, the bipartisan alignment evident in the above statements signals that impacted industries should watch closely for fast-moving legislative and regulatory developments.

Market Overview

Critical minerals are essential for a long list of industrial and defense-related needs. Attention is often focused on the 17 ‘rare earth elements’ (REEs), but the U.S. Geological Survey (USGS) has a broader list of 50 mineral commodities that are critical to the nation’s economy and national security. Uranium is excluded by a statutory definition but is often tracked in parallel. Together, these 51 elements are used for a far wider array of products than is often recognized. The 17 REEs alone are also needed for oil refining, guided missiles, radar arrays, MRI machines, computer chips, hydrogen electrolysis, lasers, aluminum manufacturing, cameras, jet engines, satellite manufacturing, and a long list of other advanced applications.

Continue Reading What President Trump Might Do on Critical Minerals

This is the first blog in a series covering the Fiscal Year 2025 National Defense Authorization Act (“FY 2025 NDAA”).  This first blog will cover: (1) NDAA sections affecting acquisition policy and contract administration that may be of greatest interest to government contractors; (2) initiatives that underscore Congress’s commitment to strengthening cybersecurity, both domestically and internationally; and (3) NDAA provisions that aim to accelerate the Department of Defense’s adoption of AI and Autonomous Systems and counter efforts by U.S. adversaries to subvert them. 

Future posts in this series will address NDAA provisions targeting China, supply chain and stockpile security, the revitalized Administrative False Claims Act, and Congress’s effort to mature the Office of Strategic Capital and leverage private investment to accelerate the development of critical technologies and strengthen the defense industrial base.

FY 2025 NDAA Overview

On December 23, 2025, President Biden signed the FY 2025 NDAA into law.  The FY 2025 NDAA authorizes $895.2 billion in funding for the Department of Defense (“DoD”) and Department of Energy national security programs—a $9 billion or 1 percent increase over 2024.  NDAA authorizations have traditionally served as a reliable indicator of congressional sentiment on final defense appropriations. 

FY 2025 marks the 64th consecutive year in which an NDAA has been enacted, reflecting its status as “must-pass” legislation.  As in prior years, the NDAA has been used as a legislative vehicle to incorporate other measures, including the FY 2025 Department of State and Intelligence Authorization Acts, as well as provisions related to the Departments of Justice, Homeland Security, and Veterans Affairs, among others.

Below are select provisions of interest to companies across industries that engage in U.S. Government contracting, including defense contractors, technology providers, life sciences firms, and commercial-item suppliers.

Continue Reading President Biden signs the National Defense Authorization Act for Fiscal Year 2025

This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2024.  This blog describes key actions taken to implement the Cyber EO, the U.S. National Cybersecurity Strategy, and other actions taken that support their general principles during November 2024. 

National Institute of Standards and Technology (“NIST”) Publishes Draft “Enhanced Security Requirements for Protecting Controlled Unclassified Information”

On November 13, 2024, NIST published a draft of Special Publication (“SP”) 800-172 Rev. 3 that “provides recommended security requirements to protect the confidentiality, integrity, and availability of [Controlled Unclassified Information] when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program.”  In particular, the draft requirements “give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats . . . and help to ensure the resiliency of systems and organizations.”  The draft requirements “are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations.”  In the publication, NIST stated that it does not expect that all requirements are needed “universally.”  Instead, the draft requirements are intended to be “selected by federal agencies based on specific mission needs and risks.”

These requirements serve as a supplement to NIST SP 800-171, and apply to particular high-risk entities.  To that end, the current version of this NIST SP 800-172 (i.e., Rev. 2) is used by the U.S. Department of Defense (“DoD”) for its forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program, which we discussed in more detail here.  Specifically, contractors must implement twenty-four controls that DoD selected from SP 800-172 Rev. 2 in order to obtain the highest level of certification – Level 3.  Just as the CMMC Final Rule incorporated Rev. 2 of SP 800-171 (rather than Rev. 3), the CMMC program will not immediately incorporate SP 800-172 Rev. 3 requirements.  However, the draft requirements provide insight into how CMMC could evolve.

Continue Reading November 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy

From January to June 2025, Poland will hold the Presidency of the Council of the European Union, presenting an ambitious agenda organized around the concept of security to tackle some of the EU’s most pressing challenges. This blog outlines the announced focus areas for technology, trade, defense, and ESG. Each of these topics is pivotal to ensuring the EU’s competitiveness, resilience, and sustainability in an increasingly complex global landscape.

Technology: Driving Innovation and Digital Transformation

The EU’s technological landscape is at a crossroads, driven by competition with the U.S. and China, and regulatory reforms such as the Digital Markets Act and the AI Act. The Polish Presidency will advance digital resilience by focusing on cybersecurity and AI governance. It commits to “promote the strengthening of European AI research, development and competence centres across the EU and support EU activities for entrepreneurs implementing disruptive technologies.” Poland also pledges to develop “a comprehensive and horizontal approach to cybersecurity” by holding “a discussion on best practices in Member States on investing in cybersecurity” and creating a “new EU cybersecurity strategy.”

The EU-U.S. Trade and Technology Council (TTC), which has facilitated transatlantic cooperation, faces uncertain prospects under evolving political landscapes. If disbanded, new bilateral arrangements like a UK-EU TTC may emerge. In technology diplomacy, the EU will likely prioritize collaborations on export control, investment screening, and dual-use technologies with allies, including the U.S.

Trade: Enhancing Competitiveness and Reducing Dependencies

The EU’s trade policy faces heightened complexities in balancing openness with economic security. Amidst Russia’s destabilizing actions and the economic decoupling from China, the Polish Presidency prioritizes reinforcing the EU’s economic sovereignty. Enhancements to the EU Customs Union and trade components of the Association Agreements with Ukraine and Moldova are expected, aligning economic cooperation with strategic resilience.

Continue Reading “Security, Europe!” Priorities of the Polish Presidency of the EU Council

On November 15, 2024, the Department of Defense (“DoD”) published a Notice of Proposed Rulemaking (“Proposed Rule”) entitled “Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations.”  The Proposed Rule would impose new disclosure obligations on “Offeror[s]” (pre-award) and “Contractor[s]” (post-award) that are triggered in certain circumstances by review or by an obligation to allow review of their source or computer code either by a foreign government or a foreign person.  If the Proposed Rule takes effect, the obligations would apply to any “prospective contractor” or any existing contractor.  The Proposed Rule also does not distinguish between companies based in or outside the United States.

The Proposed Rule would implement the requirement of National Defense Authorization Act for Fiscal Year 2019 (“NDAA”) section 1655 which states that “[DoD] may not use a product, service, or system procured or acquired after the date of the enactment of this Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person unless that person” makes certain disclosures related to: (1) foreign government or foreign person access to computer or source code, and (2) the person’s Export Administration Regulations (“EAR”) or International Traffic in Arms Regulations (“ITAR”) applications or licenses.  Importantly, per the NDAA, these disclosure obligations include activities dating back to August 13, 2013.

A summary of the obligations and key definitions as described by the Proposed Rule are below.

Disclosure Obligations

Disclosure of Source or Computer Code

The Proposed Rule would require any “Offeror” or “Contractor” for defense contracts to disclose in the Catalog Data Standard in the Electronic Data Access (“EDA”) system (https://piee.eb.mil) “[w]hether, and if so, when, at any time after August 12, 2013,” they (1) “allowed a foreign person or foreign government to review” or (2) “[are] under any obligation to allow a foreign person or foreign government to review, as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government”:

  • “The source code for any product, system, or service that DoD is using or intends to use; or
  • The computer code for any other than commercial product, system, or service developed for DoD.”

When this clause is included in a solicitation, by submitting its offer to the government or higher tier contractor, an “Offeror” is representing that it “has completed the foreign obligation disclosures in EDA and the disclosures are current, accurate, and complete.”  For post-award disclosures, the requirements would most likely first be added in new task orders, delivery orders, and options.

Continue Reading Department of Defense Publishes Notice of Proposed Rulemaking on Disclosure of Computer and Source Code to Foreign Entities

As the world anticipates the return of Donald Trump to the White House, the European Union (“EU”) braces for significant impacts in various sectors. The first Trump administration’s approach to transatlantic relations was characterized by unpredictability, tariffs on imported goods, a strained NATO relationship, and withdrawal from the Iran nuclear deal and the Paris climate agreement. If past is prologue, the EU must prepare for a renewed era of uncertainty and potential adversarial policies.

Trade Relations

Trump’s self-proclaimed identity as a “tariff man” suggests that trade policies would once again be at the forefront of his administration’s priorities. His campaign promises, which include imposing global tariffs on all goods from all countries in the range of 10% to 20%, signal a departure from traditional U.S. trade policies. Such measures could have severe repercussions for the EU, both directly through increased tariffs on its exports and indirectly via an influx of dumped products from other affected nations, particularly China. Broad-based tariffs of this nature would likely provoke retaliatory measures from the EU.

The EU’s response toolkit would likely mirror many of the actions it employed between 2018 and 2020 in reaction to U.S. tariffs imposed during the first Trump administration. These measures would include retaliation on U.S. products to maximize political pressure by targeting Trump-supporting constituencies, pursuing chosen legal challenges against the U.S. at the World Trade Organization, and implementing safeguards to shield the EU market from an influx of Chinese and other diverted goods following U.S. tariff hikes. Very practically, the EU has suspended tariffs on US exports of steel and aluminum to its market worth €2.8 billion. The suspension expires on 1 March 2025, requiring an active decision on whether to reintroduce them or not.

In executing these measures, the EU is expected to collaborate with allies such as the UK, Canada, Japan, Australia, and South Korea to amplify its response. The EU may also explore smaller trade agreements or informal “packages” with the U.S. as part of a negotiated tariff truce. Broader protective measures could also be pursued, focusing on subsidies and industrial policies aimed at strengthening Europe’s strategic sectors, beyond actions specific to the U.S. Some cooperation with the U.S. on China may also be possible in areas like export control, investment control, and dual-use technologies.

Continue Reading Policy Implications for Europe Under a Second Trump Administration

On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”).  This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory.  The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department.  It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.

DoJ’s Civil Cyber-Fraud Initiative

On October 6, 2021, following a series of ransomware and other cyberattacks on government contractors and other public and private entities, DoJ announced the CFI.  We covered the CFI as it was first announced in more detail here, and in a comprehensive separately published article here.  As explained by Deputy Attorney General Lisa Monaco and other DoJ officials, DoJ is using the civil FCA to pursue government contractors and grantees that fail to comply with mandatory cyber incident reporting requirements and other regulatory or contractual cybersecurity requirements.  Moreover, depending on the facts, DoJ Criminal likely will be interested in some of these cases.

About the Settlement

On October 5, 2022, a relator – the former chief information officer for Penn State’s Applied Research Laboratory – filed a qui tam action in the United States District Court of the Eastern District of Pennsylvania.  The relator alleged in an amended complaint from 2023 that he discovered and raised non-compliance issues, which Penn State management did not address, and that Penn State falsified compliance documentation.  On October 23, 2024, DoJ formally intervened and notified the court that it reached a settlement agreement with Penn State.  The settlement agreement alleges that Penn State violated the FCA by failing to implement adequate safeguards and to meet cybersecurity requirements set forth under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  As set forth in the settlement agreement, these issues related to fifteen contracts and subcontracts involving the Department of Defense (“DoD”) and the National Aeronautics and Space Administration (“NASA”) between January 2018 and November 2023.

Continue Reading Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations

On July 18, 2024, the President of the European Commission, Ursula von der Leyen, was reconfirmed by the European Parliament for a second five-year term. As part of the process, she delivered a speech before the Parliament, complemented by a 30-page program, which outlines the Commission’s political guidelines and

Continue Reading The Future of EU Defence Policy and a Renewed Focus on Technology Security

On May 2, 2024, the Federal Communications Commission (FCC) released a draft Notice of Proposed Rulemaking (NPRM) for consideration at the agency’s May 23 Open Meeting that proposes to “prohibit from recognition by the FCC and participation in [its] equipment authorization program, any [Telecommunications Certification Body (TCB)] or test lab

Continue Reading FCC to Consider Prohibiting “Covered List” Entities from Participation in Agency’s Equipment Authorization Program

This is part of a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs  described the actions taken by

Continue Reading March 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order