ARTICLE
26 November 2024

DoD Proposes New Rules Requiring Disclosure Of Foreign Access To Software Code

SJ
Steptoe LLP


On November 14, the U.S. Department of Defense (DoD) issued a proposed rule that would effectively require DoD contractors to disclose whether they have permitted or agreed to permit a foreign government or person to review software code for certain categories of products and services. For non-commercial code that is custom-developed for DoD, contractors would also be required to confirm whether they hold or have sought a license under U.S. export controls for products and services containing such code.

After more than six years, the proposed rule would finally implement requirements imposed under the National Defense Authorization Act (NDAA) for Fiscal Year 2019. However, the rule would significantly expand the NDAA's requirements.

Covered Products, Services, and Code

Under the proposed rule, DoD would include new clauses in solicitations and contracts when it is acquiring a product or service that broadly relates to:

  1. information or operational technology;
  2. cybersecurity;
  3. an industrial control system; or
  4. a weapon system.

When applicable, companies would be required to report on a DoD database whether, at any time since August 13, 2013, they permitted or promised to permit a foreign government or person to review the following categories of code:

  1. source code for any product or service that DoD uses or intends to use; and
  2. source code or object code for any non-commercial product or service developed for DoD.

Contractors would be prohibited from providing any covered product or service unless they continue to make required disclosures for the duration of any award.

Additional Reporting Obligations

Companies offering non-commercial products or services that include code that is custom‑developed for their offering would also need to report on the DoD database whether they hold or have sought a license under the Export Administration Regulations or International Traffic in Arms Regulations for information technology products or services containing such code. With this information, DoD could ultimately adopt a practice of regularly requesting additional details when instances of foreign access are disclosed without reference to a corresponding license.

The foreign access and license disclosure requirements would apply to both prime contractors and subcontractors. In addition, prime contractors would need to update their own disclosures when receiving disclosures from subcontractors.

Partial Open-Source Exception

The proposed rule permits DoD to acquire products or services without required disclosures to the extent they only include open-source software. However, contrary to the NDAA, the proposed rule would not exempt open-source software from reporting requirements. Accordingly, companies would not be able to rely on the open-source exception to avoid reporting unless it is expanded when the proposed rule is finalized.

The proposed rule currently defines open-source software broadly to mean any software that is "available for use, study, reuse, modification, enhancement, and redistribution by the users of such software." This open-ended definition raises many considerations that could go unresolved for some time, such as:

  1. the extent to which software needs to be available to the public, if at all;
  2. whether software can be licensed for a fee;
  3. whether source code for software needs to be made available in addition to object code; and
  4. whether software can be subject to any limitations on use.

By comparison, definitions of open-source software normally emphasize that its source code must be publicly available, usually without a fee, to almost anyone for almost any purpose.

Key Considerations for Industry

  1. The Proposed Rule Requires Broad Disclosures for Commercial Products and Services. For companies that made business decisions relating to foreign customers over the past six years based on the scope of the NDAA, the proposed rule significantly expands disclosure requirements for commercial products and services. Under the NDAA, disclosure would have only been required for commercial products and services if code were shared with specifically designated foreign countries of concern for cybersecurity. Other countries would not have been covered by the NDAA except when dealing with non-commercial products and services. However, the proposed rule does not make this distinction and requires broad disclosure for any foreign access to source code regardless of whether commercial products or services are involved.
  2. Disclosure Requirements for Source Code Broadly Cover Foreign Persons. Without comment, the proposed rule also expands the NDAA to cover foreign persons in addition to foreign governments. Accordingly, if the proposed rule is finalized in its current form, companies seeking to provide products or services to DoD will often need to consider whether they have ever permitted or agreed to permit any foreign person to review source code included in their offerings. Importantly, unless DoD provides different guidance in the future, disclosures would be required even if source code is classified as EAR99.

Many companies may not have this data, especially because reporting obligations go all the way back to August 13, 2013, due to the delay in the proposed rule's implementation. In addition, the proposed rule does not define foreign persons, which may raise questions about whether lawful permanent residents and certain protected individuals that are considered U.S. persons for export control purposes can be considered U.S. persons under the proposed rule.

As a result, when pursuing opportunities that include the new clauses, companies will need to carefully consider whether to submit a disclaimer about the scope of available documentation, their diligence efforts, and their understanding of the definition of foreign persons.

  3. Subsequent Foreign Sales of DoD Products Can Be Covered. That the proposed rule requires reporting of foreign access to object code for non-commercial products and services developed for DoD could also trigger disclosure requirements if such code is later repurposed for a foreign customer. Although cloud-based, software-as-a-service offerings may not be covered if code is not directly accessed, sharing an executable with object code initially developed for DoD could trigger reporting under the new clauses while a covered DoD contract remains in effect. For non-commercial products and services, this scenario would most likely arise in sales to foreign governments, particularly for military applications.
  4. DoD Can Require Mitigation. Both the NDAA and proposed rule recognize that DoD can include mitigation provisions in contracts that require companies to take steps to mitigate national security risks associated with foreign access. Although DoD has yet to provide additional detail on potential mitigation, it could conceivably require companies to terminate foreign contracts or develop separate branches of code as a condition of entering into a covered DoD contract.
  5. Interactions with Existing Frameworks May Produce Unexpected Results. The new clauses would be implemented under a variety of existing frameworks that could interact with reporting requirements in unexpected ways.

For example, companies seeking to obtain marketing approvals in other jurisdictions for regulated products, such as medical devices, often need to share code with foreign regulators. Taking this step could easily trigger disclosures under the new clauses.

Also, although not addressed in the proposed rule, the NDAA suggests that required disclosures are not automatically exempt from release under the Freedom of Information Act. As a result, companies may need to take steps to prevent agencies from publicly releasing reported information about foreign access, including potentially suing agencies to prevent disclosure. Marking disclosures as confidential commercial information will likely be an important step in protecting them from release.

Moreover, other restrictions on sharing software code continue to apply. For example, sharing code that is considered controlled unclassified information may be restricted by U.S. Government contracts absent a lawful U.S. Government purpose that permits such sharing. The U.S. Government also has new authorities to blackball companies and products under the Federal Acquisition Supply Chain Security Act of 2018 if, for example, prior sharing of code raises unmitigable national security concerns. These concerns may now be more readily revealed to agencies through foreign access disclosures under the proposed rule.

In addition, agencies in the U.S. intelligence community have long imposed contractual requirements related to identifying foreign disclosures and development of code, which would continue to apply in addition to traditional sourcing requirements, such as those imposed under the Trade Agreements Act. As a result, some companies may now be required to track numerous details about code, such as how it has been accessed and developed and where it is compiled.
