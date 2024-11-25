ARTICLE
25 November 2024

Six Years In The Making, DoD Releases Proposed Rule Requiring Disclosure Of Foreign Review Of Code For IT, Cybersecurity, Critical Infrastructure, And Weapons System Products And Services

CM
Crowell & Moring LLP

Contributor

Crowell & Moring LLP logo
Our founders aspired to create a different kind of law firm when they launched Crowell & Moring in 1979. From those bold beginnings, our mission has been to provide our clients with the best services of any law firm in the world through a spirit of trust, respect, cooperation, collaboration, and a commitment to giving back to the communities around us.
Explore Firm Details
On November 15, 2024, the Department of Defense (DoD) issued a Proposed Rule implementing Section 1655 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (P.L. 115-232), over six years after Congress enacted the requirement.
United States Technology
Photo of Adelicia R. Cliffe
Photo of Alexandra Barbee-Garrett
Photo of Michael G. Gruden, CIPP/G
Photo of Megan L. Wolf
Photo of Evan D. Wolff
Authors

On November 15, 2024, the Department of Defense (DoD) issued a Proposed Rule implementing Section 1655 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (P.L. 115-232), over six years after Congress enacted the requirement.

DoD's issuance of the Proposed Rule, rather than an interim final rule, is notable in and of itself because progress toward implementing Section 1655 was already stalled "pending resolution of technical issues" from May 2019 until mid-2024. Now, DoD's implementation will be pushed out further while DoD considers comments. Comments are due on January 14, 2025.

Stemming from concerns about Chinese government access to U.S. technology, Section 1655 requires DoD contractors providing products, services, or systems relating to information technology (IT), cybersecurity, industrial controls, or weapons systems to disclose whether in the five years preceding the FY 2019 NDAA's enactment, the contractor has allowed a foreign government or person to review its offering's code or is obligated to provide such a review, and whether the contractor had an export license for that review. To implement these requirements, the Proposed Rule contemplates pre- and post-award disclosures of any foreign government or person's actual review or legal right to review the code underlying the contractor's product or service since August 2013. The disclosure obligation would attach to IT, cybersecurity, industrial controls or weapons system product or service offerings that DoD is using or will use, and any such offerings developed for DoD.

The Proposed Rule follows the recent trend of extending regulatory requirements for supply chain security beyond those imposed by statute. In particular, the Proposed Rule applies to commercial products and services, despite the statute's clear language stating that the disclosure requirement applies only to noncommercial items developed for DoD. In addition, the Proposed Rule fails to define what it means for a foreign government or person to "review" the contractor's code (or have the option to do so), which may require contractors to disclose instances where a foreign government had an unexercised one-time right to view a contractor's code on a contractor device, where a foreign government would be unable to copy or modify the code.

Contractors should consider commenting on the Proposed Rule to request more definition and fidelity to the statutory requirements. In the meantime, contractors should also consider implementing measures to track disclosure of code for products or services, including the identity and nationality of the party receiving the disclosure and the reason for source code disclosure. Contractors should also make sure to have documented any export licenses or invocation of license exemptions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Find out more and explore further thought leadership around Technology Law and Digital Law
Authors
Photo of Adelicia R. Cliffe
Adelicia R. Cliffe
Photo of Alexandra Barbee-Garrett
Alexandra Barbee-Garrett
Photo of Michael G. Gruden, CIPP/G
Michael G. Gruden, CIPP/G
Photo of Megan L. Wolf
Megan L. Wolf
Photo of Evan D. Wolff
Evan D. Wolff
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More