DoD Proposed Rule Requires Government Contractors To Report On Code Disclosures To Foreign Persons

     In a recent GovCon Video Blog, we briefly discussed rules that government contractors need to be mindful of when outsourcing work to foreign subcontractors.  On November 15, 2024, the U.S. Department of Defense (DoD) issued a Proposed Rule that would require government contractors who work with foreign companies and personnel to meet additional reporting requirements.

     The Proposed Rule requires companies to report to DoD on their disclosures of certain computer and source code to foreign persons or foreign governments since August 2013.  DoD’s Proposed Rule purports to implement requirements enacted in the National Defense Authorization Act for Fiscal Year 2019 (NDAA 2019).  But, in fact, the Proposed Rule appears to expand the scope of the NDAA 2019 reporting requirements.

NDAA 2019 Section 1655

     Section 1655 of NDAA 2019 prohibits DoD from using a product, service, or system relating to information or operational technology, cybersecurity, an industrial control system, or a weapons system provided by a company unless that company has met certain reporting requirements. 

     More specifically, companies must report if, as of 5 years of the date of NDAA 2019’s enactment, they have allowed a foreign government to review code of a non-commercial product, system, or service developed for DoD or source code of a product, system, or service that DoD is using or intends to use.  

     Similarly, NDAA 2019 also requires companies to report if, as of 5 years of the date of NDAA 2019’s enactment, they have entered into a sales or transaction agreement with a foreign government or foreign person acting on behalf of a foreign government that requires them to disclose to a foreign government or foreign person code of a non-commercial product, system, or service developed for DoD or source code of a product, system, or service that DoD is using or intends to use.   

     The reporting requirements under NDAA 2019 related to code disclosures, thus, are triggered by disclosures of code to foreign governments and by agreements with foreign governments or foreign agents acting on their behalf.

     NDAA 2019 also requires companies to report if they have sought export licenses under the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) for information technology products, components, software, or services that contain code custom developed for a non-commercial product, system, or service that is used or intended to be used by DoD. 

The Proposed Rule

     As under NDAA 2019, the Proposed Rule conditions the award of a DoD contract for information or operational technology, cybersecurity, industrial control systems, or weapon systems on certain reporting requirements, which are to be completed in DoD’s Catalog Data Standard within the Electronic Data Access (EDA) system (https://piee.eb.mil).

     Specifically, contractors must report on whether or not they hold or have sought a license under EAR or ITAR to export information technology products, components, software, or services that contain computer code custom-developed for a non-commercial product, system, or service that DoD is procuring or is using or intends to use.  

     The Proposed Rule, also like NDAA 2019, requires government contractors to disclose if, as of August 12, 2013, they have been required under a sale or transaction agreement with a foreign government or foreign person acting on behalf of a foreign government to allow a foreign person or foreign government to review the source code for any product, system, or service that DoD is using or intends to use, or the computer code for any non-commercial product, system, or service developed for DoD.

     The Proposed Rule, however, expands the scope of reporting under NDAA 2019 by requiring government contractors to report not only if, as of August 12, 2013, they have allowed a foreign government to review the source code for any product, system, or service used by or intended to be used by DoD or the computer code for any non-commercial product, system, or service developed for DoD, but also if, during the same time period, they have allowed any foreign person to review the source code or computer code.  In other words, while NDAA 2019 imposes a reporting requirement on disclosures of source or computer code to foreign persons acting on behalf of foreign governments, under the Proposed Rule the disclosure of source or computer code to any foreign person – whether acting on behalf of a foreign government or not – triggers a reporting requirement under the Proposed Rule.

     The Proposed Rule also imposes a flow-down requirement mandating government contractors to insert the reporting requirements in subcontracts for the acquisition of products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems, including those for commercial products and commercial services.

     Comments to the Proposed Rule must be submitted by January 14, 2025.