HOW WELL DO YOU KNOW YOUR SUPPLY CHAIN?
NATIONAL DEFENSE AUTHORIZATION ACT 2019 (NDAA)
President Donald Trump signed the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA, or the Act, H.R. 5515) into law on August 13, 2018. The Act authorizes a $716 billion national defense budget and includes wide-ranging provisions on cybersecurity, touching everything from enhancing the military’s ability to respond to cyber attacks to protecting the IT supply chain and encouraging greater public-private collaboration.
The Department of Defense (DoD), Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the Intelligence Community (IC) in particular are seeking to integrate national security considerations into the acquisition process and expect contractors to be the first line of defense.
President Trump signed the Act on the afternoon of Monday, August 13, 2018, at an event at Fort Drum, a military base in upstate New York. Speaking before a crowd of soldiers, he described the legislation he was about to sign as follows:
“NDAA is the most significant investment in our military and our warfighters in modern history, and I am very proud to be a big, big part of it. It was not very hard. You know, I went to Congress; I said, ‘Let’s do it. We got to do it. We’re going to strengthen our military like never, ever before.’ And that’s what we did. . . . After years of devastating cuts, we’re rebuilding our military like we never have before, ever.”
A main objective of the House and Senate armed services committees in drafting the 2019 NDAA was to update U.S. military forces to ensure that they are prepared to address modern national security challenges. These include the possibility of a war with another major power such as China or Russia, which was the major focus of the National Defense Strategy (NDS) released in January 2018.
How can we assist you with NDAA 2019?
We can assist you to manage and comply with:
Flow Down Clauses
Contract and Sub K Agreement
Laws and jurisdiction
Identify small and large business
Cost accounting standards
Cost and Indirect Costs
Quality Assurance (substitution)
Open source software license
Different types of contracts
Changes to work clause
Utilization of small business concerns
Business process reengineering
Claims / Disputes reviews
Sub K obligations: safety / compliance
Limitation of liability
Establishing clear and unambiguous contracts
Work effort integration
Interfaces between Prime and Sub K
Integration among the Sub K
WBS - progress reporting
Good Faith Commitments
Compliance: Import / Export - ITAR / EAR
Software asset management
A Few Highlights of the NDAA 2019
Commercial Item Contracting (Sections 836-838)
The NDAA revises the definition of “commercial item” by separating it into two new definitions: “commercial product” and “commercial service.” The term “commercial product” is consistent with the first few prongs of the existing commercial item definition. Thus, a “commercial product” will be one that is of a type customarily used by the general public or nongovernmental entities for nongovernmental purposes and either
(i) has been sold, leased, licensed or offered to the general public, in its original or slightly modified state, or
(ii) is not yet available but will be in time to satisfy the Government’s requirements.
Also included in the definition of “commercial products” are nondevelopmental items that were developed exclusively at private expense and have been sold competitively to multiple state, local, or foreign governments. “Commercial services” will include services provided to the public, sold competitively in substantial quantities in the commercial marketplace, and procured by the federal Government for support of commercial products.
Section 902 of the NDAA expands the statutory responsibilities of the Under Secretary of Defense for Policy to include implementation of the NDS throughout the department.
Section 914 requires the Assistant Secretary of Defense for Special Operations and Low Intensity Conflict to coordinate with the commander of U.S. Special Operations Command to assess the adequacy of special forces doctrine and processes in addressing the needs of geographic combatant commanders.
Section 901 directs the Secretary of the Navy to conduct a “comprehensive review” of its operational and administrative chains-of-command to clarify responsibilities, ensure readiness, and eliminate redundancies.
Section 1075 of the NDAA instructs the Secretary of Defense to provide Congress with a comprehensive report reevaluating the highest priority missions of the Defense Department and individual armed services.
Sections 503 through 507 of the NDAA install a number of reforms intended to facilitate more merit-based promotions among military officers and avoid concerns that specialization will hinder promotion opportunities.
Section 501 increases the military’s ability to recruit specialized mid-career civilians by repealing certain age restrictions.
Section 502 provides constructive service credit for relevant civilian training or experience.
Section 532 makes domestic violence an offense under the Uniform Code of Military Justice.
Section 536 requires the Secretary of Defense to establish standard procedures for expedited transfer for service-members who are victims of sexual assault or physical domestic violence.
Section 545 requires the creation of sexual assault resource guides for service academies.
Section 547 requires assessments of how often sexual assault victims face accusations of misconduct or adverse career actions.
Use of Military Force:
Section 1031 of the NDAA amends existing statutory provisions that obligate the Defense Department to report “sensitive military operations” to congressional committees by redefining that term to encompass any lethal or capture operations targeting specific individuals—whether conducted by U.S. armed forces or by foreign armed forces in coordination with U.S. armed forces—as well as operations conducted by U.S. armed forces in self-defense or in defense of foreign partners, except where such operations occur in Afghanistan, Iraq or Syria.
Section 1031 also installs new reporting requirements for military action taken in defense of foreign partner forces. Such “collective self-defense” has occurred with non-state actors in Somalia and Syria in recent years and has been criticized for inadequate reporting.
Section 1205 directs the secretaries of defense and state to review the processes used to implement existing requirements that no assistance be provided to units that have committed gross human rights violations (one of two provisions commonly referred to as “Leahy laws”) and to update Congress within 180 days of enactment.
Section 1271 revises existing authorities for the use of acquisition and cross-servicing agreements (ACSAs), a type of international agreement that the Defense Department uses to share certain equipment and supplies with select allied militaries.
Foreign Investment and Trade Restrictions
Several provisions of the NDAA address U.S. legal restrictions on various forms of foreign commerce that may impact national security, including foreign investment in the United States and exports of strategic significance.
Section 1701 begins the Foreign Investment Risk Review Modernization Act (FIRRMA) of 2018, which is enacted as part of the NDAA.
Section 1751 of the NDAA likewise contains the Export Controls Reform Act (ECRA) of 2018, which consists of two parts:
· the Export Controls Act of 2018 and
· the Anti-Boycott Act of 2018.
Section 1758, directs the establishment of new export controls for “emerging and foundational technologies” identified as essential to U.S. national security by an interagency committee.
Section 889 of the NDAA also prohibits executive-branch agencies from procuring or contracting for certain covered telecommunications equipment or services from companies that are associated with, or believed to be owned or controlled by, the People’s Republic of China.
This prohibition begins for executive-branch agencies one year after enactment of the NDAA and extends to the beneficiaries of any grants, loans or subsidies from such agencies two years after enactment.
Under this provision, the head of any federal agency may issue a onetime waiver for up to two years, while only the director of national intelligence may issue subsequent waivers.
Notably, however, the NDAA does not include a provision from the Senate version of the bill that would have reimposed the penalties against ZTE that the Commerce Department controversially lifted earlier in 2018.
Addressing Foreign Influence Operations
In an apparent response to Russian interference in the 2016 presidential election and related measures, the NDAA contains several provisions that direct the executive branch to take steps to counter foreign influence operations.
Section 1043 formally amends the statutory functions of the National Security Council (NSC) to include coordinating the U.S. government response to malign foreign influence operations and campaigns. It also directs the NSC to provide relevant congressional committees with a strategy for achieving this objective within nine months of enactment.
Section 1085 amends existing rules governing foreign media outlets that operate in the United States, imposing registration requirements on them that resemble those required of foreign agents under the Foreign Agents Registration Act (FARA).
Nuclear Weapons and Missile Defense
Consistent with the recent Nuclear Posture Review (NPR), the NDAA (Section 1673 and related provisions) authorizes several actions that would fortify or expand the U.S. nuclear arsenal.
Section 3111 authorizes the Secretary of Energy to develop low-yield nuclear weapons capable of more tactical use and deterrence, as called for by the NPR.
Section 1663 similarly seeks to accelerate programs to develop both a ground-based strategic deterrent and long-range standoff weapons.
Section 1665 prohibits the Defense Department from reducing the number of intercontinental ballistic missiles the United States has deployed below 400 or related responsiveness or alertness levels, except where necessary for maintenance or safety reasons.
Section 1668 directs the Secretary of Defense to develop a plan for better training service members in nuclear command and control in order to develop “a mature cadre of officers with nuclear command, control, and communications expertise” within 180 days of enactment, and to implement that plan within 18 months.
Section 1669 directs the Secretary of Defense to procure an independent study on the potential benefits and risks associated with different options for increasing the amount of time that the president has to decide whether to use nuclear weapons in response to a given incident.
Section 3122 specifically prohibits any use of funds to enter into a contract with, or provide assistance to, Russia relating to atomic energy defense activities, subject to a limited exception.
Section 1601 amends existing authorities to establish a subordinate unified command under the auspices of U.S. Strategic Command. This command is responsible for coordinating and directing military activities in relation to outer space across the different military services.
Section 1675 amends existing authorities to direct the Defense Department to begin development of a missile defense system. That said, it withholds a portion of associated funds until the Defense Department provides Congress with a previously-requested report on how it intends to develop and deploy such a system.
Sections 1676 and 1680 do much the same with existing authorities related to boost phase intercept capabilities and a space-based ballistic missile intercept layer, authorizing the development of both subject to appropriations.
Iraq and Syria
Section 1231 relates to the train-and-equip program for the “vetted Syrian opposition.”
Section 1233 relates to assistance for Iraq to counter the Islamic State.
Section 1235 relates to the Office of Security Cooperation in Iraq.
The NDAA also addresses the question of accountability for war crimes in Syria.
Section 1232 directs the secretary of state to prepare a report describing possible occurrences of war crimes, crimes against humanity and genocide committed by the Assad regime, forces fighting on its behalf, or nongovernmental forces, as well as an assessment of steps the United States has taken to ensure that evidence and other relevant information is available for future transitional justice processes.
Section 1636 establishes a more aggressive policy on cyberspace, cybersecurity, cyber warfare, and cyber deterrence stating that the U.S. should “employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States.”
Section 889 of the Act prohibits the head of an executive agency from procuring covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. Covered telecommunications equipment or services are defined as:
1. Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities).
2. Video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities) when used for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes.
3. Telecommunications or video surveillance services provided by such entities or using such equipment.
4. Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.
The term “covered foreign country” means the People’s Republic of China.
Supply Chain Cyber-security
Section 1655 of the Act addresses supply chain IT risk. The Department of Defense (“DoD”) “may not use a product, service, or system procured or acquired … relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person,” unless that person discloses certain information to the Secretary of Defense, including:
· Whether an organization or person has allowed within the five years prior to the enactment of the 2019 NDAA, or is under an obligation to allow, a foreign government to review the code of a noncommercial product, system, or service developed for DoD.
· Whether an organization or person has allowed within the five years prior to the enactment of the Act, or is under an obligation to allow, a foreign government or person from the countries listed in Section 1654, Identification of Countries of Concern Regarding Cybersecurity, to review the source code of a product, system, or service that DoD is using or intends to use.
· Whether a person holds or has sought a license pursuant to Export Administration Regulations under Subchapter C of Chapter VII of Title 15, Code of Federal Regulations, the International Traffic in Arms Regulations under Subchapter M of Chapter I of Title 22, Code of Federal Regulations, or successor regulations, for information technology products, components, software, or services that contain code custom developed for the noncommercial product, system, or service DoD is using or intends to use.
Section 1642 grants authority to “disrupt, defeat, and deter cyber attacks” originating from the Russian Federation, the People’s Republic of China, the Democratic People’s Republic of Korea, or the Islamic Republic of Iran, including attempts to influence American elections and democratic processes.
Section 1657 of the Act calls for a study of the costs, benefits, technical merits, and other merits of the following technologies related to vulnerability assessments of nuclear systems and nuclear command and control, a critical subset of conventional power projection capabilities, cyber command and control, and other critical defense infrastructure. It will cover:
· Technology acquired, developed, and used by Combat Support Agencies of the DoD to discover flaws and weaknesses in software code.
· Cloud-based software fuzzing-as-a-service to continuously test the security of DoD software repositories at large scale.
· Formal programming and protocol language for software code development and other methods and tools developed under various programs.
· The binary analysis and symbolic execution software security tools developed under the Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge program.
· Any other advanced or immature technologies with respect to which DoD determines there is particular potential for application to the vulnerability assessment and remediation of the systems.
Section 1643 states that, within 180 days of enactment, one official will be designated to be responsible for matters relating to integrating cybersecurity and industrial control systems for DoD. That official shall be responsible for “developing Department-wide certification standards for integration of industrial control systems and taking into consideration frameworks set forth by the NIST for the cybersecurity of such systems.”
Other Important Cyber-Related Provisions
· Committee on Foreign Investment in the United States (“CFIUS”) Review – Certain investments in critical technology and critical infrastructure companies and companies that maintain or collect sensitive personal data of U.S. citizens will be subject to CFIUS review if the investment could afford a foreign person access to material nonpublic technical information, board membership or observer rights or the right to nominate a board member, or certain substantive decision-making involvement.
· Section 1632 affirms the authority of DoD to conduct military activities and operations in cyberspace including clandestine military activities or operations. These clandestine activities or operations will be considered “traditional military activity,” as defined in the National Security Act of 1947.
· Section 880 states, “the use of lowest price technically acceptable source selection (LPTA) criteria shall be avoided in the case of a procurement that is predominately for the acquisition of information technology services, cyber security services, systems engineering and technical assistance services, advanced electronic testing, audit or audit readiness services, health care services and records, telecommunications devices and services, or other knowledge-based professional services.”
· In the case of “a significant loss of personally identifiable information (PII) or controlled unclassified information (CUI) by a cleared defense contractor,” the Secretary “shall promptly submit to the congressional defense committees notice in writing of such loss.” Whether or how this provision will impact notification requirements for contractors and vendors remains to be seen.
· In consultation with NIST, DoD shall take actions to “enhance awareness of cybersecurity threats among small manufacturers and universities” working on DoD programs and activities. This is aimed at enhancing security in the defense industrial supply chain. Outreach activities include training, courses, and self-certification to help these parties improve their cybersecurity.
· DoD has greater authority for cyber-related grants and scholarships and the Secretary will establish a Cyber Institute. Further, within 240 days, a report shall be submitted to congressional committees on the feasibility of establishing a Cybersecurity Apprentice Program to support on-the-job training for certain cybersecurity positions and facilitate the acquisition of cybersecurity certifications.
Several NDAA provisions are intended to shape the U.S. relationship with Russia. Some impose or threaten sanctions for certain Russian actions. Others restrict the Trump administration’s ability to engage with Russia, reflecting some congressional anxiety about President Trump’s relationship with Russian President Vladimir Putin.
Section 1241 prohibits the Defense Department from using funds for any activity that recognizes the sovereignty of the Russian Federation over Crimea.
Section 1242 prohibits the Air Force from using certain funds intended to bring the United States into compliance with the Treaty on Open Skies—a multilateral treaty that authorizes reciprocal overflights to verify progress on counterproliferation objectives—until the president or the secretary of state certifies that the United States has responded to perceived Russian violations and informs Congress. It also prohibits the United States from using any funds to implement any multilateral decision to use certain types of surveillance technology unless and until relevant U.S. officials certify at least 90 days in advance that the Russian Federation is in full compliance with that treaty.
Two other provisions of the NDAA similarly address Russia’s alleged violation of the Intermediate-Range Nuclear Forces (INF) Treaty.
Section 1243 requires the president to provide relevant congressional committees with a determination as to whether Russia is in material breach of its treaty obligations and, as a result, whether related treaty prohibitions on the production and testing of shorter- and intermediate-range missiles remain binding on the United States.
Section 1244 then expresses the sense of Congress that Russia’s violations of the INF Treaty entitle the United States to suspend its operation and requires that the president inform Congress whether he has implemented certain sanctions and related measures authorized by last year’s NDAA against individuals and entities who have contributed to Russia’s treaty violations by Nov. 1, 2018.
Section 1245 requires the president to report to relevant congressional committees whether he has engaged the Russian government on whether it considers certain weapons systems to be “strategic offensive arms” subject to limitations under the New START Treaty and whether their position impacts the viability of that treaty or requires additional U.S. responses.
Section 1246 further extends security assistance for Ukraine originally provided in the 2016 NDAA.
Section 1247 extends a much-discussed prohibition imposed in the fiscal 2018 NDAA that prohibits the use of funds for any military cooperation with Russia.
As a corollary to provisions relating to Russia, the NDAA also addresses the U.S. relationship with NATO, which President Trump’s open skepticism has recently brought into question.
Section 1264 prohibits the Defense Department from using any funds to reduce the number of active-duty members of the U.S. armed forces in South Korea below 22,000—an apparent response to rumors that the Trump administration has considered reducing U.S. force levels in South Korea, either as a result of negotiations with North Korea or to pressure South Korea in ongoing trade negotiations.
Section 1264 provides that this limitation may be waived only if the secretary of defense certifies to Congress that the reduction is in the U.S. national security interest; that it would not significantly undermine the security of U.S. allies in the region; and that those allies, including South Korea and Japan, have been appropriately consulted.
Section 1265 establishes certain reporting requirements that would allow Congress to verify any Trump administration claims that the Kim Jong Un regime is making progress toward denuclearization.
Section 1282 instructs the secretaries of defense and state to submit a report on U.S.-Turkish relations to Congress within 90 days of enactment, and prohibits the Defense Department from delivering any F-35 aircraft to Turkey until that report is submitted.
Section 1274 directs the secretary of defense to conduct a review to determine whether U.S. armed forces or coalition partners have violated U.S. federal law, the laws of armed conflict or Defense Department policy while conducting operations in Yemen.
Section 1290 requires the secretary of state to certify, within 30 days of the NDAA’s enactment and biannually thereafter, that the United Arab Emirates and Saudi Arabia are undertaking “urgent and good faith” efforts to support a diplomatic end to the civil war in Yemen; pursuing appropriate measures to alleviate humanitarian conditions there; reducing the risk of harm to civilians from military operations; and, in the case of Saudi Arabia, taking appropriate actions to reduce delays in shipments related to secondary inspection and clearance processes beyond those implemented by the United Nations.