On November 15, 2024, the Department of Defense (“DoD”) published a Notice of Proposed Rulemaking (“Proposed Rule”) entitled “Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations.” The Proposed Rule would impose new disclosure obligations on “Offeror[s]” (pre-award) and “Contractor[s]” (post-award) that are triggered in certain circumstances by review or by an obligation to allow review of their source or computer code either by a foreign government or a foreign person. If the Proposed Rule takes effect, the obligations would apply to any “prospective contractor” or any existing contractor. The Proposed Rule also does not distinguish between companies based in or outside the United States.
The Proposed Rule would implement the requirement of the National Defense Authorization Act for Fiscal Year 2019 (“NDAA”) section 1655, which states that “[DoD] may not use a product, service, or system procured or acquired after the date of the enactment of this Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person unless that person” makes certain disclosures related to: (1) foreign government or foreign person access to computer or source code, and (2) the person’s Export Administration Regulations (“EAR”) or International Traffic in Arms Regulations (“ITAR”) applications or licenses. Importantly, per the NDAA, these disclosure obligations include activities dating back to August 13, 2013.
A summary of the obligations and key definitions described by the Proposed Rule is below.
Disclosure Obligations
Disclosure of Source or Computer Code
The Proposed Rule would require any “Offeror” or “Contractor” for defense contracts to disclose in the Catalog Data Standard in the Electronic Data Access (“EDA”) system (https://piee.eb.mil) “[w]hether, and if so, when, at any time after August 12, 2013,” they (1) “allowed a foreign person or foreign government to review” or (2) “[are] under any obligation to allow a foreign person or foreign government to review, as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government”:
- “The source code for any product, system, or service that DoD is using or intends to use; or
- The computer code for any other than commercial product, system, or service developed for DoD.”
When this clause is included in a solicitation, by submitting its offer to the government or higher tier contractor, an “Offeror” is representing that it “has completed the foreign obligation disclosures in EDA and the disclosures are current, accurate, and complete.” For post-award disclosures, the requirements would most likely first be added in new task orders, delivery orders, and options.
The Proposed Rule would be an expansion of the requirement mandated in the NDAA, which only required disclosure of foreign person access when the entity is under an obligation to disclose. DoD took this requirement a step further and included disclosures regarding whether a foreign person has ever been allowed access (not just obligated to provide access as a condition to a sale). Furthermore, for a “product, system, or service that DoD is using or intends to use,” the NDAA only required a disclosure when certain foreign governments were provided access, as set out in a list that was to be developed under the NDAA of “Countries of Concern” under section 1654. The Proposed Rule recognizes this in the preamble language noting that “[t]he second part of the disclosure pertains to whether, since August 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign government in the list required by section 1654 of the NDAA for FY 2019 to review the source code of a product, system, or service that DoD is using or intends to use.” However, as drafted, the Proposed Rule itself does not limit the disclosure to the section 1654 list but states it applies to disclosures to “a foreign person or foreign government.” This will need to be clarified in the final rule.
Disclosure of EAR and ITAR Applications and Licenses
The Proposed Rule would also require the “Offeror” or “Contractor” to disclose whether the “Offeror” or “supplier,” respectively, “holds or has sought a license pursuant to the [EAR] or the [ITAR] for information technology products, components, software, or services that contain computer code custom-developed for the other than commercial product, system, or service” that is the subject of the contract (proposed or executed). Unlike the code review disclosure obligations, which apply to activities after August 12, 2013, the Proposed Rule does not establish a cut-off date for EAR and ITAR applications and licenses.
When Disclosures Apply
These disclosures would be required both pre-award and post-award and are to be maintained “for the life of the contract.” Furthermore, the “substance” of the Proposed Rule, as applicable, must be included “in subcontracts or other contractual instruments” and subcontractors would similarly have to disclose foreign obligations before a subcontract is awarded. The disclosure requirements would apply to commercial products and services acquisition, and would “appl[y] at or below the micro-purchase threshold.” The prohibition would exclude open source software.
The Proposed Rule is open for public comment until January 14, 2025.
Key Definitions
- Computer code is defined as “a set of instructions, rules, or routines recorded in a form that is capable of causing a computer to perform a specific operation or series of operations. It includes both source code and object code.”
- Open source software is defined as “software for which the human-readable source code is available for use, study, reuse, modification, enhancement, and redistribution by the users of such software.”
- Source code is defined as “any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. This code is later translated into machine language by a compiler. The translated code is referred to as object code.”