This is the first blog in a series covering the Fiscal Year 2025 National Defense Authorization Act (“FY 2025 NDAA”). This first blog will cover: (1) NDAA sections affecting acquisition policy and contract administration that may be of greatest interest to government contractors; (2) initiatives that underscore Congress’s commitment to strengthening cybersecurity, both domestically and internationally; and (3) NDAA provisions that aim to accelerate the Department of Defense’s adoption of AI and Autonomous Systems and counter efforts by U.S. adversaries to subvert them.
Future posts in this series will address NDAA provisions targeting China, supply chain and stockpile security, the revitalized Administrative False Claims Act, and Congress’s effort to mature the Office of Strategic Capital and leverage private investment to accelerate the development of critical technologies and strengthen the defense industrial base. Subscribe to our blog here so that you do not miss these updates.
FY 2025 NDAA Overview
On December 23, 2025, President Biden signed the FY 2025 NDAA into law. The FY 2025 NDAA authorizes $895.2 billion in funding for the Department of Defense (“DoD”) and Department of Energy national security programs—a $9 billion or 1 percent increase over 2024. NDAA authorizations have traditionally served as a reliable indicator of congressional sentiment on final defense appropriations.
FY 2025 marks the 64th consecutive year in which an NDAA has been enacted, reflecting its status as “must-pass” legislation. As in prior years, the NDAA has been used as a legislative vehicle to incorporate other measures, including the FY 2025 Department of State and Intelligence Authorization Acts, as well as provisions related to the Departments of Justice, Homeland Security, and Veterans Affairs, among others.
Below are select provisions of interest to companies across industries that engage in U.S. Government contracting, including defense contractors, technology providers, life sciences firms, and commercial-item suppliers.
Acquisition Policy and Contract Administration
- Section 316 extends the prohibition on required disclosures of information related to greenhouse gas emissions by most defense contractors to December 22, 2026.
- Section 804 codifies middle tier acquisition authority for rapid prototyping and rapid fielding, with the objective of completing a program or project within 5 years of the development of an approved requirement. For an operational requirement fielded under middle tier authority, the new law authorizes continuous iterative prototyping and fielding for that product for an unlimited number of 5-year periods.
- Section 805 codifies and enhances DoD’s existing software acquisition pathway, currently set forth in DoD Instruction 5000.87, Operation of the Software Acquisition Pathway, including by authorizing use of the pathway for the procurement of commercial or non-developmental hardware in which software acquired via the pathway is embedded.
- Sections 806 streamlines the Milestone A approval process—by eliminating certain requirements for Military Department Secretary, Service Chief, and Director, Cost Assessment and Program Evaluation concurrence—and enumerates factors to be considered before a Major Defense Acquisition Program (“MDAP”) is authorized to enter the technology maturation and risk reduction phase.
- Section 807 streamlines the Milestone B approval process and factors to be considered before an MDAP is authorized to progress to the engineering and manufacturing development phase.
- Section 814 clarifies that a DoD contract or subcontract for a product or service acquired under FAR part 12, Acquisition of Commercial Products and Commercial Services, shall serve as a prior commercial product or commercial service determination, even when subject to minor modifications, unless the prior determination was not approved by a DoD contracting officer or a senior procurement executive determines that it is no longer appropriate to acquire the product or service using commercial acquisition procedures. This determination applies even to products that may have changed part numbers but provide substantially the same functionality.
- Section 815 requires DoD contracting officers to rely upon historical data of recent prices paid in determining whether the costs of a subcontract, a purchase order, or modification thereof are fair and reasonable.
- Section 816 authorizes approval of other transactions (“OT”) valued at up to $500 million by officials at a lower level of authority than currently required. Section 817 clarifies that follow on production awards may be provided for in an OT for a prototype project and that a follow-on production project may be awarded via one or more separate contracts, OTs, or combination thereof. Section 888 requires DoD to track the number and amounts of OT awards to small businesses and non-traditional defense contractors, including awards made via consortia.
- Section 819 requires DoD to make publicly available any standards for implementation of modular open system approaches for contracts unless the service acquisition executive and the Secretary of Defense specifically determine to the contrary.
- Section 820 increases Earned Value Management (“EVM”) contract value thresholds associated with requiring EVM on cost or incentive contracts from $20 million to $50 million, and increases the contract value threshold at which a contractor is required to use an approved EVM system from $50 million to $100 million.
- Section 824 extends until December 31, 2025, the temporary authority to modify contracts based on the effects of inflation.
- Section 848 directs DoD to develop and maintain a list of all domestic nonavailability determinations for items covered by the Berry Amendment, and develop a plan for sharing the list with industry.
- Section 863 extends to 2029 the pilot program for streamlining awards for innovative technology projects to small businesses and nontraditional defense contractors.
- Section 864 creates a pilot program to allow DoD contracting officers to use an alternative capability-based analysis to determine whether the proposed price or fee for a commercial product or commercial service offered by a small business or nontraditional defense contractor is fair and reasonable.
- Section 881 requires an amendment to the FAR to clarify that a waiver granted for an organizational conflict of interest must include written justification and cannot be delegated below the level of the deputy agency head (the Deputy Secretary of Defense in the case of DoD).
- Section 882 requires DoD to create a pilot program that would use streamlined procedures to produce parts or other items through reverse engineering or re-engineering, when technical data for such items is not available or rights in such technical data do not allow for manufacturing of the items and:
- the production of the item may be required for point of use manufacturing or for a contested logistics environment;
- the manufacturer of the item will not meet the schedule for delivery required by the contracting officer to maintain weapon system readiness or responsiveness in the event of mobilization; or
- the item can only be acquired via sole source contract and the service acquisition executive determines that reverse engineering or re-engineering of the item is beneficial to sustain DoD training or operations.
- Section 885 requires the General Accountability Office (“GAO”), in coordination with the DoD, to submit a proposal for a process by which an unsuccessful protester in a bid protest filed at GAO would reimburse the government and the contract awardee in accordance with government cost and contractor lost profit rate benchmarks to be established under the legislation. See our Inside Government Contracts blog for a deeper dive into section 885.
- Section 1601 authorizes the Air Force to establish a Space Contractor Responsibility Watchlist that identifies contractors that have performed poorly on space procurement contracts, and prohibits the solicitation of, or award, subcontract, grant, or other funding to an entity on the watchlist, absent a high-level written determination that there is a compelling reason to do so.
Cybersecurity Initiatives
- Section 1323 authorizes up to $300 million in defense and security assistance for Taiwan, including for cyber defense capabilities, electronic warfare assets, and secure communications equipment, aiming to bolster Taiwan’s resilience against potential cyber threats.
- Section 1503 formalizes the establishment of a DoD Hackathon program to carry out at least four Hackathon events each year.
- Section 1504 mandates the implementation of tabletop cyber threat simulation exercises for entities in the defense industrial base, aiming to improve preparedness and response strategies against potential cyberattacks.
- Section 1513 requires the DoD Chief Information Officer to develop guidance for application of DoD’s “Zero Trust Strategy” to Internet of Things hardware, including human wearable devices, and other smart technology used in military operations.
- Section 1514 compels the development of a strategy for the management and cybersecurity of DoD’s multi-cloud environments, including a means for rationalizing user identities and securing endpoints across clouds and protecting government data used or stored in the cloud.
- Section 1515 requires DoD to identify products and services to improve the cybersecurity of and mitigate the risk of cyberattacks against mobile devices used by DoD, and to report to Congress a determination whether DoD should procure any such technologies.
- Section 1522 mandates modernization of DoD’s “Authorization to Operate” process, including by regularly updating a digital directory of DoD authorizing officials and establishing a presumption of reciprocity in software accrediting standards such that a DoD authorizing official must adopt, without additional review, the security analysis and artifacts of a cloud-hosted platform, service, or application that has already been authorized by another such DoD official.
- Section 1612 charges DoD to create a dedicated cyber intelligence unit to support military cyber operations and enhance offensive and defensive cyber capabilities.
- Section 5124 authorizes the Secretary of State to award grants totaling $15 million annually in FYs 2025 and 2026 to support tools and programs that enhance unrestricted internet access, ensure the availability of information regarding digital safety in Iran, and increase the availability of internet freedom tools to overcome technical and political obstacles to internet access.
- Section 5405 provides an additional $3 billion to the Federal Communications Commission’s “rip-and-replace” initiative aimed at replacing insecure telecommunications equipment, particularly from Chinese manufacturers like Huawei and ZTE, to enhance the security of U.S. communication networks.
- Section 7302 requires the Secretary of State to take action to protect mobile devices used by the State Department and USAID from foreign commercial spyware, and to catalogue instances in which devices were compromised and the effects of any loss of data or sensitive information.
AI and Autonomous Systems
Notably, several NDAA provisions require the DoD and U.S. intelligence agencies to establish guidelines and principles to govern their procurement and use of AI, including standards for human oversight and safety guidelines developed in collaboration with U.S. allies and partners. These provisions stand in contrast to several bipartisan AI bills that were not included in the NDAA and would have established government-wide AI governance and accountability standards through civilian organizations, like the Department of Commerce’s U.S. AI Safety Institute. Overall, the NDAA vests the DoD with significant authority to (1) develop cutting-edge applications of AI and autonomous systems; and (2) manage their safe, secure, and responsible procurement and use. Among other provisions related to AI and autonomous systems, the NDAA would require the DoD to:
- Carry out initiatives to accelerate AI adoption for internal operational purposes, including a pilot program on uses of AI for DoD workflow and operations tasks related to depots and shipyards and contract administration (sec. 237), financial audits (sec. 1007), and data processing (secs. 233, 1533).
- Develop programs and initiatives to accelerate the DoD’s use of AI and autonomous systems for offensive and defensive military applications, including testing of automated target recognition algorithms (sec. 235), a pilot program for national security-related biotechnology applications of AI through public-private partnerships (sec. 236), a testing program for general-purpose military AI applications (sec. 1532), an examination of methods for using AI to address biological attacks (sec. 1069), and various activities to integrate autonomous and unmanned vehicles into DoD missions (see, e.g., secs. 125, 229, and 1032).
- Assess and augment DoD’s capabilities to counter the use of powerful AI models and unmanned systems by foreign adversaries (sec. 225), codify the AI Security Center within the National Security Agency to develop guidance on preventing the manipulation and subversion of national security AI systems (“counter-AI techniques”) and promote secure AI adoption practices (sec. 6504), and respond to threats from unmanned vehicles and aircraft (secs. 152, 353, 925, 1073, and 1090).
- Establish and implement safety guidelines, best practices, and techniques for managing AI risks and ensuring appropriate human oversight of autonomous systems through:
- Annual reports to Congress on the deployment of lethal autonomous weapons systems reviewed, approved, not approved, or waived under DoD Directive 3000.09 (sec. 1066);
- An AI initiative between the DoD and U.S. allies and partners for testing and evaluating AI, identifying AI interoperability solutions for intelligence sharing and battlefield awareness, managing AI system data, and sharing AI procurement and adoption best practices (sec. 1087);
- An AI Human Factors Integration Initiative to improve the human-usability of DoD AI systems, ensure that “human integration elements” are considered in AI procurement, adoption, and use, and develop human oversight guidance based on the DoD’s current autonomous weapons policy, DoD Directive 3000.09 (sec. 1531);
- A Federated AI-Enabled Weapon Systems Center of Excellence for collaborating with industry, academia, and nonprofits on AI weapons systems and for collaborating with foreign partners on AI best practices, safety guidelines, and standards (sec. 1534); and
- A forum for U.S. warfighting combatant commands to identify AI risk management guidelines, identify near-term AI use cases, and identify opportunities to improve AI procurement (sec. 1547).