On December 23, 2022, President Biden signed the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2023, authorizing $858 billion in defense spending. The NDAA sets out defense policy and budget priorities for the Department of Defense (DoD). Each year, Congress also employs the NDAA as a vehicle for establishing new initiatives and making changes to federal procurement policy.
This year’s NDAA includes new measures aimed at securing the U.S. supply chain, with a focus on curtailing the influence of China; efforts to enhance cybersecurity, including for cloud services; and modifications to important small business programs. We highlight key takeaways and notable provisions for government contractors and all companies that do business with the DoD.
Passing the NDAA with bipartisan support has become an important end-of-year legislative ritual in Congress, as the NDAA has been enacted annually for more than six decades. This year, the U.S. Senate passed a compromise version of the bill by a vote of 83 to 11 on December 15, following its passage by the U.S. House of Representatives (by a vote of 350 to 80) on December 8.
New Measures Aimed At Curbing China’s Influence on the Supply Chain
Several provisions in the FY2023 NDAA establish new restrictions or prohibitions on Chinese-made products. These provisions reflect continued and growing concern regarding China’s influence on the U.S. supply chain, particularly the defense industrial base. Most prominently, a new prohibition on certain Chinese semiconductors is similar to Section 889 from the FY2019 NDAA, the so-called “Huawei ban,” which prohibited the use of telecommunications equipment from several Chinese companies, including Huawei. Contractors would be wise to examine their supply chains and begin taking steps to ensure they will be in compliance when these provisions take effect.
- Prohibition on Certain Chinese Semiconductors—Section 5949 prohibits all federal agencies from procuring or contracting for any electronic parts, products, or services that use semiconductor products or services from specified Chinese companies (Semiconductor Manufacturing International Corporation, ChangXin Memory Technologies, and Yangtze Memory Technologies Corp.). The prohibition applies when the specified semiconductor products or services are in “critical systems” (i.e., national security systems). It takes effect five years after the NDAA is signed, with the FAR Council required to issue regulations implementing the prohibition within three years after enactment of the NDAA. There are also requirements for various reports, analyses, and assessments on the implementation of this new provision and the risks posed by the prohibited semiconductors, among other related issues. Note that the semiconductor prohibition in Section 5949 is distinct among most NDAA acquisition provisions because the prohibition applies to all executive agencies, not only the DoD. Given the breadth of this prohibition, contractors should not wait to begin assessing their supply chains and taking action as needed to become compliant.
- Prohibition on Foreign-Made Unmanned Aircraft Systems (UAS)—Section 817 expands a prohibition on foreign-made UAS purchases from China, Russia, Iran, and North Korea to include Chinese drone-maker Da-Jiang Innovations, or any subsidiary or affiliate, and other entities subject to certain restrictions. The prohibition on foreign-made UAS purchases was first implemented in the FY2020 NDAA.
- Prohibition on Procurements from China’s Xinjiang Uyghur Autonomous Region (XUAR)—Section 855 codifies new DoD restrictions on products mined, produced, or manufactured by forced labor from China’s XUAR.
- Restrictions on Certain Technology by Chinese Military Companies—Section 857 expands restrictions on the procurement of military and dual-use technologies by Chinese military companies. This section also requires disclosures by DoD contractors relating to the place of origin and other supply chain information for rare earth elements and strategic and critical materials contained in “permanent magnet” products.
- Assessment of Companies with Chinese Investments—Section 6502 requires a report to Congress that identifies the risk to national security of the use of (1) telecommunications companies with an investment of 10% or greater by a person owned or controlled by China that is operating in the United States or providing services to affiliates and personnel of the intelligence community, and (2) hospitality and conveyance companies with “substantial” investment by China that the intelligence community utilizes for travel.
Continued Focus on Cybersecurity & Cloud Services
Improving cybersecurity throughout DoD’s supply chain continues to be an area of focus for Congress and is reflected in many provisions of the NDAA. For instance, under one provision, DoD is required to develop new plans for testing the cybersecurity of commercial cloud services that use or store classified DoD data. Codification of the Federal Risk and Authorization Management Program (FedRAMP), the government-wide, standardized assessment and certification program for cloud services, reflects the government’s continued move towards cloud computing.
- FedRAMP Authorization Act—Section 5921 codifies authorization of the General Services Administration’s (GSA) FedRAMP, which implements a government-wide, standardized approach to security assessment and certification of cloud computing products and services. This statutory authorization reflects the growing importance of FedRAMP as the federal government has increased its reliance on cloud computing. This provision also updates FedRAMP in key ways. For instance, it establishes a “presumption of adequacy” for FedRAMP-certified products and services, which aims to streamline the agency authorization process for cloud services. It also creates a new advisory committee that includes representatives from cloud service providers, to ensure effective and ongoing coordination between GSA, agency cybersecurity and procurement officials, and industry.
- Controlled Unclassified Information (CUI) Guidance—Section 884 requires DoD to incorporate guidance for the proper marking for CUI into all program classification guides (for classified programs) and all program protection plans (for unclassified programs) at their next regularly scheduled update and before January 1, 2029. It also requires a process for monitoring DoD’s progress in including the CUI guidance in all programs, and updated training for government and contractor personnel using the guides. Proper and consistent marking of CUI is essential to DoD’s efforts to enhance cybersecurity across its supply chain, including under the key DFARS requirement (252.204-7012) and under the Cybersecurity Maturity Model Certification (CMMC) program.
- Plan for Commercial Cloud Test and Evaluation—Section 1553 requires DoD to implement, within 180 days of enactment of the NDAA, a policy and plan for testing and evaluation of the cybersecurity of commercial cloud services that provide or are intended to provide storage or computing of classified DoD data. The policy must allow DoD to conduct independent “threat-realistic” assessments of the commercial cloud infrastructure.
- Operational Testing for Commercial Cybersecurity Capabilities—Section 1514 requires DoD and branch Chief Information Officers (CIOs) to develop plans to ensure that specified cybersecurity capabilities are tested, evaluated, and proven operationally effective, suitable, and survivable prior to operation on a DoD network. This requirement includes commercial and commercially available off-the-shelf (COTS) items, as well as certain noncommercial items. DoD policies, guidance, and regulations necessary to carry out this section are required by February 1, 2022.
- Protection of Critical Infrastructure—Section 1511 permits the President to authorize military cyber activities or operations in foreign cyberspace to deter, safeguard, or defend against active, systematic, and ongoing cyberspace attacks by a foreign power against the government or U.S. critical infrastructure.
- Proactive Cybersecurity—Section 6320 requires each element of the intelligence community to survey their use of proactive cybersecurity initiatives, continuous activity security testing, and active defense techniques.
Supporting Small Business
Just like in previous years, the NDAA contains numerous provisions aimed at supporting small businesses that provide goods and services to the federal government. Notably, there are new requirements that DoD perform due diligence to assess security risks that may be presented by small businesses seeking Small Business Innovation Research (SBIR) or Small Business Technology Transfer (STTR) awards, and establish a program to aid small businesses in identifying threats to the company from malicious foreign actors.
- Small Business Administration (SBA) Scorecard—Section 871 codifies and expands reporting requirements for the SBA’s annual Scorecard, which measures how well federal agencies reach their small business contracting goals. This provision adds new requirements to report, for prime contracts, the number (expressed as a percentage) and total value of awards made through sole-source contracts and restricted set-aside competitions, to women-owned small businesses (WOSB), small businesses located in Historically Underutilized Business Zones (HUBZones), service-disabled veteran-owned small businesses (SDVOSB); and qualified 8(a) small disadvantaged businesses.
- DoD Mentor-Protégé Program (MPP)—Section 856 codifies the MPP, under which small businesses are partnered with larger companies to help the small businesses become established within the DoD supply chain. This provision lowers the threshold for eligibility of mentors from $100 million to $25 million in total defense contracts for the prior fiscal year, and extends program participation from two to three years. It also establishes a five-year pilot program designed to encourage protégé participation in engineering, software development, or manufacturing customization contracts.
- SBIR and STTR Programs—Section 872 clarifies the new requirement, implemented by the 2022 SBIR Reauthorization Act, that DoD perform due diligence to assess security risks presented by small businesses seeking SBIR or STTR awards. This provision requires DoD to perform risk assessments only for the presumptive awardees of SBIR or STTR awards, prior to notification of award, until DoD’s Under Secretary for Research and Engineering certifies the full implementation of DoD’s due diligence program. The required due diligence assessments include scrutiny of cybersecurity practices, patents, employees, and financial ties and obligations to foreign entities.
- Commercial Due Diligence for Small Business—Section 875 requires DoD to establish, by Dec. 31, 2027, a program to demonstrate commercial due diligence tools, techniques, and processes to support small businesses in identifying attempts by malicious foreign actors to gain undue access to, or foreign ownership, control, or influence over, the small business or any technology a small business is developing pursuant to a DoD contract.
- Homeland Procurement Reform Act—Section 7112 requires that, to the maximum extent possible, one-third of funds obligated for the procurement of covered items for “frontline operational components” (i.e., Customs and Border Protection; TSA; FEMA; among others) are manufactured or supplied in the United States by small business concerns.
Other Notable Government Contracting Provisions
- Clauses Implementing Executive Orders—Section 805 requires that a new clause implementing the requirements of an executive order, which is unilaterally inserted into an existing DoD contract, order, or other transaction by a contracting officer, must be treated as a change under the contract’s Changes clause. For contractors who are required to incorporate new obligations stemming from executive orders into their contracts, this provision clarifies that they may seek equitable adjustments to recover the costs.
- Inflationary Relief for Fixed-Price Contracts—Section 822 provides DoD with new authority for inflationary relief on fixed-price contracts for defense contractors. Specifically, it allows DoD to modify eligible contracts when the contractor’s cost of performance is greater than the price of the contract, solely due to economic inflation. This provision will sunset on Dec. 31, 2023. Despite the many questions regarding its implementation, this provision reflects a growing awareness of the challenges that contractors with fixed-price contracts are facing due to inflation, and it aims to offer at least temporary assistance.
- Other Transaction Authority (OTA) Clarification—Section 843 clarifies the definition of a “prototype project.” It also permits DoD to establish a two-year pilot program for using OTAs to carry out prototype projects that enhance DoD’s ability to prototype the design, development, or demonstration of new construction techniques or technologies that improve military installations or facilities. The pilot program would be limited to two prototype projects per fiscal year and $200 million aggregate value of all transactions entered under the program.
- DoD Authority for Certain Prototype Projects—Section 842 clarifies DoD authority to carry out transactions for follow-on production contracts or transactions awarded without the use of competitive procedures and expected to exceed $100 million (including all options) if certain criteria are satisfied, including that it is essential to meet national security objectives.
- Pilot Program for Innovative Technology Companies—Section 882 directs DoD to conduct a five-year pilot program to assist innovative technology companies that are performing DoD contracts by sponsoring their employees’ personal security clearances. The pilot acts as a bridge while the government adjudicates the companies’ facility clearance applications, which include assessment and mitigation of foreign ownership, control, or influence over the innovative technology company.
These NDAA provisions will impose new or expanded restrictions and requirements on federal contractors, especially those companies that do business with the DoD. Contractors should take steps now to ensure they will be in compliance when these provisions take effect. If you have questions about how these provisions will affect your business, please contact one of the RJO attorneys with whom you regularly work or the authors of this article.
The materials provided in this document are offered for informational and educational purposes only and are not offered as and do not constitute legal advice or legal opinions. The transmission or receipt of information through this document, or communications with Rogers Joseph O’Donnell via email does not constitute or create an attorney-client relationship between us and any recipient.