Key takeaways
- Proposed rule imposes disclosure conditions on defense contractors to address national security risks.
- Offerors must disclose past and current foreign access to source and computer code and any export licenses for information technology products.
- Contractors must maintain and update disclosures throughout the contract term.
Overview of the proposed rule
On November 15, 2024, the U.S. Department of Defense (DoD) issued a proposed rule to implement section 1655(a) and (c) of the National Defense Authorization Act for fiscal year 2019 (Pub. L. 115-232), aiming to enhance cybersecurity and mitigate national security risks. The rule would prohibit DoD from acquiring certain information technology (IT), cybersecurity or weapon systems products and services unless contractors disclose foreign access to their source and computer code. Under the proposed rule, contractors must affirm whether they have allowed, or are obligated to allow, foreign persons or governments to review noncommercial code developed for DoD use. Contractors must also disclose whether they have sought export licenses for custom-developed IT components or software related to DoD procurements. Post-award, contractors must maintain and update these disclosures for the duration of the contract. Viewed in the aggregate, the rule empowers DoD to implement risk mitigation measures and impose conditions on agreements to safeguard national security interests.