SUPPLEMENTARY INFORMATION:

I. Background

DoD is proposing to revise the DFARS to implement section 1655(a) and (c) of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (Pub. L. 115-232). Section 1655(a) prohibits DoD from acquiring products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems through a contract unless the offeror or contractor provides disclosures related to sharing source code and computer code with foreign governments. Section 1655(c) requires contracts for those products, services, or systems to include a clause requiring the disclosures during the contract period of performance if an entity becomes aware of information requiring disclosure.

The first part of the disclosure is related to whether, after August 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign government to review the code of a noncommercial product, system, or service developed for DoD. The second part of the disclosure pertains to whether, after August 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign government in a list required by section 1654 of the NDAA for FY 2019 to review the source code of a product, system, or service that DoD is using or intends to use.

The third part of the disclosure is related to whether the entity making the disclosure holds or has sought a license pursuant to the Export Administration Regulations (15 CFR chapter VII, subchapter C), the International Traffic in Arms Regulations (22 CFR chapter I, subchapter M), or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the noncommercial product, system, or service DoD is using or intends to use.

Once the disclosures are provided to DoD, and if the Secretary of Defense determines that the disclosure relating to a product, system, or service entails a risk to the national security infrastructure or data of the United States, or any national security system under the control of DoD, section 1655 requires the Secretary to take such measures as the Secretary considers appropriate to mitigate such risks. In addition, as the Secretary considers appropriate, the Secretary may condition any agreement for the use, procurement, or acquisition of the product, system, or service on the inclusion of enforceable conditions or requirements that would mitigate such risks.

II. Discussion and Analysis

This proposed rule includes a new subpart, 239.7X, Disclosure of Information Regarding Foreign Obligations. Section 239.7X00 describes the statutory requirement implemented in the new subpart. Section 239.7X01 includes new definitions of computer code, open source software, and source code. The new subpart includes the section 1655 prohibition at 239.7X02. Section 239.7X03 clarifies that the prohibition does not apply to open source software.

A section on procedures was added at 239.7X04 to require contracting officers to validate in the Catalog Data Standard within the Electronic Data Access (EDA) system ( https://piee.eb.mil) that offerors or contractors have completed all foreign obligation disclosures prior to awarding a contract or exercising an option. Section 1655 prohibits DoD from using a product, service, or system procured or acquired under certain awards unless foreign obligation disclosures have been made. This proposed rule requires completion of the foreign obligation disclosures prior to exercising an option to ensure DoD complies with the statutory intent.

Section 239.7X05 provides prescriptions for a new solicitation provision and contract clause. The new provision is prescribed for use in solicitations that include the clause at 252.239-70ZZ, Postaward Disclosure of Foreign Obligations. The new clause is prescribed for use in solicitations and contracts, task orders, or delivery orders, for the acquisition of products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems, including those using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial products and commercial services.

The purpose of the provision at 252.239-70YY, Preaward Disclosure of Foreign Obligations—Representation, is to notify offerors that they will be required to make disclosures within the Catalog Data Standard in the Electronic Data Access (EDA) system ( https://piee.eb.mil) in order to be eligible for award. While there are three distinct disclosures, the provision identifies the first and second disclosures in one paragraph at 252.239-70YY, paragraph (c)(1), for clarity. The third disclosure is identified at paragraph (c)(2). This provision includes a requirement for all offerors to represent by submission of the offer that the information on the foreign disclosures the offeror has made within the Catalog Data Standard in EDA is current, accurate, and complete.

The purpose of the clause at 252.239-70ZZ, Postaward Disclosure of Foreign Obligations, is to require contractors to maintain their disclosures in the Catalog Data Standard within EDA and flow down the requirement to maintain disclosures in the Catalog Data Standard within EDA to subcontractors. Similar to the provision, while there are three distinct disclosures, the clause identifies the first and second disclosures in one paragraph at 252.239-70XX, paragraph (b)(1), for clarity. The third disclosure is identified at paragraph (b)(2). The clause also requires contractors to require their subcontractors to complete foreign obligation disclosures in the Catalog Data Standard in EDA prior to awarding the subcontract.

Language was added at part 212 to apply the provision and clause to the acquisition of commercial products and commercial services. In part 213, language was added to apply the requirement to disclose foreign obligations will be applied at or below the micro-purchase threshold. Language was also added at part 217 to instruct the contracting officer exercise options only after verifying in the Catalog Data Standard in the EDA system ( https://piee.eb.mil) that all disclosures have been completed.

III. Applicability to Contracts At or Below the Simplified Acquisition Threshold (SAT) and for Commercial Services and Commercial Products, Including Commercially Available Off-the-Shelf (COTS) Items

This proposed rule proposes a new provision and clause to implement the requirements of section 1655 of the NDAA for FY 2019: (1) DFARS 252.239-70YY, Preaward Disclosure of Foreign Obligations-Representation; and (2) DFARS 252.239-70ZZ, Postaward Disclosure of Foreign Obligations. The provision at DFARS 252.239-70YY is prescribed at DFARS 239.7X05(a) for use in solicitations that include the clause at DFARS 252.239-70ZZ. The clause at DFARS 252.239-70ZZ is prescribed at DFARS 239.7X05(b) for use in solicitations and contracts for the acquisition of products, services, or ( print page 90256) systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services. DoD does intend to apply the proposed rule to contracts at or below the SAT. DoD does intend to apply the proposed rule to contracts for the acquisition of commercial products including COTS items and for the acquisition of commercial services.

A. Applicability to Contracts At or Below the Simplified Acquisition Threshold

The statute at 41 U.S.C. 1905 governs the applicability of laws to contracts or subcontracts in amounts not greater than the simplified acquisition threshold. It is intended to limit the applicability of laws to such contracts or subcontracts. The statute at 41 U.S.C. 1905 provides that if a provision of law contains criminal or civil penalties, or if the Federal Acquisition Regulatory Council makes a written determination that it is not in the best interest of the Federal Government to exempt contracts or subcontracts at or below the SAT, the law will apply to them. The Principal Director, Defense Pricing, Contracting, and Acquisition Policy (DPCAP), is the appropriate authority to make comparable determinations for regulations to be published in the DFARS, which is part of the FAR system of regulations. DoD does intend to make that determination. Therefore, this proposed rule will apply at or below the simplified acquisition threshold.

B. Applicability to Contracts for the Acquisition of Commercial Products Including COTS Items and for the Acquisition of Commercial Services

The statute at 10 U.S.C. 3452 exempts contracts and subcontracts for the acquisition of commercial products including COTS items, and commercial services from provisions of law enacted after October 13, 1994, unless the Under Secretary of Defense (Acquisition and Sustainment) (USD(A&S)) makes a written determination that it would not be in the best interest of DoD to exempt contracts for the procurement of commercial products and commercial services from the applicability of the provision or contract requirement, except for a provision of law that—

• Provides for criminal or civil penalties;
• Requires that certain articles be bought from American sources pursuant to10 U.S.C. 4862, or that strategic materials critical to national security be bought from American sources pursuant to 10 U.S.C. 4863; or
• Specifically refers to10 U.S.C. 3452 and states that it shall apply to contracts and subcontracts for the acquisition of commercial products (including COTS items) and commercial services.

The statute implemented in this proposed rule does not impose criminal or civil penalties, does not require purchase pursuant to 10 U.S.C. 4862 or 4863, and does not refer to 10 U.S.C. 3452. Therefore, section 1655 of the NDAA for FY 2019 will not apply to the acquisition of commercial services or commercial products including COTS items unless a written determination is made. Due to delegations of authority, the Principal Director, DPCAP is the appropriate authority to make this determination. DoD intends to make that determination to apply this statute to the acquisition of commercial products including COTS items and to the acquisition of commercial services. Therefore, this proposed rule will apply to the acquisition of commercial products including COTS items and to the acquisition of commercial services.

C. Determinations

Given that the requirements of section 1655 of the NDAA for FY 2019 were enacted to require disclosures of foreign obligations by contractors for contracts that include products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems and since products, services, or systems related to information or operational technology, cybersecurity, industrial control systems or weapon systems can include COTS items and awards at or below the SAT, it is in the best interest of the Federal Government to apply the statute to contracts for the acquisition of commercial services and commercial products, including COTS items, as defined at Federal Acquisition Regulation 2.101 and awards that are at or below the SAT. An exception for contracts for the acquisition of commercial services and commercial products, including COTS items, or for contracts or subcontracts valued at or below the SAT, would exclude the contracts intended to be covered by the law, thereby undermining the overarching public policy purpose of the law.

IV. Expected Impact of the Rule

The proposed rule implements section 1655 of the NDAA for FY 2019, which prohibits DoD from acquiring products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems through a contract unless the offeror or contractor provides disclosures related to sharing source code and computer code with foreign governments. Based on data from the Federal Procurement Data System, DoD issued approximately 36,677 new awards for information technology and weapon systems to approximately 4,147 unique entities per year on average from FY 2021 through FY 2023. DoD assumes this number will cover awardees for information or operational technology, cybersecurity, industrial control systems, and weapon systems, as there is no way to track individual awards for operational technology, industrial control systems, and cybersecurity. Of the 4,147 unique entities, on average, that received awards each year, an average of approximately 17,100 awards were made to 2,667 unique small entities from FY 2021 through FY 2023. DoD assumes that the clause will apply to the estimated 4,147 unique entities, including the 2,667 unique small entities.

DoD does not have a way to track the number of unique offerors per award, so DoD estimates that the number of offerors is the number of unique entities that received awards ( i.e., 4,147) multiplied by a factor of three, representing three offerors per award. Therefore, the estimated number of offerors is three times the average number of entities that received information technology and weapon systems awards for FY 2021 through FY 2023 (4,147 entities × 3), or 12,441, of which 8,002 are estimated to be small entities.

The proposed changes will require offerors for products, services, or systems related to information or operational technology, cybersecurity, industrial control systems, or weapon systems to make certain disclosures in the Catalog Data Standard within EDA ( https://piee.eb.mil) regarding whether they have shared certain source code and computer code with foreign persons or governments any time since August 12, 2013. During contract performance, prior to the exercise of any option, contractors will be required to update their disclosures in the Catalog Data Standard within EDA.

V. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety ( print page 90257) effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is not a significant regulatory action and, therefore, was not subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, as amended.

VI. Regulatory Flexibility Act

DoD does not expect this proposed rule, when finalized, to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because the rule is only applied to awards for products, services, or systems related to information or operational technology, cybersecurity, industrial control systems, or weapon systems. However, an initial regulatory flexibility analysis has been performed and is summarized as follows:

This proposed rule is necessary to implement section 1655 of the NDAA for FY 2019. Section 1655 prohibits DoD from using a product, service, or system relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems provided by an entity unless that entity makes certain disclosures. The disclosures required by the statute have three parts.

The first part of the disclosures is related to whether, since August 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign government to review the code of an other than commercial product, system, or service developed for DoD. The second part of the disclosure pertains to whether, since August 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign government in the list required by section 1654 of the NDAA for FY 2019 to review the source code of a product, system, or service that DoD is using or intends to use. The third part of the disclosure is related to whether the entity making the disclosure holds or has sought a license pursuant to the Export Administration Regulations (15 CFR chapter VII, subchapter C), the International Traffic in Arms Regulations (22 CFR chapter I, subchapter M), or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the other than commercial product, system, or service DoD is using or intends to use.

Once the disclosures are provided to DoD, and if the Secretary of Defense determines that the disclosure relating to a product, system, or service entails a risk to the national security infrastructure or data of the United States, or any national security system under the control of DoD, section 1655 requires the Secretary to take such measures as the Secretary considers appropriate to mitigate such risks.

The objective of this proposed rule is to implement the statutory requirement for offeror, contractor, and subcontractor disclosures under section 1655 of the NDAA for FY 2019 prior to award and during contract performance. The legal basis for the proposed rule is section 1655 of the NDAA for FY 2019.

The proposed rule applies to offerors, contractors, and subcontractors for information or operational technology, cybersecurity, industrial control systems, or weapon systems. Based on data from the Federal Procurement Data System, DoD issued approximately 36,677 awards to 4,147 entities, of which 17,100 awards were made to 2,667 small entities, for information technology and weapon systems, on average, from FY 2021 through FY 2023. DoD assumes these numbers will cover small entities awarded contracts for products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, and weapon systems, as there is no way to track individual awards for operational technology, cybersecurity, and industrial control systems. In order to estimate the number of offerors for information or operational technology, cybersecurity, industrial control systems, and weapon systems, DoD assumes the number of offerors will be the 4,147 awardees multiplied by a factor of three, or 12,441 offerors, of which 8,002 are estimated to be small entities.

This proposed rule does impose new reporting, recordkeeping, or other compliance requirements for small entities. These reporting requirements would apply to any offerors that are small entities for a contract for information or operational technology, cybersecurity, industrial control systems, and weapon systems. These small entities will be required to make disclosures within the Catalog Data Standard within the EDA system ( https://piee.eb.mil) in order to be eligible for award and will be required to represent that the disclosures are current, accurate, and complete. Contractors whose contracts contain the clause 252.239-70ZZ, Postaward Disclosure of Foreign Obligations, will be required to maintain their disclosures in EDA and flow down the requirement to maintain disclosures in EDA to subcontracts and other contractual instruments.

The proposed rule does not duplicate, overlap, or conflict with any other Federal rules.

There are no known alternatives that would accomplish the stated objectives of the applicable statute.

DoD invites comments from small business concerns and other interested parties on the expected impact of this proposed rule on small entities.

DoD will also consider comments from small entities concerning the existing regulations in subparts affected by this proposed rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (DFARS Case 2018-D064) in correspondence.

VII. Paperwork Reduction Act

This proposed rule contains information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35). Accordingly, DoD has submitted a request for approval of a new information collection requirement concerning DFARS Case 2018-D064, Disclosure of Information Regarding Foreign Obligations, to the Office of Management and Budget.

A. Estimate of Public Burden

Public reporting burden for this collection of information is estimated to average 0.5 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information.

The annual reporting burden is estimated as follows:

Respondents: 12,441.

Total annual responses: 14,515.

Total annual burden hours: 7,257.5.

B. Request for Comments Regarding Paperwork Burden

Written comments and recommendations on the proposed information collection, including suggestions for reducing this burden, should be submitted using the Federal eRulemaking Portal at https://www.regulations.gov or by email to osd.dfars@mail.mil. Comments can be received up to 60 days after the date of this notice.

Public comments are particularly invited on: whether this collection of information is necessary for the proper performance of the functions of DoD, including whether the information will ( print page 90258) have practical utility; the accuracy of DoD's estimate of the burden of this information collection; ways to enhance the quality, utility, and clarity of the information to be collected; and ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology.

To obtain a copy of the supporting statement and associated collection instruments, please email osd.dfars@mail.mil. Include DFARS Case 2018-D064 in the subject line of the message.

Therefore, the Defense Acquisition Regulations System proposes to amend 48 CFR parts 212, 213, 217, 239, and 252 as follows:

1. The authority citation for parts 212, 213, 217, 239, and 252 continues to read as follows:

Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

2. Amend section 212.301 by adding paragraphs (f)(xvi)(E) and (F) to read as follows:

3. Add section 213.201-70 to read as follows:

4. Amend section 217.207 by adding paragraph (c)(3) to read as follows:

5. Add subpart 239.7X to read as follows:

6. Add sections 252.239-70YY and 252.239-70ZZ to read as follows: