President Joe Biden signed the National Defense Authorization Act on Dec. 23, 2022, approving approximately $858 billion in funding for the Department of Defense and national security programs under the Department of Energy. The NDAA also includes $12.6 billion for inflation’s impact on purchases and rising construction and fuel costs.
This year’s NDAA continues to expand on FY 2022’s version by focusing on improving and protecting the DoD’s supply chain and strengthening military readiness. These provisions continue to restrict the procurement of goods and services from certain foreign countries and to improve cybersecurity. Contractors may be pleased to see that Congress increased funding for ship building, missile defense, aircraft, ground and weapon systems.
FY 2023’s NDAA is over 4,400 pages. We have highlighted some of the sections that may be of interest for government contractors.
Section 803: Data requirements for commercial products for major weapon systems
This NDAA provision requires offerors that provide subsystems, components and spare parts for major weapon systems that have not been previously determined commercial to identify specific comparable product(s) sold to the general public or non-governmental entities that can serve as the basis for an “of a type” assertion, and to provide a comparative analysis to justify the commerciality of the product(s).
Section 805: Treatment of certain clauses implementing executive orders
This requires that the unilateral insertion of a covered clause into an existing DoD contract, order or other transaction by a contracting officer be treated as a change under the contract’s changes clause, FAR 52.243-3. Contractors who are required to incorporate executive orders that may increase costs to their contracts may seek an equitable adjustment.
Section 817: Modification to prohibition on operation or procurement of foreign-made unmanned aircraft systems
This provision modifies a FY 2020 NDAA provision on foreign-made, unmanned aircraft systems by prohibiting UAS purchases from China, Russia, Iran and North Korea. The provision places certain restrictions on Chinese drone-maker Da-Jiang Innovations and its subsidiaries or affiliates.
Section 822: Modification of contracts to provide extraordinary relief due to inflation impacts
There is potential good news for contractors and subcontractors of fixed-price contracts. The government has acknowledged the need to protect and support its defense industrial base during this period of high inflation. The DoD may amend or modify an eligible contract when, due solely to economic inflation, the cost to a prime contractor of performing is greater than the price of the contract, with similar provisions applicable to subcontractors. If the prime contractor does not make the request, the provision allows for a subcontractor to make the request directly to the government. Contractors should take note that funding availability may be an issue, and contracting officers still maintain the authority to grant a modification to the contract. This is in effect until Dec. 31, 2023.
Section 856: Codification of the DoD mentor-protégé program
This provision codifies the mentor-protégé program, which is no longer considered a pilot program. It also lowers the threshold for eligibility of mentors from $100 million to $25 million in total defense contracts for the prior fiscal year. In addition, the provision extends program participation from two years to three years, and it establishes a five-year pilot program to encourage protégé participation in engineering, software development or manufacturing customization contracts.
Section 857: Procurement requirements relating to rare-earth elements and strategic and critical materials
Contractors who provide the DoD system with a permanent magnet that contains rare-earth metals, or strategic and critical materials, must disclose the provenance of the magnet. Disclosure elements include the identification of the country or countries where any rare-earth element, or strategic and critical materials, were mined, refined into oxides or made into alloys. The provision also requires details on where the magnet was sintered or bonded and magnetized. If a contractor is unable to make the disclosures, the contractor must implement a supply chain tracking system that provides a description of the efforts taken to make the required disclosure. In such cases, the contractor must also report the name, location and other identifying information of any entities that refuse to provide the contractor with information to make the disclosure. This section also expands restrictions on the procurement of military and dual-use technologies by Chinese military companies.
Incorporation of controlled unclassified information guidance into program classification guides and program-protection plans
This provision requires that all program classification guides (for classified programs) and all program-protection plans (for unclassified programs) include guidance for the proper marking of controlled unclassified information at their next regular update. The provision also requires monitoring the DoD’s progress in including CUI guidance in all programs and updated training for both government and contractor personnel using the guides.
Section 1514: Operational testing for commercial cybersecurity capabilities
This provision requires DoD and branch chief information officers to develop and submit plans by Feb. 1, 2024, to ensure that covered cybersecurity capabilities (including commercial items) are appropriately tested, evaluated and proven operationally effective, suitable and survivable prior to operation on a DoD network.
Section 1553: Plan for commercial cloud test and evaluation
This requires the secretary of defense, in consultation with commercial industry, to implement a policy and plan for the testing and evaluation of the cybersecurity of commercial cloud service providers that provide, or are intended to provide, storage or computing of classified data of the DoD.
Section 5921: FedRAMP Authorization Act
This codifies into law the Federal Risk and Authorization Management Program cloud service provider security-assessment-and-authorization program with the General Services Administration. The provision requires that a government-wide program be established that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information. This will aid in reducing duplication. It establishes practices to support the FedRAMP authorization process to improve speed, effectiveness and transparency. Some additional key takeaways from the act are as follows:
- Establishes a FedRAMP board composed of senior officials or experts from agencies with relevant technical expertise to accelerate the authorization process, update requirements and guidelines, oversee and monitor processes for determining requirements for authorization, and ensure consistency and transparency.
- Establishes a federal secure-cloud advisory committee to engage public and private sectors to ensure effective and ongoing coordination of agency adoptions, and to assess the authorization, monitoring, acquisition and security of cloud computing products and services. The committee will be made up of members from government agencies, subject matter experts and private cloud service providers, including at least two representatives from small businesses.
- Reduces the duplication of security assessments and agency adoptions of cloud products by establishing a “presumption of adequacy” for cloud technologies that have received FedRAMP certification.
- Facilitates the use of cloud technologies that have received authorization to operate by requiring agencies to check a centralized, secure repository and reuse any existing security assessment before conducting their own.
Section 5949: Prohibition on certain semiconductor products and services
This provision applies to all executive agencies, not only the DoD, and takes effect five years after the NDAA is signed. It prohibits all federal agencies from procuring or contracting, for any electronic parts, a semiconductor product or service in “critical systems” (i.e., national security systems) that is designed, produced or provided by Semiconductor Manufacturing International Corporation, ChangXin Memory Technologies, Yangtze Memory Technologies Corp. or any subsidiary, affiliate or successor of any of these companies. Agencies are also required to perform analyses and assessments, and report their findings within their supply chain of contractors and subcontractors. Contractors need to prepare and are responsible for certifying the non-use of covered semiconductor products or services; detecting and avoiding the use of semiconductor products or services; and performing rework or corrective action to remedy the use or inclusion of covered semiconductor parts or products.
Section 6502: Identification and threat assessment of companies with investments in China
This requires a report to Congress that identifies the risk to national security of the use of telecommunications companies with a 10% or greater investment by an entity owned or controlled by China that is operating in the United States, or providing services to affiliates and personnel of the intelligence community. The report must also address hospitality and conveyance companies with “substantial” investment by China that the intelligence community utilizes for travel.