Six Years in the Making, DoD Releases Proposed Rule Requiring Disclosure of Foreign Review of Code for IT, Cybersecurity, Critical Infrastructure, and Weapons System Products and Services

On November 15, 2024, the Department of Defense (DoD) issued a Proposed Rule implementing Section 1655 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (P.L. 115-232), over six years after Congress enacted the requirement. 

DoD’s issuance of the Proposed Rule, rather than an interim final rule, is notable in and of itself because progress toward implementing Section 1655 was already stalled “pending resolution of technical issues” from May 2019 until mid-2024. Now, DoD’s implementation will be pushed out further while DoD considers comments. Comments are due on January 14, 2025. 

Stemming from concerns about Chinese government access to U.S. technology, Section 1655 requires DoD contractors providing products, services, or systems relating to information technology (IT), cybersecurity, industrial controls, or weapons systems to disclose whether in the five years preceding the FY 2019 NDAA’s enactment, the contractor has allowed a foreign government or person to review its offering’s code or is obligated to provide such a review, and whether the contractor had an export license for that review. To implement these requirements, the Proposed Rule contemplates pre- and post-award disclosures of any foreign government or person’s actual review or legal right to review the code underlying the contractor’s product or service since August 2013. The disclosure obligation would attach to IT, cybersecurity, industrial controls or weapons system product or service offerings that DoD is using or will use, and any such offerings developed for DoD.

The Proposed Rule follows the recent trend of extending regulatory requirements for supply chain security beyond those imposed by statute. In particular, the Proposed Rule applies to commercial products and services, despite the statute’s clear language stating that the disclosure requirement applies only to noncommercial items developed for DoD. In addition, the Proposed Rule fails to define what it means for a foreign government or person to “review” the contractor’s code (or have the option to do so), which may require contractors to disclose instances where a foreign government had an unexercised one-time right to view a contractor’s code on a contractor device, where a foreign government would be unable to copy or modify the code.

Contractors should consider commenting on the Proposed Rule to request more definition and fidelity to the statutory requirements. In the meantime, contractors should also consider implementing measures to track disclosure of code for products or services, including the identity and nationality of the party receiving the disclosure and the reason for source code disclosure. Contractors should also make sure to have documented any export licenses or invocation of license exemptions.