FY 2020 NDAA
Client Alert | 3 min read | 01.16.20
On December 20, 2019, President Trump signed into law the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2020. The FY 2020 NDAA includes several provisions relevant to contractors, including the development of a new cybersecurity framework applicable to the defense industrial base and pilot programs for acquisition strategy and intellectual property, among other things.
- Cybersecurity:
- Section 1652 requires the Department of Defense (DoD) to complete a zero-based review of cyber and information technology contractors, military, and civilian personnel by January 1, 2021. Among other things, the review will assess whether cybersecurity service provider positions and personnel fit coherently into the enterprise-wide cybersecurity architecture and with the DoD’s cyber protection teams.
- Section 1648 requires the Secretary of Defense to develop a comprehensive framework to enhance the cybersecurity of the U.S. defense industrial base no later than February 1, 2020, which should consider risk-based methodologies such as the DoD’s Cybersecurity Maturity Model Certification program.
- Acquisition Policy and Management:
- Under Section 802, the Secretary must establish a pilot program for alpha contracting teams for complex requirements by February 1, 2020, and select 2-5 initiatives to participate. The initiatives will use teams that focus on the development of complex contract technical requirements for services, with each team focusing on “developing achievable technical requirements that are appropriately valued and identifying the most effective acquisition strategy to achieve those requirements.”
- Section 803 provides that a contractor’s failure to provide “other than certified” cost or pricing data upon request may result in ineligibility for contract award. Section 804 requires the Comptroller General to issue a report to Congress by March 31, 2021, on the DoD’s efforts to secure data relating to the price reasonableness of offers.
- Section 807 requires DoD to conduct a review on its decisions to use fixed-price contracts to ensure that such decisions are made strategically and consistently.
- Intellectual Property:
- Section 801 provides for a pilot program to assess mechanisms to evaluate intellectual property (IP) in certain acquisition programs. The purpose of the IP evaluation will be to assess the relative costs of the various approaches to acquiring (or not acquiring) various levels of IP rights during the acquisition process, with a goal of (i) developing cost-effective IP strategies; (ii) assessing and managing the value and acquisition costs of IP during acquisition and sustainment activities; and (iii) assessing the value of using commercial products or services as an alternative to a product or service to be specifically developed for a selected acquisition program, including evaluation of the benefits of reduced risk regarding cost, schedule, and performance associated with commercial products, commercial services, and nondevelopmental items.
- Section 808 repeals Section 866 of the NDAA for FY 2019, which modified the data rights challenge process by permitting the DoD to authorize the use of a contractor’s data after the contractor had filed an appeal of a contracting officer’s determination that the asserted restrictions are not justified, upon a finding that “compelling mission readiness requirements will not permit awaiting the final decision” by the Armed Services Board of Contract Appeals or the Court of Federal Claims. Section 866 was never implemented into regulations.
- Section 838 requires the Secretary to report to Congress on DoD’s progress on its implementation of its policy for the acquisition or licensing of IP and the development of the cadre of IP experts. Each of these was a requirement imposed by the 2018 NDAA that, to date, has not been implemented.
- Foreign Ownership:
- Section 847 requires the DoD to improve its assessment and mitigation of risks related to the foreign ownership, control, or influence (FOCI) of its contractors and subcontractors. Specifically, the assessment process and procedures must include (i) an assessment-of-FOCI element, including whether covered contractors and subcontractors (defined as a company that is an existing or prospective DoD contractor on a contract or subcontract with a value in excess of $5,000,000) disclose to the Defense Counterintelligence and Security Agency their beneficial ownership and whether they are under FOCI (including disclosure of contact information for foreign owners), and (ii) a responsibility determination element, including whether to establish a special standard of responsibility relating to FOCI risks for covered contractors and subcontractors. These requirements will not apply to acquisitions of commercial products and services unless a senior DoD official specifically determines that the risks involved in a specific commercial item procurement merit close scrutiny of possible FOCI issues.