New DoD Proposed Rule: Sharing is Not Caring if Code is Involved
On Nov. 15, 2024, the Department of Defense (DoD) issued a new proposed rule that contemplates a ban, in some cases, both on awards and exercise of contract options or extensions unless the receiving contractors and subcontractors submit disclosures related to any sharing of source code and computer code with foreign governments. The comments on the proposed rule are due by Jan. 14, 2025.
However, the scope of the DoD’s proposal is quite extensive. It is thus worth noting even before then, particularly by those entities that either have or contemplate pursuing contracts related to information or operational technology (IT or OT), cybersecurity, industrial control systems, or weapon systems, since that is where the proposed ban will apply.
Below is a brief summary of the most noteworthy aspects of that proposal and the associated requirements:
Applicability: The DoD will mandate specific disclosures as part of a new provision and a clause that the DoD will incorporate into forthcoming solicitations and contracts for the acquisition of products, services, or systems relating to IT, OT, cybersecurity, industrial control systems, or weapon systems. The rule makes specific reference to the fact that such requirements will also extend to any task orders, delivery orders, and acquisitions using FAR Part 12 procedures for commercial products and commercial services. It will apply even to acquisitions that are below the Simplified Acquisition Threshold (SAT).
Three Separate Disclosures: Contractors will have to provide three different disclosures through their Procurement Integrated Enterprise Environment (PIEE) accounts in order to remain eligible for an award or an exercise of an option or an extension if those terms make their way into the solicitation or the contract. Specifically, the contractors may have to address:
- Whether, after Aug. 12, 2013,[1] the entity making the disclosure has allowed, or is under an obligation to allow, a foreign person or foreign government to review the source code or computer code of a noncommercial product, system, or service developed for DoD.
- Whether, after Aug. 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign person or foreign government to review either:
  - (a) The source code of a product, system, or service that DoD is using or intends to use; or
  - (b) Computer code of a noncommercial product, system, or service developed for DoD.
- Whether the entity making the disclosure holds or has sought a license pursuant to the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR) for information technology products, components, software, or services that contain code custom-developed for the noncommercial product, system, or service DoD is using or intends to use.
Relevant “Code”: The terms Computer Code and Source Code that will be the subject of disclosures refer to the following:
Computer code means a set of instructions, rules, or routines recorded in a form that is capable of causing a computer to perform a specific operation or series of operations. It includes both source code and object code.
Source code means any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. This code is later translated into machine language by a compiler. The translated code is referred to as object code.
Flow-Down Obligations: The proposed clause requires prime contractors to flow down its terms as part of any subcontracts or other contractual instruments for products, services, or systems. It also directs prime contractors to require that subcontractors at every tier complete all of the specified disclosures prior to the award of any subcontract.
Substantial Prohibition: The DoD contemplates an explicit prohibition on any awards or exercises of options and extensions to contractors who do not make the necessary disclosures. But notably, at least at the proposed stage, the prohibition does not extend to contractors that have similar challenges with certifications at the subcontractor level. It also explicitly excludes any open source software from the prohibitions either way.
Uncertain Additional Steps May be Required Depending on Disclosures: The rule does not offer much clarity regarding the impact that any releases of code to foreign governments may have. Instead, it notes only that contracting officers shall follow agency procedures, as applicable, in the event that the program office notifies the contracting officer that additional steps must be taken prior to award based on the information disclosed. However, given that the DoD has recently broadened the applicability of Foreign Ownership, Control, or Influence (FOCI) Mitigation requirements for the first time beyond entities with access to classified information in an update to the DoD Instruction 5205.87, perhaps FOCI Mitigation steps are some of those potential outcomes.
Extends Even to Prior Disclosures: It is notable that the proposed rule would require such disclosures about releases of code that precede even its eventual effective date, which still awaits the final rule. The fact that the proposed clause and provision contemplate requiring such disclosures about releases dating back to Aug. 13, 2013, may suggest that the industry will see some challenges on that basis. Other laws imposing effects for conduct retroactively have certainly faced such challenges in the past.
No Carve-Outs for Foreign-Owned Contractors or Small Businesses: The DoD does not provide any special exceptions for foreign-owned entities. In fact, the clause that is part of the rule includes language that would even require entities to disclose releases of code to a “foreign person” or “foreign government.” Since the rule did not include any definition of a “foreign person” for the purposes of this requirement, the DoD could certainly interpret that reference as broad enough to encompass both natural persons and other entities. The DoD makes no exceptions for small businesses either. However, it invites comments from small business concerns regarding the impact that this proposed rule may have on them.
Requirements for Post-Award Disclosures and Mitigation: Disclosing entities must ensure that any representations are current, accurate, and complete for the life of the contract. Under the proposed clause, however, if a disclosing entity identifies any information requiring disclosure during contract performance or learns of such information from a subcontractor or another source, the disclosing entity must not only update its disclosures but also disclose any mitigation measures taken or anticipated.
Takeaways
This rule is still in the proposed stage. However, at the least, it promises some new concerns for contractors to keep in mind when figuring out how to treat source and computer code that may end up going to the DoD. The lack of any clarity regarding the type of “foreign persons” that contractors must disclose, for example, is alone worth some attention. While a lot may still change between now and the final rule, companies in the affected industries would certainly benefit even from just (1) identifying the current contractual arrangements that they have with foreign governments that may fall under the requirements of this disclosure and (2) assessing the scope of those arrangements. As with other proposed rules, contractors should also make sure that their agreements with teaming partners and subcontractors are in the state necessary to ensure compliance with these requirements if and when they become final.
[1] The National Defense Authorization Act (NDAA) for fiscal year 2019, which serves as the origin of this proposed rule, was signed into law on Aug. 13, 2018, and included a five-year lookback period for the required disclosures.