Cybersecurity and Supply Chain Security Provisions in the Draft 2021 National Defense Authorization

Each fiscal year (FY) the US Congress passes a National Defense Authorization Act (NDAA) covering broad provisions for the Department of Defense (DOD) and defense-related activities in other federal departments. It is very common for Congress to use the NDAA to address acquisition and other contracting policy priorities – including small business contracting – that drive acquisition policy and practice at the DOD and across federal agencies.

The bill is still in process of being finalized, but the House of Representatives has passed their version, H.R. 6395 and the Senate has passed their version, S. 4049. The most recent version of the amended bill text is available on the H.R. 6395 page and has been placed on the Senate’s legislative calendar for consideration, but it is still unclear of the timing of likely final passage.

Looking at the House and Senate drafts and what has made it into the current version there are several cybersecurity, supply chain and acquisition security related provisions that may make it into the final reconciled bill that goes to the president for signing.

Provisions that Appear in Both S. 4049 and H.R. 6395 Include:

Cyber Threat Intelligence Sharing

• Requires all defense industrial base contractors and subcontractors to participate in a DOD or other approved cyber threat intelligence sharing program to share cybersecurity incident reporting with and obtain from the defense industrial base. DOD is to invest in technology and capabilities to support automated detection and analysis across the defense industrial base. DOD may create tiers of requirements and participation based upon CMMC level.

DIB Cybersecurity Threat Hunting Program

• Authorizes DOD to establish a Defense Industrial Base Cybersecurity Threat Hunting Program to actively identify cybersecurity threats and vulnerabilities within defense contractor networks and systems for contracts that require a CMMC (cybersecurity maturity model certification) of level 4 or higher. Relevant contractor participation is mandatory for contract awards at these CMMC levels.

Aid to Small DIB Manufacturers to Meet CMMC

• Authorizes DOD to award financial assistance (grants) to a National Institute of Standards and Technology (NIST) Center for the purpose of providing cybersecurity services to small defense industry manufacturers to meet DOD cyber compliance requirements, including CMMC requirements.

Trusted Circuit Boards

• Beginning in fiscal year 2023, the DOD shall require contractors or subcontractors that provide printed circuit boards for the DOD to certify that not less than set percentages were manufactured and assembled within the U.S. or an approved foreign country. From 2023 through 2027, the greater of 50% or 75% and from 2028 through 2032, the greater of 75% or 100%. Beginning in fiscal year 2033, 100%. Contractors that fail to meet the certification requirement will be required to complete a remediation plan, including an audit its supply chain to identify any areas of security vulnerability and meet the requirement within one year.
• The Senate’s version takes a more modest schedule for increasing the percentage, beginning with 25% by October 1, 2023 and increasing in 25% increments in 2025, 2029 and 2032 to reach 100%.

Optical Transmission Components

• Amends title 10 of the U.S. Code to include optical transmission components in the analytical framework for supply chain risks to telecommunications services or equipment.

FedRAMP Standards for 5G

• Requires the DOD to use FedRAMP Moderate or High baselines, supplemented with the DOD’s additional cloud security controls, to assess fifth generation (5G) core service providers whose services will be used in the DOD’s provisional authorization process.

Impact of China on Cloud Standards

• Authorizes the National Institute of Standards and Technology to contract with an appropriate non-governmental organization to study the impact of China’s policies on international standards bodies for emerging technologies. Includes studying the impact of the ‘‘Chinese Standard 2035’’ strategy on international standards for select emerging technologies, such as cloud computing services.

Provisions that Appear in H.R. 6395 Only Include:

DOD Component CMMC Level 3 Compliance

• Requires the DOD to assess and report on the cyber hygiene practices and effectiveness of DOD components, including each component’s compliance with CMMC requirements and levels. Components that fail to meet CMMC Level 3 ‘‘good cyber hygiene’’ are required to mitigate and take steps to achieve Level 3.

Reduce Dependency on China

• Requires the DOD to issue guidance to ensure the elimination of the dependency of the U.S. on rare earth materials from China by fiscal year 2035.

Use U.S. Made Goods in DOD Programs

• Requires DOD to assess the domestic source content – articles, materials, or supplies mined, produced, or manufactured in the U.S. – of procurements for major defense acquisition programs and progressively increase the percentage of domestic sourced content from 75% by October 2021 to 100% by October 2026. The requirement would apply to contracts entered into on or after October 1, 2021.

Chinese Telecom and Video Prohibition

• Section 828 of the House version provides a “sense of Congress” that implementation of the prohibition on certain telecommunications and video surveillance services or equipment is critical and recommends agencies look to guidance from the Federal Acquisition Security Council while waiting for the finalized FAR rule. The prohibition on federal agencies from procuring or using telecom and video surveillance equipment from select Chinese companies was part of the FY 2019 NDAA.

Small UAS Components Supply Chain

• Requires DOD to brief Congress on the supply chain for small unmanned aircraft system (UAS) components, including current and projected future demand, sustainability and availability of secure sources of critical components and plans to address supply chain deficiencies. There is a Pending DFAR rule 2020-D020, required by Sec. 848 of the FY 2020 NDAA.

Chinese COTS UAS Prohibitions

• Prohibits federal agencies from buying commercial off-the-shelf (COTS) drone or covered unmanned aircraft system (UAS), or any component thereof for use in such a drone or unmanned aircraft. This provision adds COTS products and components to the prohibitions on Chinese-made unmanned aerial systems made in the FY 2020 NDAA.

National Technology and Industrial Base

• Suggests that the DOD – in preparing the annual report on the national technology and industrial base required by title 10 of the U.S. Code – include an assessment of gaps or vulnerabilities in the national technology and industrial base, including the extent to which foreign adversaries engage in operations to exploit such gaps or vulnerabilities and provide recommendations to mitigate or address them.

Rare Earth Materials Supply Chain

• Requires DOD to report to Congress on its ability to facilitate partnerships with higher education institutions that receive grants to enhance the security and stability of the supply chain for domestic rare earth materials for the National Defense Stockpile and make recommendations for improvements.

New Assistant Secretary for DIB Policy

• Creates an Assistant Secretary of Defense for Industrial Base (DIB) Policy to provide input to strategy on the defense industrial base (DIB), establish DOD policies for developing and maintaining the DIB to ensure a secure supply of materials critical to national security; and provide acquisition policy guidance on defense supply chain management and supply chain vulnerability throughout the entire defense supply chain.

New Small Business Resiliency Program

• Requires the proposed Assistant Secretary of Defense for Industrial Base Policy to establish the ‘‘Small Business Industrial Base Resiliency Program” to purchase goods or services from small businesses to respond to the COVID–19 pandemic; support, protect and restore this industrial base through the pandemic; and address supply chain vulnerabilities related to the COVID–19 pandemic.

Provisions that Appear in S. 4049 Only Include:

Reduce Dependency on Foreign Suppliers

• Directs the DOD Under Secretary for Acquisition and Sustainment submit to the DOD Secretary recommendations on ways to fully implement the July 21, 2017, Presidential Executive Order on Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, including recommendation on ways to strengthen the domestic national security industrial base, especially in areas currently dependent on foreign suppliers.

FedRAMP Authorization Act

• Amends the FedRAMP Authorization Act passed by the House on Feb. 5, 2020 to the Senate version of the FY 2021 NDAA which makes the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) a formal government-wide program for providing authoritative, standardized and secure cloud services.
• Includes the Joint Authorization Board, the FedRAMP Program Management Office, independent assessment organizations and a 15-member Federal Secure Cloud Advisory Committee to provide advice and recommendations.
• Authorizes $20M per year to fund the Joint Authorization Board and FedRAMP Program Management Office.

New National Technology and Industrial Base Regulatory Council

• Directs the Chairman of the National Defense Technology and Industrial Base Council to establish the National Technology and Industrial Base Regulatory Council, in part to address and review issues related to industrial security, supply chain security, cybersecurity, regulating foreign direct investment and foreign ownership, control and influence mitigation, and others.

Secure Supply of DIB Minerals and Metals

• Requires DOD to ensure, by 2030, secure sources of supply of strategic minerals and metals to fully meet the demands of the domestic defense industrial base (DIB) and eliminate U.S. dependence on unsecure sources.
• Directs the DOD to submit a report with recommendations to Congress on a study of strategic and critical minerals and metals, including rare earth metals, and vulnerabilities in supply chains of such minerals and metals.

Domestic Star Trackers in National Security Satellites

• Beginning in FY 2021, DOD contracts for a national security satellite shall require any star tracker system included in the design of such national security satellite to be domestically sourced, provided sufficient availability and competitiveness. “An urgent and compelling national security need must exist to necessitate a foreign-made star tracker.”

DOD Supply Chain Risk Mitigation

• Directs DOD Service Acquisition Executives to report on how they are assessing, mitigating, and reporting on supply chain risks, including cybersecurity, foreign control and ownership of key elements of supply chains, the consequences a fragile and weakening defense industrial base, and barriers to industrial cooperation with allies and partners for delivering systems and technologies in a trusted and assured manner.

Secure Software Development and Acquisition

• Requires DOD to develop requirements for inclusion in solicitations for both commercial and developmental solutions, and for the evaluation of bids, of appropriate software security criteria, including what processes were or will be used for a secure software development lifecycle, including management of supply chain and third-party software sources and component risks.

Restricts China Employees in the DIB

• Directs the DOD to provide mechanisms to restrict employees or former employees of the defense industrial base (DIB) that contribute to DOD-defined critical national security technologies from working directly for companies wholly owned by, or under the direction of, the Government of the Peoples Republic of China. DOD is to report on its progress by May 1, 2021.