Important New Cyber Provisions in the 2019 NDAA
By: Curt Smith, Manager and Neal Beggan, Principal
The National Defense Authorization Act for Fiscal Year 2019 (“NDAA” or “the Act”) was signed into law on August 13, 2018. The 2019 NDAA includes several broad provisions on cybersecurity that will interest government contractors.
Generally, the Act in Section 1636 establishes a more aggressive policy on cyberspace, cybersecurity, cyber warfare, and cyber deterrence stating that the U.S. should “employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States.”
Section 889 of the Act prohibits the head of an executive agency from procuring covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. Covered telecommunications equipment or services are defined as:
- Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities).
- Video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities) when used for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes.
- Telecommunications or video surveillance services provided by such entities or using such equipment.
- Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.
The term “covered foreign country” means the People’s Republic of China.
Section 1655 of the Act addresses supply chain IT risk. The Department of Defense (“DoD”) “may not use a product, service, or system procured or acquired … relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person,” unless that person discloses certain information to the Secretary of Defense, including:
- Whether an organization or person has allowed within the five years prior to the enactment of the 2019 NDAA, or is under an obligation to allow, a foreign government to review the code of a noncommercial product, system, or service developed for DoD.
- Whether an organization or person has allowed within the five years prior to the enactment of the Act, or is under an obligation to allow, a foreign government or person from the countries listed in Section 1654, Identification of Countries of Concern Regarding Cybersecurity, to review the source code of a product, system, or service that DoD is using or intends to use.
- Whether a person holds or has sought a license pursuant to Export Administration Regulations under Subchapter C of Chapter VII of Title 15, Code of Federal Regulations, the International Traffic in Arms Regulations under Subchapter M of Chapter I of Title 22, Code of Federal Regulations, or successor regulations, for information technology products, components, software, or services that contain code custom developed for the noncommercial product, system, or service DoD is using or intends to use.
The Secretary of Defense is directed to issue regulations implementing these supply chain disclosure requirements. Within a year, a registry is to be created to collect and maintain information disclosed, which can be made available to any agency conducting a procurement pursuant to the Federal Acquisition Regulation or the Defense Federal Acquisition Regulation Supplement. Within two years of the NDAA’s passage, DoD shall develop a third-party testing standard “acceptable for commercial off the shelf (COTS) products, systems, or services to use when dealing with foreign governments.” Within a year and annually thereafter, DoD shall report the number, scope, product classifications, and mitigation agreements related to each product, system, and service for which a disclosure is made under this subsection.
Section 1654 directs the Secretary of Defense to “create a list of countries that pose a risk to the cybersecurity of United States defense and national security systems and infrastructure. Such list shall reflect the level of threat posed by each country included on such list.”
Section 1642 grants authority to “disrupt, defeat, and deter cyber attacks” originating from the Russian Federation, People’s Republic of China, Democratic People’s Republic of Korea, or Islamic Republic of Iran, including attempts to influence American elections and democratic processes.
Section 1657 of the Act calls for a study of the costs, benefits, technical merits, and other merits of the following technologies as applied to vulnerability assessments of nuclear systems and nuclear command and control, of a critical subset of conventional power projection capabilities, of cyber command and control, and of other critical defense infrastructure. This study will cover:
- Technology acquired, developed, and used by Combat Support Agencies of the DoD to discover flaws and weaknesses in software code.
- Cloud-based software fuzzing-as-a-service to continuously test the security of DoD software repositories at large scale.
- Formal programming and protocol language for software code development and other methods and tools developed under various programs.
- The binary analysis and symbolic execution software security tools developed under the Defense Advanced Research Projects Agency program.
- Any other advanced or immature technologies with respect to which DoD determines there is particular potential for application to the vulnerability assessment and remediation of the systems.
Section 1643 states that, within 180 days of enactment, one official will be designated to be responsible for matters relating to integrating cybersecurity and industrial control systems for DoD. That official shall be responsible for “developing Department-wide certification standards for integration of industrial control systems and taking into consideration frameworks set forth by the NIST for the cybersecurity of such systems.”
Other Important Cyber-Related Provisions
- Committee on Foreign Investment in the United States (“CFIUS”) Review – Certain investments in critical technology and critical infrastructure companies and companies that maintain or collect sensitive personal data of U.S. citizens will be subject to CFIUS review if the investment could afford a foreign person access to material nonpublic technical information, board membership or observer rights or the right to nominate a board member, or certain substantive decision-making involvement.
- Section 1632 affirms the authority of DoD to conduct military activities and operations in cyberspace including clandestine military activities or operations. These clandestine activities or operations will be considered “traditional military activity,” as defined in the National Security Act of 1947.
- Section 880 states, “the use of lowest price technically acceptable source selection criteria shall be avoided in the case of a procurement that is predominately for the acquisition of information technology services, cybersecurity services, systems engineering and technical assistance services, advanced electronic testing, audit or audit readiness services, health care services and records, telecommunications devices and services, or other knowledge-based professional services.”
- In the case of “a significant loss of personally identifiable information [PII] [or] controlled unclassified information [CUI] by a cleared defense contractor,” the Secretary “shall promptly submit to the congressional defense committees notice in writing of such loss.” Whether or how this provision will impact notification requirements for contractors and vendors remains to be seen.
- In consultation with NIST, DoD shall take actions to “enhance awareness of cybersecurity threats among small manufacturers and universities” working on DoD programs and activities. This is aimed at enhancing security in the Defense Industrial supply chain. Outreach activities include training, courses, and self-certification to help these parties improve cybersecurity.
- DoD has greater authority for cyber-related grants and scholarships and the Secretary will establish a Cyber Institute. Further, within 240 days, a report shall be submitted to congressional committees on the feasibility of establishing a Cybersecurity Apprentice Program to support on-the-job training for certain cybersecurity positions and facilitate the acquisition of cybersecurity certifications.