Proposed Rule2024-26058
Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations (DFARS Case 2018-D064)
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
November 15, 2024
Issuing agencies
Defense DepartmentDefense Acquisition Regulations System
Abstract
DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a section of the National Defense Authorization Act for Fiscal Year 2019, which prohibits DoD from acquiring products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems through a contract unless the offeror or contractor provides disclosures related to sharing source code and computer code with foreign governments.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 221 (Friday, November 15, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 221 (Friday, November 15, 2024)]
[Proposed Rules]
[Pages 90254-90259]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-26058]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 212, 213, 217, 239, and 252
[Docket DARS-2024-0034]
RIN 0750-AK23
Defense Federal Acquisition Regulation Supplement: Disclosure of
Information Regarding Foreign Obligations (DFARS Case 2018-D064)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: DoD is proposing to amend the Defense Federal Acquisition
Regulation Supplement (DFARS) to implement a section of the National
Defense Authorization Act for Fiscal Year 2019, which prohibits DoD
from acquiring products, services, or systems relating to information
or operational technology, cybersecurity, industrial control systems,
or weapon systems through a contract unless the offeror or contractor
provides disclosures related to sharing source code and computer code
with foreign governments.
DATES: Comments on the proposed rule should be submitted in writing to
the address shown below on or before January 14, 2025, to be considered
in the formation of a final rule.
ADDRESSES: Submit comments identified by DFARS Case 2018-D064, using
either of the following methods:
[cir] Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
Search for DFARS Case 2018-D064. Select ``Comment'' and follow the
instructions to submit a comment. Please include ``DFARS Case 2018-
D064'' on any attached documents.
[cir] Email: <a href="/cdn-cgi/l/email-protection#dbb4a8bff5bfbdbaa9a89bb6bab2b7f5b6b2b7"><span class="__cf_email__" data-cfemail="83ecf0e7ade7e5e2f1f0c3eee2eaefadeeeaef">[email protected]</span></a>. Include DFARS Case 2018-D064 in
the subject line of the message.
Comments received generally will be posted without change to
<a href="https://www.regulations.gov">https://www.regulations.gov</a>, including any personal information
provided. To
[[Page 90255]]
confirm receipt of your comment(s), please check <a href="https://www.regulations.gov">https://www.regulations.gov</a>, approximately two to three days after submission
to verify posting.
FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571-
296-7152.
SUPPLEMENTARY INFORMATION:
I. Background
DoD is proposing to revise the DFARS to implement section 1655(a)
and (c) of the National Defense Authorization Act (NDAA) for Fiscal
Year (FY) 2019 (Pub. L. 115-232). Section 1655(a) prohibits DoD from
acquiring products, services, or systems relating to information or
operational technology, cybersecurity, industrial control systems, or
weapon systems through a contract unless the offeror or contractor
provides disclosures related to sharing source code and computer code
with foreign governments. Section 1655(c) requires contracts for those
products, services, or systems to include a clause requiring the
disclosures during the contract period of performance if an entity
becomes aware of information requiring disclosure.
The first part of the disclosure is related to whether, after
August 12, 2013, the entity making the disclosure has allowed, or is
under an obligation to allow, a foreign government to review the code
of a noncommercial product, system, or service developed for DoD. The
second part of the disclosure pertains to whether, after August 12,
2013, the entity making the disclosure has allowed, or is under an
obligation to allow, a foreign government in a list required by section
1654 of the NDAA for FY 2019 to review the source code of a product,
system, or service that DoD is using or intends to use.
The third part of the disclosure is related to whether the entity
making the disclosure holds or has sought a license pursuant to the
Export Administration Regulations (15 CFR chapter VII, subchapter C),
the International Traffic in Arms Regulations (22 CFR chapter I,
subchapter M), or successor regulations, for information technology
products, components, software, or services that contain code custom-
developed for the noncommercial product, system, or service DoD is
using or intends to use.
Once the disclosures are provided to DoD, and if the Secretary of
Defense determines that the disclosure relating to a product, system,
or service entails a risk to the national security infrastructure or
data of the United States, or any national security system under the
control of DoD, section 1655 requires the Secretary to take such
measures as the Secretary considers appropriate to mitigate such risks.
In addition, as the Secretary considers appropriate, the Secretary may
condition any agreement for the use, procurement, or acquisition of the
product, system, or service on the inclusion of enforceable conditions
or requirements that would mitigate such risks.
II. Discussion and Analysis
This proposed rule includes a new subpart, 239.7X, Disclosure of
Information Regarding Foreign Obligations. Section 239.7X00 describes
the statutory requirement implemented in the new subpart. Section
239.7X01 includes new definitions of computer code, open source
software, and source code. The new subpart includes the section 1655
prohibition at 239.7X02. Section 239.7X03 clarifies that the
prohibition does not apply to open source software.
A section on procedures was added at 239.7X04 to require
contracting officers to validate in the Catalog Data Standard within
the Electronic Data Access (EDA) system (<a href="https://piee.eb.mil">https://piee.eb.mil</a>) that
offerors or contractors have completed all foreign obligation
disclosures prior to awarding a contract or exercising an option.
Section 1655 prohibits DoD from using a product, service, or system
procured or acquired under certain awards unless foreign obligation
disclosures have been made. This proposed rule requires completion of
the foreign obligation disclosures prior to exercising an option to
ensure DoD complies with the statutory intent.
Section 239.7X05 provides prescriptions for a new solicitation
provision and contract clause. The new provision is prescribed for use
in solicitations that include the clause at 252.239-70ZZ, Postaward
Disclosure of Foreign Obligations. The new clause is prescribed for use
in solicitations and contracts, task orders, or delivery orders, for
the acquisition of products, services, or systems relating to
information or operational technology, cybersecurity, industrial
control systems, or weapon systems, including those using Federal
Acquisition Regulation (FAR) part 12 procedures for the acquisition of
commercial products and commercial services.
The purpose of the provision at 252.239-70YY, Preaward Disclosure
of Foreign Obligations--Representation, is to notify offerors that they
will be required to make disclosures within the Catalog Data Standard
in the Electronic Data Access (EDA) system (<a href="https://piee.eb.mil">https://piee.eb.mil</a>) in
order to be eligible for award. While there are three distinct
disclosures, the provision identifies the first and second disclosures
in one paragraph at 252.239-70YY, paragraph (c)(1), for clarity. The
third disclosure is identified at paragraph (c)(2). This provision
includes a requirement for all offerors to represent by submission of
the offer that the information on the foreign disclosures the offeror
has made within the Catalog Data Standard in EDA is current, accurate,
and complete.
The purpose of the clause at 252.239-70ZZ, Postaward Disclosure of
Foreign Obligations, is to require contractors to maintain their
disclosures in the Catalog Data Standard within EDA and flow down the
requirement to maintain disclosures in the Catalog Data Standard within
EDA to subcontractors. Similar to the provision, while there are three
distinct disclosures, the clause identifies the first and second
disclosures in one paragraph at 252.239-70XX, paragraph (b)(1), for
clarity. The third disclosure is identified at paragraph (b)(2). The
clause also requires contractors to require their subcontractors to
complete foreign obligation disclosures in the Catalog Data Standard in
EDA prior to awarding the subcontract.
Language was added at part 212 to apply the provision and clause to
the acquisition of commercial products and commercial services. In part
213, language was added to apply the requirement to disclose foreign
obligations will be applied at or below the micro-purchase threshold.
Language was also added at part 217 to instruct the contracting officer
exercise options only after verifying in the Catalog Data Standard in
the EDA system (<a href="https://piee.eb.mil">https://piee.eb.mil</a>) that all disclosures have been
completed.
III. Applicability to Contracts At or Below the Simplified Acquisition
Threshold (SAT) and for Commercial Services and Commercial Products,
Including Commercially Available Off-the-Shelf (COTS) Items
This proposed rule proposes a new provision and clause to implement
the requirements of section 1655 of the NDAA for FY 2019: (1) DFARS
252.239-70YY, Preaward Disclosure of Foreign Obligations-
Representation; and (2) DFARS 252.239-70ZZ, Postaward Disclosure of
Foreign Obligations. The provision at DFARS 252.239-70YY is prescribed
at DFARS 239.7X05(a) for use in solicitations that include the clause
at DFARS 252.239-70ZZ. The clause at DFARS 252.239-70ZZ is prescribed
at DFARS 239.7X05(b) for use in solicitations and contracts for the
acquisition of products, services, or
[[Page 90256]]
systems relating to information or operational technology,
cybersecurity, industrial control systems, or weapon systems, including
those using FAR part 12 procedures for the acquisition of commercial
products and commercial services. DoD does intend to apply the proposed
rule to contracts at or below the SAT. DoD does intend to apply the
proposed rule to contracts for the acquisition of commercial products
including COTS items and for the acquisition of commercial services.
A. Applicability to Contracts At or Below the Simplified Acquisition
Threshold
The statute at 41 U.S.C. 1905 governs the applicability of laws to
contracts or subcontracts in amounts not greater than the simplified
acquisition threshold. It is intended to limit the applicability of
laws to such contracts or subcontracts. The statute at 41 U.S.C. 1905
provides that if a provision of law contains criminal or civil
penalties, or if the Federal Acquisition Regulatory Council makes a
written determination that it is not in the best interest of the
Federal Government to exempt contracts or subcontracts at or below the
SAT, the law will apply to them. The Principal Director, Defense
Pricing, Contracting, and Acquisition Policy (DPCAP), is the
appropriate authority to make comparable determinations for regulations
to be published in the DFARS, which is part of the FAR system of
regulations. DoD does intend to make that determination. Therefore,
this proposed rule will apply at or below the simplified acquisition
threshold.
B. Applicability to Contracts for the Acquisition of Commercial
Products Including COTS Items and for the Acquisition of Commercial
Services
The statute at 10 U.S.C. 3452 exempts contracts and subcontracts
for the acquisition of commercial products including COTS items, and
commercial services from provisions of law enacted after October 13,
1994, unless the Under Secretary of Defense (Acquisition and
Sustainment) (USD(A&S)) makes a written determination that it would not
be in the best interest of DoD to exempt contracts for the procurement
of commercial products and commercial services from the applicability
of the provision or contract requirement, except for a provision of law
that--
<bullet> Provides for criminal or civil penalties;
<bullet> Requires that certain articles be bought from American
sources pursuant to 10 U.S.C. 4862, or that strategic materials
critical to national security be bought from American sources pursuant
to 10 U.S.C. 4863; or
<bullet> Specifically refers to 10 U.S.C. 3452 and states that it
shall apply to contracts and subcontracts for the acquisition of
commercial products (including COTS items) and commercial services.
The statute implemented in this proposed rule does not impose
criminal or civil penalties, does not require purchase pursuant to 10
U.S.C. 4862 or 4863, and does not refer to 10 U.S.C. 3452. Therefore,
section 1655 of the NDAA for FY 2019 will not apply to the acquisition
of commercial services or commercial products including COTS items
unless a written determination is made. Due to delegations of
authority, the Principal Director, DPCAP is the appropriate authority
to make this determination. DoD intends to make that determination to
apply this statute to the acquisition of commercial products including
COTS items and to the acquisition of commercial services. Therefore,
this proposed rule will apply to the acquisition of commercial products
including COTS items and to the acquisition of commercial services.
C. Determinations
Given that the requirements of section 1655 of the NDAA for FY 2019
were enacted to require disclosures of foreign obligations by
contractors for contracts that include products, services, or systems
relating to information or operational technology, cybersecurity,
industrial control systems, or weapon systems and since products,
services, or systems related to information or operational technology,
cybersecurity, industrial control systems or weapon systems can include
COTS items and awards at or below the SAT, it is in the best interest
of the Federal Government to apply the statute to contracts for the
acquisition of commercial services and commercial products, including
COTS items, as defined at Federal Acquisition Regulation 2.101 and
awards that are at or below the SAT. An exception for contracts for the
acquisition of commercial services and commercial products, including
COTS items, or for contracts or subcontracts valued at or below the
SAT, would exclude the contracts intended to be covered by the law,
thereby undermining the overarching public policy purpose of the law.
IV. Expected Impact of the Rule
The proposed rule implements section 1655 of the NDAA for FY 2019,
which prohibits DoD from acquiring products, services, or systems
relating to information or operational technology, cybersecurity,
industrial control systems, or weapon systems through a contract unless
the offeror or contractor provides disclosures related to sharing
source code and computer code with foreign governments. Based on data
from the Federal Procurement Data System, DoD issued approximately
36,677 new awards for information technology and weapon systems to
approximately 4,147 unique entities per year on average from FY 2021
through FY 2023. DoD assumes this number will cover awardees for
information or operational technology, cybersecurity, industrial
control systems, and weapon systems, as there is no way to track
individual awards for operational technology, industrial control
systems, and cybersecurity. Of the 4,147 unique entities, on average,
that received awards each year, an average of approximately 17,100
awards were made to 2,667 unique small entities from FY 2021 through FY
2023. DoD assumes that the clause will apply to the estimated 4,147
unique entities, including the 2,667 unique small entities.
DoD does not have a way to track the number of unique offerors per
award, so DoD estimates that the number of offerors is the number of
unique entities that received awards (i.e., 4,147) multiplied by a
factor of three, representing three offerors per award. Therefore, the
estimated number of offerors is three times the average number of
entities that received information technology and weapon systems awards
for FY 2021 through FY 2023 (4,147 entities x 3), or 12,441, of which
8,002 are estimated to be small entities.
The proposed changes will require offerors for products, services,
or systems related to information or operational technology,
cybersecurity, industrial control systems, or weapon systems to make
certain disclosures in the Catalog Data Standard within EDA (<a href="https://piee.eb.mil">https://piee.eb.mil</a>) regarding whether they have shared certain source code and
computer code with foreign persons or governments any time since August
12, 2013. During contract performance, prior to the exercise of any
option, contractors will be required to update their disclosures in the
Catalog Data Standard within EDA.
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety
[[Page 90257]]
effects, distributive impacts, and equity). E.O. 13563 emphasizes the
importance of quantifying both costs and benefits, of reducing costs,
of harmonizing rules, and of promoting flexibility. This is not a
significant regulatory action and, therefore, was not subject to review
under section 6(b) of E.O. 12866, Regulatory Planning and Review, as
amended.
VI. Regulatory Flexibility Act
DoD does not expect this proposed rule, when finalized, to have a
significant economic impact on a substantial number of small entities
within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et
seq., because the rule is only applied to awards for products,
services, or systems related to information or operational technology,
cybersecurity, industrial control systems, or weapon systems. However,
an initial regulatory flexibility analysis has been performed and is
summarized as follows:
This proposed rule is necessary to implement section 1655 of the
NDAA for FY 2019. Section 1655 prohibits DoD from using a product,
service, or system relating to information or operational technology,
cybersecurity, industrial control systems, or weapon systems provided
by an entity unless that entity makes certain disclosures. The
disclosures required by the statute have three parts.
The first part of the disclosures is related to whether, since
August 12, 2013, the entity making the disclosure has allowed, or is
under an obligation to allow, a foreign government to review the code
of an other than commercial product, system, or service developed for
DoD. The second part of the disclosure pertains to whether, since
August 12, 2013, the entity making the disclosure has allowed, or is
under an obligation to allow, a foreign government in the list required
by section 1654 of the NDAA for FY 2019 to review the source code of a
product, system, or service that DoD is using or intends to use. The
third part of the disclosure is related to whether the entity making
the disclosure holds or has sought a license pursuant to the Export
Administration Regulations (15 CFR chapter VII, subchapter C), the
International Traffic in Arms Regulations (22 CFR chapter I, subchapter
M), or successor regulations, for information technology products,
components, software, or services that contain code custom-developed
for the other than commercial product, system, or service DoD is using
or intends to use.
Once the disclosures are provided to DoD, and if the Secretary of
Defense determines that the disclosure relating to a product, system,
or service entails a risk to the national security infrastructure or
data of the United States, or any national security system under the
control of DoD, section 1655 requires the Secretary to take such
measures as the Secretary considers appropriate to mitigate such risks.
The objective of this proposed rule is to implement the statutory
requirement for offeror, contractor, and subcontractor disclosures
under section 1655 of the NDAA for FY 2019 prior to award and during
contract performance. The legal basis for the proposed rule is section
1655 of the NDAA for FY 2019.
The proposed rule applies to offerors, contractors, and
subcontractors for information or operational technology,
cybersecurity, industrial control systems, or weapon systems. Based on
data from the Federal Procurement Data System, DoD issued approximately
36,677 awards to 4,147 entities, of which 17,100 awards were made to
2,667 small entities, for information technology and weapon systems, on
average, from FY 2021 through FY 2023. DoD assumes these numbers will
cover small entities awarded contracts for products, services, or
systems relating to information or operational technology,
cybersecurity, industrial control systems, and weapon systems, as there
is no way to track individual awards for operational technology,
cybersecurity, and industrial control systems. In order to estimate the
number of offerors for information or operational technology,
cybersecurity, industrial control systems, and weapon systems, DoD
assumes the number of offerors will be the 4,147 awardees multiplied by
a factor of three, or 12,441 offerors, of which 8,002 are estimated to
be small entities.
This proposed rule does impose new reporting, recordkeeping, or
other compliance requirements for small entities. These reporting
requirements would apply to any offerors that are small entities for a
contract for information or operational technology, cybersecurity,
industrial control systems, and weapon systems. These small entities
will be required to make disclosures within the Catalog Data Standard
within the EDA system (<a href="https://piee.eb.mil">https://piee.eb.mil</a>) in order to be eligible for
award and will be required to represent that the disclosures are
current, accurate, and complete. Contractors whose contracts contain
the clause 252.239-70ZZ, Postaward Disclosure of Foreign Obligations,
will be required to maintain their disclosures in EDA and flow down the
requirement to maintain disclosures in EDA to subcontracts and other
contractual instruments.
The proposed rule does not duplicate, overlap, or conflict with any
other Federal rules.
There are no known alternatives that would accomplish the stated
objectives of the applicable statute.
DoD invites comments from small business concerns and other
interested parties on the expected impact of this proposed rule on
small entities.
DoD will also consider comments from small entities concerning the
existing regulations in subparts affected by this proposed rule in
accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite 5 U.S.C. 610 (DFARS Case 2018-D064)
in correspondence.
VII. Paperwork Reduction Act
This proposed rule contains information collection requirements
that require the approval of the Office of Management and Budget under
the Paperwork Reduction Act (44 U.S.C. chapter 35). Accordingly, DoD
has submitted a request for approval of a new information collection
requirement concerning DFARS Case 2018-D064, Disclosure of Information
Regarding Foreign Obligations, to the Office of Management and Budget.
A. Estimate of Public Burden
Public reporting burden for this collection of information is
estimated to average 0.5 hour per response, including the time for
reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information.
The annual reporting burden is estimated as follows:
Respondents: 12,441.
Total annual responses: 14,515.
Total annual burden hours: 7,257.5.
B. Request for Comments Regarding Paperwork Burden
Written comments and recommendations on the proposed information
collection, including suggestions for reducing this burden, should be
submitted using the Federal eRulemaking Portal at <a href="https://www.regulations.gov">https://www.regulations.gov</a> or by email to <a href="/cdn-cgi/l/email-protection#8ee1fdeaa0eae8effcfdcee3efe7e2a0e3e7e2"><span class="__cf_email__" data-cfemail="18776b7c367c7e796a6b587579717436757174">[email protected]</span></a>. Comments can be
received up to 60 days after the date of this notice.
Public comments are particularly invited on: whether this
collection of information is necessary for the proper performance of
the functions of DoD, including whether the information will
[[Page 90258]]
have practical utility; the accuracy of DoD's estimate of the burden of
this information collection; ways to enhance the quality, utility, and
clarity of the information to be collected; and ways to minimize the
burden of the information collection on respondents, including through
the use of automated collection techniques or other forms of
information technology.
To obtain a copy of the supporting statement and associated
collection instruments, please email <a href="/cdn-cgi/l/email-protection#d3bca0b7fdb7b5b2a1a093beb2babffdbebabf"><span class="__cf_email__" data-cfemail="c0afb3a4eea4a6a1b2b380ada1a9aceeada9ac">[email protected]</span></a>. Include DFARS
Case 2018-D064 in the subject line of the message.
List of Subjects in 48 CFR Parts 212, 213, 217, 239, and 252
Government procurement.
Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition Regulations System.
Therefore, the Defense Acquisition Regulations System proposes to
amend 48 CFR parts 212, 213, 217, 239, and 252 as follows:
0
1. The authority citation for parts 212, 213, 217, 239, and 252
continues to read as follows:
Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.
PART 212--ACQUISITION OF COMMERCIAL PRODUCTS AND COMMERCIAL
SERVICES
0
2. Amend section 212.301 by adding paragraphs (f)(xvi)(E) and (F) to
read as follows:
212.301 Solicitation provisions and contract clauses for the
acquisition of commercial products and commercial services.
* * * * *
(f) * * *
(xvi) * * *
(E) Use the provision at 252.239-70YY, Preaward Disclosure of
Foreign Obligations--Representation, as prescribed in 239.7X05(a), to
comply with section 1655 of the National Defense Authorization Act for
Fiscal Year 2019 (Pub. L. 115-232).
(F) Use the clause at 252.239-70ZZ, Postaward Disclosure of Foreign
Obligations, as prescribed at 239.7X05(b), to comply with section 1655
of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L.
115-232).
* * * * *
PART 213--SIMPLIFIED ACQUISITION PROCEDURES
0
3. Add section 213.201-70 to read as follows:
213.201-70 Additional general requirements.
Do not procure or obtain, or exercise an option or otherwise extend
a contract relating to, information or operational technology,
cybersecurity, industrial control systems, or weapon systems from a
contractor, including through a subcontractor at any tier, unless the
contractor completes all foreign obligation disclosures in the Catalog
Data Standard within the Electronic Data Access system (<a href="https://piee.eb.mil">https://piee.eb.mil</a>). See subpart 239.7X.
PART 217--SPECIAL CONTRACTING METHODS
0
4. Amend section 217.207 by adding paragraph (c)(3) to read as follows:
217.207 Exercise of options.
(c) * * *
(3) Verifying in the Catalog Data Standard in the Electronic Data
Access system (<a href="https://piee.eb.mil">https://piee.eb.mil</a>) that all foreign obligation
disclosures are completed (see 239.7X).
PART 239--ACQUISITION OF INFORMATION TECHNOLOGY
0
5. Add subpart 239.7X to read as follows:
Subpart 239.7X--Disclosure of Information Regarding Foreign Obligations
Sec.
239.7X00 Scope.
239.7X01 Definitions.
239.7X02 Prohibition.
239.7X03 Exception.
239.7X04 Procedures.
239.7X05 Solicitation provision and contract clause.
SUBPART 239.7X--DISCLOSURE OF INFORMATION REGARDING FOREIGN
OBLIGATIONS
239.7X00 Scope.
This section implements the foreign obligation disclosure
requirements of section 1655(a) and (c) of the National Defense
Authorization Act for Fiscal Year 2019 (Pub. L. 115-232).
239.7X01 Definitions.
As used in this subpart--
Computer code means a set of instructions, rules, or routines
recorded in a form that is capable of causing a computer to perform a
specific operation or series of operations. It includes both source
code and object code.
Open source software means software for which the human-readable
source code is available for use, study, reuse, modification,
enhancement, and redistribution by the users of such software (section
1655, Pub. L. 115-232).
Source code means any collection of code, with or without comments,
written using a human-readable programming language, usually as plain
text. This code is later translated into machine language by a
compiler. The translated code is referred to as object code.
239.7X02 Prohibition.
(a) Contracting officers shall not procure or obtain, or exercise
an option or otherwise extend a contract to procure or obtain, any
products, services, or systems relating to information or operational
technology, cybersecurity, industrial control systems, or weapon
systems through a contract or subcontract at any tier from a
prospective contractor unless the offeror or contractor makes the
disclosures required by section 1655 of the NDAA for FY 2019.
(b) Contracting officers shall ensure that they do not violate the
prohibition by using the provision at 252.239-70YY and the clause at
252.239-70ZZ, as prescribed. The provision requires offerors to provide
the required foreign obligation disclosures, and the clause ensures
that contractors provide updates to foreign obligation disclosures for
the life of the contract.
239.7X03 Exception.
The prohibition at 239.7X02 does not apply to open source software.
239.7X04 Procedures.
(a) Contracting officers shall not award a contract, task order, or
delivery order for information or operational technology,
cybersecurity, industrial control systems, or weapon systems, unless
the prospective contractor has completed all of the foreign obligation
disclosures in the Catalog Data Standard within the Electronic Data
Access (EDA) system (<a href="https://piee.eb.mil">https://piee.eb.mil</a>) and those disclosures are
current, accurate, and complete (see 239.7X02).
(b) Contracting officers shall not exercise an option or extend the
period of performance on a contract, task order, or delivery order for
information or operational technology, cybersecurity, industrial
control systems, or weapons systems, unless the contractor has
completed all of the foreign obligation disclosures in the Catalog Data
Standard within the EDA system (see 239.7X02).
(c) Contracting officers shall work with the program office to
validate that the offeror has completed all of the foreign obligation
disclosures in the Catalog Data Standard within the EDA system.
[[Page 90259]]
(d) Contracting officers shall follow agency procedures, as
applicable, in the event that the program office notifies the
contracting officer that additional steps must be taken prior to award
based on information disclosed in EDA.
239.7X05 Solicitation provision and contract clause.
(a) Use the provision at 252.239-70YY, Preaward Disclosure of
Foreign Obligations--Representation, in solicitations that include the
clause at 252.239-70ZZ.
(b) Use the clause at 252.239-70ZZ, Postaward Disclosure of Foreign
Obligations, in solicitations and contracts, task orders, or delivery
orders, including those using FAR part 12 procedures for the
acquisition of commercial products and commercial services, for the
acquisition of products, services, or systems relating to information
or operational technology, cybersecurity, industrial control systems,
or weapon systems.
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
6. Add sections 252.239-70YY and 252.239-70ZZ to read as follows:
252.239-70YY Preaward Disclosure of Foreign Obligations--
Representation.
As prescribed in 239.7X05(a), use the following provision:
Preaward Disclosure of Foreign Obligations--Representation (Date)
(a) Definitions. As used in this provision, computer code, open
source software, and source code are defined in the Defense Federal
Acquisition Regulation Supplement 252.239-70ZZ, Postaward Disclosure
of Foreign Obligations, clause of this solicitation.
(b) Prohibition on award. In accordance with section 1655 of
Public Law 115-232, no contract for information or operational
technology, cybersecurity, industrial control systems, or weapon
systems may be awarded to an offeror unless the offeror makes the
disclosures described in paragraph (c).
(c) Disclosures. The Offeror shall complete the following
foreign obligation disclosures in the Catalog Data Standard in the
Electronic Data Access (EDA) system (<a href="https://piee.eb.mil">https://piee.eb.mil</a>):
(1) Whether, and if so, when, at any time after August 12, 2013,
the Offeror--
(i) Has allowed a foreign person or foreign government to review
the source code for any product, system, or service that DoD is
using or intends to use, or the computer code for any other than
commercial product, system, or service developed for DoD; or
(ii) Is under any obligation to allow a foreign person or
foreign government to review, as a condition of entering into an
agreement for sale or other transaction with a foreign government or
with a foreign person on behalf of such a government--
(A) The source code for any product, system, or service that DoD
is using or intends to use; or
(B) The computer code for any other than commercial product,
system, or service developed for DoD; and
(2) Whether or not the Offeror holds or has sought a license
pursuant to the Export Administration Regulations (15 CFR chapter
VII, subchapter C) or the International Traffic in Arms Regulations
(22 CFR chapter I, subchapter M) for information technology
products, components, software, or services that contain computer
code custom-developed for the other than commercial product, system,
or service DoD is procuring.
(d) Exception. The prohibition in paragraph (b) of this
provision does not apply to open source software.
(e) Representation. By submission of its offer, the Offeror
represents that it has completed the foreign obligation disclosures
in EDA and the disclosures are current, accurate, and complete.
(End of provision)
252.239-70ZZ Postaward Disclosure of Foreign Obligations.
As prescribed in 239.7X05(b), use the following clause:
Postaward Disclosure of Foreign Obligations (Date)
(a) Definitions. As used in this clause--
Computer code means a set of instructions, rules, or routines
recorded in a form that is capable of causing a computer to perform
a specific operation or series of operations. It includes both
source code and object code.
Open source software means software for which the human-readable
source code is available for use, study, reuse, modification,
enhancement, and redistribution by the users of such software
(section 1655, Pub. L. 115-232).
Source code means any collection of code, with or without
comments, written using a human-readable programming language,
usually as plain text. This code is later translated into machine
language by a compiler. The translated code is referred to as object
code.
(b) Prohibition. The Contractor shall not provide to DoD any
products, services, or systems relating to information or
operational technology, cybersecurity, industrial control systems,
or weapon systems through a contract or subcontract at any tier
unless the Contractor makes the disclosures described in paragraph
(c).
(c) Disclosures. The Contractor shall complete the following
foreign obligation disclosures in the Catalog Data Standard in the
Electronic Data Access (EDA) system (<a href="https://piee.eb.mil">https://piee.eb.mil</a>):
(1) Whether, and if so, when, at any time after August 12, 2013,
the Contractor--
(i) Has allowed a foreign person or foreign government to review
the source code for any product, system, or service that DoD is
using or intends to use, or the computer code for any other than
commercial product, system, or service developed for DoD;
(ii) Is under any obligation to allow a foreign person or
foreign government to review, as a condition of entering into an
agreement for sale or other transaction with a foreign government or
with a foreign person on behalf of such a government--
(A) The source code for any product, system, or service that DoD
is using or intends to use; or
(B) The computer code for any other than commercial product,
system, or service developed for DoD; and
(2) Whether or not the supplier holds or has sought a license
pursuant to the Export Administration Regulations (15 CFR chapter
VII, subchapter C) or the International Traffic in Arms Regulations
(22 CFR chapter I, subchapter M) for information technology
products, components, software, or services that contain computer
code custom-developed for the other than commercial product, system,
or service DoD is using or intends to use.
(d) Maintenance of disclosures. The Contractor shall maintain
its foreign obligation disclosures in EDA for the life of the
contract.
(e) Identification of information requiring disclosure. In the
event the Contractor identifies information requiring disclosure
during contract performance, or the Contractor is notified of such
by a subcontractor at any tier or any other source, the Contractor
shall update its disclosures in EDA and shall disclose any
mitigation measures taken or anticipated.
(f) Exception. The prohibition in paragraph (b) does not apply
to open source software.
(g) Subcontracts. The Contractor shall--
(1) Insert the substance of this clause, including this
paragraph (g), in subcontracts, or other contractual instruments,
for the acquisition of products, services, or systems relating to
information or operational technology, cybersecurity, industrial
control systems, or weapon systems, including those for commercial
products and commercial services; and
(2) Require the subcontractor to complete the foreign obligation
disclosures in EDA prior to awarding a subcontract.
(End of clause)
[FR Doc. 2024-26058 Filed 11-14-24; 8:45 am]
BILLING CODE 6001-FR-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on November 15, 2024.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.