[co-author: Paul Korol]

Cybersecurity, supply chain risks, data rights, software acquisitions, and cost or pricing data are among the procurement-related issues targeted in the Fiscal Year (FY) 2020 National Defense Authorization Act (NDAA), which authorizes $738 billion in defense spending next year, a $21 billion increase from FY 2019. The NDAA contains numerous provisions that will affect government contractors and shape defense acquisition policies for years to come.

President Trump is expected to sign the NDAA (S 1790) into law on December 20, 2019, after the U.S. Congress passed a final bill with strong bicameral support. The final legislation represents a compromise between competing versions of the bill passed by the House and Senate, which we reported on earlier this year.

In a related action, on December 19, 2019, Congress sent President Trump the final version of the 2020 appropriations bill to finalize federal spending. The defense bill, part of a $1.4 trillion government-wide package, would provide $738 billion for the military. Like the NDAA, President Trump is expected to sign the appropriations bill on December 20, 2019.

This update provides an overview of the key procurement-related provisions in the final bill.

Cybersecurity and DoD’s Cloud Strategy

The NDAA contains numerous provisions addressing cybersecurity and cloud computing. These include the following:

• The secretary of defense is required to develop a “consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base” (Section 1648). The Department of Defense (DoD) is preparing to release its Cybersecurity Maturity Model Certification (CMMC) in January 2020. Under CMMC, all defense contractors will be required to be certified for cybersecurity compliance in order to obtain DoD contracts. Although the NDAA stops short of mandating CMMC, Section 1648 specifies certain elements that DoD’s cybersecurity framework must contain, including identifying the standards and requirements imposed on the defense industrial base and the implementation responsibilities of prime contractors and subcontractors.
• The NDAA grants a new mission to the National Security Agency (NSA): to advise and assist DoD in its acquisition and adoption of commercial cybersecurity products and services (Section 1647).
• The new act also directs DoD’s chief information officer and chief data officer to develop a policy to transition DoD data to the cloud (Section 1755).
• DoD also will be required to “reorient the Big Data Platform” by streamlining the collection, querying, analysis, and accessibility of metadata that could help track cybersecurity threats (Section 1651).

Supply Chain Risks

The NDAA includes notable provisions directed at protecting the DoD supply chain against intellectual property theft and other risks:

• The final bill requires the secretary of defense to “modernize” its approach to protecting the integrity of the defense industrial supply chain (Section 845). DoD must “streamline and digitize” its approach to identifying and mitigating supply chain risks and develop an analytical framework for risk mitigation across the acquisition process.
• The NDAA also contains a provision requiring DoD to establish trusted supply chain and operational security standards for the purchase of microelectronics products or services (Section 224).

Space Force

Among the more high-profile provisions in the final bill is the authorization to create a United States Space Force (Sections 951-961). The new agency will inevitably face procurement issues. The legislation creates a Space Force Acquisition Council within the Office of the Secretary of the Air Force to manage Air Force acquisitions for space and ensure integration across the national security space enterprise (Section 945).

Rapid Software Acquisitions

The NDAA will provide new opportunities for DoD to acquire and field new software on expedited timelines (Section 800). Under the new law, DoD will establish at least two new acquisition pathways to procure and field software within one year of obligating funds.

Cost or Pricing Data Requirements

The final bill makes several notable changes to the Truthful Cost or Pricing Data Act, more commonly referred to as the Truth in Negotiations Act (TINA):

• The legislation provides that, in the event that the contracting officer is unable to determine whether an offeror’s prices are fair and reasonable by any other means, an offeror who fails to make a “good faith effort to comply with a reasonable request” by the government to submit “other than certified” cost or pricing data is ineligible for award, absent a finding by the head of the contracting activity that the award is in the government’s best interests (Section 803).
• The NDAA also requires the undersecretary of defense for acquisition and sustainment to produce an annual report identifying offerors that have denied “multiple requests” for other than certified cost or pricing data over the preceding three years but nevertheless received an award (Section 803).
• The NDAA amends TINA to provide that, when determining whether an offeror’s price on a contract or subcontract is fair and reasonable, the contracting officer shall not make such a determination “based solely on historical prices paid by the Government” (Section 803).

Although not as expansive as provisions in the House-passed version of the NDAA, these changes are significant for contractors that provide cost or pricing data to the government.

No Major Changes for Bid Protests

The final bill does not make any significant reforms in the area of bid protests, despite calls by the Section 809 Panel and others to make certain changes in the bid protest system.

Data Rights

One section of the NDAA benefits contractors that provide technical data to the government. Section 808 repeals the DoD’s ability to use a contractor’s non-commercial technical data during a challenge at an agency board of contract appeals or the U.S. Court of Federal Claims under certain circumstances. The repeal means that the government will be unable to use the contractor’s technical data while a data rights dispute is pending.

Other Transactions

The NDAA requires the secretary of defense to report annually to Congress on the DoD’s use of Other Transactions (OTs) to carry out “prototype projects” (Section 819). Congress has encouraged use of OTs and DoD has increasingly used OTs in recent years.

Modified Requirements for Task and Delivery Orders

The final bill eliminates the need for additional approval when an agency awards a task or delivery order worth more than $100 million to a single source when already authorized under one of the exceptions to full and open competition (Section 816).

Security Clearances

The NDAA also authorizes spending and adopts policies affecting the intelligence community through the Intelligence Authorization Act (IAA) for fiscal years 2018-2020. Among the key provisions in the IAA affecting contractors are changes directed at improving the security clearance process (Sections 6601-6613). The statute requires the establishment of a new entity (the Security, Suitability, and Credentialing Performance Accountability Council) to reform the security clearance process with the objective of reducing the timeline for security clearance determinations (Section 6604). A new position of Security Executive Agent will review the process for security clearances and provide recommendations to Congress (Section 6605).

Review of Fixed-Price Contracts

Section 807 adopts a Senate-passed provision requiring DoD to examine the effects of using fixed-price contracts, including an assessment of additional costs or savings, added efficiencies in contract administration, and the effects of fixed-price vehicles on contract closeouts.

Small Business and Section 8(a) Contract Issues

The final bill has several provisions relevant to small business contractors:

• It extends DoD’s pilot Mentor-Protégé Program through the end of FY 2024 (Section 872). That program is intended to increase participation of small businesses by encouraging mentorships with DoD contractors. The bill also eliminates a requirement that, to participate in the program, small businesses must be less than half the size standard corresponding to their primary North American Industry Classification (NAICS) code.
• It eliminates a requirement that DoD issue a “justification and approval” memorandum when it awards a sole-source contract of less than $100 million to so-called 8(a) firms, which include tribes, Alaska Native, and Hawaiian firms (Section 823).

Commercial Goods and Services

The NDAA makes relatively few changes targeting commercial goods or services.

Section 818 provides that, when procuring commercial supplies or services, DoD must document market research at a level “appropriate to the size and complexity of the acquisition” (Section 818).

It also places a new requirement on the General Services Administration’s (GSA) e-commerce initiative, which aims to establish a program to enable government agencies to procure commercial items through a governmentwide e-commerce portal. As part of the initiative, GSA is considering three different commercial models for its portal. The NDAA now requires the GSA to estimate the costs associated with each of those models.

[View source.]