Cybersecurity, artificial intelligence, and nontraditional approaches to procurement are once again areas of legislative focus for Congress in the recently passed Fiscal Year 2022 National Defense Authorization Act (NDAA), which authorizes $768.2 billion in defense spending.
On December 15, the U.S. Senate voted 88 to 11 to pass the NDAA following the U.S. House of Representatives’ passage of the bill (363-70) the previous week, sending the bill to President Biden’s desk for his signature. In addition to authorizing $25 billion more in defense spending than the president requested, the bill contains numerous acquisition policy changes and new initiatives that will affect companies doing business with the U.S. Department of Defense (DoD).
This update provides an overview of key provisions of the final bill relevant to government contractors.
Continued Focus on Cybersecurity—but No Mandatory Breach Notification Bill
As with NDAAs in recent years, cybersecurity is again a priority in this year’s bill—the word “cybersecurity” appears in the bill 223 times and there are nearly 40 cyberspace-related provisions in Title XV of the bill alone. Congress, however, notably did not include a far-reaching proposal to require contractors to report cyber breaches under strict timelines. That provision had been included in an earlier version of the NDAA approved by the House in September 2021, but was ultimately dropped from the final bill. Among other things, the final bill:
- Requires DoD’s chief information officer and commander of the U.S. Cyber Command to jointly develop a “zero trust strategy” to be implemented across DoD’s information network, including classified systems (Section 1528).
- Expands the authority of the Cybersecurity Infrastructure and Security Agency (CISA) to identify threats to industrial control systems (Section 1541). It also establishes a pilot program on public-private partnerships to detect and disrupt cyber threats (Section 1550), creates a National Cyber Incident Response Plan (Section 1547), and extends a cyber-risk monitoring pilot program (CyberSentry) related to critical infrastructure (Section 1548).
- Calls for an assessment of DoD’s Controlled Unclassified Information (CUI) program that includes recommended regulatory and policy changes to “ensure consistency and clarity” in the identification and marking of CUI (Section 1526). Currently, identifying the extent to which documents constitute CUI requiring safeguarding can be challenging for industry.
- Requires DoD to designate an executive agent responsible for establishing a new program management office focused on DoD-wide procurement of cyber data products and services (Section 1521). The new office signals potential opportunities for companies.
- Requires DoD to report to Congress on the cost impact on small businesses of DoD’s Cybersecurity Maturity Model Certification (CMMC) program (Section 886). It also requires DoD to submit a report to Congress within 90 days on DoD’s plans for CMMC (Section 1533). DoD recently announced Version 2.2 of its cybersecurity assessment regime with plans to pursue a CMMC rulemaking process that could take years.
Artificial Intelligence, Machine Learning, and Innovative Technology
As with the FY 2021 NDAA, the bill contains several provisions focused on artificial intelligence (AI) and machine learning (ML) that underscore Congress’ ongoing support for acquiring AI solutions from commercial vendors, and a recognition of the challenges associated with that objective. The bill:
- Authorizes new investments in AI. Among other things, it provides $57 million for DoD’s new AI and Data Acceleration (ADA) Initiative, which is focused on the adoption of AI capabilities within DoD components using operational data teams.
- Requires DoD to modify its AI-focused Joint Common Foundation program—a cloud-based AI development and experimentation platform managed by DoD’s Joint Artificial Intelligence Center (JAIC)—to ensure that DoD “can more easily contract with leading commercial artificial intelligence companies to support the rapid and efficient” development and deployment of AI (Section 227). The bill requires DoD to take actions necessary “to increase the number of commercial artificial intelligence companies” eligible to provide support to DoD and using commercial item contracting processes under Federal Acquisition Regulation (FAR) Part 12 “to the maximum extent possible.”
- Directs DoD to assess potential applications of AI and digital technology to DoD’s platforms, processes, and operations, and to establish performance objectives and metrics. (Section 226). The bill also creates a pilot program to establish “data repositories” to facilitate the development of AI capabilities for DoD (Section 232).
- Requires DoD to submit reports and briefings to Congress on DoD’s implementation of recommendations made by the National Security Commission on Artificial Intelligence (NSCAI) (Section 247). The NSCAI’s March 2021 report to Congress and the president called for legislation and policy changes as part of a comprehensive defense and national security strategy for “winning the artificial intelligence era.”
- Authorizes DoD to expand the efforts of the Defense Innovation Unit (DIU) to engage with industry and communities and accelerate technology adoption (Section 213).
Commercial Acquisitions and Nontraditional Procurement
Several provisions in the bill highlight Congress’s continued interest in commercial technology and nontraditional acquisition methodologies that are not subject to FAR requirements. Indeed, the final bill:
- Permanently authorizes DoD’s use of Commercial Solutions Openings (CSO) to acquire “innovative” commercial products and services (Section 803). Using a competition involving a general solicitation and peer review of proposals, CSO competitions target small businesses and commercial companies, but without the restrictions applicable to FAR-based procurements. The Senate Armed Services Committee’s report explains that the Air Force and the Defense Innovation Unit have successfully used CSOs with commercial firms.
- Establishes a pilot program to develop and implement “unique acquisition mechanisms for emerging technologies” (Section 833). In support of the program, the Senate Armed Services Committee states that “more work is required” to improve DoD acquisition.
- Requires DoD to assess impediments and incentives required by existing law regarding preferences for the acquisition of commercial products and services (Section 807). The Senate Armed Services Committee cited concerns that DoD components too often choose custom solutions instead of buying commercial technology.
- Requires DoD to review its use of its Other Transaction (OT) authority under 10 U.S.C. §§ 2371 and 2371b, to make recommendations to Congress as to whether its authority should be modified or expanded (Section 824). In recent years, DoD has increasingly used OTs to fund prototype projects and follow-on procurements, including during the COVID-19 pandemic. The Senate Armed Services Committee, however, cited concerns about “differing interpretations by Department of Defense counsels” regarding the OT statute, resulting in inconsistencies and “confusion among industry and Government personnel.” The bill also requires DoD to establish procedures to identify OT agreements awarded to entities (Section 825). The Senate Armed Services Committee expressed concerns about a “lack of transparency” regarding OTs awarded to consortiums, citing an April 2021 DoD Inspector General report finding that DoD did not always plan and execute OTs awarded to consortiums in accordance with law.
Other Government Contracting Provisions
Among the other provisions in the bill related to acquisition:
- Repeal of Fixed-Price Contract Preference. The bill repeals a statutory provision giving a preference for fixed-price contracts over cost-type contracts in DoD acquisitions (Section 817). Under a provision in the FY 2017 NDAA, DoD has been requiring contracting officers to consider the use of fixed-price contracts and, for certain high-value contracts, to obtain special approval before awarding cost-type contracts. Although those requirements were intended to control costs on large DoD programs, according to the House Armed Services Committee’s report on the NDAA, they resulted in procedural delays that have hindered innovative advances in weapon system programs. With those requirements repealed, DoD will have more flexibility to select contract types that are appropriate for the specific product or service it is acquiring.
- Domestic Preferences. The bill requires DoD to submit annual reports to Congress on violations of domestic preference laws, including the name of the contractor involved (Section 809).
- Supply Chain Restrictions. The bill prohibits procurements by DoD of products mined, produced, or manufactured by forced labor from the Xinjiang Uyghur Autonomous Region (Section 848). It also delays until January 2027 a restriction on DoD’s acquisition of printed circuit boards sourced from China, North Korea, Russia, and Iran (Section 851).
- R&D. The bill increases funding for research and development (R&D), including almost $117 billion for new science and technology. For example, the bill funds a national network for microelectronics R&D, and cooperation with the secretary of energy for R&D focused on alternatives to critical minerals with the aim of strengthening the supply chain (Sections 217 and 845). Overall, the R&D authorization is a $5.9 billion increase above the president’s budget request and includes an almost 25% increase in defensewide basic research, applied research, and advanced technology development.