Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations (DFARS Case 2018-D064), 90254-90259 [2024-26058]

Federal Register / Vol. 89, No. 221 / Friday, November 15, 2024 / Proposed Rules
DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 212, 213, 217, 239, and 252

[Docket DARS–2024–0034]

RIN 0750–AK23

Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations (DFARS Case 2018–D064)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Proposed rule.

SUMMARY: DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a section of the National Defense Authorization Act for Fiscal Year 2019, which prohibits DoD from acquiring products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems through a contract unless the offeror or contractor provides disclosures related to sharing source code and computer code with foreign governments.

DATES: Comments on the proposed rule should be submitted in writing to the address shown below on or before January 14, 2025, to be considered in the formation of a final rule.

ADDRESSES: Submit comments identified by DFARS Case 2018–D064, using either of the following methods:

• Federal eRulemaking Portal: https://www.regulations.gov. Search for DFARS Case 2018–D064. Select "Comment" and follow the instructions to submit a comment. Please include "DFARS Case 2018–D064" on any attached documents.
• Email: osd.dfars@mail.mil. Include DFARS Case 2018–D064 in the subject line of the message.

Comments received generally will be posted without change to https://www.regulations.gov, including any personal information provided. To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission to verify posting.

FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571–296–7152.

SUPPLEMENTARY INFORMATION:

I. Background

DoD is proposing to revise the DFARS to implement section 1655(a) and (c) of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (Pub. L. 115–232). Section 1655(a) prohibits DoD from acquiring products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems through a contract unless the offeror or contractor provides disclosures related to sharing source code and computer code with foreign governments. Section 1655(c) requires contracts for those products, services, or systems to include a clause requiring the disclosures during the contract period of performance if an entity becomes aware of information requiring disclosure.

The first part of the disclosure is related to whether, after August 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign government to review the code of a noncommercial product, system, or service developed for DoD.

The second part of the disclosure pertains to whether, after August 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign government in a list required by section 1654 of the NDAA for FY 2019 to review the source code of a product, system, or service that DoD is using or intends to use.

The third part of the disclosure is related to whether the entity making the disclosure holds or has sought a license pursuant to the Export Administration Regulations (15 CFR chapter VII, subchapter C), the International Traffic in Arms Regulations (22 CFR chapter I, subchapter M), or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the noncommercial product, system, or service DoD is using or intends to use.
Once the disclosures are provided to DoD, and if the Secretary of Defense determines that the disclosure relating to a product, system, or service entails a risk to the national security infrastructure or data of the United States, or any national security system under the control of DoD, section 1655 requires the Secretary to take such measures as the Secretary considers appropriate to mitigate such risks. In addition, as the Secretary considers appropriate, the Secretary may condition any agreement for the use, procurement, or acquisition of the product, system, or service on the inclusion of enforceable conditions or requirements that would mitigate such risks.

II. Discussion and Analysis

This proposed rule includes a new subpart, 239.7X, Disclosure of Information Regarding Foreign Obligations. Section 239.7X00 describes the statutory requirement implemented in the new subpart. Section 239.7X01 includes new definitions of computer code, open source software, and source code. The new subpart includes the section 1655 prohibition at 239.7X02. Section 239.7X03 clarifies that the prohibition does not apply to open source software.

A section on procedures was added at 239.7X04 to require contracting officers to validate in the Catalog Data Standard within the Electronic Data Access (EDA) system (https://piee.eb.mil) that offerors or contractors have completed all foreign obligation disclosures prior to awarding a contract or exercising an option. Section 1655 prohibits DoD from using a product, service, or system procured or acquired under certain awards unless foreign obligation disclosures have been made. This proposed rule requires completion of the foreign obligation disclosures prior to exercising an option to ensure DoD complies with the statutory intent.

Section 239.7X05 provides prescriptions for a new solicitation provision and contract clause.
The new provision is prescribed for use in solicitations that include the clause at 252.239–70ZZ, Postaward Disclosure of Foreign Obligations. The new clause is prescribed for use in solicitations and contracts, task orders, or delivery orders, for the acquisition of products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems, including those using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial products and commercial services.

The purpose of the provision at 252.239–70YY, Preaward Disclosure of Foreign Obligations—Representation, is to notify offerors that they will be required to make disclosures within the Catalog Data Standard in the Electronic Data Access (EDA) system (https://piee.eb.mil) in order to be eligible for award. While there are three distinct disclosures, the provision identifies the first and second disclosures in one paragraph at 252.239–70YY, paragraph (c)(1), for clarity. The third disclosure is identified at paragraph (c)(2). This provision includes a requirement for all offerors to represent by submission of the offer that the information on the foreign disclosures the offeror has made within the Catalog Data Standard in EDA is current, accurate, and complete.

The purpose of the clause at 252.239–70ZZ, Postaward Disclosure of Foreign Obligations, is to require contractors to maintain their disclosures in the Catalog Data Standard within EDA and flow down the requirement to maintain disclosures in the Catalog Data Standard within EDA to subcontractors. Similar to the provision, while there are three distinct disclosures, the clause identifies the first and second disclosures in one paragraph at 252.239–70XX, paragraph (b)(1), for clarity. The third disclosure is identified at paragraph (b)(2).
The clause also requires contractors to require their subcontractors to complete foreign obligation disclosures in the Catalog Data Standard in EDA prior to awarding the subcontract.

Language was added at part 212 to apply the provision and clause to the acquisition of commercial products and commercial services. In part 213, language was added to apply the requirement to disclose foreign obligations at or below the micro-purchase threshold. Language was also added at part 217 to instruct the contracting officer to exercise options only after verifying in the Catalog Data Standard in the EDA system (https://piee.eb.mil) that all disclosures have been completed.

III. Applicability to Contracts At or Below the Simplified Acquisition Threshold (SAT) and for Commercial Services and Commercial Products, Including Commercially Available Off-the-Shelf (COTS) Items

This proposed rule proposes a new provision and clause to implement the requirements of section 1655 of the NDAA for FY 2019: (1) DFARS 252.239–70YY, Preaward Disclosure of Foreign Obligations-Representation; and (2) DFARS 252.239–70ZZ, Postaward Disclosure of Foreign Obligations. The provision at DFARS 252.239–70YY is prescribed at DFARS 239.7X05(a) for use in solicitations that include the clause at DFARS 252.239–70ZZ. The clause at DFARS 252.239–70ZZ is prescribed at DFARS 239.7X05(b) for use in solicitations and contracts for the acquisition of products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services.

DoD does intend to apply the proposed rule to contracts at or below the SAT.
DoD does intend to apply the proposed rule to contracts for the acquisition of commercial products including COTS items and for the acquisition of commercial services.

A. Applicability to Contracts At or Below the Simplified Acquisition Threshold

The statute at 41 U.S.C. 1905 governs the applicability of laws to contracts or subcontracts in amounts not greater than the simplified acquisition threshold. It is intended to limit the applicability of laws to such contracts or subcontracts. The statute at 41 U.S.C. 1905 provides that if a provision of law contains criminal or civil penalties, or if the Federal Acquisition Regulatory Council makes a written determination that it is not in the best interest of the Federal Government to exempt contracts or subcontracts at or below the SAT, the law will apply to them. The Principal Director, Defense Pricing, Contracting, and Acquisition Policy (DPCAP), is the appropriate authority to make comparable determinations for regulations to be published in the DFARS, which is part of the FAR system of regulations. DoD does intend to make that determination. Therefore, this proposed rule will apply at or below the simplified acquisition threshold.

B. Applicability to Contracts for the Acquisition of Commercial Products Including COTS Items and for the Acquisition of Commercial Services

The statute at 10 U.S.C.
3452 exempts contracts and subcontracts for the acquisition of commercial products including COTS items, and commercial services from provisions of law enacted after October 13, 1994, unless the Under Secretary of Defense (Acquisition and Sustainment) (USD(A&S)) makes a written determination that it would not be in the best interest of DoD to exempt contracts for the procurement of commercial products and commercial services from the applicability of the provision or contract requirement, except for a provision of law that—

• Provides for criminal or civil penalties;
• Requires that certain articles be bought from American sources pursuant to 10 U.S.C. 4862, or that strategic materials critical to national security be bought from American sources pursuant to 10 U.S.C. 4863; or
• Specifically refers to 10 U.S.C. 3452 and states that it shall apply to contracts and subcontracts for the acquisition of commercial products (including COTS items) and commercial services.

The statute implemented in this proposed rule does not impose criminal or civil penalties, does not require purchase pursuant to 10 U.S.C. 4862 or 4863, and does not refer to 10 U.S.C. 3452. Therefore, section 1655 of the NDAA for FY 2019 will not apply to the acquisition of commercial services or commercial products including COTS items unless a written determination is made. Due to delegations of authority, the Principal Director, DPCAP is the appropriate authority to make this determination. DoD intends to make that determination to apply this statute to the acquisition of commercial products including COTS items and to the acquisition of commercial services. Therefore, this proposed rule will apply to the acquisition of commercial products including COTS items and to the acquisition of commercial services.

C. Determinations

Given that the requirements of section 1655 of the NDAA for FY 2019 were enacted to require disclosures of foreign obligations by contractors for contracts that include products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems and since products, services, or systems related to information or operational technology, cybersecurity, industrial control systems or weapon systems can include COTS items and awards at or below the SAT, it is in the best interest of the Federal Government to apply the statute to contracts for the acquisition of commercial services and commercial products, including COTS items, as defined at Federal Acquisition Regulation 2.101 and awards that are at or below the SAT. An exception for contracts for the acquisition of commercial services and commercial products, including COTS items, or for contracts or subcontracts valued at or below the SAT, would exclude the contracts intended to be covered by the law, thereby undermining the overarching public policy purpose of the law.

IV. Expected Impact of the Rule

The proposed rule implements section 1655 of the NDAA for FY 2019, which prohibits DoD from acquiring products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems through a contract unless the offeror or contractor provides disclosures related to sharing source code and computer code with foreign governments.

Based on data from the Federal Procurement Data System, DoD issued approximately 36,677 new awards for information technology and weapon systems to approximately 4,147 unique entities per year on average from FY 2021 through FY 2023.
DoD assumes this number will cover awardees for information or operational technology, cybersecurity, industrial control systems, and weapon systems, as there is no way to track individual awards for operational technology, industrial control systems, and cybersecurity. Of the 4,147 unique entities, on average, that received awards each year, an average of approximately 17,100 awards were made to 2,667 unique small entities from FY 2021 through FY 2023. DoD assumes that the clause will apply to the estimated 4,147 unique entities, including the 2,667 unique small entities.

DoD does not have a way to track the number of unique offerors per award, so DoD estimates that the number of offerors is the number of unique entities that received awards (i.e., 4,147) multiplied by a factor of three, representing three offerors per award. Therefore, the estimated number of offerors is three times the average number of entities that received information technology and weapon systems awards for FY 2021 through FY 2023 (4,147 entities × 3), or 12,441, of which 8,002 are estimated to be small entities.

The proposed changes will require offerors for products, services, or systems related to information or operational technology, cybersecurity, industrial control systems, or weapon systems to make certain disclosures in the Catalog Data Standard within EDA (https://piee.eb.mil) regarding whether they have shared certain source code and computer code with foreign persons or governments any time since August 12, 2013. During contract performance, prior to the exercise of any option, contractors will be required to update their disclosures in the Catalog Data Standard within EDA.

V. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is not a significant regulatory action and, therefore, was not subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, as amended.

VI. Regulatory Flexibility Act

DoD does not expect this proposed rule, when finalized, to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because the rule is only applied to awards for products, services, or systems related to information or operational technology, cybersecurity, industrial control systems, or weapon systems. However, an initial regulatory flexibility analysis has been performed and is summarized as follows:

This proposed rule is necessary to implement section 1655 of the NDAA for FY 2019. Section 1655 prohibits DoD from using a product, service, or system relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems provided by an entity unless that entity makes certain disclosures. The disclosures required by the statute have three parts.
The first part of the disclosures is related to whether, since August 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign government to review the code of an other than commercial product, system, or service developed for DoD.

The second part of the disclosure pertains to whether, since August 12, 2013, the entity making the disclosure has allowed, or is under an obligation to allow, a foreign government in the list required by section 1654 of the NDAA for FY 2019 to review the source code of a product, system, or service that DoD is using or intends to use.

The third part of the disclosure is related to whether the entity making the disclosure holds or has sought a license pursuant to the Export Administration Regulations (15 CFR chapter VII, subchapter C), the International Traffic in Arms Regulations (22 CFR chapter I, subchapter M), or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the other than commercial product, system, or service DoD is using or intends to use.

Once the disclosures are provided to DoD, and if the Secretary of Defense determines that the disclosure relating to a product, system, or service entails a risk to the national security infrastructure or data of the United States, or any national security system under the control of DoD, section 1655 requires the Secretary to take such measures as the Secretary considers appropriate to mitigate such risks.

The objective of this proposed rule is to implement the statutory requirement for offeror, contractor, and subcontractor disclosures under section 1655 of the NDAA for FY 2019 prior to award and during contract performance. The legal basis for the proposed rule is section 1655 of the NDAA for FY 2019.
The proposed rule applies to offerors, contractors, and subcontractors for information or operational technology, cybersecurity, industrial control systems, or weapon systems. Based on data from the Federal Procurement Data System, DoD issued approximately 36,677 awards to 4,147 entities, of which 17,100 awards were made to 2,667 small entities, for information technology and weapon systems, on average, from FY 2021 through FY 2023. DoD assumes these numbers will cover small entities awarded contracts for products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, and weapon systems, as there is no way to track individual awards for operational technology, cybersecurity, and industrial control systems. In order to estimate the number of offerors for information or operational technology, cybersecurity, industrial control systems, and weapon systems, DoD assumes the number of offerors will be the 4,147 awardees multiplied by a factor of three, or 12,441 offerors, of which 8,002 are estimated to be small entities.

This proposed rule does impose new reporting, recordkeeping, or other compliance requirements for small entities. These reporting requirements would apply to any offerors that are small entities for a contract for information or operational technology, cybersecurity, industrial control systems, and weapon systems. These small entities will be required to make disclosures within the Catalog Data Standard within the EDA system (https://piee.eb.mil) in order to be eligible for award and will be required to represent that the disclosures are current, accurate, and complete. Contractors whose contracts contain the clause 252.239–70ZZ, Postaward Disclosure of Foreign Obligations, will be required to maintain their disclosures in EDA and flow down the requirement to maintain disclosures in EDA to subcontracts and other contractual instruments.
The proposed rule does not duplicate, overlap, or conflict with any other Federal rules.

There are no known alternatives that would accomplish the stated objectives of the applicable statute.

DoD invites comments from small business concerns and other interested parties on the expected impact of this proposed rule on small entities.

DoD will also consider comments from small entities concerning the existing regulations in subparts affected by this proposed rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (DFARS Case 2018–D064) in correspondence.

VII. Paperwork Reduction Act

This proposed rule contains information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35). Accordingly, DoD has submitted a request for approval of a new information collection requirement concerning DFARS Case 2018–D064, Disclosure of Information Regarding Foreign Obligations, to the Office of Management and Budget.

A. Estimate of Public Burden

Public reporting burden for this collection of information is estimated to average 0.5 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information.

The annual reporting burden is estimated as follows:

Respondents: 12,441.
Total annual responses: 14,515.
Total annual burden hours: 7,257.5.

B. Request for Comments Regarding Paperwork Burden

Written comments and recommendations on the proposed information collection, including suggestions for reducing this burden, should be submitted using the Federal eRulemaking Portal at https://www.regulations.gov or by email to osd.dfars@mail.mil. Comments can be received up to 60 days after the date of this notice.
Public comments are particularly invited on: whether this collection of information is necessary for the proper performance of the functions of DoD, including whether the information will have practical utility; the accuracy of DoD's estimate of the burden of this information collection; ways to enhance the quality, utility, and clarity of the information to be collected; and ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology.

To obtain a copy of the supporting statement and associated collection instruments, please email osd.dfars@mail.mil. Include DFARS Case 2018–D064 in the subject line of the message.

List of Subjects in 48 CFR Parts 212, 213, 217, 239, and 252

Government procurement.

Jennifer D. Johnson, Editor/Publisher, Defense Acquisition Regulations System.

Therefore, the Defense Acquisition Regulations System proposes to amend 48 CFR parts 212, 213, 217, 239, and 252 as follows:

■ 1. The authority citation for parts 212, 213, 217, 239, and 252 continues to read as follows:

Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

PART 212—ACQUISITION OF COMMERCIAL PRODUCTS AND COMMERCIAL SERVICES

■ 2. Amend section 212.301 by adding paragraphs (f)(xvi)(E) and (F) to read as follows:

212.301 Solicitation provisions and contract clauses for the acquisition of commercial products and commercial services.

* * * * *
(f) * * *
(xvi) * * *
(E) Use the provision at 252.239–70YY, Preaward Disclosure of Foreign Obligations—Representation, as prescribed in 239.7X05(a), to comply with section 1655 of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115–232).
(F) Use the clause at 252.239–70ZZ, Postaward Disclosure of Foreign Obligations, as prescribed at 239.7X05(b), to comply with section 1655 of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115–232).
* * * * *

PART 213—SIMPLIFIED ACQUISITION PROCEDURES

■ 3. Add section 213.201–70 to read as follows:

213.201–70 Additional general requirements.

Do not procure or obtain, or exercise an option or otherwise extend a contract relating to, information or operational technology, cybersecurity, industrial control systems, or weapon systems from a contractor, including through a subcontractor at any tier, unless the contractor completes all foreign obligation disclosures in the Catalog Data Standard within the Electronic Data Access system (https://piee.eb.mil). See subpart 239.7X.

PART 217—SPECIAL CONTRACTING METHODS

■ 4. Amend section 217.207 by adding paragraph (c)(3) to read as follows:

217.207 Exercise of options.

(c) * * *
(3) Verifying in the Catalog Data Standard in the Electronic Data Access system (https://piee.eb.mil) that all foreign obligation disclosures are completed (see 239.7X).

PART 239—ACQUISITION OF INFORMATION TECHNOLOGY

■ 5. Add subpart 239.7X to read as follows:

Subpart 239.7X—Disclosure of Information Regarding Foreign Obligations

Sec.
239.7X00 Scope.
239.7X01 Definitions.
239.7X02 Prohibition.
239.7X03 Exception.
239.7X04 Procedures.
239.7X05 Solicitation provision and contract clause.

SUBPART 239.7X—DISCLOSURE OF INFORMATION REGARDING FOREIGN OBLIGATIONS

239.7X00 Scope.

This section implements the foreign obligation disclosure requirements of section 1655(a) and (c) of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115–232).

239.7X01 Definitions.

As used in this subpart—

Computer code means a set of instructions, rules, or routines recorded in a form that is capable of causing a computer to perform a specific operation or series of operations. It includes both source code and object code.
    Open source software means software for which the human-readable source code is available for use, study, reuse, modification, enhancement, and redistribution by the users of such software (section 1655, Pub. L. 115–232).
    Source code means any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. This code is later translated into machine language by a compiler. The translated code is referred to as object code.

239.7X02 Prohibition.

    (a) Contracting officers shall not procure or obtain, or exercise an option or otherwise extend a contract to procure or obtain, any products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems through a contract or subcontract at any tier from a prospective contractor unless the offeror or contractor makes the disclosures required by section 1655 of the NDAA for FY 2019.
    (b) Contracting officers shall ensure that they do not violate the prohibition by using the provision at 252.239–70YY and the clause at 252.239–70ZZ, as prescribed. The provision requires offerors to provide the required foreign obligation disclosures, and the clause ensures that contractors provide updates to foreign obligation disclosures for the life of the contract.

239.7X03 Exception.

    The prohibition at 239.7X02 does not apply to open source software.

239.7X04 Procedures.

    (a) Contracting officers shall not award a contract, task order, or delivery order for information or operational technology, cybersecurity, industrial control systems, or weapon systems, unless the prospective contractor has completed all of the foreign obligation disclosures in the Catalog Data Standard within the Electronic Data Access (EDA) system (https://piee.eb.mil) and those disclosures are current, accurate, and complete (see 239.7X02).
    (b) Contracting officers shall not exercise an option or extend the period of performance on a contract, task order, or delivery order for information or operational technology, cybersecurity, industrial control systems, or weapons systems, unless the contractor has completed all of the foreign obligation disclosures in the Catalog Data Standard within the EDA system (see 239.7X02).
    (c) Contracting officers shall work with the program office to validate that the offeror has completed all of the foreign obligation disclosures in the Catalog Data Standard within the EDA system.
    (d) Contracting officers shall follow agency procedures, as applicable, in the event that the program office notifies the contracting officer that additional steps must be taken prior to award based on information disclosed in EDA.

239.7X05 Solicitation provision and contract clause.

    (a) Use the provision at 252.239–70YY, Preaward Disclosure of Foreign Obligations—Representation, in solicitations that include the clause at 252.239–70ZZ.
    (b) Use the clause at 252.239–70ZZ, Postaward Disclosure of Foreign Obligations, in solicitations and contracts, task orders, or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, for the acquisition of products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems.

PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

■ 6. Add sections 252.239–70YY and 252.239–70ZZ to read as follows:

252.239–70YY Preaward Disclosure of Foreign Obligations—Representation.

    As prescribed in 239.7X05(a), use the following provision:

Preaward Disclosure of Foreign Obligations—Representation (Date)

    (a) Definitions. As used in this provision, computer code, open source software, and source code are defined in the Defense Federal Acquisition Regulation Supplement 252.239–70ZZ, Postaward Disclosure of Foreign Obligations, clause of this solicitation.
    (b) Prohibition on award. In accordance with section 1655 of Public Law 115–232, no contract for information or operational technology, cybersecurity, industrial control systems, or weapon systems may be awarded to an offeror unless the offeror makes the disclosures described in paragraph (c).
    (c) Disclosures. The Offeror shall complete the following foreign obligation disclosures in the Catalog Data Standard in the Electronic Data Access (EDA) system (https://piee.eb.mil):
    (1) Whether, and if so, when, at any time after August 12, 2013, the Offeror—
    (i) Has allowed a foreign person or foreign government to review the source code for any product, system, or service that DoD is using or intends to use, or the computer code for any other than commercial product, system, or service developed for DoD; or
    (ii) Is under any obligation to allow a foreign person or foreign government to review, as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government—
    (A) The source code for any product, system, or service that DoD is using or intends to use; or
    (B) The computer code for any other than commercial product, system, or service developed for DoD; and
    (2) Whether or not the Offeror holds or has sought a license pursuant to the Export Administration Regulations (15 CFR chapter VII, subchapter C) or the International Traffic in Arms Regulations (22 CFR chapter I, subchapter M) for information technology products, components, software, or services that contain computer code custom-developed for the other than commercial product, system, or service DoD is procuring.
    (d) Exception. The prohibition in paragraph (b) of this provision does not apply to open source software.
    (e) Representation. By submission of its offer, the Offeror represents that it has completed the foreign obligation disclosures in EDA and the disclosures are current, accurate, and complete.

(End of provision)

252.239–70ZZ Postaward Disclosure of Foreign Obligations.

    As prescribed in 239.7X05(b), use the following clause:

Postaward Disclosure of Foreign Obligations (Date)

    (a) Definitions. As used in this clause—
    Computer code means a set of instructions, rules, or routines recorded in a form that is capable of causing a computer to perform a specific operation or series of operations. It includes both source code and object code.
    Open source software means software for which the human-readable source code is available for use, study, reuse, modification, enhancement, and redistribution by the users of such software (section 1655, Pub. L. 115–232).
    Source code means any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. This code is later translated into machine language by a compiler. The translated code is referred to as object code.
    (b) Prohibition. The Contractor shall not provide to DoD any products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems through a contract or subcontract at any tier unless the Contractor makes the disclosures described in paragraph (c).
    (c) Disclosures. The Contractor shall complete the following foreign obligation disclosures in the Catalog Data Standard in the Electronic Data Access (EDA) system (https://piee.eb.mil):
    (1) Whether, and if so, when, at any time after August 12, 2013, the Contractor—
    (i) Has allowed a foreign person or foreign government to review the source code for any product, system, or service that DoD is using or intends to use, or the computer code for any other than commercial product, system, or service developed for DoD;
    (ii) Is under any obligation to allow a foreign person or foreign government to review, as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government—
    (A) The source code for any product, system, or service that DoD is using or intends to use; or
    (B) The computer code for any other than commercial product, system, or service developed for DoD; and
    (2) Whether or not the supplier holds or has sought a license pursuant to the Export Administration Regulations (15 CFR chapter VII, subchapter C) or the International Traffic in Arms Regulations (22 CFR chapter I, subchapter M) for information technology products, components, software, or services that contain computer code custom-developed for the other than commercial product, system, or service DoD is using or intends to use.
    (d) Maintenance of disclosures. The Contractor shall maintain its foreign obligation disclosures in EDA for the life of the contract.
    (e) Identification of information requiring disclosure. In the event the Contractor identifies information requiring disclosure during contract performance, or the Contractor is notified of such by a subcontractor at any tier or any other source, the Contractor shall update its disclosures in EDA and shall disclose any mitigation measures taken or anticipated.
    (f) Exception. The prohibition in paragraph (b) does not apply to open source software.
    (g) Subcontracts. The Contractor shall—
    (1) Insert the substance of this clause, including this paragraph (g), in subcontracts, or other contractual instruments, for the acquisition of products, services, or systems relating to information or operational technology, cybersecurity, industrial control systems, or weapon systems, including those for commercial products and commercial services; and
    (2) Require the subcontractor to complete the foreign obligation disclosures in EDA prior to awarding a subcontract.

(End of clause)

[FR Doc. 2024–26058 Filed 11–14–24; 8:45 am]
BILLING CODE 6001–FR–P


[Federal Register Volume 89, Number 221 (Friday, November 15, 2024)]
[Proposed Rules]
[Pages 90254-90259]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-26058]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 212, 213, 217, 239, and 252

[Docket DARS-2024-0034]
RIN 0750-AK23


Defense Federal Acquisition Regulation Supplement: Disclosure of 
Information Regarding Foreign Obligations (DFARS Case 2018-D064)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: DoD is proposing to amend the Defense Federal Acquisition 
Regulation Supplement (DFARS) to implement a section of the National 
Defense Authorization Act for Fiscal Year 2019, which prohibits DoD 
from acquiring products, services, or systems relating to information 
or operational technology, cybersecurity, industrial control systems, 
or weapon systems through a contract unless the offeror or contractor 
provides disclosures related to sharing source code and computer code 
with foreign governments.

DATES: Comments on the proposed rule should be submitted in writing to 
the address shown below on or before January 14, 2025, to be considered 
in the formation of a final rule.

ADDRESSES: Submit comments identified by DFARS Case 2018-D064, using 
either of the following methods:
    ○ Federal eRulemaking Portal: https://www.regulations.gov. 
Search for DFARS Case 2018-D064. Select ``Comment'' and follow the 
instructions to submit a comment. Please include ``DFARS Case 2018-
D064'' on any attached documents.
    ○ Email: [email protected]. Include DFARS Case 2018-D064 in 
the subject line of the message.
    Comments received generally will be posted without change to 
https://www.regulations.gov, including any personal information 
provided. To confirm receipt of your comment(s), please check 
https://www.regulations.gov, approximately two to three days after 
submission to verify posting.

FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571-
296-7152.

SUPPLEMENTARY INFORMATION:

I. Background

    DoD is proposing to revise the DFARS to implement section 1655(a) 
and (c) of the National Defense Authorization Act (NDAA) for Fiscal 
Year (FY) 2019 (Pub. L. 115-232). Section 1655(a) prohibits DoD from 
acquiring products, services, or systems relating to information or 
operational technology, cybersecurity, industrial control systems, or 
weapon systems through a contract unless the offeror or contractor 
provides disclosures related to sharing source code and computer code 
with foreign governments. Section 1655(c) requires contracts for those 
products, services, or systems to include a clause requiring the 
disclosures during the contract period of performance if an entity 
becomes aware of information requiring disclosure.
    The first part of the disclosure is related to whether, after 
August 12, 2013, the entity making the disclosure has allowed, or is 
under an obligation to allow, a foreign government to review the code 
of a noncommercial product, system, or service developed for DoD. The 
second part of the disclosure pertains to whether, after August 12, 
2013, the entity making the disclosure has allowed, or is under an 
obligation to allow, a foreign government in a list required by section 
1654 of the NDAA for FY 2019 to review the source code of a product, 
system, or service that DoD is using or intends to use.
    The third part of the disclosure is related to whether the entity 
making the disclosure holds or has sought a license pursuant to the 
Export Administration Regulations (15 CFR chapter VII, subchapter C), 
the International Traffic in Arms Regulations (22 CFR chapter I, 
subchapter M), or successor regulations, for information technology 
products, components, software, or services that contain code custom-
developed for the noncommercial product, system, or service DoD is 
using or intends to use.
    Once the disclosures are provided to DoD, and if the Secretary of 
Defense determines that the disclosure relating to a product, system, 
or service entails a risk to the national security infrastructure or 
data of the United States, or any national security system under the 
control of DoD, section 1655 requires the Secretary to take such 
measures as the Secretary considers appropriate to mitigate such risks. 
In addition, as the Secretary considers appropriate, the Secretary may 
condition any agreement for the use, procurement, or acquisition of the 
product, system, or service on the inclusion of enforceable conditions 
or requirements that would mitigate such risks.

II. Discussion and Analysis

    This proposed rule includes a new subpart, 239.7X, Disclosure of 
Information Regarding Foreign Obligations. Section 239.7X00 describes 
the statutory requirement implemented in the new subpart. Section 
239.7X01 includes new definitions of computer code, open source 
software, and source code. The new subpart includes the section 1655 
prohibition at 239.7X02. Section 239.7X03 clarifies that the 
prohibition does not apply to open source software.
    A section on procedures was added at 239.7X04 to require 
contracting officers to validate in the Catalog Data Standard within 
the Electronic Data Access (EDA) system (https://piee.eb.mil) that 
offerors or contractors have completed all foreign obligation 
disclosures prior to awarding a contract or exercising an option. 
Section 1655 prohibits DoD from using a product, service, or system 
procured or acquired under certain awards unless foreign obligation 
disclosures have been made. This proposed rule requires completion of 
the foreign obligation disclosures prior to exercising an option to 
ensure DoD complies with the statutory intent.
    Section 239.7X05 provides prescriptions for a new solicitation 
provision and contract clause. The new provision is prescribed for use 
in solicitations that include the clause at 252.239-70ZZ, Postaward 
Disclosure of Foreign Obligations. The new clause is prescribed for use 
in solicitations and contracts, task orders, or delivery orders, for 
the acquisition of products, services, or systems relating to 
information or operational technology, cybersecurity, industrial 
control systems, or weapon systems, including those using Federal 
Acquisition Regulation (FAR) part 12 procedures for the acquisition of 
commercial products and commercial services.
    The purpose of the provision at 252.239-70YY, Preaward Disclosure 
of Foreign Obligations--Representation, is to notify offerors that they 
will be required to make disclosures within the Catalog Data Standard 
in the Electronic Data Access (EDA) system (https://piee.eb.mil) in 
order to be eligible for award. While there are three distinct 
disclosures, the provision identifies the first and second disclosures 
in one paragraph at 252.239-70YY, paragraph (c)(1), for clarity. The 
third disclosure is identified at paragraph (c)(2). This provision 
includes a requirement for all offerors to represent by submission of 
the offer that the information on the foreign disclosures the offeror 
has made within the Catalog Data Standard in EDA is current, accurate, 
and complete.
    The purpose of the clause at 252.239-70ZZ, Postaward Disclosure of 
Foreign Obligations, is to require contractors to maintain their 
disclosures in the Catalog Data Standard within EDA and flow down the 
requirement to maintain disclosures in the Catalog Data Standard within 
EDA to subcontractors. Similar to the provision, while there are three 
distinct disclosures, the clause identifies the first and second 
disclosures in one paragraph at 252.239-70XX, paragraph (b)(1), for 
clarity. The third disclosure is identified at paragraph (b)(2). The 
clause also requires contractors to require their subcontractors to 
complete foreign obligation disclosures in the Catalog Data Standard in 
EDA prior to awarding the subcontract.
    Language was added at part 212 to apply the provision and clause to 
the acquisition of commercial products and commercial services. In part 
213, language was added to apply the requirement to disclose foreign 
obligations at or below the micro-purchase threshold. Language was also 
added at part 217 to instruct the contracting officer to exercise 
options only after verifying in the Catalog Data Standard in the EDA 
system (https://piee.eb.mil) that all disclosures have been completed.

III. Applicability to Contracts At or Below the Simplified Acquisition 
Threshold (SAT) and for Commercial Services and Commercial Products, 
Including Commercially Available Off-the-Shelf (COTS) Items

    This proposed rule proposes a new provision and clause to implement 
the requirements of section 1655 of the NDAA for FY 2019: (1) DFARS 
252.239-70YY, Preaward Disclosure of Foreign Obligations--
Representation; and (2) DFARS 252.239-70ZZ, Postaward Disclosure of 
Foreign Obligations. The provision at DFARS 252.239-70YY is prescribed 
at DFARS 239.7X05(a) for use in solicitations that include the clause 
at DFARS 252.239-70ZZ. The clause at DFARS 252.239-70ZZ is prescribed 
at DFARS 239.7X05(b) for use in solicitations and contracts for the 
acquisition of products, services, or systems relating to information 
or operational technology, 
cybersecurity, industrial control systems, or weapon systems, including 
those using FAR part 12 procedures for the acquisition of commercial 
products and commercial services. DoD does intend to apply the proposed 
rule to contracts at or below the SAT. DoD does intend to apply the 
proposed rule to contracts for the acquisition of commercial products 
including COTS items and for the acquisition of commercial services.

A. Applicability to Contracts At or Below the Simplified Acquisition 
Threshold

    The statute at 41 U.S.C. 1905 governs the applicability of laws to 
contracts or subcontracts in amounts not greater than the simplified 
acquisition threshold. It is intended to limit the applicability of 
laws to such contracts or subcontracts. The statute at 41 U.S.C. 1905 
provides that if a provision of law contains criminal or civil 
penalties, or if the Federal Acquisition Regulatory Council makes a 
written determination that it is not in the best interest of the 
Federal Government to exempt contracts or subcontracts at or below the 
SAT, the law will apply to them. The Principal Director, Defense 
Pricing, Contracting, and Acquisition Policy (DPCAP), is the 
appropriate authority to make comparable determinations for regulations 
to be published in the DFARS, which is part of the FAR system of 
regulations. DoD does intend to make that determination. Therefore, 
this proposed rule will apply at or below the simplified acquisition 
threshold.

B. Applicability to Contracts for the Acquisition of Commercial 
Products Including COTS Items and for the Acquisition of Commercial 
Services

    The statute at 10 U.S.C. 3452 exempts contracts and subcontracts 
for the acquisition of commercial products including COTS items, and 
commercial services from provisions of law enacted after October 13, 
1994, unless the Under Secretary of Defense (Acquisition and 
Sustainment) (USD(A&S)) makes a written determination that it would not 
be in the best interest of DoD to exempt contracts for the procurement 
of commercial products and commercial services from the applicability 
of the provision or contract requirement, except for a provision of law 
that--
     Provides for criminal or civil penalties;
     Requires that certain articles be bought from American 
sources pursuant to 10 U.S.C. 4862, or that strategic materials 
critical to national security be bought from American sources pursuant 
to 10 U.S.C. 4863; or
     Specifically refers to 10 U.S.C. 3452 and states that it 
shall apply to contracts and subcontracts for the acquisition of 
commercial products (including COTS items) and commercial services.
    The statute implemented in this proposed rule does not impose 
criminal or civil penalties, does not require purchase pursuant to 10 
U.S.C. 4862 or 4863, and does not refer to 10 U.S.C. 3452. Therefore, 
section 1655 of the NDAA for FY 2019 will not apply to the acquisition 
of commercial services or commercial products including COTS items 
unless a written determination is made. Due to delegations of 
authority, the Principal Director, DPCAP is the appropriate authority 
to make this determination. DoD intends to make that determination to 
apply this statute to the acquisition of commercial products including 
COTS items and to the acquisition of commercial services. Therefore, 
this proposed rule will apply to the acquisition of commercial products 
including COTS items and to the acquisition of commercial services.

C. Determinations

    Given that the requirements of section 1655 of the NDAA for FY 2019 
were enacted to require disclosures of foreign obligations by 
contractors for contracts that include products, services, or systems 
relating to information or operational technology, cybersecurity, 
industrial control systems, or weapon systems and since products, 
services, or systems related to information or operational technology, 
cybersecurity, industrial control systems or weapon systems can include 
COTS items and awards at or below the SAT, it is in the best interest 
of the Federal Government to apply the statute to contracts for the 
acquisition of commercial services and commercial products, including 
COTS items, as defined at Federal Acquisition Regulation 2.101 and 
awards that are at or below the SAT. An exception for contracts for the 
acquisition of commercial services and commercial products, including 
COTS items, or for contracts or subcontracts valued at or below the 
SAT, would exclude the contracts intended to be covered by the law, 
thereby undermining the overarching public policy purpose of the law.

IV. Expected Impact of the Rule

    The proposed rule implements section 1655 of the NDAA for FY 2019, 
which prohibits DoD from acquiring products, services, or systems 
relating to information or operational technology, cybersecurity, 
industrial control systems, or weapon systems through a contract unless 
the offeror or contractor provides disclosures related to sharing 
source code and computer code with foreign governments. Based on data 
from the Federal Procurement Data System, DoD issued approximately 
36,677 new awards for information technology and weapon systems to 
approximately 4,147 unique entities per year on average from FY 2021 
through FY 2023. DoD assumes this number will cover awardees for 
information or operational technology, cybersecurity, industrial 
control systems, and weapon systems, as there is no way to track 
individual awards for operational technology, industrial control 
systems, and cybersecurity. Of the 4,147 unique entities, on average, 
that received awards each year, an average of approximately 17,100 
awards were made to 2,667 unique small entities from FY 2021 through FY 
2023. DoD assumes that the clause will apply to the estimated 4,147 
unique entities, including the 2,667 unique small entities.
    DoD does not have a way to track the number of unique offerors per 
award, so DoD estimates that the number of offerors is the number of 
unique entities that received awards (i.e., 4,147) multiplied by a 
factor of three, representing three offerors per award. Therefore, the 
estimated number of offerors is three times the average number of 
entities that received information technology and weapon systems awards 
for FY 2021 through FY 2023 (4,147 entities x 3), or 12,441, of which 
8,002 are estimated to be small entities.
    The proposed changes will require offerors for products, services, 
or systems related to information or operational technology, 
cybersecurity, industrial control systems, or weapon systems to make 
certain disclosures in the Catalog Data Standard within EDA (https://piee.eb.mil) regarding whether they have shared certain source code and 
computer code with foreign persons or governments any time since August 
12, 2013. During contract performance, prior to the exercise of any 
option, contractors will be required to update their disclosures in the 
Catalog Data Standard within EDA.

V. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the 
importance of quantifying both costs and benefits, of reducing costs, 
of harmonizing rules, and of promoting flexibility. This is not a 
significant regulatory action and, therefore, was not subject to review 
under section 6(b) of E.O. 12866, Regulatory Planning and Review, as 
amended.

VI. Regulatory Flexibility Act

    DoD does not expect this proposed rule, when finalized, to have a 
significant economic impact on a substantial number of small entities 
within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et 
seq., because the rule is only applied to awards for products, 
services, or systems related to information or operational technology, 
cybersecurity, industrial control systems, or weapon systems. However, 
an initial regulatory flexibility analysis has been performed and is 
summarized as follows:
    This proposed rule is necessary to implement section 1655 of the 
NDAA for FY 2019. Section 1655 prohibits DoD from using a product, 
service, or system relating to information or operational technology, 
cybersecurity, industrial control systems, or weapon systems provided 
by an entity unless that entity makes certain disclosures. The 
disclosures required by the statute have three parts.
    The first part of the disclosures is related to whether, since 
August 12, 2013, the entity making the disclosure has allowed, or is 
under an obligation to allow, a foreign government to review the code 
of an other than commercial product, system, or service developed for 
DoD. The second part of the disclosure pertains to whether, since 
August 12, 2013, the entity making the disclosure has allowed, or is 
under an obligation to allow, a foreign government in the list required 
by section 1654 of the NDAA for FY 2019 to review the source code of a 
product, system, or service that DoD is using or intends to use. The 
third part of the disclosure is related to whether the entity making 
the disclosure holds or has sought a license pursuant to the Export 
Administration Regulations (15 CFR chapter VII, subchapter C), the 
International Traffic in Arms Regulations (22 CFR chapter I, subchapter 
M), or successor regulations, for information technology products, 
components, software, or services that contain code custom-developed 
for the other than commercial product, system, or service DoD is using 
or intends to use.
    Once the disclosures are provided to DoD, and if the Secretary of 
Defense determines that the disclosure relating to a product, system, 
or service entails a risk to the national security infrastructure or 
data of the United States, or any national security system under the 
control of DoD, section 1655 requires the Secretary to take such 
measures as the Secretary considers appropriate to mitigate such risks.
    The objective of this proposed rule is to implement the statutory 
requirement for offeror, contractor, and subcontractor disclosures 
under section 1655 of the NDAA for FY 2019 prior to award and during 
contract performance. The legal basis for the proposed rule is section 
1655 of the NDAA for FY 2019.
    The proposed rule applies to offerors, contractors, and 
subcontractors for information or operational technology, 
cybersecurity, industrial control systems, or weapon systems. Based on 
data from the Federal Procurement Data System, DoD issued approximately 
36,677 awards to 4,147 entities, of which 17,100 awards were made to 
2,667 small entities, for information technology and weapon systems, on 
average, from FY 2021 through FY 2023. DoD assumes these numbers will 
cover small entities awarded contracts for products, services, or 
systems relating to information or operational technology, 
cybersecurity, industrial control systems, and weapon systems, as there 
is no way to track individual awards for operational technology, 
cybersecurity, and industrial control systems. In order to estimate the 
number of offerors for information or operational technology, 
cybersecurity, industrial control systems, and weapon systems, DoD 
assumes the number of offerors will be the 4,147 awardees multiplied by 
a factor of three, or 12,441 offerors, of which 8,002 are estimated to 
be small entities.
    This proposed rule does impose new reporting, recordkeeping, or 
other compliance requirements for small entities. These reporting 
requirements would apply to any offerors that are small entities for a 
contract for information or operational technology, cybersecurity, 
industrial control systems, and weapon systems. These small entities 
will be required to make disclosures within the Catalog Data Standard 
within the EDA system (https://piee.eb.mil) in order to be eligible for 
award and will be required to represent that the disclosures are 
current, accurate, and complete. Contractors whose contracts contain 
the clause 252.239-70ZZ, Postaward Disclosure of Foreign Obligations, 
will be required to maintain their disclosures in EDA and flow down the 
requirement to maintain disclosures in EDA to subcontracts and other 
contractual instruments.
    The proposed rule does not duplicate, overlap, or conflict with any 
other Federal rules.
    There are no known alternatives that would accomplish the stated 
objectives of the applicable statute.
    DoD invites comments from small business concerns and other 
interested parties on the expected impact of this proposed rule on 
small entities.
    DoD will also consider comments from small entities concerning the 
existing regulations in subparts affected by this proposed rule in 
accordance with 5 U.S.C. 610. Interested parties must submit such 
comments separately and should cite 5 U.S.C. 610 (DFARS Case 2018-D064) 
in correspondence.

VII. Paperwork Reduction Act

    This proposed rule contains information collection requirements 
that require the approval of the Office of Management and Budget under 
the Paperwork Reduction Act (44 U.S.C. chapter 35). Accordingly, DoD 
has submitted a request for approval of a new information collection 
requirement concerning DFARS Case 2018-D064, Disclosure of Information 
Regarding Foreign Obligations, to the Office of Management and Budget.

A. Estimate of Public Burden

    Public reporting burden for this collection of information is 
estimated to average 0.5 hour per response, including the time for 
reviewing instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
collection of information.
    The annual reporting burden is estimated as follows:
    Respondents: 12,441.
    Total annual responses: 14,515.
    Total annual burden hours: 7,257.5.

B. Request for Comments Regarding Paperwork Burden

    Written comments and recommendations on the proposed information 
collection, including suggestions for reducing this burden, should be 
submitted using the Federal eRulemaking Portal at https://www.regulations.gov or by email to [email protected]. Comments can be 
received up to 60 days after the date of this notice.
    Public comments are particularly invited on: whether this 
collection of information is necessary for the proper performance of 
the functions of DoD, including whether the information will 
have practical utility; the accuracy of DoD's estimate of the burden of 
this information collection; ways to enhance the quality, utility, and 
clarity of the information to be collected; and ways to minimize the 
burden of the information collection on respondents, including through 
the use of automated collection techniques or other forms of 
information technology.
    To obtain a copy of the supporting statement and associated 
collection instruments, please email [email protected]. Include DFARS 
Case 2018-D064 in the subject line of the message.

List of Subjects in 48 CFR Parts 212, 213, 217, 239, and 252

    Government procurement.

Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition Regulations System.

    Therefore, the Defense Acquisition Regulations System proposes to 
amend 48 CFR parts 212, 213, 217, 239, and 252 as follows:

1. The authority citation for parts 212, 213, 217, 239, and 252 
continues to read as follows:

    Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

PART 212--ACQUISITION OF COMMERCIAL PRODUCTS AND COMMERCIAL 
SERVICES

2. Amend section 212.301 by adding paragraphs (f)(xvi)(E) and (F) to 
read as follows:


212.301  Solicitation provisions and contract clauses for the 
acquisition of commercial products and commercial services.

* * * * *
    (f) * * *
    (xvi) * * *
    (E) Use the provision at 252.239-70YY, Preaward Disclosure of 
Foreign Obligations--Representation, as prescribed in 239.7X05(a), to 
comply with section 1655 of the National Defense Authorization Act for 
Fiscal Year 2019 (Pub. L. 115-232).
    (F) Use the clause at 252.239-70ZZ, Postaward Disclosure of Foreign 
Obligations, as prescribed at 239.7X05(b), to comply with section 1655 
of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 
115-232).
* * * * *

PART 213--SIMPLIFIED ACQUISITION PROCEDURES

3. Add section 213.201-70 to read as follows:


213.201-70   Additional general requirements.

    Do not procure or obtain, or exercise an option or otherwise extend 
a contract relating to, information or operational technology, 
cybersecurity, industrial control systems, or weapon systems from a 
contractor, including through a subcontractor at any tier, unless the 
contractor completes all foreign obligation disclosures in the Catalog 
Data Standard within the Electronic Data Access system (https://piee.eb.mil). See subpart 239.7X.

PART 217--SPECIAL CONTRACTING METHODS

4. Amend section 217.207 by adding paragraph (c)(3) to read as follows:


217.207   Exercise of options.

    (c) * * *
    (3) Verifying in the Catalog Data Standard in the Electronic Data 
Access system (https://piee.eb.mil) that all foreign obligation 
disclosures are completed (see 239.7X).

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

5. Add subpart 239.7X to read as follows:
Subpart 239.7X--Disclosure of Information Regarding Foreign Obligations
Sec.
239.7X00 Scope.
239.7X01 Definitions.
239.7X02 Prohibition.
239.7X03 Exception.
239.7X04 Procedures.
239.7X05 Solicitation provision and contract clause.

SUBPART 239.7X--DISCLOSURE OF INFORMATION REGARDING FOREIGN 
OBLIGATIONS


239.7X00   Scope.

    This section implements the foreign obligation disclosure 
requirements of section 1655(a) and (c) of the National Defense 
Authorization Act for Fiscal Year 2019 (Pub. L. 115-232).


239.7X01   Definitions.

    As used in this subpart--
    Computer code means a set of instructions, rules, or routines 
recorded in a form that is capable of causing a computer to perform a 
specific operation or series of operations. It includes both source 
code and object code.
    Open source software means software for which the human-readable 
source code is available for use, study, reuse, modification, 
enhancement, and redistribution by the users of such software (section 
1655, Pub. L. 115-232).
    Source code means any collection of code, with or without comments, 
written using a human-readable programming language, usually as plain 
text. This code is later translated into machine language by a 
compiler. The translated code is referred to as object code.


239.7X02   Prohibition.

    (a) Contracting officers shall not procure or obtain, or exercise 
an option or otherwise extend a contract to procure or obtain, any 
products, services, or systems relating to information or operational 
technology, cybersecurity, industrial control systems, or weapon 
systems through a contract or subcontract at any tier from a 
prospective contractor unless the offeror or contractor makes the 
disclosures required by section 1655 of the NDAA for FY 2019.
    (b) Contracting officers shall ensure that they do not violate the 
prohibition by using the provision at 252.239-70YY and the clause at 
252.239-70ZZ, as prescribed. The provision requires offerors to provide 
the required foreign obligation disclosures, and the clause ensures 
that contractors provide updates to foreign obligation disclosures for 
the life of the contract.


239.7X03  Exception.

    The prohibition at 239.7X02 does not apply to open source software.


239.7X04   Procedures.

    (a) Contracting officers shall not award a contract, task order, or 
delivery order for information or operational technology, 
cybersecurity, industrial control systems, or weapon systems, unless 
the prospective contractor has completed all of the foreign obligation 
disclosures in the Catalog Data Standard within the Electronic Data 
Access (EDA) system (https://piee.eb.mil) and those disclosures are 
current, accurate, and complete (see 239.7X02).
    (b) Contracting officers shall not exercise an option or extend the 
period of performance on a contract, task order, or delivery order for 
information or operational technology, cybersecurity, industrial 
control systems, or weapons systems, unless the contractor has 
completed all of the foreign obligation disclosures in the Catalog Data 
Standard within the EDA system (see 239.7X02).
    (c) Contracting officers shall work with the program office to 
validate that the offeror has completed all of the foreign obligation 
disclosures in the Catalog Data Standard within the EDA system.
    (d) Contracting officers shall follow agency procedures, as 
applicable, in the event that the program office notifies the 
contracting officer that additional steps must be taken prior to award 
based on information disclosed in EDA.


239.7X05   Solicitation provision and contract clause.

    (a) Use the provision at 252.239-70YY, Preaward Disclosure of 
Foreign Obligations--Representation, in solicitations that include the 
clause at 252.239-70ZZ.
    (b) Use the clause at 252.239-70ZZ, Postaward Disclosure of Foreign 
Obligations, in solicitations and contracts, task orders, or delivery 
orders, including those using FAR part 12 procedures for the 
acquisition of commercial products and commercial services, for the 
acquisition of products, services, or systems relating to information 
or operational technology, cybersecurity, industrial control systems, 
or weapon systems.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

6. Add sections 252.239-70YY and 252.239-70ZZ to read as follows:


252.239-70YY   Preaward Disclosure of Foreign Obligations--
Representation.

    As prescribed in 239.7X05(a), use the following provision:

Preaward Disclosure of Foreign Obligations--Representation (Date)

    (a) Definitions. As used in this provision, computer code, open 
source software, and source code are defined in the Defense Federal 
Acquisition Regulation Supplement 252.239-70ZZ, Postaward Disclosure 
of Foreign Obligations, clause of this solicitation.
    (b) Prohibition on award. In accordance with section 1655 of 
Public Law 115-232, no contract for information or operational 
technology, cybersecurity, industrial control systems, or weapon 
systems may be awarded to an offeror unless the offeror makes the 
disclosures described in paragraph (c).
    (c) Disclosures. The Offeror shall complete the following 
foreign obligation disclosures in the Catalog Data Standard in the 
Electronic Data Access (EDA) system (https://piee.eb.mil):
    (1) Whether, and if so, when, at any time after August 12, 2013, 
the Offeror--
    (i) Has allowed a foreign person or foreign government to review 
the source code for any product, system, or service that DoD is 
using or intends to use, or the computer code for any other than 
commercial product, system, or service developed for DoD; or
    (ii) Is under any obligation to allow a foreign person or 
foreign government to review, as a condition of entering into an 
agreement for sale or other transaction with a foreign government or 
with a foreign person on behalf of such a government--
    (A) The source code for any product, system, or service that DoD 
is using or intends to use; or
    (B) The computer code for any other than commercial product, 
system, or service developed for DoD; and
    (2) Whether or not the Offeror holds or has sought a license 
pursuant to the Export Administration Regulations (15 CFR chapter 
VII, subchapter C) or the International Traffic in Arms Regulations 
(22 CFR chapter I, subchapter M) for information technology 
products, components, software, or services that contain computer 
code custom-developed for the other than commercial product, system, 
or service DoD is procuring.
    (d) Exception. The prohibition in paragraph (b) of this 
provision does not apply to open source software.
    (e) Representation. By submission of its offer, the Offeror 
represents that it has completed the foreign obligation disclosures 
in EDA and the disclosures are current, accurate, and complete.


(End of provision)


252.239-70ZZ   Postaward Disclosure of Foreign Obligations.

    As prescribed in 239.7X05(b), use the following clause:

Postaward Disclosure of Foreign Obligations (Date)

    (a) Definitions. As used in this clause--
    Computer code means a set of instructions, rules, or routines 
recorded in a form that is capable of causing a computer to perform 
a specific operation or series of operations. It includes both 
source code and object code.
    Open source software means software for which the human-readable 
source code is available for use, study, reuse, modification, 
enhancement, and redistribution by the users of such software 
(section 1655, Pub. L. 115-232).
    Source code means any collection of code, with or without 
comments, written using a human-readable programming language, 
usually as plain text. This code is later translated into machine 
language by a compiler. The translated code is referred to as object 
code.
    (b) Prohibition. The Contractor shall not provide to DoD any 
products, services, or systems relating to information or 
operational technology, cybersecurity, industrial control systems, 
or weapon systems through a contract or subcontract at any tier 
unless the Contractor makes the disclosures described in paragraph 
(c).
    (c) Disclosures. The Contractor shall complete the following 
foreign obligation disclosures in the Catalog Data Standard in the 
Electronic Data Access (EDA) system (https://piee.eb.mil):
    (1) Whether, and if so, when, at any time after August 12, 2013, 
the Contractor--
    (i) Has allowed a foreign person or foreign government to review 
the source code for any product, system, or service that DoD is 
using or intends to use, or the computer code for any other than 
commercial product, system, or service developed for DoD;
    (ii) Is under any obligation to allow a foreign person or 
foreign government to review, as a condition of entering into an 
agreement for sale or other transaction with a foreign government or 
with a foreign person on behalf of such a government--
    (A) The source code for any product, system, or service that DoD 
is using or intends to use; or
    (B) The computer code for any other than commercial product, 
system, or service developed for DoD; and
    (2) Whether or not the supplier holds or has sought a license 
pursuant to the Export Administration Regulations (15 CFR chapter 
VII, subchapter C) or the International Traffic in Arms Regulations 
(22 CFR chapter I, subchapter M) for information technology 
products, components, software, or services that contain computer 
code custom-developed for the other than commercial product, system, 
or service DoD is using or intends to use.
    (d) Maintenance of disclosures. The Contractor shall maintain 
its foreign obligation disclosures in EDA for the life of the 
contract.
    (e) Identification of information requiring disclosure. In the 
event the Contractor identifies information requiring disclosure 
during contract performance, or the Contractor is notified of such 
by a subcontractor at any tier or any other source, the Contractor 
shall update its disclosures in EDA and shall disclose any 
mitigation measures taken or anticipated.
    (f) Exception. The prohibition in paragraph (b) does not apply 
to open source software.
    (g) Subcontracts. The Contractor shall--
    (1) Insert the substance of this clause, including this 
paragraph (g), in subcontracts, or other contractual instruments, 
for the acquisition of products, services, or systems relating to 
information or operational technology, cybersecurity, industrial 
control systems, or weapon systems, including those for commercial 
products and commercial services; and
    (2) Require the subcontractor to complete the foreign obligation 
disclosures in EDA prior to awarding a subcontract.


(End of clause)

[FR Doc. 2024-26058 Filed 11-14-24; 8:45 am]