The GovCon Bulletin™
Taking A Closer Look At The Senate's 2018 NDAA Bill
Last week, on October 17, 2017, the U.S. Senate voted to appoint members to join with House members on a conference committee to work out differences between Senate and House NDAA 2018 bills. The Senate passed its bill on September 18, while the U.S. House of Representative passed its bill in July. As we stated during our closer look of the House’s bill (here), examining the defense authorization bills gives government contractors an early glimpse and insight of the spending priorities supported by influential constituencies. There is some overlap between the bills, including appropriations for military housing and construction, a prohibition against another round of base realignment activities, and heavy investments in the missile defense system, which in the Senate version includes appropriations for the Iron-Dome Short Range Rocket Defense Program, the Israeli Cooperative Missile Defense Program, development of space-based sensor architecture, and improved ground-based interceptor capability and reliability.
The differences between the bills, however, are far greater and significant and the Senate bill is every bit the complete re-write it appears to be on a side-by-side comparison. While it remains to be seen which of the Senate's proposals will ultimately be included in a final bill that is worked out by conference committee members, below are highlights of the Senate bill that government contractors may wish to take note of now.
Changes To Procurement Process
The Senate bill includes reforms to the procurement process including provisions requiring amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) that would implement procedures aimed at making “should-cost” reviews transparent and objective. The reforms also prohibit the U.S. Department of Defense (DoD) from entering into contracts for services over $10 million based on specific personnel or labor hour requirements without first submitting a justification on why outcome-based or performance-based requirements were not used instead, and mandate a pilot program under which DoD would enter into extended multi-year contracts of up to ten years.
Some of the most significant reforms, however, are proposed changes to debriefing and bid protest rules. Specifically, the bill requires changes to DFARS that would mandate that all required post-award debriefings must provide detailed and comprehensive statements of the agency’s rating for each evaluation criteria, as well as of the agency’s award decision. The revisions would also encourage agencies to release as part of the debriefing all information that would be releasable during a bid protest, including the agency’s written source selection award determination. The changes would also provide an opportunity for a round of follow-up questions and answers.
As for bid protests, the Senate bill requires a losing protester with revenues over $100,000,000 to pay for DoD's costs incurred for processing the protest. In addition, incumbent contractors who file protests are required to have all payments over the incurred costs withheld on any bridge or temporary contract extension awarded to the contractor as a result of any delay in the award that results from the protest filing. The withheld funds are, depending on the protest outcome, released to the awarded contractor, DoD, or the incumbent.
Increased Threshold Limits
The Senate bill also proposes to raise several threshold limits. For example, the bill raises the simplified acquisition threshold for the DoD acquisitions to $250,000. In addition, the threshold for requiring contractors to submit cost or pricing data – when such submission is required – is raised from $500,000 to $1,000,000, while the micro-purchase threshold has been raised from $3,000 to $10,000.
Space Based Initiatives
While the Senate bill does not take up the House’s proposed Space Corps, it does make several proposals targeting the nation’s space based defense systems. First, the Senate bill repeatedly pronounces that space is a “warfighting,” “contested,” or “combat” domain, and places the National Space Defense Center at the center of efforts to protect U.S. assets in space and to detect, assess and react to evolving space threats. It also requires the Commander of the Air Force Space and Missile Systems Center to maintain a watch list of contractors with a history of poor performance on space-related contracts. And, although not grouped in with, or categorized as, space defense weapons, hypersonic weapons (featured in this Popular Mechanics article ) receive significant support in the Senate bill, which points specifically to technological breakthroughs that have made the pursuit of hypersonic glide weapons feasible from a budgetary standpoint. According to the bill, although hypersonic weapons “present a radical change in warfare,” other countries (including Russia and China) “are aggressively pursuing hypersonic weapons at an alarming rate that threatens to outpace the United States if the United States does not more aggressively pursue development.”
Another area that received significant, if not the most, attention is not surprisingly cybersecurity. The Senate bill declares a U.S. policy to use “all instruments of power” to deter, and respond to, any and all cyber attacks that target U.S. interests. The bill includes numerous DoD mandates, a few of which include:
- Requiring DoD to conduct a comprehensive review of U.S. cyber posture for the next 5 to 10 years and submit a report to Congress;
- Requiring DoD to incorporate cybersecurity of election systems as a component of its Cyber Guard Exercise;
- Requiring DoD to submit to Congress a plan to meet the increased demand for cyberspace careers in the armed reserves;
- Mandating the establishment of the DoD Cybersecurity Scholarship Program;
- Requiring an annual assessment of “cyber resiliency” of the nuclear command and control system, including its ability to operate through a cyber attack from Russia and China;
- Requiring DoD to submit a congressional report on the training infrastructure of cyber forces;
- Requiring Army to report on the cyber capability and readiness shortfalls of its Army Combat Training Centers;
- Requiring DoD to report on significant security risks to defense-critical electric infrastructure posed by significant malicious cyber-enabled activity;
- Requiring the Comptroller General of the United States to submit a report to congressional committees of any critical telecommunications equipment, technologies or services obtained by DoD, or its contractors or subcontractors, manufactured directly or indirectly by a foreign supplier closely linked to a leading cyber-threat actor;
- Requiring DoD to submit to appropriate congressional committees a report on the potential offensive and defensive applications of “blockchain” technology and other distributed database technologies;
- Requiring DoD to establish a cross-functional task force that will integrate across organizations that are responsible for information operations, military deception, public affairs, electronic warfare, and cyber operations;
- Requiring DoD to establish a “Strategic Cybersecurity Program” that will continuously assess information assurance and overall effectiveness of offensive cyber systems, long-range strike systems, nuclear deterrent systems, national security systems, and DoD’s critical infrastructure; and
- Requiring an evaluation by the Commander of U.S. Cyber Command of alternative methods for developing, acquiring, and maintaining software-based cyber tools and applications that must include agile software development, agile acquisition, and other best practices of commercial industry.
On this last point, the Senate bill expressly requires the Commander to consult with commercial software companies, but it seems likely that many of the other evaluations and reports mandated under the bill will require commercial or contractor consultation.
In addition, in order to make secure work spaces available to small and nontraditional businesses, the bill also requires DoD to establish procedures to build and maintain certifications for multi-use sensitive compartmented information facilities where multiple companies can work on multiple projects at different security levels and not tied to any single contract.
Lastly, the bill also prohibits any U.S. government department, agency or organization from using, directly or indirectly, any hardware, software or services developed by Kaspersky Lab or any entity in which Kaspersky Lab has majority ownership.
Other Integration of Agile Methods
The Senate bill contemplates a much broader integration of agile software and methods that goes far beyond application to cyber threats described above. For example, the bill requires DoD to identify one major program per military service and one defense-wide program for tailoring into a smaller increment. Each program must be either a major defense acquisition or formerly a major automated information system. In addition, DoD is required to conduct a comprehensive assessment of investments in between four and eight defense business systems and priorities for realignment and restructuring into smaller increments and incorporation of agile acquisition methods. DoD is also required to identify between four and eight software development activities to be developed using modern agile acquisition methods and without incorporating requirements that typically may otherwise apply such as (1) earned value management or EVM-like reporting; (2) development of integrated master schedule; (3) development of integrated master plan; (4) development of a technical requirement document; (5) development of systems requirement documents; (6) use of information technology infrastructure library agreements; or (7) use of software development life cycle (methodology).
Open Source Requirement and Changes to Technical Data Rights
Perhaps more controversially, the bill requires all unclassified custom-developed software and related technical data that is not a defense article regulated by the Arms Export Control Act but that is developed under a DoD contract award to be managed as open source software unless specifically waived by a service acquisition executive. Thus, DoD must require contractors to release source code and related technical data in a DoD approved public repository subject to a license through which the copyright holder provides the rights to use, study, reuse, modify, enhance, and distribute the software to anyone and for any purpose. Moreover, with regard to existing custom-developed computer software, DoD must, where appropriate, seek to negotiate open source licenses with contractors that developed it, and release related source code and technical data in a DoD approved repository. Lastly, DoD must task the Defense Advanced Research Program Agency with a project to identify and reverse engineer custom-developed computer software and related technical data for which source code is unavailable.
As we have noted in our white paper on computer software and data rights (here) and in our GovCon Video Blog™ series on software and data rights (see here), the government’s rights that are designated as “unlimited” are broad and expansive, but it is clear that the Senate’s bill intends for the government to aggressively make full use of those unlimited rights.
Indeed, the bill requires changes to definition of “technical data,” which currently is simply and broadly defined under 10 U.S.C. 2302 as “recorded information (regardless of the form or method of the recording) of a scientific or technical nature (including computer software documentation) relating to supplies procured by an agency.” Under the bill, the definition now explicitly includes "everything required to reproduce, build/recompile, test, and deploy working system binaries on system hardware, including all source code, revision histories, build scripts, build/compilation/modification instructions/procedures, documentation, test cases, expected test results, compilers, interpreters, test harnesses, specialized build and test hardware, connectors, cables, and library dependencies."
Moreover, the bill amends the data rights provisions in 10 U.S.C. 2320 to require, with respect to any software delivered to the government, (i) delivery in native format; (ii) builds that are not dependent on predefined build directories; and (iii) in the case of licensing restrictions that do not allow library dependent inclusion, documentation and verified accessible repositories and revision history.
If the Senate proposals are adopted, therefore, government contractors developing custom-software or integrating proprietary software into custom solutions will have to take particular attention to their data rights assertions to ensure that unlimited rights are properly confined to the particular software or data to which they apply.
The bill also proposes several important changes to the SBIIR and STTR Programs. First, the bill amends the portion of the Small Business Act relating to Phase III awards. In particular, Section 9(r)(4) of the Small Business Act (10 U.S.C. 638(r)(4)) currently states that to “the greatest extent practicable” government agencies and prime contractors must issue Phase III awards related to technology to the SBIR and STTR award recipients that developed the technology. Although the Senate bill does not eliminate the wiggle room requiring Phase III awards to the technology developers only to the “greatest extent practicable,” it does now add a provision that explicitly states that agencies and prime contractors must construe any prior Phase I or Phase II award as satisfying any “full and open” or other competition requirements, and that a Phase III award can be made without further justification. In addition, the bill Senate proposes to implement a pilot program under which DoD shall award multiple award contracts to small businesses in order to purchase technologies, supplies or services that were developed under the STTR and SBIR programs. Similarly here, DoD is authorized to establish procedures to waive the competition in contracting requirements for any such purchases.