Critical National Security Technology

The Department of Defense’s proposed rule implementing Section 847 of the FY 2020 NDAA could fundamentally reshape how foreign ownership, control, or influence (FOCI) is monitored across the defense industrial base. Through proposed DFARS Part 240, the rule would extend recurring FOCI disclosure, National Industrial Security System (NISS) reporting, and Defense Counterintelligence and Security Agency (DCSA) oversight far beyond the traditional facility-clearance context and into ordinary government contracting. For foreign-owned contractors, allied-country suppliers, private equity sponsors, and federal subcontractors, the proposal signals the emergence of a permanent compliance regime built around continuous visibility rather than one-time vetting.

Friends, Romans, contractors, lend me your ears;
I come to disclose your owners, not to debar them.
The FOCI that contractors do is oft assessed;
The clearances are oft interred with their bones.
So let it be with allies. The honorable rule
Hath told you that we treat all foreigners alike;
If it be so, it is a grievous form,
And grievously hath the SF-328 answered it.

The speech may be a little ridiculous, but in its way, it’s also a little accurate. The proposed DFARS rule implementing Section 847 of the FY 2020 NDAA is not unkind to allies. It is, as was Mark Antony, scrupulously polite to them, right up to the moment it asks them to register as suspects.

Continue Reading Section 847 and the New Era of DOD Continuous FOCI Monitoring

Cyber incidents involving critical infrastructure pose a serious risk to the US. In March 2024, the Environmental Protection Agency and the National Security Advisor warned state governors about potential attacks on drinking water and wastewater facilities by specific Iran- and China-aligned hackers. The following month (on April 4, 2024), in an attempt to prepare for such attacks and otherwise improve the federal government’s ability to collect and analyze data related to cyber incidents on critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule to implement cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enacted in an omnibus appropriation, CIRCIA directed CISA to issue rulemaking requiring the reporting of cyber incidents or the payment of ransoms in response to cyberattacks affecting critical infrastructure.  

Continue Reading CISA’s CIRCIA Proposed Rule: Another Player Enters the Reporting Regime

Each year, Congress presents us in Title VIII of the National Defense Authorization Act (NDAA) a potpourri of procurement reforms, changes, and additions. Some are effective immediately, while some are bound for rulemaking and regulation and surface years from enactment. Some require analyses, reports, and studies which have no immediate impact but provide a roadmap that can and should be used by government contractors in their business planning. Finally, some provisions of the NDAAs just wither away and have no impact whatsoever. Nineteen days before the Trump Administration ended, the US Senate followed the US House of Representatives in overriding the President’s veto of the William (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (H.R. 6395) (FY2021 NDAA), making it law on January 1, 2021. Happy New Year! As for its Title VIII, the FY2021 NDAA is no different from its predecessors in its procurement potpourri. Here’s a tour of key provisions you oughta know.

Continue Reading Here to Remind You of the Key Provisions of the Fiscal Year 2021 National Defense Authorization Act – You Oughta Know!