by Deborah Norris Rodin and Alexandria Tindall Webb
On December 23, 2022, President Biden signed the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2023, authorizing $858 billion in defense spending. The NDAA sets out defense policy and budget priorities for the Department of Defense (DoD). Each year, Congress also employs the NDAA as a vehicle for establishing new initiatives and making changes to federal procurement policy.
This year’s NDAA includes new measures aimed at securing the U.S. supply chain, with a focus on curtailing the influence of China; efforts to enhance cybersecurity, including for cloud services; and modifications to important small business programs. We highlight key takeaways and notable provisions for government contractors and all companies that do business with the DoD.
Passing the NDAA with bipartisan support has become an important end-of-year legislative ritual in Congress, as the NDAA has been enacted annually for more than six decades. This year, the U.S. Senate passed a compromise version of the bill by a vote of 83 to 11 on December 15, following its passage by the U.S. House of Representatives (by a vote of 350 to 80) on December 8.
Several provisions in the FY2023 NDAA establish new restrictions or prohibitions on Chinese-made products. These provisions reflect continued and growing concern regarding China’s influence on the U.S. supply chain, particularly the defense industrial base. Most prominently, a new prohibition on certain Chinese semiconductors is similar to Section 889 from the FY2019 NDAA, the so-called “Huawei ban,” which prohibited the use of telecommunications equipment from several Chinese companies, including Huawei. Contractors would be wise to examine their supply chains and begin taking steps to ensure they will be in compliance when these provisions take effect.
Improving cybersecurity throughout DoD’s supply chain continues to be an area of focus for Congress and is reflected in many provisions of the NDAA. For instance, under one provision, DoD is required to develop new plans for testing the cybersecurity of commercial cloud services that use or store classified DoD data. Codification of the Federal Risk and Authorization Management Program (FedRAMP), the government-wide, standardized assessment and certification program for cloud services, reflects the government’s continued move towards cloud computing.
As in previous years, the NDAA contains numerous provisions aimed at supporting small businesses that provide goods and services to the federal government. Notably, there are new requirements that DoD perform due diligence to assess security risks that may be presented by small businesses seeking Small Business Innovation Research (SBIR) or Small Business Technology Transfer (STTR) awards, and establish a program to aid small businesses in identifying threats to the company from malicious foreign actors.
These NDAA provisions will impose new or expanded restrictions and requirements on federal contractors, especially those companies that do business with the DoD. Contractors should take steps now to ensure they will be in compliance when these provisions take effect. If you have questions about how these provisions will affect your business, please contact one of the RJO attorneys with whom you regularly work or the authors of this article.
Disclaimer:
The materials provided in this document are offered for informational and educational purposes only and are not offered as and do not constitute legal advice or legal opinions. The transmission or receipt of information through this document, or communications with Rogers Joseph O’Donnell via email, does not constitute or create an attorney-client relationship between us and any recipient.