DEFENSE AUTHORIZATION BILL CONTAINS CYBER, FEDRAMP, AND OTHER GOODIES
The House passed a unified FY’23 National Defense Authorization Act (NDAA) last week and the Senate is now poised to follow suit this week. Contractors should closely read the Section 800 title for procurement-related changes on issues such as increased cybersecurity reporting requirements, steps to create a standard definition of “Controlled Unclassified Information” (CUI), and provisions to support small business contracting. Section 5949 prohibits the government from purchasing semiconductor products from several manufacturers with close ties to the Chinese government after 2027. It also prohibits the government from doing business with contractors that use these products within their critical systems after that date. The provision does, however, make a distinction between “critical” and “non-critical” systems, making it somewhat more flexible than Section 889 telecom prohibitions. Other portions of the NDAA include a formal authorization for GSA’s FedRAMP cloud security certification program, as well as language intended to streamline the FedRAMP accreditation process. Defense One reports, that, “in terms of new and emerging defense technologies, the Defense Advanced Research Projects Agency is getting $75 million for artificial intelligence, and another $20 million for quantum computing; $85 million is set aside for advanced “jamming protection, electronic warfare and signature measurement…” These projects may provide additional opportunities for contractors that are developing such capabilities or are working with partners who are. Significant funding is authorized to support both Ukraine and Taiwan, an indication of where Congress believes just some serious potential threats lie. The NDAA also notably removes the requirement for DOD personnel to be vaccinated against COVID-19. This provision had resulted in the resignation or separation of many uniformed military personnel over the past two years. While the NDAA language here does not speak to the contractor vaccine mandate that is currently held up in the courts, its repeal could be an indication that the next Congress could consider withholding funding for enforcement of that provision. Contractors should either conduct their own analysis of major provisions in the NDAA or obtain trusted analysis from outside sources. This measure can impact both defnese and non-defense business.