On December 20, 2019, President Trump signed the National Defense Authorization Act for fiscal year 2020 (the 2020 NDAA) into law (Public Law No. 116-92). The 2020 NDAA authorizes $738 billion dollars in appropriations for programs and activities of the Department of Defense (DOD), the U.S. executive agency that acquires the largest amount (by dollar value and volume) of goods and services within the U.S. government. This amount authorized by the 2020 NDAA represents roughly a $22 billion dollar increase over the 2019 NDAA. The 2020 NDAA includes a variety of provisions that are important for government contractors to be aware of, including provisions related to supply chain security, cybersecurity, software acquisition, cloud computing, and research and development, among others. This client alert discusses the provision of the 2020 NDAA that will impact defense contractors (manufacturers, distributors, resellers) supplying microelectronic products and wireless network services acquired by the DOD.

Section 224. Requiring defense microelectronics products and services meet trusted supply chain and operational security standards

Title II, section 224 of the 2020 NDAA requires the establishment of operational security standards that will protect the United States, the DOD, and defense contractors that do business with the DOD from the theft of intellectual property and ensure national security and public safety in the application of new generations of wireless network technologies and microelectronics. Section 224 refers to these operational security standards as trusted supply chain and operational security standards and requires the Secretary of Defense (SECDEF) to establish these security standards no later than January 1, 2021. By January 1, 2023, nearly all microelectronics products and wireless network services purchased by the DOD must meet these new security standards.

Section 224 defines “security standards” as standards that systemize best practices relevant to six categories: (1) manufacturing location; (2) company ownership; (3) workforce composition; (4) access to the product during manufacturing, suppliers’ design, sourcing, packaging, and distribution processes; (5) reliability of the supply chain; and (6) other matters germane to supply chain and operational security. Military standards or specifications that specify individual features for microelectronics products and wireless network services or that inhibit the acquisition of securely manufactured, commercially available products by the DOD are excluded from the definition.

Section 224’s required security standards are to be developed in consultation with civilian agencies and industry to ensure that differing perspectives will be considered. The Departments of Homeland Security, State, and Commerce, and the National Institute of Standards and Technology; suppliers of microelectronics products and wireless network services from the United States and allies and partners of the United States; representatives of major U.S. sectors that rely on a trusted supply chain and the operational security of microelectronics products and wireless network services; and representatives from the U.S. insurance industry will collaborate with the DOD to develop the security standards contemplated. The goal of this collaboration is to maintain competition and innovation in the industrial microelectronics and wireless network services supply base. To that end, section 224 requires the SECDEF to ensure, to the greatest extent practicable, that microelectronic and wireless network technology suppliers are incentivized to sell their products commercially as well as to governments that are allies and partners of the United States. Furthermore, all suppliers (manufacturers, distributers, and resellers) will be required to ensure that microelectronics and wireless technology supplies are produced on the same production lines as the products purchased by the DOD. This requirement will likely drive changes to the manufacturing practices of many supplies.

Contractors that sell, or wish to sell, microelectronics and wireless network technology products and services to the DOD should be prepared for the imposition of the security standards developed under this program. While the security standards likely will not be enforced until January of 2023, they are required to be developed and effective by January 2021. This statutorily prescribed time frame will give contractors approximately two years to evaluate the impact of the new standards and to take appropriate steps to come into compliance. As a result of the anticipated standards, microelectronic and wireless network technology manufacturers, and their supply chain, may have to evaluate possible changes required to come into compliance. Such changes may include the relocation of manufacturing facilities and adjustments to company ownership and workforce composition, among others, to meet the microelectronic and wireless network technology security standards that will ultimately be imposed. Reed Smith will continue to monitor the information related to the establishment of these security standards and provide updated client alerts as new information becomes available.