New York (November 15, 2016, 12:45 PM EST) -- The US Department of Defense issued a proposed rule titled Withholding of Unclassified Technical Data and Technology from the Public Disclosure on Oct. 31, 2016. The deadline for public comments is Dec. 30, 2016.
At its essence, the proposed rule sets forth procedures that were already included in pre-existing DOD directives relating to the dissemination and withholding of export-controlled information associated with DOD programs. Although the DOD takes the view that the rule does not otherwise modify or supplant the International Traffic in Arms Regulations or the Export Administration Regulations, the proposed rule contains provisions that should be of concern to DOD contractors. Specifically, the rule notes that when a DOD component is in receipt of “substantial and credible information” that a qualified US contractor has violated US export control law, or engaged in other potentially problematic conduct associated with the completion of a certification that contractors are required to submit to gain access to DOD-origin export controlled information, the DOD will temporarily revoke, and could ultimately disqualify, a contractor from receiving DOD-origin export control information.
If it were to be implemented as proposed, this disqualification requirement would be controversial and difficult to manage. Although the proposed rule itself does call for contractors to voluntarily disclose export violations to the DOD, it is possible any contractor that has submitted a voluntary disclosure to the US State or Commerce Departments (or the National Security Division of the US Department of Justice under its recent guidance regarding export controls and sanctions matters) associated with participating in a DOD contract might be subjected to temporary revocation of its right to receive DOD controlled technical data for purposes of performing or bidding on DOD contracts.
As a consequence, this rule (if implemented) could impact or potentially inhibit the submission of contractor disclosures to the Departments of State and Commerce, given the possibility that the facts and circumstances associated with such disclosures might become known to the DOD and ultimately result in parallel DOD disqualification proceedings.
In addition, DOD contractors are required by the Defense Federal Acquisition Regulation Supplement network penetration rule to report cyber breaches. Such breaches could involve export controlled information. It is possible, therefore, that upon report of a cyber breach, the DOD could take the view that the breach was an export control violation and that the DOD is therefore required to contact the Departments of State or Commerce, or the Department of Justice. Of course, the contractor may be of the view that it had adequate security and the breach was a “theft” rather than an “export.” Accordingly, contractors with solid compliance programs that identify and disclose potential export violations, or which have adequate mechanisms for complying with cybersecurity rules, may find themselves inadvertently subjected to DOD proceedings which in turn impact their ability to perform or be awarded DOD contracts. In addition, the scope of the DOD revocation (e.g., just the relevant business unit/subsidiary or the entire corporation?), as well as the definition of the “substantial and credible information” standard, lack clarity and would benefit from further clarification in a final or interim rule.
Finally, the proposed rule calls for various marking protocols, e.g., reminding the DOD and contractors that documents should be marked in accordance with DOD Instruction 5230.24, Distribution Statements on Technical Documents. This focus on “releasability” is aligned with the DOD’s long-standing practices, but should be considered in the context of the Sept. 14, 2016, National Archives and Records Administration government-wide final rule on controlled unclassified information, found at 81 Federal Register 63324, which would seem to call for the DOD (when it implements the NARA CUI program) and ultimately DOD contractors (when the DOD includes the CUI program in agreements with contractors) to mark documents as “EXPT” (export controlled) and/or “CTI” (controlled technical information), in addition to including the distribution statements.
In sum, the DOD’s proposed rule, although well-intentioned and focused on the strong need to protect export controlled information in DOD procurement, will likely attract considerable attention and public comment from industry.
This article was first published in Law360.