In the span of just over one month, the Department of Defense (DoD) published two separate Federal Register notices relevant to export controls and the requirements for safeguarding unclassified technical data under DoD contracts. Among other concerns, the two notices appear to take conflicting positions with respect to the ability of DoD contracting officers to identify contracts that will involve export-controlled data:
- In a March 3 notice, DoD issued a proposed rule that would establish specific requirements for safeguarding unclassified information related to DoD contracts and reporting cyber intrusions. Under the proposed framework, DoD contracting officers would be required to decide whether to include an additional contract clause, depending on whether the contractor would need to access or generate certain export-controlled data or other types of sensitive information. When the more sensitive categories of data are involved, the contractor would be required to adopt "enhanced" data security measures. Moreover, the contracting officer would be required to include an additional clause regarding publication restrictions, unless the activity constituted "fundamental research." Thus, the proposed rule would require DoD contracting officers to reach judgments prior to executing the contract as to whether export controlled data or other categories of sensitive data would be involved and whether the program would be excluded from export controls as "fundamental research."
- In contrast, DoD published a final rule on April 8 in which it established a single standard clause regarding export controls that must be included in all DoD contracts. The mandatory clause does little more than notify contractors of their obligation to comply with export control laws. In publishing this rule, DoD abandoned a long-running effort through prior Federal Register notices to establish a framework under which DoD contracting officers would make determinations as to whether DoD contracts would involve export-controlled information or would be exempt from export controls as "fundamental research." In explaining its decision to move to the single clause approach, DoD stated that its contracting officers have no authority or ability to make decisions on the applicability of export controls to DoD-funded programs, as jurisdiction over export control matters lies with the Departments of State and Commerce.
In light of the conclusions reached in the April 8 notice, it is surprising that DoD again proposed to adopt a choice of clauses approach in the March 3 notice in connection with export-controlled data and fundamental research. In particular, given the conclusion that DoD contracting officers have no ability to make judgments as to whether contracts will involve export-controlled data, it seems likely that DoD contracting officers will err on the side of including the more burdensome and restrictive clause relating to enhanced data protections and publication restrictions. The following is a more detailed summary of the two DoD Federal Register notices.
March 3, 2010 Advanced Notice of Proposed Rulemaking Regarding DoD Information
On March 3, 2010, DoD published a Federal Register notice regarding proposed revisions to the DFARS that would establish specific requirements with respect to the safeguarding of unclassified information related to DoD contracts. The proposed rule would represent a significant expansion in the requirements and restrictions currently applicable to unclassified DoD information. DoD invited public comments regarding the proposed rule and held a public meeting in Washington on April 22, 2010 to discuss the measure.
The proposed DoD rule lays out an explicit policy requiring contractors and subcontractors to provide "adequate security" to safeguard "DoD information" on their unclassified information systems from unauthorized access and disclosure. "Adequate security" requires that the "protection measures applied are commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information." Significantly, "DoD information" includes unclassified information that has not been cleared for public release and that either was provided by or on behalf of DoD or "collected, developed, received, transmitted, used, or stored by the contractor or its subcontractor(s) in support of an official DoD activity." The proposed rule also references U.S. export control laws, including the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR).
Among other things, this proposed rule creates two levels of security for DoD information:
- Basic: Applies to any DoD information on a contractor's unclassified information systems.
- Enhanced: Applies to DoD information on a contractor's unclassified information systems that is: (1) designated as Critical Program Information; (2) subject to ITAR and EAR regulations; (3) designated for withholding from public release under DoD FOIA; (4) bears current or prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive); (5) technical data, computer software, and any other technical information covered by DoD Directive 5230.24 (Distribution Statements on Technical Documents) and DoD Directive 5230.25 (Withholding of Unclassified Technical Data from Public Disclosure); or (6) personally identifiable information.
The proposed rule identifies specific procedures that the contractor would be required to implement in relation to DoD information subject to the basic or enhanced safeguarding requirements. To this end, the proposed rule includes two separate clauses related to the protection of DoD information: one for use in all solicitations and contracts when the contractor or subcontractor at any level will potentially have DoD information subject to basic safeguarding requirements and a second clause that would be used in addition to the first when DoD information subject to enhanced safeguarding requirements is involved.
In addition, the proposed rule requires contracting officers to include the standard "7000" clause requiring the contractor to obtain DoD approval prior to publishing any information related to contracts involving DoD information, unless the contract relates to "fundamental research."
April 8, 2010 Final Rule Regarding Export-Controlled Items
On April 8, 2010, DoD published a final rule that addresses requirements regarding compliance with U.S. export control laws in connection with DoD contracts. See Defense Federal Acquisition Regulation Supplement; Export-Controlled Items (DFARS Case 2004-D010), 75 Fed. Reg. 18030 (April 8, 2010). This final rule amends the DFARS to require the use of a single, standard clause regarding export controls that merely puts contractors on notice of their independent obligations to comply with U.S. export control laws set forth in the EAR and ITAR. This clause must be included in every DoD solicitation and contract regardless of whether the parties anticipate that the resulting activities will involve export-controlled items.
The April 8 notice is DoD's fourth iteration of the rule regarding export control clauses. In this final notice, DoD abandons the two clause construct that was adopted in the prior interim rule nearly two years ago (see 73 Fed. Reg. 42274 (July 21, 2008)) and that was in force from July 21, 2008 through April 7, 2010. The significant changes adopted in the final rule as compared to the prior interim rule include the following:
- The interim rule required DoD contracting officers to include one of two clauses in contracts: one for use when the contractor is expected to generate or need access to "export-controlled items," and an alternative clause for use when the work is "fundamental" research and "export-controlled items" are not expected to be involved. As noted above, the final rule requires the use of a single generic clause in all DoD solicitations and contracts.
- Under the one clause construct of the final rule, contracting officers and their private sector counterparts are no longer required to assess in advance whether the DoD contract or related subcontract will require the contractor to generate or require access to "export-controlled items." The changes made to the final rule appear to focus on eliminating the need for DoD to make pre-contract assessments as to whether particular items or technology will be subject to the ITAR or EAR and specifically states that "DoD does not have authority to issue 'export direction' regarding contractor responsibilities to comply with the ITAR and the EAR."
The final rule no longer includes a definition of "fundamental research." DoD indicates in the final rule that ten of the twelve respondents that provided comments on the interim rule represented a university or the university community. DoD takes the view that the concerns of the university community are addressed, because DoD will no longer be required to make judgments regarding whether specific research and development contracts might involve "export-controlled items" or "fundamental research."