The National Defense Authorization Act for Fiscal Year 2020 was signed into law on December 20, 2019, after Congress passed the Conference Report for the NDAA earlier in the month, including provisions creating the U.S. Space Force and strengthening cyber operations and acquisition reforms. The Senate passed the Conference Report on December 17, 2019, including the agreed NDAA text and the Joint Explanatory Statement of the Conference Committee. A bipartisan summary of the NDAA for FY 2020 was also released by the congressional committees with the Conference Report on December 9, 2019. According to the Congressional Summary,
This year’s NDAA charts a consensus national defense policy that continues the restoration of military readiness, implements a National Defense Strategy to confront Russia, China, and other threats around the world, reforms and modernizes Pentagon business systems and bureaucracy, and – most importantly – cares for our troops and their families.
The NDAA provides a base budget of $658.4 billion and an additional $71.5 billion for overseas contingency operations, resulting in a discretionary topline of about $730 billion. With $8 billion in defense-related activities outside the NDAA jurisdiction, the NDAA’s national defense topline is $738 billion, and another $5.3 billion is allocated for emergency disaster recovery.
Establishment of Space Force
As stated in the Congressional Summary, the NDAA “recognizes space as a warfighting domain and establishes the U.S. Space Force in Title 10 as the sixth Armed Service of the United States, under the U.S. Air Force.” The NDAA provides the secretary of the Air Force with the authority to transfer Air Force personnel to the newly established Space Force. The conference agreement creates a Chief of Space Operations (CSO) for the U.S. Space Force who will report directly to the Air Force secretary. In addition, a Senate-confirmed Assistant Secretary of the Air Force for Space Acquisition and Integration will serve as the senior space architect; will lead the acquisition of space systems as the Chair of the Space Force Acquisition Council; and will take on Service Acquisition Executive responsibilities for space systems and programs as of 2022.
Cyber Operations and Cybersecurity
The NDAA again strengthens congressional oversight of cyber operations and enhances the DoD’s cybersecurity strategy and cyber warfare capabilities. As stated in the Congressional Summary, the NDAA, among other measures:
- Directs the Secretary of Defense to develop a consistent, comprehensive framework to enhance the cybersecurity of the U.S. defense industrial base;
- Requires development of metrics for the assessment of the readiness of the Cyber Mission Forces;
- Establishes a consortium of universities to advise the Secretary of Defense on cybersecurity matters;
- Establishes Principal Cyber Advisors on military cyber force matters for each military service;
- Directs an annual report on military cyberspace operations;
- Directs a zero-based review of DoD cyber and information technology personnel;
- Refines the role of the Chief Information Officer in improving enterprise-wide cybersecurity;
- Commissions a Defense Science Board study on future cyber warfighting capabilities of the DoD;
- Directs the Secretary of Defense to conduct a review of the cyber posture of the United States on a quadrennial basis; and
- Extends the completion date of the Cyberspace Solarium Commission.
See Congressional Summary at 17.
Section 1648 of the NDAA endorses the current DoD plans for the Cybersecurity Maturity Model Certification program. Section 1648 requires the Secretary of Defense to develop a comprehensive framework to enhance the cybersecurity of the U.S. defense industrial base no later than February 1, 2020. This will include “the responsibilities of the prime contractors, and all subcontractors in the supply chain, for implementing the required cybersecurity standards, regulations, metrics, ratings, third-party certifications, and requirements identified[.]” The Secretary is required to consider “risk-based methodologies, standards, metrics, and tiered cybersecurity requirements for the defense industrial base, including third-party certifications such as the Cybersecurity Maturity Model Certification pilot program, as the basis for a mandatory Department standard.”
Pentagon Acquisition Reforms
The NDAA conferees “focused on enforcing reforms already enacted by Congress while creating new pathways for innovators to bring their ideas to DOD,” according to the Congressional Summary. Accordingly, the FY2020 NDAA requires DoD “to redesign the Acquisition Workforce certification, education, and career fields by leveraging nationally and internationally recognized standards.”
In addition, the NDAA establishes a Defense Civilian Training Corps “to address critical skill gaps in the DOD’s civilian workforce,” and to train civilians for public service in the DoD. The NDAA also requires DoD “to establish extramural research activities focused on innovative acquisition process that leverage expertise outside of the DoD.” The NDAA also “continues the work of previous NDAAs to enable the DoD to assess and mitigate risks to its supply chain posed by advanced intelligence services . . . that seek to exploit vulnerabilities to erode our military advantage.”
With respect to Emerging Technologies, as highlighted in the Congressional Summary, the NDAA “directs policies to ensure that the national security innovation base is poised to meet long-range emerging threats and the rise of global competitors.” Accordingly, the NDAA includes a host of measures supporting emerging technologies including cyber science and technologies; Artificial Intelligence; hypersonic capabilities, quantum science; and emerging biotechnologies. The Conference Report also “recognizes the importance and urgency of establishing a Departmentwide 5th Generation (5G) strategy to enhance military capabilities.”
The NDAA also adopts aspects of the Accelerating Defense Innovation Act in order to gain access to new sources of innovation:
It establishes inclusive pathways for the most promising small businesses to commercialize their innovations for the DOD market. The NDAA increases DOD’s engagement with innovation hubs across the country by establishing a Joint Reserve Detachment at Defense Innovation Unit locations and authorizing $75 million to the Defense Innovation Unit for the creation of a National Security Innovation Capital Fund.
Title VIII Acquisition Provisions
Below is a summary of select provisions from NDAA Title VIII, which covers Acquisition Policy, Acquisition Management, and Related Matters.
Acquisition Policy and Management
Title VIII Subtitle A includes a number of provisions relating to acquisition policy and management, including provisions relating to rapid acquisition of software, pilot programs on IP and complex contracting teams, and DoD pricing issues and source selection procedures.
Section 800 requires the Secretary of Defense to establish new procurement pathways for the efficient and effective acquisition, development, integration, and timely delivery of secure software. Sections 801 and 802 create pilot programs for evaluation of intellectual property rights in acquisition programs, and for the use of contracting “alpha teams” for complex technical requirements, with advice of expert third parties.
Section 803 addresses a contractor’s failure to provide “other than certified” cost or pricing data upon request, including potential ineligibility for contract award. Section 804 requires a Comptroller General report on the efforts of the DoD to secure data relating to the price reasonableness of offers.
Section 806 provides for standardization of data collection on the use of source selection procedures, including lowest price technically acceptable and best value, and contracting actions under indefinite-delivery-indefinite quantity contracts. Section 807 requires DoD to conduct a review on its decisions to use fixed-price contracts to ensure that such decisions are made strategically and consistently.
Amendments to General Authorities
Subtitle B contains amendments to general contracting authorities. Section 818 requires DoD agencies, in procurements relating to commercial items, to “document the results of market research in a manner appropriate to the size and complexity of the acquisition.”
Section 819 concerns the availability of data on the use of Other Transaction Authority, amending a requirement in the NDAA for FY 2019, adding new requirements to annual reporting by DoD to Congress on use of OTs for prototype projects, and ensuring the annual report is unclassified.
Section 820 requires the U.S. Navy to require prime contractors of certain navy procurement programs to report, within 15 calendar days of any contractor or subcontractor stop work order or within 15 days of a manufacturing disruption that has lasted 15 calendar days, to the respective program manager and navy technical authority.
The Acquisition System
Subtitle D contains provisions relating to the acquisition system. Section 835 requires the DoD to establish and maintain “extramural acquisition innovation and research activities,” to include an acquisition research organization within a civilian university, to provide and maintain essential research and development capabilities through a long-term strategic relationship with DoD, with the goal to provide policy alternatives for innovation in defense acquisition. Section 836 requires a report to Congress on DoD’s progress on implementing acquisition reform initiatives that have already been enacted into law.
Subtitle G includes several provisions relating to small businesses, including Section 872, which reauthorizes and improves the DoD mentor-protégé program. Section 870 amends section 8(d) of the Small Business Act (15 U.S.C. 637) to, according to the Conference Report, “clarify that large prime contractors have the ability to receive subcontracting credit for small businesses at lower tiers; strengthen the agency’s ability to collect and review data regarding prime contractors' achievement of their subcontracting plans; [and] require the prime contractor to keep and maintain records to demonstrate subcontracting credit claimed.”
The Industrial Base
Subtitle E relates to Industrial Base Matters and includes numerous provisions reflecting congressional and DoD concern over the vitality, health and security of the Industrial Base.
Section 845, “Modernization of Acquisition Processes to Ensure Integrity of Industrial Base,” requires DoD to digitize and streamline the existing approach to identify and mitigate risks to the defense industrial base. The analytical framework must include monitoring of supply chain risks including: (i) material sources and fragility, including the extent to which sources and materials are mined, produced, or manufactured outside the U.S.; (ii) telecommunications services or equipment; (iii) counterfeit parts; (iv) cybersecurity; (v) video surveillance services or equipment; (vi) vendor vetting in contingency or operational environments; (vii) other electronic or IT products and services; and (viii) other risk areas.
The analytical framework under Section 845 must also include monitoring of risks posed by contractor behavior that constitutes violations of laws or regulations, including those relating to:
(ii) ownership structures;
(iii) trafficking in persons;
(iv) workers’ health and safety;
(v) affiliation with the enemy;
(vi) foreign influence; and
(vii) other risk areas.
The analytical framework must also include assessment of the acquisition processes of the DoD and monitoring of the health and activities of the defense industrial base.
The Conference Report noted the importance of contracting as the foundation of DoD’s relationship with the defense industrial base:
contracting is the mechanism by which the Department of Defense operationalizes its relationship with the defense industrial base/national security innovation base. The conferees further note that the Department’s ability to maintain awareness of the sources of procured items or materials, including the degree to which the sources are foreign or domestic, are critical elements for understanding supply chain risks. This is particularly the case for items used in critical programs such as major defense acquisition programs.
Section 847, “Mitigating Risks Related to Foreign Ownership, Control, or Influence [FOCI] of Department of Defense Contractors or Subcontractors,” requires improved mitigation of risks related to FOCI. In developing the analytical framework for mitigating risk relating to ownership structures, as required by Section 845, DoD must improve the procedures for the assessment and mitigation of risks relating to FOCI of contractors and subcontractors doing business with DoD, in connection with contracts and subcontracts greater than $5 million.
The Conference Report stated that “the conferees are concerned by the growing threat to the integrity of the defense industrial base from strategic competitors, like the Russian Federation, the People’s Republic of China, and their proxies, seeking to gain access to sensitive defense information or technology through contractors or subcontractors.” Further, DoD “must ensure that contractors and subcontractors do not pose a risk to the security of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security systems.” The NDAA and Conference Report reflect continuing congressional concern over vulnerabilities in the DoD supply chain, and continuing efforts to improve the security and strength of the defense industrial base.