On October 31, 2016, the Department of Defense (DoD) issued a proposed rule entitled, Withholding of Unclassified Technical Data and Technology from the Public Disclosure. Public comments are due on December 30, 2016.
The proposed rule establishes DoD policy, assigns responsibilities, and prescribes procedures for the dissemination and withholding of certain unclassified technical data and technology subject to the ITAR and EAR. The regulation applies to DoD components, their contractors, and grantees and is meant to control the transfer of technical data and technology contributing to the military potential of any country or countries, groups, or individuals that could prove detrimental to US national security or critical interests.
For the purposes of this regulation, DoD has taken the view that public disclosure of technical data and technology is the same as providing uncontrolled foreign access. Therefore, this rule instructs DoD employees, contractors, and grantees to ensure unclassified technical data and technology that discloses technology or information with a military or space application may not be exported without authorization, and should be disseminated consistent with US export control laws and regulations.
Although DoD states this rule does not modify or supplant the ITAR or the EAR, and further notes that this rule does not apply to commercial relationships unrelated to DoD programs, data, or information in the public domain or approved for public release by DoD, in practical effect the proposed rule further injects DoD into the field of export regulation. Specifically, the rule notes that in order for a contractor to receive technical data associated with DoD procurements, the contractor will have to complete a DD 2354 Military Critical Technology Agreement to the US-Canada Joint Certification Office, and will be required to mark and treat export controlled information associated with DoD programs in accordance with various DoD directives. Although the proposed rule adds several new sub-requirements regarding treatment of export controlled information from DoD, the baseline requirements for submitting an authorization request to receive DoD technical data in and of themselves, are not new and have been specified in DoD publications such as DoD Directive 5230.5 (albeit apparently not in the CFR explicitly), for a number of years.
What is new and significant is the requirement that when a DoD component is in receipt of “substantial and credible information” that a qualified US contractor has violated US export controls, violated its certification, made a certification in bad faith, or omitted or misstated a material fact, the DoD component will temporarily revoke the US contractor’s qualification to receive export controlled information from DoD. The same will be true of Canadian contractors who the rule requires submit a similar certification. Notably, the certification on the DD2354 states that a contractor does not employ persons who have violated export control laws and does not specify whether administrative/civil violations (which are common in the defense industry), are carved out from the certification. The rule goes on to note that the DoD component may delay such temporary revocations with the potential to compromise a US government investigation. When there is a temporary revocation, however, the DoD component is supposed to notify the contractor and the Undersecretary of Defense for Acquisition, Technology and Logistics (USD (AT&L)). The contractor will then be given an opportunity to respond in writing to the information upon which the temporary revocation is based before being disqualified. Any US contractor whose qualification has been temporarily revoked may present information to the DoD component showing that the basis for revocation was in error or has been remedied and be reinstated. When the basis for a contractor’s temporary revocation cannot be removed within 20 working days, the DoD component will recommend to the USD (AT&L) that the contractor be disqualified from receiving export controlled information from DoD. Further, after receipt of substantial and credible information that a qualified US contractor has violated US export control law, the DoD component must notify the appropriate law enforcement agency.
The disqualification requirement, if implemented in the final (or an interim) rule, will no doubt be controversial. While the proposed rule itself does not call for contractors to voluntarily disclose export violations to DoD, it is conceivable any company that submits a voluntary disclosure to the State or Commerce Departments (or the National Security Division of the Department of Justice pursuant to its recent guidance) in connection with a DoD contract might face temporary revocation of its right to receive controlled technical data from DoD associated with contracts upon which it is working or bidding, if the export control agencies, or the Department of Justice, were to notify DoD of the voluntary disclosure. Moreover, various other regulations regarding cybersecurity and controlled unclassified information call for contractors to report breaches to the disseminating agency (such as DoD), even when in the view of the contractor there may be a credible argument that those breaches are not themselves export violations. Therefore, it is possible that DoD will take the view such breaches are in fact export violations and DoD is therefore required to contact the Departments of State or Commerce, or the Department of Justice. For more information on this topic, see our October 31 advisory. Thus, companies that have strong compliance programs and disclose potential violations, or have appropriate mechanisms for complying with cyber-reporting requirements, may inadvertently find themselves subjected to multi-agency follow-up inquiries and that their ability to perform or win DoD contracts has been impacted. Furthermore, the scope of the revocation, i.e., corporate-wide or just the affected business unit/subsidiary, as well as the scope of the “substantial and credible information” standard are unclear and merit clarification as do a number of other aspects of this potentially impactful rule.