Act Imposes Cybersecurity Disclosure Obligations on Providers of Information Technology
On August 13, 2018, President Trump signed into law the 2019 National Defense Authorization Act. This massive (788 pages) piece of legislation establishes or renews the various programs of the Department of Defense and authorizes funding for the Department. Many provisions in the Act reflect an increased emphasis by the DOD on cybersecurity as the military strives to protect its supply chain. Among the many cybersecurity provisions are new disclosure obligations imposed on providers of information technology. For the purpose of the Act, “information technology” has the meaning given this term in 40 USC Section 11101.
Reporting Contacts with Foreign Governments
The Act’s disclosure requirements for information technology providers appear in Section 1655. This section recites that the DOD may not use a product, service, or system procured or acquired after the date of the Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a contractor unless the contractor discloses to the DOD the following:
First, the contractor must disclose (1) whether and, if so, when it has allowed a foreign government to review the code of a non-commercial product, system, or service developed for the DOD, or (2) whether it is under any obligation to allow a foreign person or government to review the code of a non-commercial product, system, or service developed for the DOD as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person acting on behalf of such a government. See Section 1655(a)(1).