Charles Fleischmann

Charles provides legal counsel to businesses and executives facing government investigations and also assists companies with their compliance needs prior to the government becoming involved. Charles has represented clients before the Department of Justice, Federal Bureau of Investigation, Congress and other regulatory and enforcement agencies. In addition, he advises clients regarding corporate compliance and tailored training on issues including cyber security, data privacy, the Foreign Corrupt Practices Act and campaign finance compliance. Finally, Charles also assists companies conducting internal investigations.

The National Defense Authorization Act for Fiscal Year 2016 [pdf], signed into law just before Thanksgiving, authorizes $607 billion for Department of Defense activities in FY 2016. It also implements a number of acquisition reforms intended to enhance the Government’s cybersecurity efforts and streamline the various acquisition regulations. Here we break down some of the key acquisition provisions:

  • Rapid acquisition authority for cyber attacks. Section 803 of the 2016 NDAA expands the DoD’s ability to employ rapid acquisition procedures established under the 2003 NDAA to enhance its ability to respond to combat emergencies and urgent operational needs. Under Section 803, rapid acquisition procedures may now be used to acquire “needed offensive or defensive cyber capabilities, supplies, and associated support services” to respond to a cyber attack that “has resulted in critical mission failure, the loss of life, property destruction, or economic effects.” The term “cyber attack” is broadly defined as including any “deliberate action to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information or programs” in those systems. Acquisitions made pursuant to this authority are subject to an aggregate limit of $200 million in each fiscal year.
  • U.S. Cyber Command acquisition authority and liability protection for cybersecurity contractors. In addition to expanding DoD’s rapid acquisition authority to deal with cyber attacks, Section 807 of the NDAA provides new limited acquisition authority for the Commander of the United States Cyber Command (CYBERCOM). The Commander is authorized to procure “cyber operations-peculiar equipment and capabilities,” subject to an annual limit of $75 million for each fiscal year from 2016 through 2021. Section 1647 of the NDAA also requires the evaluation of cyber vulnerabilities of all major DoD weapons systems by the end of 2019. Section 1641 of the NDAA provides enhanced liability protection for reporting cyber incidents for both “cleared” and “operationally critical” contractors, so long as there is no willful misconduct.

The Senate passed the Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015 [pdf] on Friday, December 12, 2014. President Obama is expected to sign the bill into law. The $585 billion bill authorizes the Pentagon’s activities in FY 2015. It includes $521.3 billion in base defense spending and another $64 billion in war funding. Here is a summary of the procurement reform initiatives that will be relevant to contractors in the upcoming year:

  1. Cyber incident reporting for operationally critical contractors. Section 1632 of the 2015 NDAA directs the Secretary of Defense to designate and notify “operationally critical contractors,” a term narrowly defined in the bill. After notification, designated contractors will be required to report to the Department of Defense each cyber incident with respect to any network or information system of such contractor. Reports must include: an assessment of the effect on the contractor’s ability to meet the Department’s contractual requirements; the technique used in the cyber incident; any sample of malicious software obtained; and a summary of information compromised by the incident. Despite the disclosure requirement, section 1632 provides for protection of contractor trade secrets and confidential commercial or financial information. It also limits the dissemination of information obtained to relevant entities and agencies.
  2. Enhanced authority for non-DOD Chief Information Officers. Section 831 of the NDAA increases the role of Chief Information Officers of agencies other than the Department of Defense. It provides that an agency may not enter into a contract for information technology unless the contract has first been reviewed and approved by the agency’s Chief Information Officer. The head of each covered agency must ensure that its Chief Information Officer has a significant role in all annual and multi-year planning, budgeting, and reporting related to information technology. The bill requires the Director of OMB and the Chief Information Officers of appropriate agencies to increase the efficiency and effectiveness of information technology investments and to develop opportunities to consolidate the acquisition and management of information technology services. The Chief Information Officer of each covered agency is directed to inventory agency data centers and develop a multi-year strategy for consolidation and optimization of those data centers inventoried.
  3. DOD CIO positions consolidated. Section 901 of the 2015 NDAA incorporates a DOD proposal to combine the positions of Chief Information Officer and Deputy Chief Management Officer into the position of Under Secretary of Defense for Business Management and Information. The new Under Secretary will oversee business operations, personnel, and IT projects and will be appointed by the President with the advice and consent of the Senate. This change will not take place until the next administration.