The National Defense Authorization Act for Fiscal Year 2016 [pdf], signed into law just before Thanksgiving, authorizes $607 billion for Department of Defense activities in FY 2016. It also implements a number of acquisition reforms intended to enhance the Government’s cybersecurity efforts and streamline the various acquisition regulations. Here we break down some of the key acquisition provisions:
- Rapid acquisition authority for cyber attacks. Section 803 of the 2016 NDAA expands the DoD’s ability to employ rapid acquisition procedures established under the 2003 NDAA to enhance its ability to respond to combat emergencies and urgent operational needs. Under Section 803, rapid acquisition procedures may now be used to acquire “needed offensive or defensive cyber capabilities, supplies, and associated support services” to respond to a cyber attack that “has resulted in critical mission failure, the loss of life, property destruction, or economic effects.” The term “cyber attack” is broadly defined as including any “deliberate action to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information or programs” in those systems. Acquisitions made pursuant to this authority are subject to an aggregate limit of $200 million in each fiscal year.
- U.S. Cyber Command acquisition authority and liability protection for cybersecurity contractors. In addition to expanding DoD’s rapid acquisition authority to deal with cyber attacks, Section 807 of the NDAA provides new limited acquisition authority for the Commander of the United States Cyber Command (CYBERCOM). The Commander is authorized to procure “cyber operations-peculiar equipment and capabilities,” subject to an annual limit of $75 million for each fiscal year from 2016 through 2021. Section 1647 of the NDAA also requires the evaluation of cyber vulnerabilities of all major DoD weapons systems by the end of 2019. Section 1641 of the NDAA provides enhanced liability protection for reporting cyber incidents for both “cleared” and “operationally critical” contractors, so long as there is no willful misconduct.
- Streamlining acquisition regulations. Another major thrust of the 2016 NDAA was streamlining the acquisition process and eliminating redundant and duplicative requirements. Section 809 of the NDAA requires that the Secretary of Defense establish a nine-member advisory panel consisting of experts in acquisition and procurement policy, the objective of which is to review the DoD’s acquisition regulations and provide recommendations for streamlining the procurement process. The panel has 2 years to provide a final report of its recommendations and must provide interim reports at the 6-month and 18-month marks.
- Cost overrun penalty. The 2016 NDAA also emphasizes the need to monitor costs on major defense acquisition programs and to hold the DoD accountable for cost overruns. Under section 828 of the NDAA, beginning in FY 2015, the Secretary of each military department “shall pay a penalty for cost overruns” experienced on certain major defense acquisition programs. Cost overruns are defined as the difference between the current program acquisition cost and the program acquisition cost shown in the original baseline estimate. The penalty for cost overruns in a given fiscal year is 3% of the cumulative amount of overruns on all of the covered major defense acquisition programs for the respective military department.
- Other acquisition provisions of note. Section 816 of the NDAA raises the special emergency procurement threshold from $250,000 to $750,000 for purchases inside the U.S., and from $1 million to $1.5 million for purchases outside the U.S. Additionally, section 867 of the NDAA allows small businesses to better compete for large contracts by requiring that more weight be given to the past performances of teams and joint ventures. Congress also considered increasing several other acquisition thresholds, but those changes were omitted from the language that became law.