The Cloud Service Providers Advisory Board (CSP-AB), in collaboration with leading industry associations such as ITI, NDIA, PSC, and SIIA, has submitted detailed comments on the Department of Defense’s proposed rulemaking for DFARS Case 2018-D064, “Disclosure of Information Regarding Foreign Obligations.”
The proposed rule, intended to implement Section 1655 of the FY19 NDAA, introduces new disclosure requirements for defense contractors. While we recognize the importance of safeguarding national security, the current regulatory approach risks stifling innovation, deterring market participation, and overburdening compliance efforts without yielding proportional security benefits.
Key Concerns and Recommendations
- Overreach in Scope
  - The proposed rule extends disclosure requirements to commercial products, including COTS items, contrary to the statutory text of Sec. 1655(a)(1).
  - Recommendation: Limit disclosure requirements to non-commercial products and systems specifically developed for the DoD.
- Protecting the Commercial Market
  - Additional requirements on commercial acquisitions under FAR Part 12 undermine the accessibility of commercial solutions.
  - Recommendation: Preserve the integrity of commercial products and services by excluding them from unnecessary disclosures.
- Focus on High-Risk Scenarios
  - Expanding disclosure to include foreign persons in low-risk scenarios exceeds legislative intent and may reduce the availability of innovative technology to the DoD.
  - Recommendation: Restrict disclosures to high-risk scenarios involving foreign governments or individuals acting on their behalf.
- Proportional Lookback Period
  - The proposed twelve-year retroactive reporting requirement is commercially impractical and exceeds standard norms.
  - Recommendation: Align lookback requirements with a five-year statutory period, focusing on material disclosures tied to actual knowledge.
- Subcontractor and Attestation Challenges
  - Flow-down requirements to subcontractors and ambiguous attestation obligations create significant legal and operational risks.
  - Recommendation: Strike subcontractor flow-down provisions and provide clear definitions for key terms like “code review” and “foreign person.”
- Clarifying Open Source Software Exemptions
  - The proposed rule fails to adequately exempt open-source components commonly embedded within end products.
  - Recommendation: Expand the OSS exemption to include embedded components, ensuring flexibility and compliance.
- Data Privacy and Security
  - Sensitive disclosures risk exposure through open records laws or misuse.
  - Recommendation: Limit data access to federal authorities with a need to know and ensure robust tracking and auditing measures.
Moving Forward
CSP-AB and partner associations urge the DoD to revisit the proposed rules, ensuring alignment with statutory intent and fostering a secure yet innovative defense industrial base. By implementing targeted recommendations, we can achieve the dual objectives of safeguarding national security and maintaining a competitive, resilient marketplace.
For further details or inquiries, please contact Leopold Wildenauer, Director of Public Sector Policy at ITI, at lwildenauer@itic.org.