HOME  |  CONTENTS  |  DISCUSSIONS  DISCUSSION ARCHIVES  |  BLOG  |  QUICK-KITs|  STATES

How To Use the NDAA Pages

Back to NDAA Contents

TITLE VIII--ACQUISITION POLICY, ACQUISITION MANAGEMENT, AND RELATED MATTERS

Subtitle E--Industrial Base Matters

P. L. 116-92

House Conference Report 116-333

SEC. 847. MITIGATING RISKS RELATED TO FOREIGN OWNERSHIP, CONTROL, OR INFLUENCE OF DEPARTMENT OF DEFENSE CONTRACTORS OR SUBCONTRACTORS.

(a) Definitions.--In this section:

(1) Beneficial owner; beneficial ownership.--The terms ``beneficial owner'' and ``beneficial ownership'' shall be determined in a manner that is not less stringent than the manner set forth in section 240.13d-3 of title 17, Code of Federal Regulations (as in effect on the date of the enactment of this
Act).

(2) Company.--The term ``company'' means any corporation, company, limited liability company, limited partnership, business trust, business association, or other similar entity.

(3) Covered contractor or subcontractor.--The term ``covered contractor or subcontractor'' means a company that is an existing or prospective contractor or subcontractor of the Department of Defense on a contract or subcontract with a value in excess of $5,000,000, except as provided in subsection (c).

(4) Foreign ownership, control, or influence; foci.--The terms ``foreign ownership, control, or influence'' and ``FOCI'' have the meanings given those terms in the National Industrial Security Program Operating Manual (DOD 5220.22-M), or a successor document.

(b) Improved Assessment and Mitigation of Risks Related to Foreign Ownership, Control, or Influence.--

(1) In general.--In developing and implementing the analytical framework for mitigating risk relating to ownership structures, as required by section 2509 of title 10, United States Code, as added by section 845 of this Act, the Secretary of Defense shall improve the process and procedures for the assessment and mitigation of risks related to foreign ownership, control, or influence (FOCI) of contractors and subcontractors doing business with the Department of Defense.

(2) Elements.--The process and procedures for the assessment and mitigation of risk relating to ownership structures referred to in paragraph (1) shall include the following elements:

(A) Assessment of foci.--

(i) A requirement for covered contractors and subcontractors to disclose to the Defense Counterintelligence and Security Agency, or its successor organization, their beneficial ownership and whether they are under FOCI.

(ii) A requirement to update such disclosures when changes occur to information previously provided, consistent with or similar to the procedures for updating FOCI information under the National Industrial Security Program Operating Manual (DOD 5220.22-M), or a successor document.

(iii) A requirement for covered contractors and subcontractors determined to be under FOCI to disclose contact information for each of its foreign owners that is a beneficial owner.

(iv) A requirement that, at a minimum, the disclosures required by this paragraph be provided at the time the contract or subcontract is awarded, amended, or renewed, but in no case later than one year after the Secretary prescribes regulations to carry out this subsection.

(B) Responsibility determination.--Consistent with section 2509 of title 10, United States Code, as added by section 845 of this Act, consideration of FOCI risks as part of responsibility determinations, including--

(i) whether to establish a special standard of responsibility relating to FOCI risks for covered contractors or subcontractors, and the extent to which the policies and procedures consistent with or similar to those relating to FOCI under the National Industrial Security Program shall be applied to covered contractors or subcontractors;

(ii) procedures for contracting officers making responsibility determinations regarding whether covered contractors and subcontractors may be under foreign ownership, control, or influence and for determining whether there is reason to believe that such foreign ownership, control, or influence would pose a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes, such as personally identifiable information, cybersecurity, or national security systems involved with the contract or subcontract; and

(iii) modification of policies, directives, and practices to provide that an assessment that a covered contractor or subcontractor is under FOCI may be a sufficient basis for a contracting officer to determine that a contractor or subcontractor is not responsible.

(C) Contract requirements, administration, and oversight
relating to foci.--

(i) Requirements for contract clauses providing for and enforcing disclosures related to changes in FOCI or beneficial ownership during performance of the contract or subcontract, consistent with subparagraph (A), and necessitating the effective mitigation of risks related to FOCI throughout the duration of the contract or subcontract.

(ii) Pursuant to section 831(c), designation of the appropriate Department of Defense official responsible to approve and to take actions relating to award, modification, termination of a contract, or direction to modify or terminate a subcontract due to an assessment by the Defense Counterintelligence and Security Agency, or its successor organization, that a covered contractor or subcontractor under FOCI poses a risk to national security or potential risk of compromise.

(iii) A requirement for the provision of additional information regarding beneficial ownership and control of any covered contractor or subcontractor on the contract or subcontract.

(iv) Other measures as necessary to be consistent with other relevant practices, policies, regulations, and actions, including those under the National Industrial Security Program.

(c) Applicability to Contracts and Subcontracts for Commercial Products and Services and Other Forms of Acquisition Agreements.--

(1) Commercial products and services.--The requirements under subsection (b)(2)(A) and (b)(2)(C) shall not apply to a contract or subcontract for commercial products or services, unless a designated senior Department of Defense official specifically requires the applicability of subsections (b)(2)(A) and (b)(2)(C) based on a determination by the designated senior official that the contract or subcontract involves a risk or potential risk to national security or potential compromise because of sensitive data, systems, or processes, such as personally identifiable information, cybersecurity, or national security systems.

(2) Research and development and procurement activities.--The Secretary of Defense shall ensure that the requirements of this section are applied to research and development and procurement activities, including for the delivery of services, established through any means including those under section 2358(b) of title 10, United States Code.

(d) Availability of Resources.--The Secretary shall ensure that sufficient resources, including subject matter expertise, are allocated to execute the functions necessary to carry out this section, including the assessment, mitigation, contract administration, and oversight functions.

(e) Rule of Construction.--Nothing in this section shall be construed to limit or modify any other procurement policy, procedure, requirement, or restriction provided by law, including section 721 of the Defense Production Act of 1950 (50 U.S.C. 4565), as amended by the Foreign Interference Risk Review Modernization Act of 2018 (subtitle A of title XVII of Public Law 115-232).

(f) Availability of Beneficial Ownership Data.--

(1) In general.--Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall establish a process to update systems of record to improve the assessment and mitigation of risks associated with FOCI through the inclusion and updating of all appropriate associated uniquely identifying information about the contracts and contractors and subcontracts and subcontractors in the Federal Awardee Performance and Integrity Information System (FAPIIS), administered by the General Services Administration, and the Commercial and Government Entity (CAGE) database, administered by the Defense Logistics Agency.

(2) Limited availability of information.--The Secretary of Defense shall ensure that the information required to be disclosed pursuant to this section is--

(A) not made public;

(B) made available via the FAPIIS and CAGE databases; and

(C) made available to appropriate government departments or agencies.

Mitigating risks related to foreign ownership, control, or influence of Department of Defense contractors or subcontractors (sec. 847)

The Senate bill contained a provision (sec. 833) that would require the Secretary of Defense to amend policy and regulation to take steps to enhance the process for assessing and mitigating risks related to foreign ownership, control, or influence (FOCI).

The House amendment contained no similar provision.

The House recedes with technical and clarifying amendments.

The conferees are concerned by the growing threat to the integrity of the defense industrial base from strategic competitors, like the Russian Federation, the People's Republic of China, and their proxies, seeking to gain access to sensitive defense information or technology through contractors or subcontractors. The conferees recognize that there are existing efforts underway to understand and mitigate some of these risks as directed by several pilot programs including section 1048 of the National Defense Authorization Act for Fiscal Year 2019 and section 1969 of the National Defense Authorization Act for Fiscal Year 2018. The conferees also recognize that the Defense Counterintelligence and Security Agency (DCSA) has transitioned to a new mission and has taken on additional responsibilities despite resource constraints.

However, the acquisition community must have greater visibility into all cleared and uncleared potential contractors and subcontractors seeking to do business with the Department. The Department must ensure that contractors and subcontractors do not pose a risk to the security of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security systems.


Senate Report 116-48


Mitigating risks related to foreign ownership, control, or influence of Department of Defense contractors or subcontractors (sec. 833)

The committee recommends a provision that would require the Secretary of Defense to amend policy and regulation to take steps to enhance the process for assessing and mitigating risks related to foreign ownership, control, or influence (FOCI).

The committee is concerned by the growing threat to the integrity of the defense industrial base from strategic competitors, like the Russian Federation, the People's Republic of China, and their proxies, seeking to gain access to sensitive defense information or technology through contractors or subcontractors. The committee recognizes the need for the Department's acquisition community to have greater visibility into the potential FOCI of contractors and subcontractors seeking to do business with the Department to ensure that they do not pose a risk to the security of sensitive data, systems, or processes such as personally identifiable information, cybersecurity systems, or national security systems.

In order to aid in identifying the actual individual or individuals owning or controlling each contractor or subcontractor, the provision would require the companies to make certain disclosures. Such disclosures would then be considered in determining the responsibility of the contractor being considered for a contract or subcontract and standards under which a contract or subcontract could be terminated due to unmitigable risks.

ABOUT  l CONTACT