January 5, 2017 - Cybersecurity & Data Privacy

Congress Revisits the Data Rights Statutes and Advances Modular Open Systems Architecture in the FY 2017 NDAA

CybersecurityAlthough there usually is great validity in the aphorism that “no man’s life, liberty, or property is safe while the Legislature is in session,” we might have to rethink that notion when it comes to data rights.  Congress did some good last month in passing, with broad support, the National Defense Authorization Act (NDAA) for Fiscal Year 2017.  The FY 2017 NDAA fixed many of the worst problems created by the ill-conceived and poorly drafted provisions of Section 815 of the FY 2012 NDAA that skewed the allocation of data rights too far in favor of the government, while creating disincentives for innovation and headaches for the DFARS writers.  The FY17 NDAA also takes a sound step toward a workable statutory framework for DOD’s Modular Open System Approach (MOSA) to major defense systems.

A chief goal of MOSA is that DOD should be able to swap one contractor’s components in a system with another contractor’s hardware or software – so called “plug and play.”  To achieve this, DOD often legitimately will need something more detailed than “form, fit, and function” data (or software).  But it is not easy to figure out how to describe that “something more” in ways that will meet DOD’s needs while not cutting too deeply into a contractor’s equally legitimate, and statutory, rights to protect from competitors its limited rights technical data and restricted-rights software developed at private expense.

In the FY 2012 NDAA, Congress took a meat ax to this goal by creating new but entirely undefined categories of data necessary for “segregation and reintegration” and applying those categories too broadly, while also ignoring software.  Congress left to DOD the undesirable task of sorting out in the DFARS this Congressional abdication of responsibility.  After more than four years of struggling to balance DOD’s requirements with industry’s concerns, DOD proposed regulations in June 2016 to make the best of Section 815.  As we wrote this summer, DOD’s draft was commendable but left lingering concerns, including the scope of data and software encompassed by segregation and reintegration, as well as the breadth (“utilized” in performance) and unlimited time of the government’s ability to acquire data and software through a revised “deferred ordering” clause.  Congress recognized these and other concerns and ameliorated them in Section 809 of the FY 2017 NDAA.

With regard to deferred ordering, Congress eliminated the perpetual ordering right of Section 815, cutting it back to six years.  Although this is longer than the three-year period of the current deferred ordering clause (DFARS 252.227-7027), it is a fair compromise given the long life of many DOD systems and is far better than forever.  Congress also eliminated from deferred ordering any data that merely were “utilized” in performance of a contract – a word added by Section 815 – limiting the government instead to data “generated” in performance of the contract, which is the current DFARS standard.

Congress also limited the unbounded scope of segregation and reintegration data to only such data “pertaining to an interface.”  Industry had questioned what Congress meant by “interfaces” in relation to segregation or reintegration data.  Congress responded in the FY 2017 NDAA  by defining a “major system interface” as a “shared boundary” between or amongst system platforms and system components that is “defined by various physical, logical, and functional characteristics, such as electrical, mechanical, fluidic, optical, radio frequency, data, networking, or software elements.”  These interfaces further are “characterized clearly in terms of form, function, and the content that flows across the interface in order to enable technological innovation, incremental improvements, integration, and interoperability.”  DOD now is faced either with adopting Congress’s roomy definition or adding some greater specificity to it, although government and industry might prefer a “you’ll-know-it-when-you-see-it approach,” to allow flexibility in solicitations and negotiations.

In addition to the deferred ordering and interface amendments, Section 809 also removed the presumption that the government retains government purpose rights in data developed with a mix of government and private funding.  Section 809 replaces this presumption with a requirement for the parties to negotiate the government’s rights in such data.  Of course, with MOSA in mind, Section 809 carves out some important exceptions:  the government retains government purpose rights in (1) technical data pertaining to an interface developed with mixed funding, and (2) technical data pertaining to a “major system interface” developed either with mixed funding or exclusively at private expense.  In return for government purpose rights in data developed exclusively at private expense, the Secretary of Defense is to negotiate appropriate and reasonable compensation with the contractor.

The Pentagon has adopted open architecture as its vision for the future of defense acquisition.  For DOD to succeed with MOSA, it must develop a system allowing it to accumulate and to share with contractors the data necessary to facilitate “plug-and-play” interchangeability, while not overreaching into contractors’ proprietary data and software.  Congress and DOD are furthering this balance through the ongoing “Section 813 Panel,” the Government-Industry Advisory Panel established by the FY 2016 NDAA to review the DOD data rights statutes and regulations.  The FY 2017 NDAA directed the Panel to consider MOSA further and to recommend changes to ensure DOD and its contractors fair rights in the data necessary to support MOSA.  This report is due by February 1, 2017.  DOD then will return to the drawing board to revise yet again its proposed draft data rights regulations to accommodate the changes required by the FY 2017 NDAA and recommended by the Section 813 Panel.  We look forward (cautiously) to this final resolution of the damage created five years ago by the FY 2012 NDAA.  We will keep you apprised of any new developments.