[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 9597 Introduced in House (IH)]
<DOC>
118th CONGRESS
2d Session
H. R. 9597
To amend title 41, United States Code, to make changes with respect to
the Federal Acquisition Security Council, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
September 16, 2024
Mr. Comer (for himself, Mr. Raskin, Mr. Moolenaar, and Mr.
Krishnamoorthi) introduced the following bill; which was referred to
the Committee on Oversight and Accountability
_______________________________________________________________________
A BILL
To amend title 41, United States Code, to make changes with respect to
the Federal Acquisition Security Council, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Acquisition Security Council
Improvement Act of 2024''.
SEC. 2. CHANGES WITH RESPECT TO THE FEDERAL ACQUISITION SECURITY
COUNCIL.
(a) Definition of Source of Concern, Covered Source of Concern,
Recommended Order, and Desiganted Order.--Section 1321 of title 41,
United States Code, is amended--
(1) by redesignating paragraphs (5) through (8) as
paragraphs (7) through (10);
(2) by inserting after paragraph (4) the following:
``(5) Covered source of concern.--The term `covered source
of concern' means a source of concern that is specifically
designated as a `covered source of concern' by a statute that
states that such designation is for the purposes of this
subchapter.
``(6) Designated order.--The term `designated order' means
an order described under section 1323(c)(3).''; and
(3) by adding at the end the following:
``(11) Recommended order.--The term `recommended order'
means an order recommended under section 1323(c)(2).
``(12) Source of concern.--
``(A) In general.--The term `source of concern'
means a source--
``(i) subject to the jurisdiction,
direction, or control of the government of a
foreign adversary, or operates on behalf of the
government of a foreign adversary; or
``(ii) that poses a risk to the national
security of the United States based on
collaboration with, whole or partial ownership
or control by, or being affiliated with a
military, internal security force, or
intelligence agency of a foreign adversary.
``(B) Foreign adversary defined.--In this
paragraph, the term `foreign adversary' has the meaning
given the term `covered nation' in section 4872(d) of
title 10.''.
(b) Establishment and Members of Council.--Section 1322 of title
41, United States Code, is amended--
(1) in subsection (a), by striking ``executive branch'' and
inserting ``Executive Office of the President'';
(2) in subsection (b)--
(A) by amending paragraph (1) to read as follows:
``(1) In general.--The members of the Council shall be as
follows:
``(A) The Administrator for Federal Procurement
Policy.
``(B) The Deputy Director for Management of the
Office of Management and Budget.
``(C) The following officials, each of whom shall
occupy a position at the level of Assistant Secretary
or Deputy Assistant Secretary (or equivalent):
``(i) Two officials from the Office of the
Director of National Intelligence, one of which
shall be from the National Counterintelligence
and Security Center.
``(ii) Two officials from the Department of
Defense, one of which shall be one from the
National Security Agency.
``(iii) Two officials from the Department
of Homeland Security, one of which shall be one
from the Cybersecurity and Infrastructure
Security Agency.
``(iv) An official from the General
Services Administration.
``(v) An official from the Office of the
National Cyber Director.
``(vi) Two officials from the Department of
Justice, one of which shall be one from the
Federal Bureau of Investigation.
``(vii) One official from the National
Institute of Standards and Technology and one
official from the Bureau of Industry and
Security.
``(viii) An official from any executive
agency not listed under clauses (i) through
(vii) whose temporary or permanent
participation is determined by the Chairperson
of the Council to be necessary to carry out the
functions of the Council.''; and
(B) in paragraph (2)--
(i) in the heading, by striking ``Lead
representatives'' and inserting ``Members'';
(ii) by amending subparagraph (A)(i) to
read as follows:
``(i) In general.--The head of each
executive agency listed under paragraph (1)(C)
shall designate the official or officials from
that agency who shall serve on the Council in
accordance with such paragraph.'';
(iii) by amending subparagraph (A)(ii) to
read as follows:
``(ii) Requirements.--To the extent
feasible, any official designated under clause
(i) shall have expertise in supply chain risk
management, acquisitions, law, or information
and communications technology.'';
(iv) by amending subparagraph (B) to read
as follows:
``(B) Functions.--A member of the Council shall--
``(i) regularly participate in the
activities of the Council;
``(ii) ensure that any information
requested by the Council from the agency
represented by the member is provided to the
Council; and
``(iii) ensure that the head of the agency
represented by the member and other appropriate
personnel of the agency are aware of the
activities of the Council.'';
(3) in subsection (c)--
(A) by amending paragraph (1) to read as follows:
``(1) In general.--The Chairperson of the Council shall
be--
``(A) the National Cyber Director; or
``(B) another member of the Council designated by
the National Cyber Director.''; and
(B) in paragraph (2)--
(i) in subparagraph (B), by striking
``(b)(1)(H)'' and inserting ``(b)(1)(F)(vii)'';
and
(ii) in subparagraph (C), by striking
``lead representative of each agency
represented on the Council'' and inserting
``members of the Council''; and
(4) in subsection (d)--
(A) by striking ``The Council'' and inserting the
following:
``(1) Council meetings.--The Council''; and
(B) by adding at the end the following:
``(2) Other meetings.--The Chairperson of the Council shall
meet, not less frequently than semiannually, with--
``(A) the Secretary of Homeland Security, Secretary
of Defense, and Director of National Intelligence; or
``(B) in the case that any of the officials under
subparagraph (A) delegated authority to an official
under section 1323(c)(6)(C), with the delegated
official.''.
(c) Functions and Authorities.--Section 1323 of title 41, United
States Code is amended--
(1) in subsection (a)--
(A) by striking ``supply chain'' each place it
appears and inserting ``acquisition security and supply
chain'';
(B) in paragraph (1), as amended by subparagraph
(A), by striking ``, particularly'' and inserting
``that arise'';
(C) in paragraph (2), as amended by subparagraph
(A), by inserting ``associated with the acquisition and
use of covered articles'' after ``risk'';
(D) in paragraph (6), as amended by subparagraph
(A)--
(i) by striking ``posed by'' and inserting
``associated with''; and
(ii) by inserting ``and use'' before ``of
covered articles'';
(E) in paragraph (7), by striking ``posed by
acquisitions'' and inserting ``associated with the
acquisition'';
(F) by redesignating paragraph (7) as paragraph
(11); and
(G) by inserting after paragraph (6) the following:
``(7) Implementing a prioritization scheme for evaluating
the security risks associated with the acquisition and use of
covered articles provided or produced by a covered source of
concern.
``(8) Evaluating each covered source of concern to
determine whether to issue a designated order with respect to
the covered source of concern or a covered article produced or
provided by the covered source of concern.
``(9) Evaluating sources of concern to determine whether to
issue a recommended order with respect to the source of
concern, or any covered article produced or provided by the
source of concern.
``(10) Monitoring and evaluating compliance by the
Secretary of Homeland Security, Secretary of Defense, and
Director of National Intelligence with the requirement to issue
designated orders under subsection (c)(6)(B).
``(11) Reporting to Congress annually on the security risks
associated with the acquisition and use of covered articles
produced or provided by sources of concern.'';
(2) in subsection (b)--
(A) by striking ``The Council'' and inserting the
following:
``(1) In general.--The Council''; and
(B) in paragraph (1), as so redesignated, by
striking ``a program office and''; and
(C) by adding at the end the following:
``(2) Federal acquisition security council program
office.--
``(A) Establishment.--The Council shall establish a
Federal Acquisition Security Council Program Office
(referred to in this paragraph as the `Program Office')
within the Office of the National Cyber Director to
carry out the functions of the Council duties described
under subparagraph (B).
``(B) Duties.--The Program Office shall provide to
the Council, including any committees, working groups,
or other constituent bodies established by the Council
under paragraph (1)--
``(i) administrative, legal, and policy
support; and
``(ii) analysis and subject matter
expertise on information communications
technology acquisition security and supply
chain risk.
``(C) Structure.--The head of the Program Office
shall be a senior official from the Office of the
National Cyber Director that occupies a position at the
level of Assistant Secretary or Deputy Assistant
Secretary (or equivalent).
``(D) Prohibition.--The Program Office may not
provide administrative support to the Council for any
activities of the Council carried out pursuant to a
provision of law other than a provision of law under
this subchapter.
``(E) Funding and resources.--The Program Office
may use the staff and resources of the Office of the
National Cyber Director or maintain dedicated staff and
resources, as appropriate, in the performance of the
duties of the Office.
``(F) Shared staffing authority.--
``(i) In general.--The Program Office may
accept officers or employees of the United
States or members of the Armed Forces on a
detail from an element of the intelligence
community (as such term is defined in section 3
of the National Security Act of 1947 (50 U.S.C.
3003)) or from another element of the Federal
Government on a nonreimbursable basis, as
jointly agreed to by the heads of the receiving
and detailing elements, for a period not to
exceed three years.
``(ii) Rule of construction.--Nothing in
this subparagraph may be construed as imposing
any limitation on any other authority for
reimbursable or nonreimbursable details.
``(iii) Nonreimbursable detail.--A
nonreimbursable detail made under this
subparagraph shall not be considered an
augmentation of the appropriations of the
receiving element of the Program Office or the
Office of the National Cyber Director.
``(G) Sunset.--The Program Office shall terminate
on the date described under section 1328.'';
(3) in subsection (c)--
(A) in paragraph (1)--
(i) in the matter preceding subparagraph
(A), by striking ``supply chain risk'' and
inserting ``acquisition security and supply
chain risk associated with the acquisition of
covered articles'';
(ii) in subparagraph (A), by inserting
``recommended'' before ``exclusion orders'';
(iii) in subparagraph (B), by inserting
``recommended'' before ``removal orders'';
(iv) in subparagraph (C), by striking ``;
and'' and inserting a semicolon;
(v) in subparagraph (D), by striking the
period at the end and inserting ``; and''; and
(vi) by adding at the end the following:
``(E) issuing designated orders.'';
(B) in paragraph (2)--
(i) in the heading, by striking
``Recommendations'' and inserting ``Recommended
orders'';
(ii) by striking ``use'' and inserting ``,
using'';
(iii) by striking ``subsection (a)(3)'' and
inserting ``subsection (a)(4)'';
(iv) by striking ``to issue
recommendations'' and inserting ``, recommend
orders'';
(v) by striking ``Such recommendations''
and inserting ``Any such order recommended'';
(vi) by inserting ``to the officials
described under clause (iii) of paragraph
(6)(A) for issuance under such paragraph''
after ``thereof,'';
(vii) in subparagraph (D), by striking
``supply chain risk'' and inserting
``acquisition security and supply chain risk
associated with the acquisition of covered
articles''; and
(viii) in subparagraph (E), by striking
``exclusion or removal'';
(C) by redesignating paragraphs (3) through (7) as
paragraphs (4) through (8);
(D) by inserting after paragraph (2) the following:
``(3) Designated orders.--
``(A) Exclusion or removal of covered sources of
concern.--
``(i) In general.--Not later than 270 days
after a source of concern is designated as a
covered source of concern, the Council--
``(I) shall provide to the
officials described under clause (iii)
of paragraph (6)(B) for issuance under
such paragraph orders requiring--
``(aa) the exclusion of the
covered source of concern from
any executive agency
procurement action, including
source selection and consent
for a contractor; or
``(bb) the removal of
covered articles produced or
provided by the covered source
of concern from the information
system of executive agencies;
or
``(II) report to Congress why the
Council has determined to not issue an
order described under subclause (I)
with respect to the covered source of
concern or covered articles produced or
provided by the covered source of
concern.
``(ii) Contents of order.--Any order
provided under clause (i) shall include--
``(I) information regarding the
scope and applicability of the order,
including any information necessary to
positively identify the covered source
of concern or covered articles produced
or provided by the covered source of
concern required to be excluded or
removed under the order;
``(II) a summary of any risk
assessment reviewed or conducted in
support of the order;
``(III) a summary of the basis for
the order, including a discussion of
less intrusive measures that were
considered and why such measures were
not reasonably available to reduce
security risk;
``(IV) a description of the actions
necessary to implement the order; and
``(V) where practicable, in the
Council's sole and unreviewable
discretion, a description of mitigation
steps that could be taken by the
covered source of concern that may
result in the Council rescinding the
order.
``(B) Exclusion or removal of second order sources
or covered articles.--
``(i) Issuance.--In the case that the
Council provides an order under subparagraph
(A), the Council may also provide an order to
the officials described under paragraph
(6)(A)(iii) requiring the exclusion of sources
or covered articles from executive agency
procurement actions or removal of covered
articles from executive agency information
systems if--
``(I) such covered articles or such
sources use a covered source of concern
in the performance of a contract with
the executive agency; or
``(II) such sources enter into a
contract, the performance of which such
source knows or has reason to believe
will require, in the performance of a
contract with the executive agency, the
use of a covered source of concern or
the use of a covered article produced
or provided by a covered source of
concern.
``(ii) Effective date considerations.--Any
effective date prescribed by the Council for an
order issued pursuant to clause (i) shall take
into account--
``(I) the risk posed by the covered
source of concern or the covered
article produced or provided by the
covered source of concern to the
national security of the United States;
``(II) the likelihood of the
covered source of concern or the
covered article produced or provided by
the covered source of concerned causing
imminent threat to public health and
safety; and
``(III) an assessment of the
potential direct or quantifiable costs
that may be incurred by the Federal
Government, a State, local, or Tribal
government, or by the private sector,
as a result of compliance by the head
of an executive agency with such an
exclusion or removal order.'';
(E) in paragraph (4), as so redesignated--
(i) in the heading, by striking ``of
recommendation and review'' and inserting ``and
review of recommended and designated orders'';
(ii) by striking `` the recommendation''
each place the term appears, and inserting ``
the order'';
(iii) in the matter preceding subparagraph
(A), by striking ``A notice of the Council's
recommendation under paragraph (2)'' and
inserting ``Before the Council recommends an
order under paragraph (2) or issues an order
under paragraph (3), a notice'';
(iv) in subparagraph (A), by striking
``recommendation has been made'' and inserting
``the order will be recommended or issued'';
and
(v) in subparagraph (D), by striking
``paragraph (5)'' and inserting ``paragraph
(6)'';
(F) in paragraph (5), as so redesignated--
(i) by striking ``paragraph (3)'' and
inserting ``paragraph (4)'';
(ii) in subparagraph (A), by striking
``paragraph (5)'' and inserting ``paragraph
(6)''; and
(iii) in subparagraph (B), by striking
``paragraph (6)'' and inserting ``paragraph
(7)'';
(G) in paragraph (6), as so redesignated--
(i) by amending subparagraph (A) to read as
follows:
``(A) Issuance of recommended orders.--
``(i) Modifications to order.--After
considering any response properly submitted by
a source under paragraph (4) related to an
order to be recommended under paragraph (2),
the Council shall--
``(I) make such modifications to
the order as the Council considers
appropriate; and
``(II) provide the order (together
with any information submitted by a
source under paragraph (4) related to
such order) to the officials described
under clause (iii).
``(ii) Order.--Not later than 90 days after
receiving a recommended order, the officials
described under clause (iii) shall--
``(I) issue the order to the heads
of the applicable agencies; or
``(II) submit a notification to the
Council and the source named in the
order that the order will not be
issued, that includes in the
notification to the Council, all the
reasons for why the order will not be
issued.
``(iii) Officials.--The officials described
in this clause are as follows:
``(I) The Secretary of Homeland
Security, for exclusion and removal
orders applicable to civilian agencies,
to the extent not covered by subclause
(II) or (III).
``(II) The Secretary of Defense,
for exclusion and removal orders
applicable to the Department of Defense
and national security systems other
than sensitive compartmented
information systems.
``(III) The Director of National
Intelligence, for exclusion and removal
orders applicable to the intelligence
community and sensitive compartmented
information systems, to the extent not
covered by subclause (II).'';
(ii) by redesignating subparagraphs (B)
through (E) as subparagraphs (C) through (F),
respectively;
(iii) by inserting after subparagraph (A)
the following:
``(B) Issuance of designated order.--
``(i) Modifications.--After considering any
response properly submitted by a source under
paragraph (4) related to a designated order,
the Council shall--
``(I)(aa) make any such
modifications to the order as the
Council considers appropriate; or
``(bb) if the Council
determines that the issuance of
a designated order is not
warranted, rescind the
designated order and notify the
source of the rescission; and
``(II) except in the case that the
Council rescinds the designated order
under subclause (I)(bb), provide the
designated order (including any
modifications made to such order by the
Council) to the officials described in
clause (iii).
``(ii) Issuance.--The officials described
in clause (iii) shall, not later than 30 days
after receiving a designated order, issue the
order to the heads of the applicable agencies.
``(iii) Officials.--The officials described
in this clause are as follows:
``(I) The Secretary of Homeland
Security, for exclusion and removal
orders applicable to civilian agencies,
to the extent not covered by subclause
(II) or (III).
``(II) The Secretary of Defense,
for exclusion and removal orders
applicable to the Department of Defense
and national security systems other
than sensitive compartmented
information systems.
``(III) The Director of National
Intelligence, for exclusion and removal
orders applicable to the intelligence
community and sensitive compartmented
information systems, to the extent not
covered by subclause (II).
``(iv) Waiver.--An official described under
clause (iii) may waive for a period of not more
than 365 days the application of an order
issued by such official under clause (ii) with
respect to a covered source of concern or a
covered article produced or provided by a
covered source of concern if--
``(I) the Council approves the
waiver; and
``(II) the official submits, not
later than 30 days after making such
waiver, a written notification to the
appropriate congressional committees
and leadership that contains the
justification for such waiver.
``(v) Renewal of waiver.--An official
described under clause (iii) may renew a waiver
under clause (iv) for an additional period of
not more than 180 days if--
``(I) the Council approves the
renewal of the waiver;
``(II) the renewal of the waiver is
in the national security interests of
the United States; and
``(III) the official submits, not
later than 30 days after renewing such
waiver, a written notification to the
appropriate congressional committees
and leadership that includes the
justification for renewing the wavier.
``(vi) Rescission of order.--An exclusion
or removal order issued under this subparagraph
by an official may be rescinded only by the
Council.''.
(iv) in subparagraph (C), as so
redesignated--
(I) by striking ``subparagraph
(A)'' and inserting ``subparagraph
(A)(iii) or (B)(iii)'';
(II) by striking ``this
subparagraph'' and inserting
``subparagraph (A)(iii) or (B)(iii)'';
and
(III) by striking ``, except'' and
all that follows before the period at
the end;
(v) in subparagraph (D), as so
redesignated--
(I) by striking ``this paragraph''
and inserting ``subparagraph (A)(iii)
or (B)(iii)''; and
(II) by striking ``help'';
(vi) in subparagraph (E), as so
redesignated, by striking ``this paragraph''
and inserting ``subparagraph (A)''; and
(vii) by adding after subparagraph (F), as
so redesignated, the following:
``(G) Effective date of orders.--The effective date
of an order issued under this paragraph may not be more
than 180 days after the order is issued.'';
(H) in paragraph (7), as so redesignated, by
striking ``paragraph (5)(A)'' and inserting
``subparagraph (A) or (B) of paragraph (6)''; and
(I) in paragraph (8), as so redesignated, by
striking ``paragraph (5)'' and inserting ``paragraph
(6)'';
(4) by redesignating subsections (d) through (f) as
subsections (e) through (g), respectively;
(5) in subsection (f), as so redesignated, by inserting
``the Chief Data Officers Council,'' before ``the Chief
Acquisition''; and
(6) in subsection (g)(2), as so redesignated, by striking
the period at the end and inserting ``unless such source is
specifically designated by statute as a covered source of
concern for the purposes of this subchapter.''
(d) Strategic Plan.--Section 1324(a) of title 41, United States
Code, is amended--
(1) by inserting ``, and periodically thereafter'' after
``2018'';
(2) in the matter preceding paragraph (1), by inserting
``acquisition security and'' before ``supply chain risks'';
(3) in paragraph (8), by inserting ``acquisition security
and'' before ``supply chain risks''; and
(4) in paragraph (9)(A), by inserting ``acquisition
security and'' before ``supply chain risk''.
(e) Requirements for Executive Agencies.--Section 1326 of title 41,
United States Code, is amended--
(1) in subsection (a),
(A) in paragraph (1), by striking ``; and'' and
inserting a semicolon;
(B) in paragraph (2), by striking the period at the
end and inserting ``; and''; and
(C) by adding at the end the following:
``(3) providing any information requested by the
Chairperson of the Council for the purpose of carrying out
activities of this subchapter.'';
(2) by striking ``supply chain'' each place such term
appears and inserting ``security and supply chain''; and
(3) in subsection (b)(6), by striking ``supply chain'' and
inserting ``security or supply chain''.
(f) Judicial Procedure.--Section 1327(b) of title 41, United States
Code, is amended--
(1) in paragraph (1), by striking ``section 1323(c)(6)''
and inserting ``section 1323(c)(7)'';
(2) in paragraph (3), by striking ``sections 1323(c)(5)''
and inserting ``sections 1323(c)(6)''; and
(3) in paragraph (4), by amending subparagraph (B)(i) to
read as follows:
``(i) Filing of record.--The United States
shall file with the court an administrative
record, which shall consist of--
``(I) the information the Council
relied upon in issuing a designated
order under 1323(c)(6); and
``(II) the information that the
appropriate official relied upon in
issuing an exclusion or removal order
under section 1323(c)(6) or a covered
procurement action under section
4713.''.
(g) Additional Provisions.--Subchapter III of chapter 13 of title
41, United States Code, is amended by adding at the end the following:
``Sec. 1329. Additional provisions
``(a) Compliance With Existing Prohibitions.--In implementing this
subchapter, the Council shall coordinate, as applicable and
practicable, with the head of an agency to ensure compliance by the
agency with--
``(1) section 889 of the John S. McCain National Defense
Authorization Act of 2019 (Public Law 115-232; 41 U.S.C. 3901
note);
``(2) section 5949 of the James M. Inhofe National Defense
Authorization Act of 2023 (Public Law 117-263; 41 U.S.C. 4713
note); and
``(3) sections 1821 through 1833 of the American Security
Drone Act of 2023 (Public Law 118-31).
``(b) Update to Regulations.--The Federal Acquisition Security
Council shall update, within two years after the date of the enactment
of this section, any regulations of the Council as necessary.''.
(h) Technical and Conforming Changes.--Subchapter III of chapter 13
of title 41, United States Code, is amended--
(1) in the table of sections for the subchapter by adding
after the item related to section 1328 the following:
``1329. Additional provisions.'';
(2) in section 1321(1)(B), by striking ``Government
Reform'' and inserting ``Accountability''; and
(3) by striking ``of this title'' each place the term
appears.
SEC. 3. REALLOCATING EXISTING RESOURCES.
Section 5949(l) of the James M. Inhofe National Defense
Authorization Act for Fiscal Year 2023 (Public Law 117-263) is
amended--
(1) in paragraph (1), by striking ``Office of Management
and Budget'' and inserting ``Office of the National Cyber
Director''; and
(2) in paragraph (2), by striking ``Office of Management
and Budget'' and inserting ``Office of the National Cyber
Director''.
<all>