[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 5310 Introduced in Senate (IS)]
<DOC>
118th CONGRESS
2d Session
S. 5310
To amend title 41, United States Code, to make changes with respect to
the Federal Acquisition Security Council, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
November 13, 2024
Mr. Peters (for himself and Mr. Rounds) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
A BILL
To amend title 41, United States Code, to make changes with respect to
the Federal Acquisition Security Council, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Acquisition Security Council
Improvement Act of 2024''.
SEC. 2. CHANGES WITH RESPECT TO THE FEDERAL ACQUISITION SECURITY
COUNCIL.
(a) Definition of Source of Concern, Covered Source of Concern,
Recommended Order, and Designated Order.--Section 1321 of title 41,
United States Code, is amended--
(1) by redesignating paragraphs (5) through (8) as
paragraphs (7) through (10);
(2) by inserting after paragraph (4) the following new
paragraph:
``(5) Covered source of concern.--The term `covered source
of concern' means a source of concern that is specifically
designated as a `covered source of concern' by a statute that
states that such designation is for the purposes of this
subchapter.
``(6) Designated order.--The term `designated order' means
an order described under section 1323(c)(3).''; and
(3) by adding at the end the following new paragraph:
``(11) Recommended order.--The term `recommended order'
means an order recommended under section 1323(c)(2).
``(12) Source of concern.--
``(A) In general.--The term `source of concern'
means a source--
``(i) subject to the jurisdiction,
direction, or control of the government of a
foreign adversary, or operates on behalf of the
government of a foreign adversary; or
``(ii) that poses a risk to the national
security of the United States based on
collaboration with, whole or partial ownership
or control by, or being affiliated with a
military, internal security force, or
intelligence agency of a foreign adversary.
``(B) Foreign adversary defined.--In this
paragraph, the term `foreign adversary' has the meaning
given the term `covered nation' in section 4872(d) of
title 10.''.
(b) Establishment and Members of Council.--Section 1322 of title
41, United States Code, is amended--
(1) in subsection (a), by striking ``executive branch'' and
inserting ``Executive Office of the President'';
(2) in subsection (b)--
(A) by amending paragraph (1) to read as follows:
``(1) In general.--The members of the Council shall be as
follows:
``(A) The Administrator for Federal Procurement
Policy.
``(B) The Deputy Director for Management of the
Office of Management and Budget.
``(C) The following officials, each of whom shall
occupy a position at the level of Assistant Secretary
or Deputy Assistant Secretary (or equivalent):
``(i) Two officials from the Office of the
Director of National Intelligence, one of which
shall be from the National Counterintelligence
and Security Center.
``(ii) Two officials from the Department of
Defense, one of which shall be from the
National Security Agency.
``(iii) Two officials from the Department
of Homeland Security, one of which shall be
from the Cybersecurity and Infrastructure
Security Agency.
``(iv) One official from the General
Services Administration.
``(v) One official from the Office of the
National Cyber Director.
``(vi) Two officials from the Department of
Justice, one of which shall be from the Federal
Bureau of Investigation.
``(vii) Two officials from the Department
of Commerce, one of which shall be from the
National Institute of Standards and Technology
and one of which shall be from the Bureau of
Industry and Security.
``(viii) An official from any executive
agency not listed under clauses (i) through
(vii) whose temporary or permanent
participation is determined by the Chairperson
of the Council to be necessary to carry out the
functions of the Council while maintaining the
intended balance in subject matter
expertise.''; and
(B) in paragraph (2)--
(i) in the heading, by striking ``Lead
representatives'' and inserting ``Members'';
(ii) by amending subparagraph (A)(i) to
read as follows:
``(i) In general.--The head of each
executive agency listed under paragraph (1)(C)
shall designate the official or officials from
that agency who shall serve on the Council in
accordance with such paragraph.'';
(iii) by amending subparagraph (A)(ii) to
read as follows:
``(ii) Requirements.--To the extent
feasible, any official designated under clause
(i) shall have expertise in supply chain risk
management, acquisitions, law, or information
and communications technology.''; and
(iv) by amending subparagraph (B) to read
as follows:
``(B) Functions.--A member of the Council shall--
``(i) regularly participate in the
activities of the Council;
``(ii) ensure that any information
requested by the Council from the agency
represented by the member is provided to the
Council; and
``(iii) ensure that the head of the agency
represented by the member and other appropriate
personnel of the agency are aware of the
activities of the Council.'';
(3) in subsection (c)--
(A) by amending paragraph (1) to read as follows:
``(1) In general.--The Chairperson of the Council shall
be--
``(A) the National Cyber Director; or
``(B) another member of the Council designated by
the National Cyber Director.''; and
(B) in paragraph (2)--
(i) in subparagraph (B), by striking
``(b)(1)(H)'' and inserting ``(b)(1)(C)(vii)'';
and
(ii) in subparagraph (C), by striking
``lead representative of each agency
represented on the Council'' and inserting
``members of the Council''; and
(4) in subsection (d)--
(A) by striking ``The Council'' and inserting the
following:
``(1) Council meetings.--The Council''; and
(B) by adding at the end the following:
``(2) Other meetings.--The Chairperson of the Council shall
meet, not less frequently than semiannually, with--
``(A) the Secretary of Homeland Security, the
Secretary of Defense, and the Director of National
Intelligence; or
``(B) in the case that any of the officials under
subparagraph (A) delegated authority to an official
under section 1323(c)(6)(C), with the delegated
official.''.
(c) Functions and Authorities.--Section 1323 of title 41, United
States Code, is amended--
(1) in subsection (a)--
(A) by striking ``supply chain'' each place it
appears and inserting ``acquisition security and supply
chain'';
(B) in paragraph (1), as amended by subparagraph
(A), by striking ``, particularly'' and inserting
``that arise'';
(C) in paragraph (2), as amended by subparagraph
(A), by inserting ``associated with the acquisition and
use of covered articles'' after ``risk'';
(D) in paragraph (6)--
(i) by striking ``posed by'' and inserting
``associated with''; and
(ii) by inserting ``and use'' before ``of
covered articles'';
(E) by redesignating paragraph (7) as paragraph
(12);
(F) in paragraph (12), as redesignated by
subparagraph (E), by striking ``posed by acquisitions''
and inserting ``associated with the acquisition''; and
(G) by inserting after paragraph (6) the following
new paragraphs:
``(7) Implementing a prioritization scheme for evaluating
the security risks associated with the acquisition and use of
covered articles provided or produced by a covered source of
concern.
``(8) Evaluating each covered source of concern to
determine whether to issue a designated order with respect to
the covered source of concern or a covered article produced or
provided by the covered source of concern.
``(9) Evaluating sources of concern to determine whether to
issue a recommended order with respect to the source of
concern, or any covered article produced or provided by the
source of concern.
``(10) Monitoring the issuance of designated orders under
subsection (c)(6)(B), as required, by the Secretary of Homeland
Security, the Secretary of Defense, and the Director of
National Intelligence with the requirement to issue designated
orders under subsection (c)(6)(B) and providing technical
assistance to those agencies on compliance matters.
``(11) Reporting to Congress annually on the security risks
associated with the acquisition and use of covered articles
produced or provided by sources of concern.'';
(2) in subsection (b)--
(A) by striking ``The Council'' and inserting the
following:
``(1) In general.--The Council''; and
(B) in paragraph (1), as so redesignated, by
striking ``a program office and''; and
(C) by adding at the end the following new
paragraph:
``(2) Federal acquisition security council program
office.--
``(A) Establishment.--The Council shall establish a
Federal Acquisition Security Council Program Office
(referred to in this paragraph as the `Program Office')
within the Office of the National Cyber Director to
carry out the functions of the Council duties described
under subparagraph (B).
``(B) Duties.--The Program Office shall provide to
the Council and any committees, working groups, or
other constituent bodies established by the Council
under paragraph (1)--
``(i) administrative, legal, and policy
support; and
``(ii) analysis and subject matter
expertise on information communications
technology, acquisition security, and supply
chain risk.
``(C) Structure.--The head of the Program Office
shall be a senior official from the Office of the
National Cyber Director that occupies a position at the
level of Assistant Secretary or Deputy Assistant
Secretary (or equivalent).
``(D) Prohibition.--The Program Office may not
provide administrative support to the Council for any
activities of the Council carried out pursuant to a
provision of law other than a provision of law under
this subchapter.
``(E) Funding and resources.--The Program Office
may use the staff and resources of the Office of the
National Cyber Director or maintain dedicated staff and
resources, as appropriate, in the performance of the
duties of the Office.
``(F) Shared staffing authority.--
``(i) In general.--The Program Office may
accept officers or employees of the United
States or members of the Armed Forces on a
detail from an element of the intelligence
community (as such term is defined in section 3
of the National Security Act of 1947 (50 U.S.C.
3003)) or from another element of the Federal
Government on a nonreimbursable basis, as
jointly agreed to by the heads of the receiving
and detailing elements, for a period not to
exceed three years.
``(ii) Rule of construction.--Nothing in
this subparagraph may be construed as imposing
any limitation on any other authority for
reimbursable or nonreimbursable details.
``(iii) Nonreimbursable detail.--A
nonreimbursable detail made under this
subparagraph shall not be considered an
augmentation of the appropriations of the
receiving element of the Program Office or the
Office of the National Cyber Director.
``(G) Sunset.--The Program Office shall terminate
on the date described under section 1328.'';
(3) in subsection (c)--
(A) in paragraph (1)--
(i) in the matter preceding subparagraph
(A), by striking ``supply chain risk'' and
inserting ``acquisition security and supply
chain risk associated with the acquisition of
covered articles'';
(ii) in subparagraph (A), by inserting
``recommended'' before ``exclusion orders'';
(iii) in subparagraph (B), by inserting
``recommended'' before ``removal orders'';
(iv) in subparagraph (C), by striking ``;
and'' and inserting a semicolon;
(v) in subparagraph (D), by striking the
period at the end and inserting ``; and''; and
(vi) by adding at the end the following new
subparagraph:
``(E) issuing designated orders.'';
(B) in paragraph (2)--
(i) in the heading, by striking
``Recommendations'' and inserting ``Recommended
orders'';
(ii) by striking ``use'' and inserting ``,
using'';
(iii) by striking ``subsection (a)(3)'' and
inserting ``subsection (a)(4)'';
(iv) by striking ``recommendations'' and
inserting ``recommend orders'';
(v) by inserting ``to the officials
described under clause (iii) of paragraph
(6)(A) for issuance under such paragraph''
after ``thereof,'';
(vi) by striking ``Such recommendations''
and inserting ``Any such order recommended'';
(vii) in subparagraph (D), by striking
``supply chain risk'' and inserting
``acquisition security and supply chain risk
associated with the acquisition of covered
articles''; and
(viii) in subparagraph (E), by striking
``exclusion or removal'';
(C) by redesignating paragraphs (3) through (7) as
paragraphs (4) through (8);
(D) by inserting after paragraph (2) the following
new paragraph:
``(3) Designated orders.--
``(A) Exclusion or removal of covered sources of
concern.--
``(i) In general.--Not later than 270 days
after a source of concern is designated as a
covered source of concern pursuant to paragraph
(2), the Council--
``(I) shall provide to the
officials described under clause (iii)
of paragraph (6)(B) for issuance under
such paragraph orders requiring--
``(aa) the exclusion of the
covered source of concern from
any executive agency
procurement action, including
source selection and consent
for a contractor; or
``(bb) the removal of
covered articles produced or
provided by the covered source
of concern from the information
system of executive agencies;
or
``(II) report to Congress why the
Council has determined to not issue an
order described under subclause (I)
with respect to the covered source of
concern or covered articles produced or
provided by the covered source of
concern.
``(ii) Contents of order.--Any order
provided under clause (i) shall include--
``(I) information regarding the
scope and applicability of the order,
including any information necessary to
positively identify the covered source
of concern or covered articles produced
or provided by the covered source of
concern required to be excluded or
removed under the order;
``(II) a summary of any risk
assessment reviewed or conducted in
support of the order;
``(III) a summary of the basis for
the order, including a discussion of
less intrusive measures that were
considered and why such measures were
not reasonably available to reduce
security risk;
``(IV) a description of the actions
necessary to implement the order; and
``(V) where practicable, in the
Council's sole and unreviewable
discretion, a description of mitigation
steps that could be taken by the
covered source of concern that may
result in the Council rescinding the
order.
``(B) Exclusion or removal of second order sources
or covered articles.--
``(i) Issuance.--In the case that the
Council provides an order under subparagraph
(A), the Council may also provide an order to
the officials described under paragraph
(6)(A)(iii) requiring the exclusion of sources
or covered articles from executive agency
procurement actions or removal of covered
articles from executive agency information
systems if--
``(I) such covered articles or such
sources use a covered source of concern
in the performance of a contract with
the executive agency; or
``(II) such sources enter into a
contract, the performance of which such
source knows or has reason to believe
will require, in the performance of a
contract with the executive agency, the
use of a covered source of concern or
the use of a covered article produced
or provided by a covered source of
concern.
``(ii) Effective date considerations.--Any
effective date prescribed by the Council for an
order issued pursuant to clause (i) shall take
into account--
``(I) the risk posed by the covered
source of concern or the covered
article produced or provided by the
covered source of concern to the
national security of the United States;
``(II) the likelihood of the
covered source of concern or the
covered article produced or provided by
the covered source of concern causing
imminent threat to public health and
safety;
``(III) the availability of an
alternative source or covered article
produced or provided by an alternative
source; and
``(IV) an assessment of the
potential direct or quantifiable costs
that may be incurred by the Federal
Government, a State, local, or Tribal
government, or by the private sector,
as a result of compliance by the head
of an executive agency with such an
exclusion or removal order, as
necessary.'';
(E) in paragraph (4), as so redesignated--
(i) in the paragraph heading, by striking
``of recommendation and review'' and inserting
``and review of recommended and designated
orders'';
(ii) by striking `` the recommendation''
each place it appears, and inserting `` the
order'';
(iii) in the matter preceding subparagraph
(A), by striking ``A notice of the Council's
recommendation under paragraph (2)'' and
inserting ``Before the Council recommends an
order under paragraph (2) or issues an order
under paragraph (3), a notice'';
(iv) in subparagraph (A), by striking ``a
recommendation has been made'' and inserting
``the order will be recommended or issued'';
(v) in subparagraph (D), by striking
``paragraph (5); and'' and inserting
``paragraph (6);'';
(vi) in subparagraph (E), by striking the
period at the end and inserting ``; and''; and
(vii) by adding at the end the following
new subparagraph:
``(F) Until an order is issued pursuant to
paragraph (6), information collected under this
paragraph shall be exempt from public disclosure and
shall be treated as information described in section
552(b)(3) of title 5, United States Code (commonly
referred to as the `Freedom of Information Act').'';
(F) in paragraph (5), as so redesignated--
(i) by striking ``paragraph (3)'' and
inserting ``paragraph (4)'';
(ii) in subparagraph (A), by striking
``paragraph (5)'' and inserting ``paragraph
(6)''; and
(iii) in subparagraph (B), by striking
``paragraph (6)'' and inserting ``paragraph
(7)'';
(G) in paragraph (6), as so redesignated--
(i) by amending subparagraph (A) to read as
follows:
``(A) Issuance of recommended orders.--
``(i) Modifications to order.--After
considering any response properly submitted by
a source under paragraph (4) related to an
order to be recommended under paragraph (2),
the Council shall--
``(I) make such modifications to
the order as the Council considers
appropriate; and
``(II) provide the order (together
with any information submitted by a
source under paragraph (4) related to
such order) to the officials described
under clause (iii).
``(ii) Order.--Not later than 90 days after
receiving a recommended order, the officials
described under clause (iii) shall--
``(I) issue the order to the heads
of the applicable agencies; or
``(II) submit a notification to the
Council that the order will not be
issued, that includes in the
notification to the Council, all the
reasons for why the order will not be
issued.
``(iii) Officials.--The officials described
in this clause are as follows:
``(I) The Secretary of Homeland
Security, for exclusion and removal
orders applicable to civilian agencies,
to the extent not covered by subclause
(II) or (III).
``(II) The Secretary of Defense,
for exclusion and removal orders
applicable to the Department of Defense
and national security systems other
than sensitive compartmented
information systems.
``(III) The Director of National
Intelligence, for exclusion and removal
orders applicable to the intelligence
community and sensitive compartmented
information systems, to the extent not
covered by subclause (II).'';
(ii) by redesignating subparagraphs (B)
through (E) as subparagraphs (C) through (F),
respectively;
(iii) by inserting after subparagraph (A)
the following new subparagraph:
``(B) Issuance of designated order.--
``(i) Modifications.--After considering any
response properly submitted by a source under
paragraph (4) related to a designated order,
the Council shall--
``(I)(aa) make any such
modifications to the order as the
Council considers appropriate; or
``(bb) if the Council determines
that the issuance of a designated order
is not warranted, rescind the
designated order and notify the source
of the rescission; and
``(II) except in the case that the
Council rescinds the designated order
under subclause (I)(bb), provide the
designated order (including any
modifications made to such order by the
Council) to the officials described in
clause (iii).
``(ii) Issuance.--The officials described
in clause (iii) shall, not later than 90 days
after receiving a designated order, issue the
order to the heads of the applicable agencies.
``(iii) Officials.--The officials described
in this clause are as follows:
``(I) The Secretary of Homeland
Security, for exclusion and removal
orders applicable to civilian agencies,
to the extent not covered by subclause
(II) or (III).
``(II) The Secretary of Defense,
for exclusion and removal orders
applicable to the Department of Defense
and national security systems other
than sensitive compartmented
information systems.
``(III) The Director of National
Intelligence, for exclusion and removal
orders applicable to the intelligence
community and sensitive compartmented
information systems, to the extent not
covered by subclause (II).
``(iv) Waiver.--An official described under
clause (iii) may waive for a period of not more
than 365 days the application of an order
issued by such official under clause (ii) with
respect to a covered source of concern or a
covered article produced or provided by a
covered source of concern if the official
submits, not later than 30 days after making
such waiver, a written notification to the
Council, the appropriate congressional
committees, and leadership that contains the
justification for such waiver, which may
include a classified annex.
``(v) Renewal of waiver.--An official
described under clause (iii) may renew a waiver
under clause (iv) for an additional period of
not more than 365 days if--
``(I) the renewal of the waiver is
in the national security interests of
the United States; and
``(II) the official submits, not
later than 30 days after renewing such
waiver, a written notification to the
Council, the appropriate congressional
committees, and leadership that
includes the justification for renewing
the wavier.
``(vi) National security waiver.--An
official described under clause (iii) may waive
the application of an order issued by such
official under clause (ii) with respect to a
covered source of concern or a covered article
produced or provided by a covered source of
concern for any activity subject to the
reporting requirements under title V of the
National Security Act of 1947 (50 U.S.C. 3091
et seq.) or any authorized intelligence
activities of the United States.
``(vii) Rescission of order.--An exclusion
or removal order issued under this subparagraph
by an official may be rescinded only by the
Council.'';
(iv) in subparagraph (C), as so
redesignated--
(I) by striking ``subparagraph
(A)'' and inserting ``subparagraph
(A)(iii) or (B)(iii)'';
(II) by striking ``this
subparagraph'' and inserting
``subparagraph (A)(iii) or (B)(iii)'';
and
(III) by striking ``, except'' and
all that follows through ``Deputy
Commander'';
(v) in subparagraph (D), as so
redesignated--
(I) by striking ``this paragraph''
and inserting ``subparagraph (A)(iii)
or (B)(iii)''; and
(II) by striking ``help'';
(vi) in subparagraph (E), as so
redesignated, by striking ``this paragraph''
and inserting ``subparagraph (A)''; and
(vii) by adding after subparagraph (F), as
so redesignated, the following new
subparagraph:
``(G) Effective date of orders.--The effective date
of an order issued under this paragraph may not be more
than one year after the order is issued.'';
(H) in paragraph (7), as so redesignated, by
striking ``paragraph (5)(A)'' and inserting
``subparagraph (A) or (B) of paragraph (6)''; and
(I) in paragraph (8), as so redesignated, by
striking ``paragraph (5)'' and inserting ``paragraph
(6)'';
(4) in subsection (e), by inserting ``the Chief Data
Officers Council,'' before ``the Chief Acquisition''; and
(5) in subsection (f)(2), by striking the period at the end
and inserting ``unless such source is specifically designated
by statute as a covered source of concern for the purposes of
this subchapter.''.
(d) Strategic Plan.--Section 1324(a) of title 41, United States
Code, is amended--
(1) by inserting ``, and periodically thereafter'' after
``2018'';
(2) in the matter preceding paragraph (1), by inserting
``acquisition security and'' before ``supply chain risks'';
(3) in paragraph (8), by inserting ``acquisition security
and'' before ``supply chain risks''; and
(4) in paragraph (9)(A), by inserting ``acquisition
security and'' before ``supply chain risk''.
(e) Requirements for Executive Agencies.--Section 1326 of title 41,
United States Code, is amended--
(1) by striking ``supply chain'' each place such term
appears and inserting ``security and supply chain'';
(2) in subsection (a)--
(A) in paragraph (1), by striking ``; and'' and
inserting a semicolon;
(B) in paragraph (2), by striking the period at the
end and inserting ``; and''; and
(C) by adding at the end the following:
``(3) providing any information requested by the
Chairperson of the Council for the purpose of carrying out
activities of this subchapter, subject to applicable law or
policy on control and handling of classified, sensitive, or
proprietary information.''; and
(3) in subsection (b)(6), by striking ``may pose'' and all
that follows through ``risk'' and inserting ``may pose a
security or supply chain risk''.
(f) Judicial Procedure.--Section 1327(b) of title 41, United States
Code, is amended--
(1) in paragraph (1), by striking ``section 1323(c)(6)''
and inserting ``section 1323(c)(7)'';
(2) in paragraph (3), by striking ``sections 1323(c)(5)''
and inserting ``sections 1323(c)(6)''; and
(3) in paragraph (4), by amending subparagraph (B)(i) to
read as follows:
``(i) Filing of record.--The United States
shall file with the court an administrative
record, which shall consist of--
``(I) the information the Council
relied upon in issuing a designated
order under section 1323(c)(6); and
``(II) the information that the
appropriate official relied upon in
issuing an exclusion or removal order
under section 1323(c)(6) or a covered
procurement action under section
4713.''.
(g) Additional Provisions.--Subchapter III of chapter 13 of title
41, United States Code, is amended by adding at the end the following
new section:
``Sec. 1329. Additional provisions
``(a) Compliance With Existing Prohibitions.--In implementing this
subchapter, the Council shall coordinate, as applicable and
practicable, with the head of an agency to assist with compliance by
the agency with--
``(1) section 889 of the John S. McCain National Defense
Authorization Act of 2019 (Public Law 115-232; 41 U.S.C. 3901
note);
``(2) section 5949 of the James M. Inhofe National Defense
Authorization Act of 2023 (Public Law 117-263; 41 U.S.C. 4713
note); and
``(3) sections 1821 through 1833 of the American Security
Drone Act of 2023 (Public Law 118-31).
``(b) Update to Regulations.--Not later than two years after the
date of the enactment of this section, the Federal Acquisition Security
Council shall update any regulations the Council determines
necessary.''.
(h) Technical and Conforming Changes.--Subchapter III of chapter 13
of title 41, United States Code, is amended--
(1) in the table of sections for the subchapter by adding
after the item related to section 1328 the following:
``1329. Additional provisions.'';
(2) in section 1321(1)(B), by striking ``Government
Reform'' and inserting ``Accountability''; and
(3) by striking ``of this title'' each place the term
appears.
SEC. 3. REALLOCATING EXISTING RESOURCES.
Section 5949(l) of the James M. Inhofe National Defense
Authorization Act for Fiscal Year 2023 (Public Law 117-263) is
amended--
(1) in paragraph (1), by striking ``Office of Management
and Budget'' and inserting ``Office of the National Cyber
Director''; and
(2) in paragraph (2), by striking ``Office of Management
and Budget'' and inserting ``Office of the National Cyber
Director''.
<all>