Text: H.R.3320 — 116th Congress (2019-2020)

Shown Here:
Reported in House (08/27/2019)

Union Calendar No. 146

116th CONGRESS
1st Session
H. R. 3320

[Report No. 116–188]


To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes.


IN THE HOUSE OF REPRESENTATIVES

June 18, 2019

Mr. King of New York (for himself, Mr. Thompson of Mississippi, Miss Rice of New York, Mr. Correa, Mr. Rogers of Alabama, Mr. Rose of New York, and Mr. Payne) introduced the following bill; which was referred to the Committee on Homeland Security

August 27, 2019

Additional sponsors: Mr. McCaul and Mr. Hagedorn

August 27, 2019

Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed

[Strike out all after the enacting clause and insert the part printed in italic]

[For text of introduced bill, see copy of bill as introduced on June 18, 2019]


A BILL

To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Securing the Homeland Security Supply Chain Act of 2019”.

SEC. 2. Department of Homeland Security requirements for information relating to supply chain risk.

(a) In general.—Subtitle D of title VIII of the Homeland Security Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the following new section:

“SEC. 836. Requirements for information relating to supply chain risk.

“(a) Authority.—Subject to subsection (b), the Secretary may—

“(1) carry out a covered procurement action;

“(2) limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information, including classified information, relating to the basis for carrying out such an action; and

“(3) exclude, in whole or in part, a source carried out in the course of such an action applicable to a covered procurement of the Department.

“(b) Determination and notification.—Except as authorized by subsection (c) to address an urgent national security interest, the Secretary may exercise the authority provided in subsection (a) only after—

“(1) obtaining a joint recommendation, in unclassified or classified form, from the Chief Acquisition Officer and the Chief Information Officer of the Department, including a review of any risk assessment made available by an appropriate person or entity, including the national risk management center at the Cybersecurity and Infrastructure Security Agency, that there is a significant supply chain risk in a covered procurement;

“(2) notifying any source named in the joint recommendation described in paragraph (1) advising—

“(A) that a recommendation has been obtained;

“(B) to the extent consistent with the national security and law enforcement interests, the basis for such recommendation;

“(C) that, within 30 days after receipt of notice, such source may submit information and argument in opposition to such recommendation; and

“(D) of the procedures governing the consideration of such submission and the possible exercise of the authority provided in subsection (a);

“(3) notifying the relevant components of the Department that such risk assessment has demonstrated significant supply chain risk to a covered procurement;

“(4) making a determination in writing, in unclassified or classified form, that after considering any information submitted by a source under paragraph (2), and in consultation with the Chief Information Officer of the Department, that—

“(A) use of authority under subsection (a)(1) is necessary to protect national security by reducing supply chain risk;

“(B) less intrusive measures are not reasonably available to reduce such risk;

“(C) a decision to limit disclosure of information under subsection (a)(2) is necessary to protect national security interest; and

“(D) the use of such authorities will apply to a single covered procurement or a class of covered procurements, and otherwise specifies the scope of such determination;

“(5) providing to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a classified or unclassified notice of the determination made under paragraph (4) that includes—

“(A) the joint recommendation described in paragraph (1);

“(B) a summary of any risk assessment reviewed in support of such joint recommendation; and

“(C) a summary of the basis for such determination, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk;

“(6) notifying the Director of the Office of Management and Budget, and the heads of other Federal agencies as appropriate, in a manner and to the extent consistent with the requirements of national security; and

“(7) taking steps to maintain the confidentiality of any notifications under this subsection.

“(c) Procedures To address urgent national security interests.—In any case in which the Secretary determines that national security interests require the immediate exercise of the authorities under subsection (a), the Secretary—

“(1) may, to the extent necessary to address any such national security interest, and subject to the conditions specified in paragraph (2)—

“(A) temporarily delay the notice required by subsection (b)(2);

“(B) make the determination required by subsection (b)(4), regardless of whether the notice required by subsection (b)(2) has been provided or whether the notified source at issue has submitted any information in response to such notice;

“(C) temporarily delay the notice required by subsections (b)(4) and (b)(5); and

“(D) exercise the authority provided in subsection (a) in accordance with such determination; and

“(2) shall take actions necessary to comply with all requirements of subsection (b) as soon as practicable after addressing the urgent national security interest that is the subject of paragraph (1), including—

“(A) providing the notice required by subsection (b)(2);

“(B) promptly considering any information submitted by the source at issue in response to such notice, and making any appropriate modifications to the determination required by subsection (b)(4) based on such information; and

“(C) providing the notice required by subsections (b)(5) and (b)(6), including a description of such urgent national security, and any modifications to such determination made in accordance with subparagraph (B).

“(d) Annual review of determinations.—The Secretary shall annually review all determinations made under subsection (b).

“(e) Delegation.—The Secretary may not delegate the authority provided in subsection (a) or the responsibility identified in subsection (d) to an official below the Deputy Secretary.

“(f) Limitation of review.—Notwithstanding any other provision of law, no action taken by the Secretary under subsection (a) may be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

“(g) Consultation.—In developing procedures and guidelines for the implementation of the authorities described in this section, the Secretary shall review the procedures and guidelines utilized by the Department of Defense to carry out similar authorities.

“(h) Definitions.—In this section:

“(1) COVERED ARTICLE.—The term ‘covered article’ means:

“(A) Information technology, including cloud computing services of all types.

“(B) Telecommunications equipment.

“(C) Telecommunications services.

“(D) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program of the Department.

“(E) Hardware, systems, devices, software, or services that include embedded or incidental information technology.

“(2) COVERED PROCUREMENT.—The term ‘covered procurement’ means—

“(A) a source selection for a covered article involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of title 41, United States Code, or an evaluation factor, as provided in subsection (c)(1)(A) of such section, relating to supply chain risk, or with respect to which supply chain risk considerations are included in the Department’s determination of whether a source is a responsible source as defined in section 113 of such title;

“(B) the consideration of proposals for and issuance of a task or delivery order for a covered article, as provided in section 4106(d)(3) of title 41, United States Code, with respect to which the task or delivery order contract includes a contract clause establishing a requirement relating to supply chain risk;

“(C) any contract action involving a contract for a covered article with respect to which such contract includes a clause establishing requirements relating to supply chain risk; or

“(D) any procurement made via Government Purchase Care for a covered article when supply chain risk has been identified as a concern.

“(3) COVERED PROCUREMENT ACTION.—The term ‘covered procurement action’ means any of the following actions, if such action takes place in the course of conducting a covered procurement:

“(A) The exclusion of a source that fails to meet qualification requirements established pursuant to section 3311 of title 41, United States Code, for the purpose of reducing supply chain risk in the acquisition or use of a covered article.

“(B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.

“(C) The determination that a source is not a responsible source based on considerations of supply chain risk.

“(D) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.

“(4) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given such term in section 3502 of title 44, United States Code.

“(5) INFORMATION TECHNOLOGY.—The term ‘information technology’ has the meaning given such term in section 11101 of title 40, United States Code.

“(6) RESPONSIBLE SOURCE.—The term ‘responsible source’ has the meaning given such term in section 113 of title 41, United States Code.

“(7) SUPPLY CHAIN RISK.—The term ‘supply chain risk’ means the risk that a malicious actor may sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the information technology or information stored or transmitted on the covered articles.

“(8) TELECOMMUNICATIONS EQUIPMENT.—The term ‘telecommunications equipment’ has the meaning given such term in section 3(52) of the Communications Act of 1934 (47 U.S.C. 153(52)).

“(9) TELECOMMUNICATIONS SERVICE.—The term ‘telecommunications service’ has the meaning given such term in section 3(53) of the Communications Act of 1934 (47 U.S.C. 153(53)).

“(i) Effective date.—The requirements of this section shall take effect on the date that is 90 days after the date of the enactment of this Act and shall apply to—

“(1) contracts awarded on or after such date; and

“(2) task and delivery orders issued on or after such date pursuant to contracts awarded before, on, or after such date.”.

(b) Rulemaking.—Section 553 of title 5, United States Code, and section 1707 of title 41, United States Code, shall not apply to the Secretary of Homeland Security when carrying out the authorities and responsibilities under section 836 of the Homeland Security Act of 2002, as added by subsection (a).

(c) Clerical amendment.—The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 835 the following new item:


“Sec. 836. Requirements for information relating to supply chain risk.”.

SEC. 3. Report on threats posed by foreign state-owned entities to DHS information technology and communications systems.

Not later than 180 days after the date of the enactment of this Act, the Under Secretary for Management of the Department of Homeland Security, in coordination with the national risk management center of the Cybersecurity and Infrastructure Security Agency of the Department, shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on cybersecurity threats posed by terrorist actors and foreign state-owned entities to the information technology and communications systems of Department of Homeland Security, including information relating to the following:

(1) The use of foreign state-owned entities’ information and communications technology by the Department of Homeland Security, listed by component.

(2) The threats, in consultation with the Department’s Office of Intelligence and Analysis, of foreign state-owned entities’ information and communications technology equipment that could impact the Department.

