115th Congress, 2d Session, Senate Report 115-408
_______________________________________________________________________
Calendar No. 666
FEDERAL ACQUISITION SUPPLY CHAIN SECURITY ACT OF 2018
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 3085
TO ESTABLISH A FEDERAL ACQUISITION SECURITY COUNCIL AND
TO PROVIDE EXECUTIVE AGENCIES WITH AUTHORITIES RELATING
TO MITIGATING SUPPLY CHAIN RISKS IN THE PROCUREMENT OF
INFORMATION TECHNOLOGY, AND FOR OTHER PURPOSES
December 4, 2018.--Ordered to be printed
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MICHAEL B. ENZI, Wyoming
JOHN HOEVEN, North Dakota
STEVE DAINES, Montana
JON KYL, Arizona
CLAIRE McCASKILL, Missouri
THOMAS R. CARPER, Delaware
HEIDI HEITKAMP, North Dakota
GARY C. PETERS, Michigan
MAGGIE HASSAN, New Hampshire
KAMALA D. HARRIS, California
DOUG JONES, Alabama
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Elliott A. Walden, Counsel
Margaret E. Daum, Minority Staff Director
Charles A. Moskowitz, Minority Senior Legislative Counsel
Julie G. Klein, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Calendar No. 666
115th Congress, 2d Session, Senate Report 115-408
======================================================================
FEDERAL ACQUISITION SUPPLY CHAIN SECURITY
ACT OF 2018
_______
December 4, 2018.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 3085]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 3085) to establish
a Federal Acquisition Security Council and to provide executive
agencies with authorities relating to mitigating supply chain
risks in the procurement of information technology, and for
other purposes, having considered the same, reports favorably
thereon with an amendment in the nature of a substitute and
recommends that the bill, as amended, do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported
I. Purpose and Summary
S. 3085, the Federal Acquisition Supply Chain Security Act
of 2018, establishes a whole-of-government approach to supply
chain risk management by creating a council and providing
executive agencies with the necessary authorities to
effectively share information and mitigate supply chain risks
when procuring information and communications technology (ICT).
The bill establishes the Federal Acquisition Security Council
(Council), an inter-agency body headed by the Office of
Management and Budget (OMB). The Council is tasked with several
functions related to supply chain risk management (SCRM),
including the development of protocols for assessing risk, a
government-wide strategy, and the authority to recommend
exclusion or removal orders to executive agencies. The bill
gives the Secretary of the Department of Homeland Security
(DHS), the Secretary of the Department of Defense (DoD), and
the Director of National Intelligence (ODNI) plenary authority
to issue exclusion and removal orders based upon the Council's
recommendations. The bill details a limited judicial review
process available to an aggrieved company wishing to challenge
the DHS, DoD, or ODNI determination.
II. Background and the Need for Legislation
Hostile nation states and other bad actors are attempting
to gain unprecedented access to sensitive and classified
information via the Federal ICT supply chains.\1\ Experts have
noted that using the supply chain, ICT ``products could be
modified to (1) perform below expectations or fail, (2)
facilitate state or corporate espionage, or (3) otherwise
compromise the confidentiality, integrity, or availability of a
federal information technology system.''\2\ Many of the
technologies the Federal Government relies on for vital, daily
functions either could be or already have been targeted by bad
actors or hostile nation states.\3\ The actors' motivations
vary, but the effects are the same: a less secure America.\4\
---------------------------------------------------------------------------
\1\See, e.g., Confirmation Hearing for William R. Evanina to be
Director of the National Counterintelligence and Security Center:
Hearing Before the S. Select Comm. on Intelligence, 115th Cong. (2018)
(statement for the record by William Evanina, Director of the National
Counterintelligence and Security Center, stating, ``The most critical
CI threats cut across these threat actors: influence operations,
critical infrastructure, supply chain, and traditional as well as
economic espionage. . . . Advanced technology previously available
mainly to leading nation-states is now increasingly available to a wide
range of nation-state and non-state actors as well. For example, a
growing set of threat actors are now capable of using cyber operations
to remotely access traditional intelligence targets, as well as a
broader set of U.S. targets including critical infrastructure and
supply chain, often without attribution.''), available at https://
www.intelligence.senate.gov/sites/default/files/documents/os-revanina-
051518.PDF.
\2\Supply Chain Vulnerabilities from China in U.S. Federal
Information and Communications Technology (Apr. 2018), https://
www.uscc.gov/sites/default/files/Research/Interos_Supply%
20Chain%20Vulnerabilities%20from%20China%20in%20U.S.%20Federal%20ICT
_final.pdf.
\3\See Current and Projected National Security Threats to the
United States: Hearing Before the S. Select Comm. on Intelligence,
112th Cong. (2012) (unclassified statement for the record by Director
James Clapper, Director of National Intelligence, stating the ``highly
complex vulnerabilities associated with the IT supply chain'' are one
of the ``greatest strategic challenges regarding cyber threats.''),
available at https://www.dni.gov/files/documents/Newsroom/Testimonies/
20120131_testimony_ata.pdf; Office of the U.S. Trade Representative,
Executive Office of the President, Findings of the Investigation Into
China's Acts, Policies, and Practices Related to Technology Transfer,
Intellectual Property, and Innovation Under Section 301 of the Trade
Act of 1974 (Mar. 22, 2018), available at https://ustr.gov/sites/
default/files/Section%20301%20FINAL.PDF.
\4\H. Permanent Select Comm. on Intelligence, Chairman Mike Rogers
and Ranking Member C.A. Dutch Ruppersberger, Investigative Report on
the U.S. National Security Issues Posed by Chinese Telecommunications
Companies Huawei and ZTE, 112th Cong. (Oct. 8, 2012), available at
https://intelligence.house.gov/sites/intelligence.house.gov/files/
documents/huawei-zte%20investigative%20report%20(final).pdf (stating,
``Inserting malicious hardware or software implants into Chinese-
manufactured telecommunications components and systems headed for U.S.
customers could allow Beijing to shut down or degrade critical national
security systems in a time of crisis or war. Malicious implants in the
components of critical infrastructure, such as power grids or financial
networks, would also be a tremendous weapon in China's arsenal.
Malicious Chinese hardware or software implants would also be a potent
espionage tool for penetrating sensitive U.S. national security
systems, as well as providing access to the closed American corporate
networks that contain the sensitive trade secrets, advanced research
and development data, and negotiating or litigation positions that
China would find useful in obtaining an unfair diplomatic or commercial
advantage over the United States. . . .'').
---------------------------------------------------------------------------
This is not a new threat. The U.S. Intelligence Community
(IC) and Congress have long warned that foreign governments may
target the Federal ICT supply chain via certain products or
services. This well-documented history includes:
In 2011, the Office of National
Counterintelligence Executive released a report stating,
``Sensitive U.S. economic information and technology are
targeted by the intelligence services, private sector
companies, academic and research institutions, and citizens of
dozens of countries.''\5\
---------------------------------------------------------------------------
\5\Office of National Counterintelligence Executive, Foreign Spies
Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on
Foreign Economic Collection & Industrial Espionage, 2009-2011 (Oct.
2011), available at https://www.dni.gov/files/documents/Newsroom/
Reports%20and%20Pubs/20111103_report_fecie.pdf.
---------------------------------------------------------------------------
In 2012, the U.S. House of Representatives'
Permanent Select Committee on Intelligence (HPSCI) released a
bipartisan report on the national security issues posed by
Chinese telecommunications companies that stated in part,
``[T]he U.S. government must pay particular attention to
products produced by companies with ties to regimes that
present the highest and most advanced espionage threats to the
U.S., such as China.''\6\
---------------------------------------------------------------------------
\6\H. Permanent Select Comm. on Intelligence, Chairman Mike Rogers
and Ranking Member C.A. Dutch Ruppersberger, Investigative Report on
the U.S. National Security Issues Posed by Chinese Telecommunications
Companies Huawei and ZTE, 112th Cong. (Oct. 8, 2012), available at
https://intelligence.house.gov/sites/intelligence.house.gov/files/
documents/huawei-zte%20investigative%20report%20(final).pdf.
---------------------------------------------------------------------------
In 2016, the U.S. Federal Bureau of Investigation
(FBI) released a guide entitled, Best Practices in Supply Chain
Risk Management for the U.S. Government, in which the FBI
advises, among other things, to: ``Identify the location of a
service provider. If in a foreign country, identify potential
relationships between the foreign government and the provider
(suppliers, vendors, etc.). Identify the foreign country's laws
or policies which enable it to request sensitive business
information from the provider. Request the names, addresses,
and roles of foreign individuals associated with, or who have
access to the provider. . . . Identify if the provider employs
foreign nationals . . . .''\7\
---------------------------------------------------------------------------
\7\U.S. Federal Bureau of Investigation, Best Practices in Supply
Chain Risk Management for the U.S. Government (Feb. 2016), available at
https://www.fbi.gov/file-repository/scrmbestpractices-1.pdf/view.
---------------------------------------------------------------------------
In 2017, the DoD's Defense Science Board's Task
Force on Cyber Supply Chain released a report stating that
factors to consider when vetting a supplier could include
ownership and control of the supplier.\8\
---------------------------------------------------------------------------
\8\Department of Defense, Defense Science Board Task Force on Cyber
Supply Chain, Final Report of the Defense Science Board Task Force on
Cyber Supply Chain (Feb. 2017), available at https://www.acq.osd.mil/
dsb/reports/2010s/1028953.pdf.
---------------------------------------------------------------------------
In 2018, during testimony before the U.S. Senate
Select Committee on Intelligence (SSCI), FBI Director Wray
publicly stated: ``I think probably the simplest way to put it
in this setting would be that we're deeply concerned about the
risks of allowing any company or entity that is beholden to
foreign governments that don't share our values to gain
positions of power inside our telecommunications networks. That
provides the capacity to exert pressure or control over our
telecommunications infrastructure. It provides the capacity to
maliciously modify or steal information, and it provides the
capacity to conduct undetected espionage. So, at a 100,000-foot
level, at least in this setting, those are the kind of things
that worry us.''\9\
---------------------------------------------------------------------------
\9\Worldwide Threats: Hearing Before the S. Select Comm. on
Intelligence, 115th Cong. (2018) (statement of Director Chris Wray,
Director of the U.S. Federal Bureau of Investigation).
---------------------------------------------------------------------------
For years, the United States security agencies have
understood the threat to national security systems posed by ICT
supply chains, while grappling with how to appropriately share
classified information and address the risk for all government
agencies. The need for this legislation is underscored by
several recent examples of supply chain risks discovered within
the Federal ICT system.
AO Kaspersky Lab
AO Kaspersky Lab (``Kaspersky''), including its related
entities such as Kaspersky Lab, Inc., is a cybersecurity and
anti-virus software provider headquartered in Moscow,
Russia.\10\ Anti-virus software, by its very nature, is
designed to have access to all files on the system on which it
is running. Although the exact nature of how Kaspersky software
operates is outside the scope of this report, Kaspersky's
potential capabilities and the impacts on U.S. national
security have been widely reported by a variety of leading
security specialists and scholars.\11\ In September 2017, DHS
issued a Binding Operational Directive (BOD) ordering all
Federal civilian executive agencies to identify and remove
Kaspersky-branded products from Federal information
systems.\12\ This was the first time that DHS had used its
authority under the Federal Information Security Modernization
Act of 2014 to issue a BOD removing a product from the Federal
supply chain.
---------------------------------------------------------------------------
\10\Contact Us, Kaspersky.com, https://usa.kaspersky.com/about/
contact (last visited Oct. 17, 2018).
\11\See, e.g., Herb Lin, The Real Threat from Kaspersky Security
Software, Lawfare (Oct. 12, 2017), https://www.lawfareblog.com/real-
threat-kaspersky-security-software (stating, ``Of more concern to me is
the idea that Kaspersky software has the capability to inspect the
media of any computer running it for interesting files and to forward
such files to Russian intelligence.'') (emphasis in original); Nicholas
Weaver, On Kaspersky, Lawfare (July 25, 2017), https://
www.lawfareblog.com/kaspersky (noting that there is a risk of a
``government-mandated malicious update.''); see also Defendant's Motion
to Dismiss, Kaspersky Lab, Inc.; and Kaspersky Labs Limited v. United
States of America, D.D.C. (Mar. 26, 2018), Civ. No. 18-325 (CKK),
available at https://www.nextgov.com/media/gbc/docs/pdfs_edit/
032718kaspersky1ng.pdf.
\12\Department of Homeland Security, BOD-17-01: Removal of
Kaspersky-Branded Products (Sept. 13, 2017), available at https://
cyber.dhs.gov/assets/report/bod-17-01.pdf. BOD-17-01 defines
``Kaspersky-branded products'' as ``information security products,
solutions, and services supplied, directly or indirectly, by AO
Kaspersky Lab or any of its predecessors, successors, parents,
subsidiaries, or affiliates, including Kaspersky Lab North America,
Kaspersky Lab, Inc., and Kaspersky Government Security Solutions, Inc.
. . .''
---------------------------------------------------------------------------
Then-Acting Secretary of DHS Elaine Duke released the
following statement contemporaneous with the BOD explaining why
the Department acted. The statement said, in part:
This action is based on the information security
risks presented by the use of Kaspersky products on
federal information systems. Kaspersky anti-virus
products and solutions provide broad access to files
and elevated privileges on the computers on which the
software is installed, which can be exploited by
malicious cyber actors to compromise those information
systems. The Department is concerned about the ties
between certain Kaspersky officials and Russian
intelligence and other government agencies, and
requirements under Russian law that allow Russian
intelligence agencies to request or compel assistance
from Kaspersky and to intercept communications
transiting Russian networks. The risk that the Russian
government, whether acting on its own or in
collaboration with Kaspersky, could capitalize on
access provided by Kaspersky products to compromise
federal information and information systems directly
implicates U.S. national security.\13\
---------------------------------------------------------------------------
\13\Press Release, U.S. Department of Homeland Security, Acting
Secretary Elaine Duke, DHS Statement on the Issuance of Binding
Operational Directive 17-01 (Sept. 13, 2017), available at https://
www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-
directive-17-01.
In making the decision to issue the BOD, DHS consulted with
multiple interagency partners.\14\ Additionally, DHS offered
Kaspersky the opportunity to submit a written response to
address the Department's concerns and an opportunity to
mitigate them.\15\
---------------------------------------------------------------------------
\14\Id.
\15\Id.
---------------------------------------------------------------------------
Congressional interest in Kaspersky continued throughout
2017.\16\ In December 2017, Congress passed and the President
signed into law the Fiscal Year 2018 National Defense
Authorization Act (NDAA), which contained a statutory ban on
Kaspersky products.\17\ Unlike DHS' BOD, which applied only to
Kaspersky-branded products, the exclusion in the NDAA applied
to ``any hardware, software, or services developed or provided,
in whole or in part, by Kaspersky Lab (or any successor
entity); and any entity that controls, is controlled by, or is
under common control with Kaspersky Lab; or any entity of which
Kaspersky Lab has majority ownership.''\18\ The NDAA ban is
much broader than the BOD, as it targeted any product with
Kaspersky code embedded in it. Furthermore, this exclusion
applied Government-wide. This provision went into effect on
October 1, 2018.\19\
---------------------------------------------------------------------------
\16\See Disinformation: A Primer in Russian Active Measures and
Influence Campaigns, Panel II: Hearing Before the S. Select Comm. on
Intelligence, 115th Cong. (2017) https://www.gpo.gov/fdsys/pkg/CHRG-
115shrg25998/html/CHRG-115shrg25998.htm; Bolstering the Government's
Cybersecurity: Assessing the Risks of Kaspersky Lab Products to the
Federal Government: Hearing Before the H. Comm. on Science, Space, and
Technology, 115th Cong. (2017), https://science.house.gov/legislation/
hearings/bolstering-government-s-cybersecurity-assessing-risk-
kaspersky-lab-products.
\17\NDAA 2018 Sec. 1634.
\18\Id.
\19\Id.
---------------------------------------------------------------------------
Kaspersky filed lawsuits challenging both the BOD and the
NDAA exclusions.\20\ Regarding the BOD challenge, Kaspersky
argued that the directive violated the Administrative
Procedures Act and the Due Process Clause of the Fifth
Amendment.\21\ The U.S. District Court for the District of
Columbia found that Kaspersky lacked standing and granted the
Government's motion to dismiss.\22\ Kaspersky filed a separate
lawsuit against the NDAA exclusion, arguing that the language
in the NDAA constituted an unconstitutional bill of
attainder.\23\ The U.S. District Court for the District of
Columbia held that the NDAA ``does not inflict `punishment' on
Kaspersky Lab'' under the definition of bill of attainder,
again dismissing the case.\24\ Kaspersky appealed the decision,
and the appeal is still pending.\25\
---------------------------------------------------------------------------
\20\Memorandum Opinion, Kaspersky Lab, Inc. et al., v. U.S.
Department of Homeland Security, et al., and Kaspersky Lab, Inc. et
al., v. United States of America, D.D.C. (May 30, 2018), available at
https://cases.justia.com/federal/district-courts/district-of-columbia/
dcdce/1:2017cv02697/192070/26/0.pdf?ts=1527759017.
\21\Id. at 3-5.
\22\Id.
\23\Id.
\24\Id.
\25\It is the policy of this Committee not to comment on matters
currently before the courts. For details regarding the latest in
litigation, see generally Joseph Marks, Kaspersky Faces Tough Questions
at Appeals Court, Nextgov (Sept. 14, 2018), https://www.nextgov.com/
cybersecurity/2018/09/kaspersky-faces-tough-questions-appeals-court/
151282.
---------------------------------------------------------------------------
Huawei Technologies Company and ZTE Corporation
Huawei Technologies Company (``Huawei'') and ZTE
Corporation (``ZTE'') are telecommunications equipment
manufacturers headquartered in Shenzhen, China, and represent a
significant market share in the global telecommunications
sector.\26\ The presence of their products and services
worldwide is prolific, including in the United States.\27\ The
United States Government has argued that Huawei and ZTE
services and equipment may be used for nefarious or otherwise
unauthorized purposes by the Chinese government.\28\ During a
hearing before SSCI, the Director of National Intelligence,
Director of the Central Intelligence Agency, Director of the
National Security Agency (NSA), Director of the Defense
Intelligence Agency, Director of the FBI, and Director of the
National Geospatial-Intelligence Agency were each asked if they
would use products or services from Huawei or ZTE; all answered
in the negative.\29\
---------------------------------------------------------------------------
\26\Company Profile: Huawei Technologies Co Ltd, Bloomberg, https:/
/www.bloomberg.com/profiles/companies/40978Z:CH-huawei-technologies-co-
ltd (last visited Oct. 17, 2018); Contact Us, ZTE.com, https://
www.zte.com.cn/global/about/contact-us (last visited Oct. 17, 2018).
\27\H. Permanent Select Comm. on Intelligence, Chairman Mike Rogers
and Ranking Member C.A. Dutch Ruppersberger, Investigative Report on
the U.S. National Security Issues Posed by Chinese Telecommunications
Companies Huawei and ZTE, 112th Cong. (Oct. 8, 2012), available at
https://intelligence.house.gov/sites/intelligence.house.gov/files/
documents/huawei-zte%20investigative%20report%20(final).pdf.
\28\See generally, id.; Office of the U.S. Trade Representative,
Executive Office of the President, Findings of the Investigation Into
China's Acts, Policies, and Practices Related to Technology Transfer,
Intellectual Property, and Innovation Under Section 301 of the Trade
Act of 1974 (Mar. 22, 2018), available at https://ustr.gov/sites/
default/files/Section%20301%20FINAL.PDF.
\29\Worldwide Threats: Hearing Before the S. Select Comm. on
Intelligence, 115th Cong. (2018) (questioning by Senator Tom Cotton:
``All the witnesses, I'd like to address this question to you. Would
you please raise your hand if you would use products or services from
Huawei or ZTE? None of you would. You obviously lead intelligence
services, so that's something of a biased question. Raise your hand if
you would recommend that private American citizens use Huawei or ZTE
products or services. None of you again are raising your hand, thank
you for that. . . .'').
---------------------------------------------------------------------------
The John S. McCain NDAA for Fiscal Year 2019, signed into
law in August 2018, contained a provision banning the use of
Huawei and ZTE from a ``substantial or essential component of
any system, or as critical technology as part of any system''
within the Federal ICT supply chain.\30\ The provision in the
2019 NDAA followed years of concern over the use of Huawei and
ZTE products that culminated with several Federal agencies
independently taking action to reassess the use of Huawei and
ZTE products.\31\
---------------------------------------------------------------------------
\30\NDAA 2019 Sec. 889.
\31\See Stu Woo & Gordon Lubold, Pentagon Orders Stores on Military
Bases to Remove Huawei, ZTE Phones, The Wall Street Journal (May 2,
2018), https://www.wsj.com/articles/pentagon-asking-military-bases-to-
remove-huawei-zte-phones-1525262076; see also Federal Communications
Commission, Notice of Proposed Rulemaking: WC Docket No. 18-89,
Protecting Against National Security Threats to the Communications
Supply Chain Through FCC Programs (Mar. 27, 2018), https://
transition.fcc.gov/Daily_Releases/Daily_Business/2018/db0327/DOC-
349937A1.pdf.
---------------------------------------------------------------------------
S. 3085, the Federal Acquisition Supply Chain Security Act of 2018
The Committee continues to investigate threats to the
Federal ICT supply chain and methods of mitigating the risk.
The Kaspersky case made clear the potential threat to civilian
agencies' ICT purchases and systems. Since then, a number of
disjointed efforts to address the supply chain risk from
Government ICT purchases have emerged, but there is no cohesive
framework for all agencies to follow. A whole-of-government
approach is needed to give U.S. agencies the information and
authorities they need to swiftly address ICT supply chain
issues.
S. 3085 establishes the Federal Acquisition Security
Council, chaired by OMB. This Council, comprised of civilian,
DoD, and IC agencies, is designed to develop a government-wide
strategy for addressing supply chain risks from ICT purchases,
to facilitate information sharing among government agencies and
to be the central, government-wide authority for SCRM
activities. The composition of the Council allows for agencies
with a critical stake in Federal SCRM to have a voice in the
Government's policy direction. Among its various SCRM-related
functions, the Council is required to identify and recommend
the development of SCRM standards for executive agencies to use
when addressing supply chain risks. This will provide
uniformity in how agencies assess and address such risk. The
Council must also identify or develop criteria for sharing
information related to supply chain risk management, including
information pertaining to the exercise of authorities under
sections 1326 and 4713. These criteria are to include, among
other things, the content to be shared, when sharing is
mandated or voluntary, and when it is appropriate for an
executive agency to rely on shared information to exercise its
authorities under this bill. This is designed to prevent one or
two executive agencies from being aware of a present supply
chain risk and failing to notify other agencies of that risk.
As such, another responsibility of the Council includes
designating an appropriate executive agency to act as a
``central hub'' for receiving supply chain information
submitted by other executive agencies. This will streamline the
information-sharing process across the Federal Government.
Another authority granted to the Council is the ability to
recommend exclusion or removal orders for ``covered articles.''
Covered articles are items found in the ICT supply chain,
including, but not limited to: IT, including cloud computing
services; telecommunications equipment; hardware; and software.
Once the Council issues a recommendation, the Secretary of DHS,
the Defense Secretary, and the Director of National
Intelligence are vested with plenary authority to act on those
recommendations. Once one of those officials, or their
delegates, has acted on the recommendation(s), the
corresponding agencies and systems they are responsible for are
required to abide by the order(s). In the event that the
Secretary of DHS, Defense Secretary, and Director of National
Intelligence all issue the same order(s), collectively
resulting in a government-wide decision, the bill requires the
Administrator of the General Services Administration (GSA) and
officials at other agencies to effectuate the order(s)
government-wide.
In the event the Council makes a recommendation, the bill
requires the Council to provide notice of the recommendation to
any named source. The notice must advise the source that: a
recommendation has been made; the criteria the Council relied
upon in making the recommendation, to the extent consistent
with national security and law enforcement interests; that the
source has 30 days after receipt of the notice to submit
information and arguments in opposition to the recommendation;
of the procedures governing the review and possible issuance of
an exclusion or removal order; and, if practicable and within
the sole and unreviewable discretion of the Council, a
description of any mitigation steps the source could take that
may result in the Council rescinding its recommendation. If one
of the authorized agency heads decides to act on the Council's
recommendation and issues an exclusion or removal order, that
official must notify any named source of the exclusion or
removal order and of the information that formed the basis for
the order, to the extent consistent with national security and
law enforcement interests. These exclusion and removal orders
require an annual review thereafter.
This legislation also authorizes the head of an executive
agency to carry out a ``covered procurement action'' and to
limit the disclosure of information relating to the basis for
doing so. A covered procurement action includes: the exclusion
of a source that fails to meet certain qualification
requirements; the exclusion of a source that fails to achieve
an acceptable rating for supply chain risk when evaluating
contract award proposals; the determination that a source is
not a responsible source; and the decision to withhold consent
for a contractor to subcontract with a particular source or to
direct a contractor to exclude a particular source. Except when
addressing an urgent national security interest, an agency head
may only carry out a covered procurement action after receiving
a joint recommendation from their chief acquisition officer and
the chief information officer, or officials performing similar
functions if the agency does not have such officials, and after
providing notice of the joint recommendation to any source
named in the recommendation. This notice must advise the named
source of the following information: that a recommendation is
being considered or has been made; of the information that
formed the basis for the recommendation, to the extent
consistent with national security and law enforcement
interests; that the source has 30 days to submit information
and argument in opposition to the recommendation; and of the
procedures governing the consideration of the submission and
the possible exercise of the agency's authority.
Finally, this bill contains judicial review procedures that
appropriately balance the need for aggrieved companies to
receive due process with the need for the Federal Government to
act swiftly to address threats, share sensitive and/or
classified information, and ensure that information is
protected from disclosure. Any action taken under section 1323
or 4713 is not subject to existing administrative review or
judicial review procedures for government purchases, including
bid protests before the Government Accountability Office or in
any Federal court. The bill provides for the filing of
petitions for judicial review only in the U.S. Court of Appeals
for the D.C. Circuit. A petition must be filed within sixty
days after a party is notified of an exclusion or removal order
under section 1323 or a covered procurement action under
section 4713, claiming that the action is unlawful. The court
will consider such an action unlawful only if it finds it to
be: arbitrary, capricious, an abuse of discretion, or otherwise
not in accordance with law; contrary to constitutional right,
power, privilege, or immunity; in excess of statutory
jurisdiction; lacking substantial support in the administrative
record taken as a whole or in classified information submitted
to the court; or not in accord with procedures required by law.
These constraints and the sixty-day filing window afford an
expeditious resolution. The U.S. Court of Appeals for the D.C.
Circuit is granted exclusive jurisdiction over such claims,
which is appropriate given its unique expertise with national
security matters and handling of classified material.
III. Legislative History
Ranking Member Claire McCaskill (D-MO) introduced S. 3085,
the Federal Acquisition Supply Chain Security Act of 2018, on
June 19, 2018, with Senator James Lankford (R-OK). The bill was
referred to the Committee on Homeland Security and Governmental
Affairs.
The Committee considered S. 3085 at a business meeting on
September 26, 2018. During the business meeting, Ranking Member
McCaskill and Senator Lankford offered an amendment in the
nature of a substitute that was twice modified to reflect
discussions among Members of the Committee and feedback from
relevant executive agencies. The bill, as amended by the
McCaskill-Lankford Substitute Amendment as twice modified, was
ordered reported favorably by voice vote en bloc. Senators
present were Johnson, Portman, Lankford, Enzi, Hoeven,
McCaskill, Carper, Heitkamp, Peters, Hassan, Harris, and Jones.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section provides that the bill may be referred to as
the ``Federal Acquisition Supply Chain Security Act of 2018.''
Sec. 2. Federal Acquisition Supply Chain Security.
Section 2 of the bill amends chapter 13 of title 41, United
States Code (U.S.C.), by adding the following new subchapter at
the end:
Subchapter III--Federal Acquisition Supply Chain Security
Sec. 1321. Definitions
This section defines or provides references for the
following terms in the subchapter: ``appropriate congressional
committees and leadership;'' ``Council;'' ``covered article;''
``covered procurement action;'' ``information and
communications technology;'' ``intelligence community;''
``national security system;'' and ``supply chain risk.''
Sec. 1322. Federal Acquisition Security Council
establishment and membership
This section establishes the Council, whose membership is
comprised of the following agencies: OMB; GSA; DHS; ODNI,
including the National Counterintelligence and Security Center;
Department of Justice, including the FBI; DoD, including the
NSA; Department of Commerce, including the National Institute
of Standards and Technology (NIST); and any other executive
agencies the Chairperson designates. Within 90 days of the
bill's enactment, each agency represented on the Council is
required to designate a lead representative who is an expert in
SCRM, acquisitions, or information and communications
technology. Each agency's lead representative is tasked with
ensuring that their agency leadership and subject matter
experts are kept apprised of the Council's business. The
Director of OMB is required to designate a senior-level OMB
official to serve as the Council's Chairperson. The Chairperson
is tasked with several functions, including developing a
charter for the Council. The Council is required to meet within
180 days after enactment and at least every quarter thereafter.
Sec. 1323. Functions and authorities
This section delineates the functions and authorities
granted to the Council.
New subsection (a) outlines that the Council is required to
perform several functions, including but not limited to: (1)
recommending that NIST develop SCRM standards and practices for
executive agencies; (2) developing criteria for sharing
information regarding supply chain risk; (3) identifying an
executive agency to act as a ``clearing house'' for several
functions, including receiving supply chain risk information
submitted by other executive agencies and facilitating the
sharing of that information to support supply chain risk
analyses; (4) identifying executive agencies to provide shared
services and common contract solutions to support SCRM; (5)
issuing guidance on any other steps necessary to address supply
chain risks that may arise when executive agencies provide
shared services, common contract solutions, acquisition
vehicles, or assisted acquisitions; and (6) engaging with the
private sector and other nongovernmental stakeholders on SCRM
in the acquisition process, as appropriate.
New subsection (b) states that, in its sole and
unreviewable discretion, the Council may establish a program
office and any other bodies it deems appropriate for the
purpose of carrying out its functions.
New subsection (c) details the authority the Council has to
issue exclusion or removal orders. The Council is required to
establish criteria and procedures for several actions,
including for: (1) recommending orders for executive agencies
requiring the exclusion of sources or covered articles from
executive agency procurement actions, also known as
``exclusion orders;'' (2) recommending orders for executive
agencies requiring the removal of covered articles from
executive agency information systems, also known as ``removal
orders;'' (3) requesting and approving exceptions to issued
exclusion or removal orders; and (4) ensuring that any
recommended orders do not conflict with standards issued under
section 11331 of title 40 and that the Director of NIST is
consulted regarding any recommended orders that would implement
standards developed by NIST. Using these established criteria,
the Council will make recommendations regarding the exclusion
of sources or covered articles from any executive agency
procurement action or the removal of covered articles from
executive agency information systems. Recommendations must
include several important components, including, but not
limited to, information regarding the scope and applicability
of the recommended exclusion or removal order and a summary of
any risk assessment reviewed or made in support of the order.
New subsection (c) also states that the Council is required
to issue a notice of its recommendation to any source named in
the recommendation. This is intended to provide notice to the
source that a recommendation has been made; of the criteria the
Council relied on in making the recommendation; and that the
source has 30 days after receipt of the notice to submit
information and argument in opposition to the recommendation.
New subsection (c) also details how exclusion and removal
order recommendations become operable. Exclusion and removal
order recommendations issued by the Council will be reviewed by
the Secretary of DHS, for orders applicable to civilian
agencies, to the extent not covered by the DoD and ODNI
reviews described next;
by the Secretary of DoD, for orders applicable to the DoD and
national security systems other than sensitive compartmented
information systems; and the Director of National Intelligence,
for orders applicable to the intelligence community and
sensitive compartmented information. These officials have sole
and unreviewable discretion to issue exclusion and removal
orders based upon the Council's recommendations. If officials
from DHS, DoD, and ODNI issue orders collectively resulting in
a government-wide exclusion, the Administrator of GSA and
officials at other agencies responsible for management of the
Federal Supply Schedule and government-wide acquisition and
multi-agency contracts must help facilitate implementation of
the orders by removing the identified covered articles or
sources from contracts. Exclusion and removal orders must be
reviewed at least annually by the issuing officials. An
authorized official from the relevant issuing agency may
rescind exclusion and removal orders. Once such an order has
been issued, the issuing official must provide notice to any
source named in the order. The issuing official must also
notify the appropriate congressional committees and the
aforementioned agency selected to be the ``clearing house'' for
such information. All executive agencies are required to comply
with exclusion and removal orders.
New subsection (d) states that the Council may request any
information from executive agencies it deems necessary to carry
out its functions.
New subsection (e) states that the Council must consult and
coordinate, as appropriate, with other relevant councils.
New subsection (f) states that nothing in this section
limits the authority of the Office of Federal Procurement
Policy to carry out its responsibilities.
Sec. 1324. Strategic plan
This section requires the Council to create a strategic
plan for addressing supply chain risks posed by the acquisition
of covered articles within 180 days of enactment. The necessary
components of this plan include, but are not limited to: (1) an
identification and promulgation of best practices for executive
agencies to assess and mitigate supply chain risks; (2) an
evaluation of the effect of implementing new policies or
procedures on existing contracts; and (3) a plan for the
identification and mitigation of supply chain risks from
existing and prospective information and communications
technology made available to executive agencies by other
executive agencies. This plan is due to Congress within seven
days after completion.
Sec. 1325. Annual report
The Chairperson of the Council is required to submit an
annual report to Congress on the Council's activities before
December 31 of each year.
Sec. 1326. Requirements for executive agencies
This section outlines the responsibilities of each
executive agency head for SCRM, which include, but are not
limited to: (1) assessing the supply chain risk posed by the
acquisition of covered articles and either avoiding,
mitigating, accepting, or transferring that risk; and (2)
prioritizing such assessments based on the criticality of the
mission or asset. This section also includes clarifications for
interagency acquisitions and assisted acquisitions. For
interagency acquisitions, in which one agency purchases supplies
or services using another agency's contract, SCRM activities are the
responsibility of the funding agency. For assisted acquisitions, in
which an agency performs acquisition-related functions on behalf of
another agency, it is required that the parties negotiate the
assignment of responsibilities. The Secretary of DHS may assist
executive agencies in conducting risk assessments and provide
additional tools as necessary in support of such actions.
Sec. 1327. Judicial review procedures
This section outlines the judicial review procedures
applicable to an action taken under Sec. 1323 or Sec. 4713 of
this title. New subsection (a) clarifies that, except as
provided in this section, any action taken under either Sec.
1323 or Sec. 4713 is not subject to the administrative or
judicial review procedures that otherwise apply to government
purchases, including bid protests before the Government
Accountability Office or in any Federal court.
New subsection (b) describes the process for petitioning
exclusion or removal orders. After a party has been notified of
an exclusion or removal order under Sec. 1323 or a covered
procurement action under Sec. 4713, the party has 60
days to file a petition for judicial review in the United
States Court of Appeals for the District of Columbia Circuit
(``court''). The court will rule that a covered action taken
under Sec. 1323 or Sec. 4713 is unlawful if it is: (1)
arbitrary, capricious, an abuse of discretion, or otherwise not
in accordance with law; (2) contrary
to constitutional right, power, privilege, or immunity; (3) in
excess of statutory jurisdiction, authority, or limitation, or
short of statutory right; (4) lacking substantial support in
the administrative record taken as a whole or in classified
information submitted to the court; or (5) not in accordance
with procedures required by law. The court has exclusive
jurisdiction over claims arising under these sections against
the U.S., any U.S. department or agency, or any component or
official of any such department or agency, subject to review by
the U.S. Supreme Court.
New subsection (b) also describes the contents and
procedures for the administrative record, which will apply to
the review of a petition. The U.S. is required to file an
administrative record with the court, which consists of the
information that the appropriate official relied on when taking
an action under Sec. 1323 or Sec. 4713. Information that is
both unclassified and non-privileged in the administrative
record will be provided to the petitioner, with appropriate
protections for any information that is privileged or
confidential. The following information may be included in the
administrative record and will only be submitted to the court
ex parte and in camera: (1) classified information; (2)
sensitive security information; (3) privileged law enforcement
information; (4) information obtained or derived from any
activity authorized under the Foreign Intelligence Surveillance
Act of 1978, with several exceptions; and (5) information
subject to privilege or protections under any other provision
of law. Any of the previously described information must remain
under seal. The administrative record must be returned after
the time to seek further review has ended or after further
proceedings have concluded. Any determination made by the court
under this subsection is the exclusive remedy. In this section,
the term ``classified information'' not only has the meaning
given the term in section 1(a) of the Classified Information Procedures
Act, but also includes any information that the government has
determined to require protection for reasons of national
security and any restricted data, as defined in section 11 of
the Atomic Energy Act of 1954.
Sec. 1328. Termination
This section states that the subchapter terminates five
years after the day of enactment. Amendments made by this
section take effect 90 days after the day of enactment and
apply to contracts that are awarded before, on, or after that
date. The Federal Acquisition Security Council must prescribe
an interim final rule to implement subchapter III of chapter 13
of title 41, U.S.C. within one year of enactment, and the
Council must issue a final rule no later than one year after
prescribing that interim final rule. If the Council does not
issue a final rule in that time frame, the Council will be
required to submit a report to Congress explaining why it
failed to do so.
Sec. 3. Authorities of Executive Agencies relating to mitigating supply
chain risks in the procurement of covered articles
Section 3 of the bill amends chapter 47 of title 41,
U.S.C., by adding the following new section to the end:
Sec. 4713. Authorities relating to mitigating supply chain
risks in the procurement of covered articles
New subsection (a) establishes that heads of executive
agencies have the authority to carry out a covered procurement
action and to limit the disclosure of information relating to
their basis for doing so.
New subsection (b) provides that an agency head may carry
out a covered procurement action, absent an urgent national
security interest, only after (1) obtaining a joint
recommendation from the agency's CIO and chief acquisition
officer, or comparable officials; (2) providing notice of the
joint recommendation to any source named in the joint
recommendation; (3) making a written determination that the use
of the authority is, among other things, necessary to protect
national security by reducing supply chain risk; and (4)
providing notice of the determination to Congress. Any named
sources must be provided with a notice containing the following
information: (1) that a recommendation is being considered or
has been made; (2) what information formed the basis for the
recommendation, to the extent consistent with national security
interests; (3) that the source has 30 days after receipt to
submit an argument against the recommendation; and (4) what
procedures govern the consideration of that submission.
New subsection (c) provides an exception for cases in which
an agency head determines that an urgent national security
interest necessitates the immediate exercise of the authority
provided in new subsection (a). This exception allows agency
heads to, among other things, temporarily delay sending notice
to named sources; however, agency heads are required to comply
with all of the requirements of new subsection (b) as soon as
practicable after the urgency has passed.
New subsection (d) states that an agency head may not
delegate these authorities below the level of an official who
is one level below the Deputy Secretary or Principal Deputy
Director, except that the Secretary of Defense may delegate
authority for removal orders to the Commander of U.S. Cyber
Command.
New subsection (e) states that if an agency head has made
the decision to limit the disclosure of information relating to
their basis for carrying out a covered procurement action, that
official must notify the aforementioned agency identified as a
``clearing house'' for such SCRM-related information.
New subsection (f) requires agency heads to annually review
any covered procurement actions.
New subsection (g) requires the Federal Acquisition
Regulatory Council to prescribe any regulations necessary to
implement this section.
New subsection (h) requires the head of each agency to
submit a report to Congress, at least annually, summarizing the
actions taken under this section.
New subsection (i) states that this section applies to the
DoD, Coast Guard, and National Aeronautics and Space
Administration, notwithstanding Sec. 3101(c)(1)(A) of this
title.
New subsection (j) provides that the authority provided
under subsection (a) terminates in 5 years.
New subsection (k) defines the terms ``appropriate
congressional committees and leadership;'' ``covered article;''
``covered procurement;'' ``covered procurement action;''
``information and communications technology;'' and ``supply
chain risk.''
Sec. 4. Federal Information Security Modernization Act
New subsection (a) amends the Federal Information Security
Modernization Act to provide references to several provisions
in this bill and to add a new SCRM-related provision. That Act
provides a government-wide framework for the oversight and
security of non-national security Federal executive branch
information security.
New subsection (b) contains a rule of construction,
clarifying that nothing in this bill alters or impedes any
authority or responsibility under Sec. 3553 of title 44,
U.S.C., which addresses the authorities and functions of the
Director of OMB and Secretary of DHS under the Federal
Information Security Modernization Act.
Sec. 5. Effective date
Section 5 states that this bill will take effect 90 days
after enactment.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, November 28, 2018.
Hon. Ron Johnson, Chairman,
Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 3085, the Federal
Acquisition Supply Chain Security Act of 2018.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Matthew
Pickford, who can be reached at 226-2860.
Sincerely,
Keith Hall,
Director.
Enclosure,
S. 3085--Federal Acquisition Supply Chain Security Act of 2018
S. 3085 would create the Federal Acquisition Security
Council, which would work to mitigate security risks that may
arise from information technology (IT), telecommunications
services, and other goods and services procured by the federal
government. The council would consist of representatives from
at least 11 departments and agencies and a representative from
the Office of Management and Budget (OMB) would serve as chair
of the council.
Under the bill, the council would look at the security of
the entire supply chain for goods and services procured by the
government including threats from terrorism, piracy, and theft
in both the real world and cyber space. (The term supply chain
refers to the total number of organizations, individuals, and
processes involved in producing and selling something to a
final user.) Primary responsibilities for the council would
include:
Developing criteria for assessing threats
and vulnerabilities to the supply chain, and
Issuing guidance on risks to the supply
chain and how to address such risks.
Using information from OMB and based on the scope of the
council's responsibilities, CBO estimates that when fully
implemented the council would spend about $2 million annually;
most of that would be for the cost of about 10 employees. CBO
estimates that implementing S. 3085 would cost $10 million over
the 2019-2023 period; any spending would be subject to the
availability of appropriated funds.
S. 3085 also would allow agencies to change their
procurement actions based on expected risks to the agency from
different acquisitions. Those changes would involve preparing
risk management plans and strategies to assess risks to the
supply chain prior to purchasing goods or services.
CBO is unaware of any comprehensive information on the
security of the government's supply chain. CBO aims to produce
estimates that generally reflect the middle of a range of most
likely outcomes that would result if the legislation was
enacted. However, CBO cannot determine how agencies currently
handle supply chain risks nor how many resources are devoted to
those activities. In addition, what policies, procedures, or
guidance the new council would provide to agencies is not
clear. Finally, under existing authority initially provided by
section 806 of Public Law 111-383 and recently reauthorized by
section 881 of the 2019 National Defense Authorization Act
(P.L. 115-232), the Department of Defense can currently perform
many of the activities described in section 3 of S. 3085.
However, CBO cannot determine whether those authorities have
ever been used. Thus, CBO cannot estimate whether implementing
that section would have costs or savings for government
agencies.
CBO expects that agencies would continue to procure goods
and services at the lowest price available and that issues
involving supply chain risk would not significantly increase or
decrease the costs of goods and services procured by the
government.
Enacting S. 3085 could affect direct spending by agencies
that are authorized to use receipts from the sale of goods,
fees, and other collections to cover operating costs.
Therefore, pay-as-you-go procedures apply. Because most
agencies can adjust the amounts collected as operating costs
change, CBO estimates that any net changes in direct spending
by those agencies would be negligible. Enacting the bill would
not affect revenues.
CBO estimates that enacting S. 3085 would not increase net
direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
S. 3085 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
The CBO staff contacts for this estimate are Matthew
Pickford and Ray Hall. The estimate was reviewed by H. Samuel
Papenfuss, Deputy Assistant Director for Budget Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows: (existing law
proposed to be omitted is enclosed in brackets, new matter is
printed in italic, and existing law in which no change is
proposed is shown in roman):
UNITED STATES CODE
* * * * * * *
TITLE 41--PUBLIC CONTRACTS
* * * * * * *
Subtitle I--Federal Procurement Policy
* * * * * * *
DIVISION B--OFFICE OF FEDERAL PROCUREMENT POLICY
* * * * * * *
CHAPTER 13--ACQUISITION COUNCILS
Subchapter I--Federal Acquisition Regulatory Council
Sec.
1301. Definition.
1302. Establishment and membership.
1303. Functions and authority.
1304. Contract clauses and certifications.
Subchapter II--Chief Acquisition Officers Council
Sec.
1311. Establishment and membership.
1312. Functions.
Subchapter III--Federal Acquisition Supply Chain Security
Sec.
1321. Definitions.
1322. Federal Acquisitions Security Council establishment and
membership.
1323. Functions and authorities.
1324. Strategic plan.
1325. Annual report.
1326. Requirements for executive agencies.
1327. Judicial review procedures.
1328. Termination.
* * * * * * *
Subchapter II--Chief Acquisition Officers Council
* * * * * * *
Subchapter III--Federal Acquisition Supply Chain Security
SEC. 1321. DEFINITIONS.
In this subchapter:
(1) Appropriate congressional committees and
leadership.--The term ``appropriate congressional
committees and leadership'' means--
(A) the Committee on Homeland Security and
Governmental Affairs, the Committee on the
Judiciary, the Committee on Armed Services, the
Committee on Appropriations, the Select
Committee on Intelligence, and the majority and
minority leader of the Senate; and
(B) the Committee on Oversight and Government
Reform, the Committee on the Judiciary, the
Committee on Armed Services, the Committee on
Appropriations, the Committee on Homeland
Security, the Permanent Select Committee on
Intelligence, and the Speaker and minority
leader of the House of Representatives.
(2) Council.--The term ``Council'' means the Federal
Acquisition Security Council established under section
1322(a) of this title.
(3) Covered article.--The term ``covered article''
has the meaning given that term in section 4713 of this
title.
(4) Covered procurement action.--The term ``covered
procurement action'' has the meaning given that term in
section 4713 of this title.
(5) Information and communications technology.--The
term ``information and communications technology'' has
the meaning given that term in section 4713 of this
title.
(6) Intelligence community.--The term ``intelligence
community'' has the meaning given that term in section
3(4) of the National Security Act of 1947 (50 U.S.C.
3003(4)).
(7) National security system.--The term ``national
security system'' has the meaning given that term in
section 3552 of title 44.
(8) Supply chain risk.--The term ``supply chain
risk'' has the meaning given that term in section 4713
of this title.
SEC. 1322. FEDERAL ACQUISITION SECURITY COUNCIL ESTABLISHMENT AND
MEMBERSHIP.
(a) Establishment.--There is established in the executive
branch a Federal Acquisition Security Council.
(b) Membership.--
(1) In general.--The following agencies shall be
represented on the Council:
(A) The Office of Management and Budget.
(B) The General Services Administration.
(C) The Department of Homeland Security.
(D) The Office of the Director of National
Intelligence, including the National
Counterintelligence and Security Center.
(E) The Department of Justice, including the
Federal Bureau of Investigation.
(F) The Department of Defense, including the
National Security Agency.
(G) The Department of Commerce, including the
National Institute of Standards and Technology.
(H) Such other executive agencies as
determined by the Chairperson of the Council.
(2) Lead representatives.--
(A) Designation.--
(i) In general.--Not later than 90
days after the date of the enactment of
the Federal Acquisition Supply Chain
Security Act of 2018, the head of each
agency represented on the Council shall
designate a representative of that
agency as the lead representative on
the Council.
(ii) Requirements.--The
representative of an agency designated
under clause (i) shall have expertise
in supply chain risk management,
acquisitions, or information and
communications technology.
(B) Functions.--The lead representative of an
agency designated under subparagraph (A) shall
ensure that appropriate personnel, including
leadership and subject matter experts of the
agency, are aware of the business of the
Council.
(c) Chairperson.--
(1) Designation.--Not later than 90 days after the
date of the enactment of the Federal Acquisition Supply
Chain Security Act of 2018, the Director of the Office
of Management and Budget shall designate a senior-level
official from the Office of Management and Budget to
serve as the Chairperson of the Council.
(2) Functions.--The Chairperson shall perform
functions that include--
(A) subject to subsection (d), developing a
schedule for meetings of the Council;
(B) designating executive agencies to be
represented on the Council under subsection
(b)(1)(H);
(C) in consultation with the lead
representative of each agency represented on
the Council, developing a charter for the
Council; and
(D) not later than 7 days after completion of
the charter, submitting the charter to the
appropriate congressional committees and
leadership.
(d) Meetings.--The Council shall meet not later than 180
days after the date of the enactment of the Federal Acquisition
Supply Chain Security Act of 2018 and not less frequently than
quarterly thereafter.
SEC. 1323. FUNCTIONS AND AUTHORITIES.
(a) In General.--The Council shall perform functions that
include the following:
(1) Identifying and recommending by the National
Institute of Standards and Technology of supply chain
risk management standards, guidelines, and practices
for executive agencies to use when assessing and
developing mitigation strategies to address supply
chain risks, particularly in the acquisition and use of
covered articles under section 1326(a) of this title.
(2) Identifying or developing criteria for sharing
information with respect to supply chain risk,
including information related to the exercise of
authorities provided under this section and sections
1326 and 4713 of this title. At a minimum, such
criteria shall address--
(A) the content to be shared;
(B) the circumstances under which sharing is
mandated or voluntary; and
(C) the circumstances under which it is
appropriate for an executive agency to rely on
information made available through such sharing
in exercising the responsibilities and
authorities provided under this section and
section 4713 of this title.
(3) Identifying an appropriate executive agency to--
(A) accept information submitted by executive
agencies based on the criteria established
under paragraph (2);
(B) facilitate the sharing of information
received under subparagraph (A) to support
supply chain risk analyses under section 1326
of this title, recommendations under this
section, and covered procurement actions under
section 4713 of this title;
(C) share with the Council information
regarding covered procurement actions by
executive agencies taken under section 4713 of
this title; and
(D) inform the Council of orders issued under
this section.
(4) Identifying, as appropriate, executive agencies
to provide--
(A) shared services, such as support for
making risk assessments, validation of products
that may be suitable for acquisition, and
mitigation activities; and
(B) common contract solutions to support
supply chain risk management activities, such
as subscription services or machine-learning-enhanced
analysis applications to support informed decision
making.
(5) Identifying and issuing guidance on additional
steps that may be necessary to address supply chain
risks arising in the course of executive agencies
providing shared services, common contract solutions,
acquisitions vehicles, or assisted acquisitions.
(6) Engaging, as appropriate, with the private sector
and other nongovernmental stakeholders on issues
relating to the management of supply chain risks posed
by the acquisition of covered articles.
(7) Carrying out such other actions, as determined by
the Council, that are necessary to reduce the supply
chain risks posed by acquisitions and use of covered
articles.
(b) Program Office and Committees.--The Council may
establish a program office and any committees, working groups,
or other constituent bodies the Council deems appropriate, in
its sole and unreviewable discretion, to carry out its
functions.
(c) Authority for Exclusion or Removal Orders.--
(1) Criteria.--To reduce supply chain risk, the
Council shall establish criteria and procedures for--
(A) recommending orders applicable to
executive agencies requiring the exclusion of
sources or covered articles from executive
agency procurement actions (in this section
referred to as `exclusion orders');
(B) recommending orders applicable to
executive agencies requiring the removal of
covered articles from executive agency
information systems (in this section referred
to as `removal orders');
(C) requesting and approving exceptions to an
issued exclusion or removal order when
warranted by circumstances, including
alternative mitigation actions; and
(D) ensuring that recommended orders do not
conflict with standards and guidelines issued
under section 11331 of title 40 and that the
Council consults with the Director of the
National Institute of Standards and Technology
regarding any recommended orders that would
implement standards and guidelines developed by
the National Institute of Standards and
Technology.
(2) Recommendations.--The Council shall use the
criteria established under paragraph (1), information
made available under subsection (a)(3), and any other
information the Council determines appropriate to issue
recommendations, for application to executive agencies
or any subset thereof, regarding the exclusion of
sources or covered articles from any executive agency
procurement action, including source selection and
consent for a contractor to subcontract, or the removal
of covered articles from executive agency information
systems. Such recommendations shall include--
(A) information necessary to positively
identify the sources or covered articles
recommended for exclusion or removal;
(B) information regarding the scope and
applicability of the recommended exclusion or
removal order;
(C) a summary of any risk assessment reviewed
or conducted in support of the recommended
exclusion or removal order;
(D) a summary of the basis for the
recommendation, including a discussion of less
intrusive measures that were considered and why
such measures were not reasonably available to
reduce supply chain risk;
(E) a description of the actions necessary to
implement the recommended exclusion or removal
order; and
(F) where practicable, in the Council's sole
and unreviewable discretion, a description of
mitigation steps that could be taken by the
source that may result in the Council
rescinding a recommendation.
(3) Notice of recommendation and review.--A notice of
the Council's recommendation under paragraph (2) shall
be issued to any source named in the recommendation
advising--
(A) that a recommendation has been made;
(B) of the criteria the Council relied upon
under paragraph (1) and, to the extent
consistent with national security and law
enforcement interests, of information that
forms the basis for the recommendation;
(C) that, within 30 days after receipt of
notice, the source may submit information and
argument in opposition to the recommendation;
(D) of the procedures governing the review
and possible issuance of an exclusion or
removal order pursuant to paragraph (4); and
(E) where practicable, in the Council's sole
and unreviewable discretion, a description of
mitigation steps that could be taken by the
source that may result in the Council
rescinding the recommendation.
(4) Exclusion and removal orders.--
(A) Order issuance.--Recommendations of the
Council under paragraph (2), together with any
information submitted by a source under
paragraph (3) related to such a recommendation,
shall be reviewed by the following officials,
who in their sole and unreviewable discretion
may issue exclusion and removal orders based
upon such recommendations:
(i) The Secretary of Homeland
Security, for exclusion and removal
orders applicable to civilian agencies,
to the extent not covered by clause
(ii) or (iii).
(ii) The Secretary of Defense, for
exclusion and removal orders applicable
to the Department of Defense and
national security systems other than
sensitive compartmented information
systems.
(iii) The Director of National
Intelligence, for exclusion and removal
orders applicable to the intelligence
community and sensitive compartmented
information systems, to the extent not
covered by clause (ii).
(B) Delegation.--The officials identified in
subparagraph (A) may not delegate any authority
under this subparagraph to an official below
the level one level below the Deputy Secretary
or Principal Deputy Director, except that the
Secretary of Defense may delegate authority for
removal orders to the Commander of the United
States Cyber Command, who may not re-delegate
such authority to an official below the level
one level below the Deputy Commander.
(C) Facilitation of exclusion orders.--If
officials identified under this paragraph from
the Department of Homeland Security, the
Department of Defense, and the Office of the
Director of National Intelligence issue orders
collectively resulting in a governmentwide
exclusion, the Administrator for General
Services and officials at other executive
agencies responsible for management of the
Federal Supply Schedules, governmentwide
acquisition contracts and multi-agency
contracts shall help facilitate implementation
of such orders by removing the covered articles
or sources identified in the orders from such
contracts.
(D) Review of exclusion and removal orders.--
The officials identified under this paragraph
shall review all exclusion and removal orders
issued under subparagraph (A) not less
frequently than annually pursuant to procedures
established by the Council.
(E) Rescission.--Orders issued pursuant to
subparagraph (A) may be rescinded by an
authorized official from the relevant issuing
agency.
(5) Notifications.--Upon issuance of an exclusion or
removal order pursuant to paragraph (4)(A), the
official identified under that paragraph who issued the
order shall--
(A) notify any source named in the order of--
(i) the exclusion or removal order;
and
(ii) to the extent consistent with
national security and law enforcement
interests, information that forms the
basis for the order;
(B) provide classified or unclassified notice
of the exclusion or removal order to the
appropriate congressional committees and
leadership; and
(C) provide the exclusion or removal order to
the agency identified in subsection (a)(3).
(6) Compliance.--Executive agencies shall comply with
exclusion and removal orders issued pursuant to
paragraph (4).
(d) Authority to Request Information.--The Council may
request such information from executive agencies as is
necessary for the Council to carry out its functions.
(e) Relationship to Other Councils.--The Council shall
consult and coordinate, as appropriate, with other relevant
councils, including the Chief Information Officers Council, the
Chief Acquisition Officers Council, and the Federal Acquisition
Regulatory Council, with respect to supply chain risks posed by
the acquisition and use of covered articles.
(f) Rule of Construction.--Nothing in this section shall
limit the authority of the Office of Federal Procurement Policy
to carry out the responsibilities of that Office under any
other provision of law.
SEC. 1324. STRATEGIC PLAN.
(a) In General.--Not later than 180 days after the date of
the enactment of the Federal Acquisition Supply Chain Security
Act of 2018, the Council shall develop a strategic plan for
addressing supply chain risks posed by the acquisition of
covered articles and for managing such risks that includes--
(1) the criteria and processes required under section
1323(a) of this title, including a threshold and
requirements for sharing relevant information about
such risks with all executive agencies;
(2) an identification of existing authorities for
addressing such risks;
(3) an identification and promulgation of best
practices and procedures and available resources for
executive agencies to assess and mitigate such risks;
(4) recommendations for any legislative, regulatory,
or other policy changes to improve efforts to address
such risks;
(5) an evaluation of the effect of implementing new
policies or procedures on existing contracts and the
procurement process;
(6) a plan for engaging with executive agencies, the
private sector, and other nongovernmental stakeholders
to address such risks;
(7) a plan for identification, assessment,
mitigation, and vetting of supply chain risks from
existing and prospective information and communications
technology made available by executive agencies to
other executive agencies through common contract
solutions, shared services, acquisition vehicles, or
other assisted acquisition services; and
(8) plans to strengthen the capacity of all executive
agencies to conduct assessments of--
(A) the supply chain risk posed by the
acquisition of covered articles; and
(B) compliance with the requirements of this
subchapter.
(b) Submission to Congress.--Not later than 7 calendar days
after completion of the strategic plan required by subsection
(a), the Chairperson of the Council shall submit the plan to
the appropriate congressional committees and leadership.
SEC. 1325. ANNUAL REPORT.
Not later than December 31 of each year, the Chairperson of
the Council shall submit to the appropriate congressional
committees and leadership a report on the activities of the
Council during the preceding 12-month period.
SEC. 1326. REQUIREMENTS FOR EXECUTIVE AGENCIES.
(a) In General.--The head of each executive agency shall be
responsible for--
(1) assessing the supply chain risk posed by the
acquisition and use of covered articles and avoiding,
mitigating, accepting, or transferring that risk, as
appropriate and consistent with the standards,
guidelines, and practices identified by the Council
under section 1323(a)(1); and
(2) prioritizing supply chain risk assessments
conducted under paragraph (1) based on the criticality
of the mission, system, component, service, or asset.
(b) Inclusions.--The responsibility for assessing supply
chain risk described in subsection (a) includes--
(1) developing an overall supply chain risk
management strategy and implementation plan and
policies and processes to guide and govern supply chain
risk management activities;
(2) integrating supply chain risk management
practices throughout the life cycle of the system,
component, service, or asset;
(3) limiting, avoiding, mitigating, accepting, or
transferring any identified risk;
(4) sharing relevant information with other executive
agencies as determined appropriate by the Council in a
manner consistent with section 1323(a) of this title;
(5) reporting on progress and effectiveness of the
agency's supply chain risk management consistent with
guidance issued by the Office of Management and Budget
and the Council; and
(6) ensuring that all relevant information, including
classified information, with respect to acquisitions of
covered articles that may pose a supply chain risk,
consistent with section 1323(a) of this title, is
incorporated into existing processes of the agency for
conducting assessments described in subsection (a) and
ongoing management of acquisition programs, including
any identification, investigation, mitigation, or
remediation needs.
(c) Interagency Acquisitions.--
(1) In general.--Except as provided in paragraph (2),
in the case of an interagency acquisition, subsection
(a) shall be carried out by the head of the executive
agency whose funds are being used to procure the
covered article.
(2) Assisted acquisitions.--In an assisted
acquisition, the parties to the acquisition shall
determine, as part of the interagency agreement
governing the acquisition, which agency is responsible
for carrying out subsection (a).
(3) Definitions.--In this subsection, the terms
`assisted acquisition' and `interagency acquisition'
have the meanings given those terms in section 2.101 of
title 48, Code of Federal Regulations (or any
corresponding similar regulation or ruling).
(d) Assistance.--The Secretary of Homeland Security may--
(1) assist executive agencies in conducting risk
assessments described in subsection (a) and
implementing mitigation requirements for information
and communications technology; and
(2) provide such additional guidance or tools as are
necessary to support actions taken by executive
agencies.
SEC. 1327. JUDICIAL REVIEW PROCEDURES.
(a) In General.--Except as provided in subsection (b) and
chapter 71 of this title, and notwithstanding any other
provision of law, an action taken under section 1323 or 4713 of
this title, or any action taken by an executive agency to
implement such an action, shall not be subject to
administrative review or judicial review, including bid
protests before the Government Accountability Office or in any
Federal court.
(b) Petitions.--
(1) In general.--Not later than 60 days after a party
is notified of an exclusion or removal order under
section 1323(c)(5) of this title or a covered
procurement action under section 4713 of this title,
the party may file a petition for judicial review in
the United States Court of Appeals for the District of
Columbia Circuit claiming that the issuance of an
exclusion or removal order or covered procurement
action is unlawful.
(2) Standard of review.--The Court shall hold
unlawful a covered procurement action taken under
sections 1323 or 4713 of this title, in response to a
petition that the court finds to be--
(A) arbitrary, capricious, an abuse of
discretion, or otherwise not in accordance with
law;
(B) contrary to constitutional right, power,
privilege, or immunity;
(C) in excess of statutory jurisdiction,
authority, or limitation, or short of statutory
right;
(D) lacking substantial support in the
administrative record taken as a whole or in
classified information submitted to the court
under paragraph (3); or
(E) not in accord with procedures required by
law.
(3) Exclusive jurisdiction.--The United States Court
of Appeals for the District of Columbia Circuit shall
have exclusive jurisdiction over claims arising under
sections 1323(c)(4) or 4713 of this title against the
United States, any United States department or agency,
or any component or official of any such department or
agency, subject to review by the Supreme Court of the
United States under section 1254 of title 28.
(4) Administrative record and procedures.--
(A) In general.--The procedures described in
this paragraph shall apply to the review of a
petition under this section.
(B) Administrative record.--
(i) Filing of record.--The United
States shall file with the court an
administrative record, which shall
consist of the information that the
appropriate official relied upon in
issuing an exclusion or removal order
under section 1323(c)(4) or a covered
procurement action under section 4713
of this title.
(ii) Unclassified, nonprivileged
information.--All unclassified
information contained in the
administrative record that is not
otherwise privileged or subject to
statutory protections shall be provided
to the petitioner with appropriate
protections for any privileged or
confidential trade secrets and
commercial or financial information.
(iii) In camera and ex parte.--The
following information may be included
in the administrative record and shall
be submitted only to the court ex parte
and in camera:
(I) Classified information.
(II) Sensitive security
information, as defined by
section 1520.5 of title 49,
Code of Federal Regulations.
(III) Privileged law
enforcement information.
(IV) Information obtained or
derived from any activity
authorized under the Foreign
Intelligence Surveillance Act
of 1978 (50 U.S.C. 1801 et
seq.), except that, with
respect to such information,
subsections (c), (e), (f), (g),
and (h) of section 106 (50
U.S.C. 1806), subsections (d),
(f), (g), (h), and (i) of
section 305 (50 U.S.C. 1825),
subsections (c), (e), (f), (g),
and (h) of section 405 (50
U.S.C. 1845), and section 706
(50 U.S.C. 1881e) of that Act
shall not apply.
(V) Information subject to
privilege or protections under
any other provision of law.
(iv) Under seal.--Any information
that is part of the administrative
record filed ex parte and in camera
under clause (iii), or cited by the
court in any decision, shall be treated
by the court consistent with the
provisions of this subparagraph and
shall remain under seal and preserved
in the records of the court to be made
available consistent with the above
provisions in the event of further
proceedings. In no event shall such
information be released to the
petitioner or as part of the public
record.
(v) Return.--After the expiration of
the time to seek further review, or the
conclusion of further proceedings, the
court shall return the administrative
record, including any and all copies,
to the United States.
(C) Exclusive remedy.--A determination by the
court under this subsection shall be the
exclusive judicial remedy for any claim
described in this section against the United
States, any United States department or agency,
or any component or official of any such
department or agency.
(D) Rule of construction.--Nothing in this
section shall be construed as limiting,
superseding, or preventing the invocation of,
any privileges or defenses that are otherwise
available at law or in equity to protect
against the disclosure of information.
(c) Definition.--In this section, the term ``classified
information''--
(1) has the meaning given that term in section 1(a)
of the Classified Information Procedures Act (18 U.S.C.
App.); and
(2) includes--
(A) any information or material that has been
determined by the United States Government
pursuant to an Executive order, statute, or
regulation to require protection against
unauthorized disclosure for reasons of national
security; and
(B) any restricted data, as defined in
section 11 of the Atomic Energy Act of 1954 (42
U.S.C. 2014).
SEC. 1328. TERMINATION.
This subchapter shall terminate on the date that is 5 years
after the date of the enactment of the Federal Acquisition
Supply Chain Security Act of 2018.
* * * * * * *
DIVISION C--PROCUREMENT
* * * * * * *
CHAPTER 47--MISCELLANEOUS
Sec.
4701. Determinations and decisions.
* * * * * * *
4712. Enhancement of contractor protection from reprisal for disclosure
of certain information.
4713. Authorities relating to mitigating supply chain risks in the
procurement of covered articles.
* * * * * * *
SEC. 4712. ENHANCEMENT OF CONTRACTOR PROTECTION FROM REPRISAL FOR
DISCLOSURE OF CERTAIN INFORMATION.
* * * * * * *
SEC. 4713. AUTHORITIES RELATING TO MITIGATING SUPPLY CHAIN RISKS IN THE
PROCUREMENT OF COVERED ARTICLES.
(a) Authority.--Subject to subsection (b), the head of an
executive agency may--
(1) carry out a covered procurement action; and
(2) limit, notwithstanding any other provision of
law, in whole or in part, the disclosure of information
relating to the basis for carrying out a covered
procurement action.
(b) Determination and Notification.--Except as authorized
by subsection (c) to address an urgent national security
interest, the head of an executive agency may exercise the
authority provided in subsection (a) only after--
(1) obtaining a joint recommendation, in unclassified
or classified form, from the chief acquisition officer
and the chief information officer of the agency, or
officials performing similar functions in the case of
executive agencies that do not have such officials,
which includes a review of any risk assessment made
available by the executive agency identified under
section 1323(a)(3) of this title, that there is a
significant supply chain risk in a covered procurement;
(2) providing notice of the joint recommendation
described in paragraph (1) to any source named in the
joint recommendation advising--
(A) that a recommendation is being considered
or has been obtained;
(B) to the extent consistent with the
national security and law enforcement
interests, of information that forms the basis
for the recommendation;
(C) that, within 30 days after receipt of the
notice, the source may submit information and
argument in opposition to the recommendation;
and
(D) of the procedures governing the
consideration of the submission and the
possible exercise of the authority provided in
subsection (a);
(3) making a determination in writing, in
unclassified or classified form, after considering any
information submitted by a source under paragraph (2)
and in consultation with the chief information security
officer of the agency, that--
(A) use of the authority under subsection
(a)(1) is necessary to protect national
security by reducing supply chain risk;
(B) less intrusive measures are not
reasonably available to reduce such supply
chain risk;
(C) a decision to limit disclosure of
information under subsection (a)(2) is
necessary to protect an urgent national
security interest; and
(D) the use of such authorities will apply to
a single covered procurement or a class of
covered procurements, and otherwise specifies
the scope of the determination; and
(4) providing a classified or unclassified notice of
the determination made under paragraph (3) to the
appropriate congressional committees and leadership
that includes--
(A) the joint recommendation described in
paragraph (1);
(B) a summary of any risk assessment reviewed
in support of the joint recommendation required
by paragraph (1); and
(C) a summary of the basis for the
determination, including a discussion of less
intrusive measures that were considered and why
such measures were not reasonably available to
reduce supply chain risk.
(c) Procedures To Address Urgent National Security
Interests.--In any case in which the head of an executive
agency determines that an urgent national security interest
requires the immediate exercise of the authority provided in
subsection (a), the head of the agency--
(1) may, to the extent necessary to address such
national security interest, and subject to the
conditions in paragraph (2)--
(A) temporarily delay the notice required by
subsection (b)(2);
(B) make the determination required by
subsection (b)(3), regardless of whether the
notice required by subsection (b)(2) has been
provided or whether the notified source has
submitted any information in response to such
notice;
(C) temporarily delay the notice required by
subsection (b)(4); and
(D) exercise the authority provided in
subsection (a) in accordance with such
determination within 60 calendar days after the
day the determination is made; and
(2) shall take actions necessary to comply with all
requirements of subsection (b) as soon as practicable
after addressing the urgent national security interest,
including--
(A) providing the notice required by
subsection (b)(2);
(B) promptly considering any information
submitted by the source in response to such
notice, and making any appropriate
modifications to the determination based on
such information;
(C) providing the notice required by
subsection (b)(4), including a description of
the urgent national security interest, and any
modifications to the determination made in
accordance with subparagraph (B); and
(D) providing notice to the appropriate
congressional committees and leadership within
7 calendar days of the covered procurement
actions taken under this section.
(d) Delegation.--The head of an executive agency may not
delegate the authority provided in subsection (a) or the
responsibility identified in subsection (f) to an official
below the level one level below the Deputy Secretary or
Principal Deputy Director.
(e) Limitation on Disclosure.--If the head of an executive
agency has exercised the authority provided in subsection
(a)(2) to limit disclosure of information, the agency head or a
designee identified by the agency head shall--
(1) provide the executive agency identified by the
Council under paragraph (3) of section 1323(a) of this
title information identified by the criteria under
paragraph (2) of that section, in a manner and to the
extent consistent with the requirements of national
security and law enforcement interests; and
(2) take steps to maintain the confidentiality of any
such notifications.
(f) Annual Review of Determinations.--The head of an
executive agency shall conduct an annual review of all
determinations made by such head under subsection (b) and
promptly amend any covered procurement action as appropriate.
(g) Regulations.--The Federal Acquisition Regulatory
Council shall prescribe such regulations as may be necessary to
carry out this section.
(h) Reports Required.--Not less frequently than annually,
the head of each executive agency that exercised the authority
provided in subsection (a) or (c) during the preceding 12-month
period shall submit to the appropriate congressional committees
and leadership a report summarizing the actions taken by the
agency under this section during that 12-month period.
(i) Applicability.--Notwithstanding section 3101(c)(1)(A)
of this title, this section applies to the Department of
Defense, the Coast Guard, and the National Aeronautics and
Space Administration.
(j) Termination.--The authority provided under subsection
(a) shall terminate on the date that is 5 years after the date
of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018.
(k) Definitions.--In this section:
(1) Appropriate congressional committees and
leadership.--The term ``appropriate congressional
committees and leadership'' means--
(A) the Committee on Homeland Security and
Governmental Affairs, the Committee on the
Judiciary, the Committee on Appropriations, the
Select Committee on Intelligence, and the
majority and minority leader of the Senate; and
(B) the Committee on Oversight and Government
Reform, the Committee on the Judiciary, the
Committee on Appropriations, the Committee on
Homeland Security, the Permanent Select
Committee on Intelligence, and the Speaker and
minority leader of the House of
Representatives.
(2) Covered article.--The term ``covered article''
means--
(A) information technology, as defined in
section 11101 of title 40, including cloud
computing services of all types;
(B) telecommunications equipment or
telecommunications service, as those terms are
defined in section 3 of the Communications Act
of 1934 (47 U.S.C. 153);
(C) the processing of information of a
Federal or non-Federal information system,
subject to the requirements of the Controlled
Unclassified Information program; or
(D) hardware, systems, devices, software, or
services that include embedded or incidental
information technology.
(3) Covered procurement.--The term ``covered
procurement'' means--
(A) a source selection for a covered article
involving either a performance specification,
as provided in subsection (a)(3)(B) of section
3306 of this title, or an evaluation factor, as
provided in subsection (b)(1)(A) of such
section, relating to a supply chain risk, or
where supply chain risk considerations are
included in the agency's determination of
whether a source is a responsible source as
defined in section 113 of this title;
(B) the consideration of proposals for and
issuance of a task or delivery order for a
covered article, as provided in section
4106(d)(3) of this title, where the task or
delivery order contract includes a contract
clause establishing a requirement relating to a
supply chain risk;
(C) any contract action involving a contract
for a covered article where the contract
includes a clause establishing requirements
relating to a supply chain risk; or
(D) any other procurement in a category of
procurements determined appropriate by the
Federal Acquisition Regulatory Council, with
the advice of the Federal Acquisition Security
Council.
(4) Covered procurement action.--The term ``covered
procurement action'' means any of the following
actions, if the action takes place in the course of
conducting a covered procurement:
(A) The exclusion of a source that fails to
meet qualification requirements established
under section 3311 of this title for the
purpose of reducing supply chain risk in the
acquisition or use of covered articles.
(B) The exclusion of a source that fails to
achieve an acceptable rating with regard to an
evaluation factor providing for the
consideration of supply chain risk in the
evaluation of proposals for the award of a
contract or the issuance of a task or delivery
order.
(C) The determination that a source is not a
responsible source as defined in section 113 of
this title based on consideration of supply
chain risk.
(D) The decision to withhold consent for a
contractor to subcontract with a particular
source or to direct a contractor to exclude a
particular source from consideration for a
subcontract under the contract.
(5) Information and communications technology.--The
term ``information and communications technology''
means--
(A) information technology, as defined in
section 11101 of title 40;
(B) information systems, as defined in
section 3502 of title 44; and
(C) telecommunications equipment and
telecommunications services, as those terms are
defined in section 3 of the Communications Act
of 1934 (47 U.S.C. 153).
(6) Supply chain risk.--The term ``supply chain
risk'' means the risk that any person may sabotage,
maliciously introduce unwanted function, extract data,
or otherwise manipulate the design, integrity,
manufacturing, production, distribution, installation,
operation, maintenance, disposition, or retirement of
covered articles so as to surveil, deny, disrupt, or
otherwise manipulate the function, use, or operation of
the covered articles or information stored or
transmitted on the covered articles.
* * * * * * *
TITLE 44--PUBLIC PRINTING AND DOCUMENTS
* * * * * * *
CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY
* * * * * * *
Subchapter II--Information Security
* * * * * * *
SEC. 3553. AUTHORITIES AND FUNCTIONS OF THE DIRECTOR AND SECRETARY.
(a) * * *
(1) * * *
* * * * * * *
(5) overseeing agency compliance with the
requirements of this subchapter and section 1326 of
title 41, including through any authorized action under
section 11303 of title 40, to enforce accountability
for compliance with such requirements; and
* * * * * * *
SEC. 3554. FEDERAL AGENCY RESPONSIBILITIES.
(a) * * *
(1) * * *
(A) * * *
(B) complying with the requirements of this
subchapter, subchapter III of chapter 13 of
title 41, and related policies, procedures,
standards, and guidelines, including--
(i) * * *
(ii) * * *
(iii) * * *
(iv) information security standards
and guidelines for national security
systems issued in accordance with law
and as directed by the President[;
and];
(v) * * *
(vi) responsibilities relating to
assessing and avoiding, mitigating,
transferring, or accepting supply chain
risks under section 1326 of title 41,
and complying with exclusion and
removal orders issued under section
1323 of such title; and
* * * * * * *