115 HR 7327 EH: SECURE Technology Act U.S. House of Representatives text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
I 115th CONGRESS 2d Session H. R. 7327 IN THE HOUSE OF REPRESENTATIVES AN ACT To require the Secretary of Homeland Security to establish a security vulnerability disclosure policy, to establish a bug bounty program for the Department of Homeland Security, to amend title 41, United States Code, to provide for Federal acquisition supply chain security, and for other purposes.
1.
Short title; table of contents
(a)
Short title
This Act may be cited as the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act or the SECURE Technology Act. (b)
Table of contents
The table of contents for this Act is as follows: Sec. 1. Short title; table of contents. Title I—Department of Homeland Security information security and other matters Sec. 101. Department of Homeland Security disclosure of security vulnerabilities. Sec. 102. Department of Homeland Security bug bounty pilot program. Sec. 103. Congressional submittal of reports relating to certain special access programs and similar programs. Title II—Federal acquisition supply chain security Sec. 201. Short title. Sec. 202. Federal acquisition supply chain security. Sec. 203. Authorities of executive agencies relating to mitigating supply chain risks in the procurement of covered articles. Sec. 204. Federal Information Security Modernization Act. Sec. 205. Effective date.
<enum>I</enum><header>Department of Homeland Security information security and other matters</header> <section id="HE99D8BFB4CFC436A8AE9F1F6E9BBBBBD" section-type="subsequent-section"><enum>101.</enum><header>Department of Homeland Security disclosure of security vulnerabilities</header> <subsection id="H42DBE522E6D449B4B41C474779B18969"><enum>(a)</enum><header>Vulnerability disclosure policy</header><text>The Secretary of Homeland Security shall establish a policy applicable to individuals, organizations, and companies that report security vulnerabilities on appropriate information systems of Department of Homeland Security. Such policy shall include each of the following:</text> <paragraph id="H685ABD56C7B748AC89BBDEEE56ACCA47"><enum>(1)</enum><text>The appropriate information systems of the Department that individuals, organizations, and companies may use to discover and report security vulnerabilities on appropriate information systems.</text></paragraph> <paragraph id="HE121AF86B82F4872B1BF80F02FEF7756"><enum>(2)</enum><text>The conditions and criteria under which individuals, organizations, and companies may operate to discover and report security vulnerabilities.</text></paragraph> <paragraph id="HDFFB082FD7AE466C8F16AF696AB2DD3B"><enum>(3)</enum><text>How individuals, organizations, and companies may disclose to the Department security vulnerabilities discovered on appropriate information systems of the Department.</text></paragraph> <paragraph id="H95A6127A3F144C6B82905949E8B16BB5"><enum>(4)</enum><text>The ways in which the Department may communicate with individuals, organizations, and companies that report security vulnerabilities.</text></paragraph> <paragraph id="HEEB040A83CAD42E3BB5A62A20286EF7D"><enum>(5)</enum><text>The process the Department shall use for public disclosure of reported security vulnerabilities.</text></paragraph></subsection> <subsection id="H8AA438077563424E9170833CEA1F215A"><enum>(b)</enum><header>Remediation process</header><text>The Secretary of Homeland Security shall develop a process for the Department of Homeland Security to address the mitigation or remediation of the security vulnerabilities reported through the policy developed in subsection (a).</text></subsection> <subsection id="HBBCA5442D3DE4D52BD273B9D031C5A90"><enum>(c)</enum><header>Consultation</header> <paragraph id="H6783BE2FB9674701AC3DD043F2E716F4"><enum>(1)</enum><header>In general</header><text>In developing the security vulnerability disclosure policy under subsection (a), the Secretary of Homeland Security shall consult with each of the following:</text> <subparagraph id="H30A824B89EA045ECB5ED104519C405D1"><enum>(A)</enum><text>The Attorney General regarding how to ensure that individuals, organizations, and companies that comply with the requirements of the policy developed under subsection (a) are protected from prosecution under section 1030 of title 18, United States Code, civil lawsuits, and similar provisions of law with respect to specific activities authorized under the policy.</text></subparagraph> <subparagraph id="H646D8D7865584FD5B15838FDC13A2EB3"><enum>(B)</enum><text>The Secretary of Defense and the Administrator of General Services regarding lessons that may be applied from existing vulnerability disclosure policies.</text></subparagraph> <subparagraph id="H7712F2E784A7465BAF93D3E636C51F53"><enum>(C)</enum><text>Non-governmental security researchers.</text></subparagraph></paragraph> <paragraph id="H322C6F89BE534E0096CEDC2A32C35302"><enum>(2)</enum><header>Nonapplicability of FACA</header><text display-inline="yes-display-inline">The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to any consultation under this section.</text></paragraph></subsection> <subsection id="H2B5A4C8CD7E345E4B49CB2D199BE1957"><enum>(d)</enum><header>Public availability</header><text>The Secretary of Homeland Security shall make the policy developed under subsection (a) publicly available.</text></subsection> <subsection id="HDFF2960300E64498905DA83E3313F9B4"><enum>(e)</enum><header>Submission to Congress</header> <paragraph id="H654E3B2C757D4914A8FF6FE0D673D798"><enum>(1)</enum><header>Disclosure policy and remediation process</header><text>Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the appropriate congressional committees a copy of the policy required under subsection (a) and the remediation process required under subsection (b).</text></paragraph> <paragraph id="HB9B03CFBE02847D59A96CB1A546B1054"><enum>(2)</enum><header>Report and briefing</header> <subparagraph id="H4D1C337141A747849F24BEBF3EF2CC70"><enum>(A)</enum><header>Report</header><text>Not later than one year after establishing the policy required under subsection (a), the Secretary of Homeland Security shall submit to the appropriate congressional committees a report on such policy and the remediation process required under subsection (b).</text></subparagraph> <subparagraph id="H2D7B1A295CE7438AA05C632C0A6C3FC2"><enum>(B)</enum><header>Annual briefings</header><text>One year after the date of the submission of the report under subparagraph (A), and annually thereafter for each of the next three years, the Secretary of Homeland Security shall provide to the appropriate congressional committees a briefing on the policy required under subsection (a) and the process required under subsection (b).</text></subparagraph> <subparagraph id="H08E4CF6230AB4B3B88EE2D40D9840498"><enum>(C)</enum><header>Matters for inclusion</header><text>The report required under subparagraph (A) and the briefings required under subparagraph (B) shall include each of the following with respect to the policy required under subsection (a) and the process required under subsection (b) for the period covered by the report or briefing, as the case may be:</text> <clause id="H47D4C873576F4997BB4E037D68710B41"><enum>(i)</enum><text>The number of unique security vulnerabilities reported.</text></clause> <clause id="H6EF02AAA61654CA3A207BAE54D2A8A92"><enum>(ii)</enum><text>The number of previously unknown security vulnerabilities mitigated or remediated.</text></clause> <clause id="HD68512AA76F049679B35D80785530793"><enum>(iii)</enum><text>The number of unique individuals, organizations, and companies that reported security vulnerabilities.</text></clause> <clause id="HBE99140908B44D65A040D2B66221BF6C"><enum>(iv)</enum><text>The average length of time between the reporting of security vulnerabilities and mitigation or remediation of such vulnerabilities.</text></clause></subparagraph></paragraph></subsection> <subsection id="H211E87F9A9F449E2B2A8BE92A0077FBA"><enum>(f)</enum><header>Definitions</header><text>In this section:</text> <paragraph id="HA4AC7B5CF96A48E8A419607E3E21B458"><enum>(1)</enum><text>The term <quote>security vulnerability</quote> has the meaning given that term in section 102(17) of the Cybersecurity Information Sharing Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1501">6 U.S.C. 1501(17)</external-xref>), in information technology.</text></paragraph> <paragraph id="H6A2DC3CC9C4743439A5508F16DF42889"><enum>(2)</enum><text>The term <quote>information system</quote> has the meaning given that term by section 3502 of title 44, United States Code.</text></paragraph> <paragraph id="H7429D034A444451191EB5C6C9329C597"><enum>(3)</enum><text>The term <quote>appropriate information system</quote> means an information system that the Secretary of Homeland Security selects for inclusion under the vulnerability disclosure policy required by subsection (a).</text></paragraph> <paragraph id="H32A04C653A694B7E8FDD54747539E328"><enum>(4)</enum><text>The term <quote>appropriate congressional committees</quote> means—</text> <subparagraph id="H64C8E327CC074A61A6E846B6B0C64A91"><enum>(A)</enum><text>the Committee on Homeland Security, the Committee on Armed Services, the Committee on Energy and Commerce, and the Permanent Select Committee on Intelligence of the House of Representatives; and</text></subparagraph> <subparagraph id="HDB2D25F4DAEF4079B23550CB12F813F5"><enum>(B)</enum><text>the Committee on Homeland Security and Governmental Affairs, the Committee on Armed Services, the Committee on Commerce, Science, and Transportation, and the Select Committee on Intelligence of the Senate.</text></subparagraph></paragraph></subsection></section> <section id="H34A6E40AC36A4AF2835AD3D7B70DFF60"><enum>102.</enum><header>Department of Homeland Security bug bounty pilot program</header> <subsection commented="no" display-inline="no-display-inline" id="HEADD31CEF33848C1B70D1632C384889B"><enum>(a)</enum><header>Definitions</header><text>In this section:</text> <paragraph id="HEBF0763AC2294A54A06540A9465D2E87"><enum>(1)</enum><text display-inline="yes-display-inline">The term <term>appropriate congressional committees</term> means—</text> <subparagraph id="H5D3978FE8ACD40DF8410D11FEBE03E41"><enum>(A)</enum><text>the Committee on Homeland Security and Governmental Affairs of the Senate;</text></subparagraph> <subparagraph id="H7440F879618344A699E557E274BB66B5"><enum>(B)</enum><text>the Select Committee on Intelligence of the Senate;</text></subparagraph> <subparagraph id="H5B4CAC6145874BECBFBD08FF3F699B5E"><enum>(C)</enum><text>the Committee on Homeland Security of the House of Representatives; and</text></subparagraph> <subparagraph id="H99E8D4A20B64404384C4A06910A010B6"><enum>(D)</enum><text>Permanent Select Committee on Intelligence of the House of Representatives.</text></subparagraph></paragraph> <paragraph display-inline="no-display-inline" id="HFDE21E65D39545B49D249E5322964DFB"><enum>(2)</enum><text>The term <term>bug bounty program</term> means a program under which—</text> <subparagraph id="H31706A062E86426C826570CF41F2018F"><enum>(A)</enum><text>individuals, organizations, and companies are temporarily authorized to identify and report vulnerabilities of appropriate information systems of the Department; and</text></subparagraph> <subparagraph id="HF2A549169C3543CA8E911922637F1DE5"><enum>(B)</enum><text>eligible individuals, organizations, and companies receive compensation in exchange for such reports.</text></subparagraph></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="HFC8419250E3D4F88A45FE8C95573C4A8"><enum>(3)</enum><text display-inline="yes-display-inline">The term <term>Department</term> means the Department of Homeland Security.</text></paragraph> <paragraph display-inline="no-display-inline" id="HE09458BF4E264CEB93EC62CC57E773A3"><enum>(4)</enum><text>The term <term>eligible individual, organization, or company</term> means an individual, organization, or company that meets such criteria as the Secretary determines in order to receive compensation in compliance with Federal laws.</text></paragraph> <paragraph display-inline="no-display-inline" id="H4EFDFE7FC6B143209ACA2776810DD930"><enum>(5)</enum><text>The term <term>information system</term> has the meaning given the term in section 3502 of title 44, United States Code.</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="HE89C1589E64240E49F9EFEDBEAE317A9"><enum>(6)</enum><text display-inline="yes-display-inline">The term <term>pilot program</term> means the bug bounty pilot program required to be established under subsection (b)(1).</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="H8A52061C346542909D3F10CB3BDE47C9"><enum>(7)</enum><text display-inline="yes-display-inline">The term <term>Secretary</term> means the Secretary of Homeland Security.</text></paragraph></subsection> <subsection commented="no" display-inline="no-display-inline" id="H96CF658DC54A4A0A8E06DF14BB340A17"><enum>(b)</enum><header>Bug bounty pilot program</header> <paragraph commented="no" display-inline="no-display-inline" id="HA1AC14742E8549B6BD8C5D9F288ED8FF"><enum>(1)</enum><header>Establishment</header><text display-inline="yes-display-inline">Not later than 180 days after the date of enactment of this Act, the Secretary shall establish, within the Office of the Chief Information Officer, a bug bounty pilot program to minimize vulnerabilities of appropriate information systems of the Department.</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="H759BF40EBB714AA08A6268E49AD41533"><enum>(2)</enum><header>Responsibilities of Secretary</header><text display-inline="yes-display-inline">In establishing and conducting the pilot program, the Secretary shall—</text> <subparagraph commented="no" display-inline="no-display-inline" id="HBF66400E516D4117AF91FBC3866F2DC2"><enum>(A)</enum><text display-inline="yes-display-inline">designate appropriate information systems to be included in the pilot program;</text></subparagraph> <subparagraph id="H237B1C2ED8CC4FFEBE03F2D622E8F425"><enum>(B)</enum><text>provide compensation to eligible individuals, organizations, and companies for reports of previously unidentified security vulnerabilities within the information systems designated under subparagraph (A);</text></subparagraph> <subparagraph id="H5712F56980AE4DEA82E7255657F4DDCA"><enum>(C)</enum><text>establish criteria for individuals, organizations, and companies to be considered eligible for compensation under the pilot program in compliance with Federal laws;</text></subparagraph> <subparagraph commented="no" display-inline="no-display-inline" id="HE5443F67C20C4A34AAB8457907C96347"><enum>(D)</enum><text display-inline="yes-display-inline">consult with the Attorney General on how to ensure that approved individuals, organizations, or companies that comply with the requirements of the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law, and civil lawsuits for specific activities authorized under the pilot program;</text></subparagraph> <subparagraph display-inline="no-display-inline" id="HF0D5BA3ACAEA42BB9C9E1620B64A936A"><enum>(E)</enum><text>consult with the Secretary of Defense and the heads of other departments and agencies that have implemented programs to provide compensation for reports of previously undisclosed vulnerabilities in information systems, regarding lessons that may be applied from such programs; and</text></subparagraph> <subparagraph commented="no" display-inline="no-display-inline" id="H7422772B6EBD405187C93AE895543807"><enum>(F)</enum><text display-inline="yes-display-inline">develop an expeditious process by which an individual, organization, or company can register with the Department, submit to a background check as determined by the Department, and receive a determination as to eligibility; and</text></subparagraph> <subparagraph commented="no" display-inline="no-display-inline" id="H376D328E666546AEB9ED24D947705991"><enum>(G)</enum><text display-inline="yes-display-inline">engage qualified interested persons, including non-government sector representatives, about the structure of the pilot program as constructive and to the extent practicable.</text></subparagraph></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="HACCCA5017C984813A63F2AFCEA4F58FB"><enum>(3)</enum><header>Contract authority</header><text display-inline="yes-display-inline">In establishing the pilot program, the Secretary, subject to the availability of appropriations, may award 1 or more competitive contracts to an entity, as necessary, to manage the pilot program.</text></paragraph></subsection> <subsection commented="no" display-inline="no-display-inline" id="H781D5B174E9F40FCB78642FF358E45AB"><enum>(c)</enum><header>Report to Congress</header><text display-inline="yes-display-inline">Not later than 180 days after the date on which the pilot program is completed, the Secretary shall submit to the appropriate congressional committees a report on the pilot program, which shall include—</text> <paragraph commented="no" display-inline="no-display-inline" id="H9230ACA7A81E450DBDDD270A3F3D45EC"><enum>(1)</enum><text display-inline="yes-display-inline">the number of individuals, organizations, or companies that participated in the pilot program, broken down by the number of individuals, organizations, or companies that—</text> <subparagraph commented="no" display-inline="no-display-inline" id="H5ED6885E12B145A8BAF37E0933C4167E"><enum>(A)</enum><text display-inline="yes-display-inline">registered;</text></subparagraph> <subparagraph commented="no" display-inline="no-display-inline" id="HA7FC2D11CF18475A9B3719E579B17727"><enum>(B)</enum><text display-inline="yes-display-inline">were determined eligible;</text></subparagraph> <subparagraph commented="no" display-inline="no-display-inline" id="HC1D064127A3C4C919520AA8FFBDD2C82"><enum>(C)</enum><text display-inline="yes-display-inline">submitted security vulnerabilities; and</text></subparagraph> <subparagraph commented="no" display-inline="no-display-inline" id="HC739482AC7474F14AE9AB6937718FA04"><enum>(D)</enum><text display-inline="yes-display-inline">received compensation;</text></subparagraph></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="H61FFEEF14B234A15A4D13F01D2D70356"><enum>(2)</enum><text display-inline="yes-display-inline">the number and severity of vulnerabilities reported as part of the pilot program;</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="H7E025CE6FEED452885C7D4230A0ADEEE"><enum>(3)</enum><text display-inline="yes-display-inline">the number of previously unidentified security vulnerabilities remediated as a result of the pilot program;</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="HC9D9BB7B20CA4735AC814CE9F94A7F32"><enum>(4)</enum><text display-inline="yes-display-inline">the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans;</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="H0FE82D1A89F84E088A10B52158A93608"><enum>(5)</enum><text display-inline="yes-display-inline">the average length of time between the reporting of security vulnerabilities and remediation of the vulnerabilities;</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="HB3E9081D76A2491DBD0CDA8197883AF5"><enum>(6)</enum><text display-inline="yes-display-inline">the types of compensation provided under the pilot program; and</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="H9D417239A43F42AB9FF13D77D1787DB5"><enum>(7)</enum><text display-inline="yes-display-inline">the lessons learned from the pilot program.</text></paragraph></subsection> <subsection commented="no" display-inline="no-display-inline" id="HE9110423C5A74B0B8771ACCF0CB7E472"><enum>(d)</enum><header>Authorization of appropriations</header><text display-inline="yes-display-inline">There is authorized to be appropriated to the Department $250,000 for fiscal year 2019 to carry out this section.</text></subsection></section> <section id="H595AA9FC09C3456CAC648044F20FD410"><enum>103.</enum><header>Congressional submittal of reports relating to certain special access programs and similar programs</header><text display-inline="no-display-inline">The National Defense Authorization Act for Fiscal Year 1994 (<external-xref legal-doc="usc" parsable-cite="usc/50/3348">50 U.S.C. 3348</external-xref>) is amended—</text> <paragraph id="HA61B13B2514C4F0FBED9222E290252DE"><enum>(1)</enum><text>by striking <quote>Congress</quote> each place it appears and inserting <quote>the congressional oversight committees</quote>;</text></paragraph> <paragraph id="HAD537FAAB2924DDAB1DD90D36F90FB58"><enum>(2)</enum><text>in subsection (f)(1), by striking <quote>appropriate oversight committees</quote> and inserting <quote>congressional oversight committees</quote>; and</text></paragraph> <paragraph id="HEF2A758C4F0E48D7B3F0A0DB8ABFF064"><enum>(3)</enum><text>in subsection (g)—</text> <subparagraph id="H24F8B3F450624061BF9BC930A3CF9BE1"><enum>(A)</enum><text>by redesignating paragraphs (1) and (2) as paragraphs (2) and (3), respectively; and</text></subparagraph> <subparagraph id="HD5478B6918814F069E25379F0C0F127B"><enum>(B)</enum><text>by inserting before paragraph (2), as so redesignated, the following:</text> <quoted-block id="HBBFE01957E754450A7A1CDF546021A90" style="OLC"> <paragraph id="H2B558A5B0DE14FF79B5085A6DA61FF4C"><enum>(1)</enum><header>Congressional oversight committees</header><text>The term <quote>congressional oversight committees</quote> means—</text> <subparagraph id="H05E52832866B4ECFAEF4779244E90052"><enum>(A)</enum><text>congressional leadership and authorizing and appropriations congressional committees with jurisdiction or shared jurisdiction over a department or agency;</text></subparagraph> <subparagraph id="H9A9989C1C08842058D02474B1EF5A3BF"><enum>(B)</enum><text>the Committee on Homeland Security and Governmental Affairs of the Senate; and</text></subparagraph> <subparagraph id="HC02805A32C1046BB84D1EB11D6061B85"><enum>(C)</enum><text>the Committee on Oversight and Government Reform of the House of Representatives.</text></subparagraph></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph></section> <enum>II</enum><header>Federal acquisition supply chain security</header> <section id="HA73801D24C4F4CB3AED58162A766D3A6" section-type="subsequent-section"><enum>201.</enum><header>Short title</header><text display-inline="no-display-inline">This title may be cited as the <quote><short-title>Federal Acquisition Supply Chain Security Act of 2018</short-title></quote>.</text></section> <section id="H02E91B3373F54E389E60204CB6209C25"><enum>202.</enum><header>Federal acquisition supply chain security</header> <subsection id="H580892CFD57B4438881A49D1A5437EAC"><enum>(a)</enum><header>In general</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/41/13">Chapter 13</external-xref> of title 41, United States Code, is amended by adding at the end the following new subchapter:</text> <quoted-block display-inline="no-display-inline" id="H6B30BE5B714D4314A93D6FFB9DDF6CF1" style="USC"> <subchapter id="H86E8F4A9DC6443B2A645D67A9FAB5B79"><enum>III</enum><header>Federal acquisition supply chain security</header> <section id="HAE0AF1D00A7A4FD1834A9B25121E160E"><enum>1321.</enum><header>Definitions</header><text display-inline="no-display-inline">In this subchapter:</text> <paragraph id="HA69EE4EFD924423B9659B0D947990040"><enum>(1)</enum><header>Appropriate congressional committees and leadership</header><text>The term <term>appropriate congressional committees and leadership</term> means—</text> <subparagraph id="H49B3423CEF8347E689694E15FEC42B85"><enum>(A)</enum><text>the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Armed Services, the Committee on Commerce, Science, and Transportation, the Select Committee on Intelligence, and the majority and minority leader of the Senate; and</text></subparagraph> <subparagraph id="HE21BA10BD06F453ABFC123E48B732C79"><enum>(B)</enum><text>the Committee on Oversight and Government Reform, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, the Committee on Armed Services, the Committee on Energy and Commerce, the Permanent Select Committee on Intelligence, and the Speaker and minority leader of the House of Representatives.</text></subparagraph></paragraph> <paragraph id="H2AF0CA62FF134E2AA9D141B23C813EBA"><enum>(2)</enum><header>Council</header><text>The term <term>Council</term> means the Federal Acquisition Security Council established under section 1322(a) of this title.</text></paragraph> <paragraph id="HB3D8E80682B947E3A1DB635F25BEE6CB"><enum>(3)</enum><header>Covered article</header><text>The term <term>covered article</term> has the meaning given that term in section 4713 of this title.</text></paragraph> <paragraph id="H230FFE290CA24A1C85ABDCB38EFD0E0F"><enum>(4)</enum><header>Covered procurement action</header><text>The term <term>covered procurement action</term> has the meaning given that term in section 4713 of this title.</text></paragraph> <paragraph id="HF05C683EB4484DFDA6CFB4693B55E370"><enum>(5)</enum><header>Information and communications technology</header><text>The term <term>information and communications technology</term> has the meaning given that term in section 4713 of this title.</text></paragraph> <paragraph id="H073A3D3A7F5D4DB2B9129F9D03672170"><enum>(6)</enum><header>Intelligence community</header><text>The term <term>intelligence community</term> has the meaning given that term in section 3(4) of the National Security Act of 1947 (<external-xref legal-doc="usc" parsable-cite="usc/50/3003">50 U.S.C. 3003(4)</external-xref>).</text></paragraph> <paragraph id="HFA1C04E93B244D7AB5BC96C17B1A11B8"><enum>(7)</enum><header>National security system</header><text>The term <term>national security system</term> has the meaning given that term in section 3552 of title 44.</text></paragraph> <paragraph id="H5E1EB93DA9014312B7C5D0057E395894"><enum>(8)</enum><header>Supply chain risk</header><text>The term <term>supply chain risk</term> has the meaning given that term in section 4713 of this title.</text></paragraph></section> <section id="HE302E958D2F34C5A979121BAB21B52C4"><enum>1322.</enum><header>Federal Acquisition Security Council establishment and membership</header> <subsection id="HA2791146A5ED4D04AEE8E9031E677B02"><enum>(a)</enum><header>Establishment</header><text>There is established in the executive branch a Federal Acquisition Security Council.</text></subsection> <subsection id="HB929759DDF114E788D7D1403904FE049"><enum>(b)</enum><header>Membership</header> <paragraph id="H42A448AE7DD34A5A92E0F50E6FAFE32A"><enum>(1)</enum><header>In general</header><text>The following agencies shall be represented on the Council:</text> <subparagraph id="H6E58EC452F724A51B482FDF12D736EAA"><enum>(A)</enum><text>The Office of Management and Budget.</text></subparagraph> <subparagraph id="H903BE71B74D54355BA90BA887CFF8AB6"><enum>(B)</enum><text>The General Services Administration.</text></subparagraph> <subparagraph id="H2BCE5BCCE0CE46C18B8E4B18C30EEE20"><enum>(C)</enum><text>The Department of Homeland Security, including the Cybersecurity and Infrastructure Security Agency.</text></subparagraph> <subparagraph id="H369A6F840C014C2D9D43A4E7E6EF89DC"><enum>(D)</enum><text>The Office of the Director of National Intelligence, including the National Counterintelligence and Security Center.</text></subparagraph> <subparagraph id="HB5E713043DCB4B9BB7B63EC1454C6D42"><enum>(E)</enum><text>The Department of Justice, including the Federal Bureau of Investigation.</text></subparagraph> <subparagraph id="H122032B4B32340F3A75501D077CED44C"><enum>(F)</enum><text>The Department of Defense, including the National Security Agency.</text></subparagraph> <subparagraph id="H817062BF074745D492A55AA2C53B7DC3"><enum>(G)</enum><text>The Department of Commerce, including the National Institute of Standards and Technology.</text></subparagraph> <subparagraph id="H1E62D66089E14CB2AB1E555C8EE8296C"><enum>(H)</enum><text>Such other executive agencies as determined by the Chairperson of the Council.</text></subparagraph></paragraph> <paragraph id="H00DD0613158448CD80E9D4579C5B0230"><enum>(2)</enum><header>Lead representatives</header> <subparagraph id="H06BAC5F1CCA149818BA73859030A7CF1"><enum>(A)</enum><header>Designation</header> <clause id="HDBF3565E1CB5425EA4E4DCB4E6376921"><enum>(i)</enum><header>In general</header><text>Not later than 45 days after the date of the enactment of the <short-title>Federal Acquisition Supply Chain Security Act of 2018</short-title>, the head of each agency represented on the Council shall designate a representative of that agency as the lead representative of the agency on the Council.</text></clause> <clause id="H829B9B0768954BD6822DC91CBE391369"><enum>(ii)</enum><header>Requirements</header><text>The representative of an agency designated under clause (i) shall have expertise in supply chain risk management, acquisitions, or information and communications technology.</text></clause></subparagraph> <subparagraph id="H363E79AFFDEA4263A5748E828134CD3E"><enum>(B)</enum><header>Functions</header><text>The lead representative of an agency designated under subparagraph (A) shall ensure that appropriate personnel, including leadership and subject matter experts of the agency, are aware of the business of the Council.</text></subparagraph></paragraph></subsection> <subsection id="HECC22F3CFE554CCD9877C7CEE9E26CB7"><enum>(c)</enum><header>Chairperson</header> <paragraph id="HDB666E27CC3744E29D76D1ED77AF1593"><enum>(1)</enum><header>Designation</header><text>Not later than 45 days after the date of the enactment of the <short-title>Federal Acquisition Supply Chain Security Act of 2018</short-title>, the Director of the Office of Management and Budget shall designate a senior-level official from the Office of Management and Budget to serve as the Chairperson of the Council.</text></paragraph> <paragraph id="H48BC3461D03C4F2D921F2B1AEBC226CB"><enum>(2)</enum><header>Functions</header><text>The Chairperson shall perform functions that include—</text> <subparagraph id="HF3C05C8F0A1E4F47861AD6B18C535B77"><enum>(A)</enum><text>subject to subsection (d), developing a schedule for meetings of the Council;</text></subparagraph> <subparagraph id="HC0EA5F4EB76E48B6B494154B14DF0F9C"><enum>(B)</enum><text>designating executive agencies to be represented on the Council under subsection (b)(1)(H);</text></subparagraph> <subparagraph id="HBC5349B5309C4782AACCDBF7DFE7C3E1"><enum>(C)</enum><text>in consultation with the lead representative of each agency represented on the Council, developing a charter for the Council; and</text></subparagraph> <subparagraph id="H12C808E24D174B85A2839E274A43C603"><enum>(D)</enum><text>not later than 7 days after completion of the charter, submitting the charter to the appropriate congressional committees and leadership.</text></subparagraph></paragraph></subsection> <subsection id="H297F01203CA04965959B34115332692F"><enum>(d)</enum><header>Meetings</header><text>The Council shall meet not later than 60 days after the date of the enactment of the <short-title>Federal Acquisition Supply Chain Security Act of 2018</short-title> and not less frequently than quarterly thereafter.</text></subsection></section> <section id="H3AB47AE253154DB4A8A4FEE35F1DAAB9"><enum>1323.</enum><header>Functions and authorities</header> <subsection id="H84F4ED2763594FD1BF1167798D518E7D"><enum>(a)</enum><header>In general</header><text>The Council shall perform functions that include the following:</text> <paragraph id="H8C9B80B4182C4341985F389ADC767F74"><enum>(1)</enum><text>Identifying and recommending development by the National Institute of Standards and Technology of supply chain risk management standards, guidelines, and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks, particularly in the acquisition and use of covered articles under section 1326(a) of this title.</text></paragraph> <paragraph id="H9E10992AEB49436BB4A4A908FA42729E"><enum>(2)</enum><text>Identifying or developing criteria for sharing information with executive agencies, other Federal entities, and non-Federal entities with respect to supply chain risk, including information related to the exercise of authorities provided under this section and sections 1326 and 4713 of this title. At a minimum, such criteria shall address—</text> <subparagraph id="HF4DA6AE09E1442C2987CC0F115D31D3A"><enum>(A)</enum><text>the content to be shared;</text></subparagraph> <subparagraph id="HF83F6F4F6C0A4EDCB37D5EE42FB61939"><enum>(B)</enum><text>the circumstances under which sharing is mandated or voluntary; and</text></subparagraph> <subparagraph id="H37CA49CC08B347F2AD2F9AEC515E44A6"><enum>(C)</enum><text>the circumstances under which it is appropriate for an executive agency to rely on information made available through such sharing in exercising the responsibilities and authorities provided under this section and section 4713 of this title.</text></subparagraph></paragraph> <paragraph id="H6FF29834D03B452FA1693BC56BDB052C"><enum>(3)</enum><text>Identifying an appropriate executive agency to—</text> <subparagraph id="H7ACE1793D02446FF8AC3D4C92FD4AE7D"><enum>(A)</enum><text>accept information submitted by executive agencies based on the criteria established under paragraph (2);</text></subparagraph> <subparagraph id="H62F5EDE19C6E430BABCC5A71DAEF5CE9"><enum>(B)</enum><text>facilitate the sharing of information received under subparagraph (A) to support supply chain risk analyses under section 1326 of this title, recommendations under this section, and covered procurement actions under section 4713 of this title;</text></subparagraph> <subparagraph id="H129EDFCF0C364A02BC163E92F4BC62BD"><enum>(C)</enum><text>share with the Council information regarding covered procurement actions by executive agencies taken under section 4713 of this title; and</text></subparagraph> <subparagraph id="HC96A95A12B7742059242B54901400859"><enum>(D)</enum><text>inform the Council of orders issued under this section.</text></subparagraph></paragraph> <paragraph id="HADD6D006D72A4C04B6838E7B100A68BB"><enum>(4)</enum><text>Identifying, as appropriate, executive agencies to provide—</text> <subparagraph id="H595F28BB5D63419CA1CFC08259B7681A"><enum>(A)</enum><text>shared services, such as support for making risk assessments, validation of products that may be suitable for acquisition, and mitigation activities; and</text></subparagraph> <subparagraph id="HE6DE03B51E494B09A550D446173B2659"><enum>(B)</enum><text>common contract solutions to support supply chain risk management activities, such as subscription services or machine-learning-enhanced analysis applications to support informed decision making.</text></subparagraph></paragraph> <paragraph id="H809366FCA2954550A0B798224683BE94"><enum>(5)</enum><text>Identifying and issuing guidance on additional steps that may be necessary to address supply chain risks arising in the course of executive agencies providing shared services, common contract solutions, acquisitions vehicles, or assisted acquisitions.</text></paragraph> <paragraph id="H87C6732830C24C09A967A14035731E23"><enum>(6)</enum><text>Engaging with the private sector and other nongovernmental stakeholders in performing the functions described in paragraphs (1) and (2) and on issues relating to the management of supply chain risks posed by the acquisition of covered articles.</text></paragraph> <paragraph id="H5187F28C5EF64D1CBEAC95ADA9018D2F"><enum>(7)</enum><text>Carrying out such other actions, as determined by the Council, that are necessary to reduce the supply chain risks posed by acquisitions and use of covered articles.</text></paragraph></subsection> <subsection id="H4C3E46851EF34C0BA86D4FF1A430B0B4"><enum>(b)</enum><header>Program office and committees</header><text>The Council may establish a program office and any committees, working groups, or other constituent bodies the Council deems appropriate, in its sole and unreviewable discretion, to carry out its functions.</text></subsection> <subsection id="H86B677C8DCBF4642B10DF0528F02F2B9"><enum>(c)</enum><header>Authority for exclusion or removal orders</header> <paragraph id="H199B49828CAD463F9FE45E6D414A6203"><enum>(1)</enum><header>Criteria</header><text>To reduce supply chain risk, the Council shall establish criteria and procedures for—</text> <subparagraph id="H67A2E3883750489BBB2696351F554CC4"><enum>(A)</enum><text>recommending orders applicable to executive agencies requiring the exclusion of sources or covered articles from executive agency procurement actions (in this section referred to as <quote>exclusion orders</quote>);</text></subparagraph> <subparagraph id="HAC22B956A7C946C4AD7305A66154BA99"><enum>(B)</enum><text>recommending orders applicable to executive agencies requiring the removal of covered articles from executive agency information systems (in this section referred to as <quote>removal orders</quote>);</text></subparagraph> <subparagraph id="HD91D34C31A6943D7B7CE7A70C3271B3B"><enum>(C)</enum><text>requesting and approving exceptions to an issued exclusion or removal order when warranted by circumstances, including alternative mitigation actions or other findings relating to the national interest, including national security reviews, national security investigations, or national security agreements; and</text></subparagraph> <subparagraph id="H7AC1B83CEE8847D9920EB96BA1128BB2"><enum>(D)</enum><text>ensuring that recommended orders do not conflict with standards and guidelines issued under section 11331 of title 40 and that the Council consults with the Director of the National Institute of Standards and Technology regarding any recommended orders that would implement standards and guidelines developed by the National Institute of Standards and Technology.</text></subparagraph></paragraph> <paragraph id="HDCFD73EF61C74E039BCC0379304B1B31"><enum>(2)</enum><header>Recommendations</header><text>The Council shall use the criteria established under paragraph (1), information made available under subsection (a)(3), and any other information the Council determines appropriate to issue recommendations, for application to executive agencies or any subset thereof, regarding the exclusion of sources or covered articles from any executive agency procurement action, including source selection and consent for a contractor to subcontract, or the removal of covered articles from executive agency information systems. Such recommendations shall include—</text> <subparagraph id="H90E43652189047A79C87785CE361A39B"><enum>(A)</enum><text>information necessary to positively identify the sources or covered articles recommended for exclusion or removal;</text></subparagraph> <subparagraph id="H4D475E01A2EF4821B25539CF8651D20D"><enum>(B)</enum><text>information regarding the scope and applicability of the recommended exclusion or removal order;</text></subparagraph> <subparagraph id="H3ED9EF27C4634A10BCEAD10AE1F7F8E7"><enum>(C)</enum><text>a summary of any risk assessment reviewed or conducted in support of the recommended exclusion or removal order;</text></subparagraph> <subparagraph id="H3DCB9F6661374872B1BAE5CFD3754C7A"><enum>(D)</enum><text>a summary of the basis for the recommendation, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk;</text></subparagraph> <subparagraph id="H706C641FBE4E4B95B94714DB498A2E1F"><enum>(E)</enum><text>a description of the actions necessary to implement the recommended exclusion or removal order; and</text></subparagraph> <subparagraph id="H43AE7CE97F9E45A0AC2A735AF7182BCE"><enum>(F)</enum><text>where practicable, in the Council’s sole and unreviewable discretion, a description of mitigation steps that could be taken by the source that may result in the Council rescinding a recommendation.</text></subparagraph></paragraph> <paragraph id="H6A53BF530B3C4038808FCDA4B7F7C463"><enum>(3)</enum><header>Notice of recommendation and review</header><text>A notice of the Council’s recommendation under paragraph (2) shall be issued to any source named in the recommendation advising—</text> <subparagraph id="H3BDEC419A410495D8D89CB9647F1EB23"><enum>(A)</enum><text>that a recommendation has been made;</text></subparagraph> <subparagraph id="HF7239C2BA9964C119FB3051977BF6BBB"><enum>(B)</enum><text>of the criteria the Council relied upon under paragraph (1) and, to the extent consistent with national security and law enforcement interests, of information that forms the basis for the recommendation;</text></subparagraph> <subparagraph id="H0F3EB91B39FD4C5DB98E52CB6B710C32"><enum>(C)</enum><text>that, within 30 days after receipt of notice, the source may submit information and argument in opposition to the recommendation;</text></subparagraph> <subparagraph id="HA41CE5F665A8484499692E88985DB50B"><enum>(D)</enum><text>of the procedures governing the review and possible issuance of an exclusion or removal order pursuant to paragraph (5); and</text></subparagraph> <subparagraph id="H9E14AEBEB1EA438489F78EA4FEEB39D2"><enum>(E)</enum><text>where practicable, in the Council’s sole and unreviewable discretion, a description of mitigation steps that could be taken by the source that may result in the Council rescinding the recommendation.</text></subparagraph></paragraph> <paragraph id="H115E42C19E544085B06499F1CD6F74F8"><enum>(4)</enum><header>Confidentiality</header><text>Any notice issued to a source under paragraph (3) shall be kept confidential until—</text> <subparagraph id="H4919795DD2B745E6AE587738A7605F1C"><enum>(A)</enum><text>an exclusion or removal order is issued pursuant to paragraph (5); and</text></subparagraph> <subparagraph id="H67A5033C07674E529C3018BF54B87383"><enum>(B)</enum><text>the source has been notified pursuant to paragraph (6).</text></subparagraph></paragraph> <paragraph id="H9D0C34BEE5184DACB815EDF8C18FD418"><enum>(5)</enum><header>Exclusion and removal orders</header> <subparagraph id="HB9674685D14846A9A7B90DF369FF6F87"><enum>(A)</enum><header>Order issuance</header><text>Recommendations of the Council under paragraph (2), together with any information submitted by a source under paragraph (3) related to such a recommendation, shall be reviewed by the following officials, who may issue exclusion and removal orders based upon such recommendations:</text> <clause id="HCBF5C2C3CDD1429DB50D87F396915992"><enum>(i)</enum><text>The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by clause (ii) or (iii).</text></clause> <clause id="HDD9054DF5BD3411FB5205A388EC51E74"><enum>(ii)</enum><text>The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems.</text></clause> <clause id="H16D4E588AB884B789AD820485ED8F0B9"><enum>(iii)</enum><text>The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by clause (ii).</text></clause></subparagraph> <subparagraph id="H7FF2E1A5CEBD4D11829A418CE8F460C7"><enum>(B)</enum><header>Delegation</header><text>The officials identified in subparagraph (A) may not delegate any authority under this subparagraph to an official below the level one level below the Deputy Secretary or Principal Deputy Director, except that the Secretary of Defense may delegate authority for removal orders to the Commander of the United States Cyber Command, who may not redelegate such authority to an official below the level one level below the Deputy Commander.</text></subparagraph> <subparagraph id="H2963E0AF2FCA48D48950672EA2BD11F1"><enum>(C)</enum><header>Facilitation of exclusion orders</header><text>If officials identified under this paragraph from the Department of Homeland Security, the Department of Defense, and the Office of the Director of National Intelligence issue orders collectively resulting in a governmentwide exclusion, the Administrator for General Services and officials at other executive agencies responsible for management of the Federal Supply Schedules, governmentwide acquisition contracts and multi-agency contracts shall help facilitate implementation of such orders by removing the covered articles or sources identified in the orders from such contracts.</text></subparagraph> <subparagraph id="HC4A11E9215504DF0AAEF8095AAC51AA3"><enum>(D)</enum><header>Review of exclusion and removal orders</header><text>The officials identified under this paragraph shall review all exclusion and removal orders issued under subparagraph (A) not less frequently than annually pursuant to procedures established by the Council.</text></subparagraph> <subparagraph id="HCA9F5D93BDD94BB6A2A7D354A3CE80F3"><enum>(E)</enum><header>Rescission</header><text>Orders issued pursuant to subparagraph (A) may be rescinded by an authorized official from the relevant issuing agency.</text></subparagraph></paragraph> <paragraph id="H57BC4260C8954C0D816D350B7F948915"><enum>(6)</enum><header>Notifications</header><text>Upon issuance of an exclusion or removal order pursuant to paragraph (5)(A), the official identified under that paragraph who issued the order shall—</text> <subparagraph id="H75F5437E1FF745A98CBF640BE4045392"><enum>(A)</enum><text>notify any source named in the order of—</text> <clause id="HA5CA931BC6C64F448BB9A63A47DD83C4"><enum>(i)</enum><text>the exclusion or removal order; and</text></clause> <clause id="H8B807C9426554E77A9BFEA7B149CD857"><enum>(ii)</enum><text>to the extent consistent with national security and law enforcement interests, information that forms the basis for the order;</text></clause></subparagraph> <subparagraph id="HC48C351374D340FA8DFDBC6B1B962300"><enum>(B)</enum><text>provide classified or unclassified notice of the exclusion or removal order to the appropriate congressional committees and leadership; and</text></subparagraph> <subparagraph id="H1C5E703D5A9F4EC38FB31BFBD330A4F3"><enum>(C)</enum><text>provide the exclusion or removal order to the agency identified in subsection (a)(3).</text></subparagraph></paragraph> <paragraph id="H0AD00373D9F6468989E254F76FA386A0"><enum>(7)</enum><header>Compliance</header><text>Executive agencies shall comply with exclusion and removal orders issued pursuant to paragraph (5).</text></paragraph></subsection> <subsection id="H769D1373362748179E46ABCAB1791FF7"><enum>(d)</enum><header>Authority To request information</header><text>The Council may request such information from executive agencies as is necessary for the Council to carry out its functions.</text></subsection> <subsection id="H52A110D3F90F41849FFE6D5B48E84CF2"><enum>(e)</enum><header>Relationship to other councils</header><text>The Council shall consult and coordinate, as appropriate, with other relevant councils and interagency committees, including the Chief Information Officers Council, the Chief Acquisition Officers Council, the Federal Acquisition Regulatory Council, and the Committee on Foreign Investment in the United States, with respect to supply chain risks posed by the acquisition and use of covered articles.</text></subsection> <subsection id="H2D30B0CF1AB940E7BC744FD685D18020"><enum>(f)</enum><header>Rules of construction</header><text>Nothing in this section shall be construed—</text> <paragraph id="H99AD9935964A41DE875E81F5EA984BB0"><enum>(1)</enum><text>to limit the authority of the Office of Federal Procurement Policy to carry out the responsibilities of that Office under any other provision of law; or</text></paragraph> <paragraph id="HE23EBAB0AA974432A4DE8F473E2E56BC"><enum>(2)</enum><text>to authorize the issuance of an exclusion or removal order based solely on the fact of foreign ownership of a potential procurement source that is otherwise qualified to enter into procurement contracts with the Federal Government.</text></paragraph></subsection></section> <section id="H44CE2707CF9A4067AB41CCBC5EF43BBB"><enum>1324.</enum><header>Strategic plan</header> <subsection id="HFEDD1AC53690496EA9E47F78D4261BC8"><enum>(a)</enum><header>In general</header><text>Not later than 180 days after the date of the enactment of the <short-title>Federal Acquisition Supply Chain Security Act of 2018</short-title>, the Council shall develop a strategic plan for addressing supply chain risks posed by the acquisition of covered articles and for managing such risks that includes—</text> <paragraph id="HCAB57CE87D3542EE9EA149D509BD412F"><enum>(1)</enum><text>the criteria and processes required under section 1323(a) of this title, including a threshold and requirements for sharing relevant information about such risks with all executive agencies and, as appropriate, with other Federal entities and non-Federal entities;</text></paragraph> <paragraph id="H2B987848561D48F58C934E0AC451EB91"><enum>(2)</enum><text>an identification of existing authorities for addressing such risks;</text></paragraph> <paragraph id="H2EAD771DA47F477D8EF28285C61BDA08"><enum>(3)</enum><text>an identification and promulgation of best practices and procedures and available resources for executive agencies to assess and mitigate such risks;</text></paragraph> <paragraph id="H513EA30C001442D7A2DAB4EFC92802F1"><enum>(4)</enum><text>recommendations for any legislative, regulatory, or other policy changes to improve efforts to address such risks;</text></paragraph> <paragraph id="HF927997CA7CD4FBBA8802CC35B35A5F6"><enum>(5)</enum><text>recommendations for any legislative, regulatory, or other policy changes to incentivize the adoption of best practices for supply chain risk management by the private sector;</text></paragraph> <paragraph id="HE7B8EABB330544E79925FB48E9029FF9"><enum>(6)</enum><text>an evaluation of the effect of implementing new policies or procedures on existing contracts and the procurement process;</text></paragraph> <paragraph id="HD011E2C4C3704D2A80176BFC12EA3108"><enum>(7)</enum><text>a plan for engaging with executive agencies, the private sector, and other nongovernmental stakeholders to address such risks;</text></paragraph> <paragraph id="H263B84E0687B4C05AFA1CE305156416B"><enum>(8)</enum><text>a plan for identification, assessment, mitigation, and vetting of supply chain risks from existing and prospective information and communications technology made available by executive agencies to other executive agencies through common contract solutions, shared services, acquisition vehicles, or other assisted acquisition services; and</text></paragraph> <paragraph id="H15913708313249C58D1E2B335DF42594"><enum>(9)</enum><text>plans to strengthen the capacity of all executive agencies to conduct assessments of—</text> <subparagraph id="H0A3CD96BDBB34771A4E42AF91B64174F"><enum>(A)</enum><text>the supply chain risk posed by the acquisition of covered articles; and</text></subparagraph> <subparagraph id="HC0E1F119E28B4DE8A9D6B9FBF9836709"><enum>(B)</enum><text>compliance with the requirements of this subchapter.</text></subparagraph></paragraph></subsection> <subsection id="HA6FE129E101342C5A1BD4931BA8ABFA1"><enum>(b)</enum><header>Submission to congress</header><text>Not later than 7 calendar days after completion of the strategic plan required by subsection (a), the Chairperson of the Council shall submit the plan to the appropriate congressional committees and leadership.</text></subsection></section> <section id="HAF873BE01F774CC590A3C808BA83A631"><enum>1325.</enum><header>Annual report</header><text display-inline="no-display-inline">Not later than December 31 of each year, the Chairperson of the Council shall submit to the appropriate congressional committees and leadership a report on the activities of the Council during the preceding 12-month period.</text></section> <section id="H829CFBDA99334089A6BEA295B6B9FD35"><enum>1326.</enum><header>Requirements for executive agencies</header> <subsection id="H7DFAAB5859AE4C90B1E51455104658DD"><enum>(a)</enum><header>In general</header><text>The head of each executive agency shall be responsible for—</text> <paragraph id="H72C740297EE34492A39D62F5EE7F9070"><enum>(1)</enum><text>assessing the supply chain risk posed by the acquisition and use of covered articles and avoiding, mitigating, accepting, or transferring that risk, as appropriate and consistent with the standards, guidelines, and practices identified by the Council under section 1323(a)(1); and</text></paragraph> <paragraph id="H66E56D339E9949A1999B6D381A05155F"><enum>(2)</enum><text>prioritizing supply chain risk assessments conducted under paragraph (1) based on the criticality of the mission, system, component, service, or asset.</text></paragraph></subsection> <subsection id="H923191FC5DCC4E208D1BC9984001D67F"><enum>(b)</enum><header>Inclusions</header><text>The responsibility for assessing supply chain risk described in subsection (a) includes—</text> <paragraph id="H8569B746040E4615997392EEF3F67144"><enum>(1)</enum><text>developing an overall supply chain risk management strategy and implementation plan and policies and processes to guide and govern supply chain risk management activities;</text></paragraph> <paragraph id="H29A6C1496CDE484C8D5812FDEB084B30"><enum>(2)</enum><text>integrating supply chain risk management practices throughout the life cycle of the system, component, service, or asset;</text></paragraph> <paragraph id="HC923D99984A94284B3BAB2F390B07FC0"><enum>(3)</enum><text>limiting, avoiding, mitigating, accepting, or transferring any identified risk;</text></paragraph> <paragraph id="HCF7A340E32714E46A89D2DCBF91B28F8"><enum>(4)</enum><text>sharing relevant information with other executive agencies as determined appropriate by the Council in a manner consistent with section 1323(a) of this title;</text></paragraph> <paragraph id="H022DA731483B4E51B84F2423C79772DE"><enum>(5)</enum><text>reporting on progress and effectiveness of the agency’s supply chain risk management consistent with guidance issued by the Office of Management and Budget and the Council; and</text></paragraph> <paragraph id="H2BA4B9146C32405D9E296FA97C7FB64C"><enum>(6)</enum><text>ensuring that all relevant information, including classified information, with respect to acquisitions of covered articles that may pose a supply chain risk, consistent with section 1323(a) of this title, is incorporated into existing processes of the agency for conducting assessments described in subsection (a) and ongoing management of acquisition programs, including any identification, investigation, mitigation, or remediation needs.</text></paragraph></subsection> <subsection id="H8EABF39766FA471286FD803E67D90A0E"><enum>(c)</enum><header>Interagency acquisitions</header> <paragraph id="HC0B2D755987B4CA5A808A175A23E22B9"><enum>(1)</enum><header>In general</header><text>Except as provided in paragraph (2), in the case of an interagency acquisition, subsection (a) shall be carried out by the head of the executive agency whose funds are being used to procure the covered article.</text></paragraph> <paragraph id="HF6EBE3CE96B84758B796E8726DFE7A64"><enum>(2)</enum><header>Assisted acquisitions</header><text>In an assisted acquisition, the parties to the acquisition shall determine, as part of the interagency agreement governing the acquisition, which agency is responsible for carrying out subsection (a).</text></paragraph> <paragraph id="H4F32AAE9328F4F3E8302ED3B746414D4"><enum>(3)</enum><header>Definitions</header><text>In this subsection, the terms <term>assisted acquisition</term> and <term>interagency acquisition</term> have the meanings given those terms in section 2.101 of title 48, Code of Federal Regulations (or any corresponding similar regulation or ruling).</text></paragraph></subsection> <subsection id="HEA5C5641B2D44F24B8D7EAF8C80A62CF"><enum>(d)</enum><header>Assistance</header><text>The Secretary of Homeland Security may—</text> <paragraph id="HDF164499F5B44481BF7331490AEA8472"><enum>(1)</enum><text>assist executive agencies in conducting risk assessments described in subsection (a) and implementing mitigation requirements for information and communications technology; and</text></paragraph> <paragraph id="HB4A0D44DFE9643FD814DD1C50BA3CB7A"><enum>(2)</enum><text>provide such additional guidance or tools as are necessary to support actions taken by executive agencies.</text></paragraph></subsection></section> <section id="H61BFCD3CDF5D4D16BC11CECC76F16019"><enum>1327.</enum><header>Judicial review procedures</header> <subsection id="HEF19A61CB3534CAFA4473B723C4A8A0E"><enum>(a)</enum><header>In general</header><text>Except as provided in subsection (b) and chapter 71 of this title, and notwithstanding any other provision of law, an action taken under section 1323 or 4713 of this title, or any action taken by an executive agency to implement such an action, shall not be subject to administrative review or judicial review, including bid protests before the Government Accountability Office or in any Federal court.</text></subsection> <subsection id="H56994872D0DA454D857678BA91D8C262"><enum>(b)</enum><header>Petitions</header> <paragraph id="HEFC4382CBE44412D8F5315995721C39C"><enum>(1)</enum><header>In general</header><text>Not later than 60 days after a party is notified of an exclusion or removal order under section 1323(c)(6) of this title or a covered procurement action under section 4713 of this title, the party may file a petition for judicial review in the United States Court of Appeals for the District of Columbia Circuit claiming that the issuance of the exclusion or removal order or covered procurement action is unlawful.</text></paragraph> <paragraph id="H60A6013FA8EE4464BAB9E89EAB22EDBD"><enum>(2)</enum><header>Standard of review</header><text>The Court shall hold unlawful a covered action taken under sections 1323 or 4713 of this title, in response to a petition that the court finds to be—</text> <subparagraph id="H46C71B9F8C7E4866A44CB6354262B24C"><enum>(A)</enum><text>arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law;</text></subparagraph> <subparagraph id="HE7EB22F160B944699F99ACA1F95889AA"><enum>(B)</enum><text>contrary to constitutional right, power, privilege, or immunity;</text></subparagraph> <subparagraph id="HD944DB7CB5C14FF782A529324A2602DA"><enum>(C)</enum><text>in excess of statutory jurisdiction, authority, or limitation, or short of statutory right;</text></subparagraph> <subparagraph id="H4DD760D672554D4E8AD4F04E57E8B611"><enum>(D)</enum><text>lacking substantial support in the administrative record taken as a whole or in classified information submitted to the court under paragraph (3); or</text></subparagraph> <subparagraph id="H9B26F0C3C5AB4FAEB83C40ACA3BB34BA"><enum>(E)</enum><text>not in accord with procedures required by law.</text></subparagraph></paragraph> <paragraph id="H8C7D9CA1AE2E49E9A08A866EAA625BF8"><enum>(3)</enum><header>Exclusive jurisdiction</header><text>The United States Court of Appeals for the District of Columbia Circuit shall have exclusive jurisdiction over claims arising under sections 1323(c)(5) or 4713 of this title against the United States, any United States department or agency, or any component or official of any such department or agency, subject to review by the Supreme Court of the United States under section 1254 of title 28.</text></paragraph> <paragraph id="H35A9CD72266249F8B209BE317E4EABB6"><enum>(4)</enum><header>Administrative record and procedures</header> <subparagraph id="H614459DAAFDD4646B3BCB5F4CB7E8E4B"><enum>(A)</enum><header>In general</header><text>The procedures described in this paragraph shall apply to the review of a petition under this section.</text></subparagraph> <subparagraph id="H05EF0C0756744D8D819D12AE5E664C3A"><enum>(B)</enum><header>Administrative record</header> <clause id="H1ED086D085624A54ABFEAAE9FD0F1B42"><enum>(i)</enum><header>Filing of record</header><text>The United States shall file with the court an administrative record, which shall consist of the information that the appropriate official relied upon in issuing an exclusion or removal order under section 1323(c)(5) or a covered procurement action under section 4713 of this title.</text></clause> <clause id="HD5281FB0CD5C492E8ECC9E27391C6037"><enum>(ii)</enum><header>Unclassified, nonprivileged information</header><text>All unclassified information contained in the administrative record that is not otherwise privileged or subject to statutory protections shall be provided to the petitioner with appropriate protections for any privileged or confidential trade secrets and commercial or financial information.</text></clause> <clause id="H4641BCAA5557483290EA1AEB93F6D207"><enum>(iii)</enum><header>In camera and ex parte</header><text>The following information may be included in the administrative record and shall be submitted only to the court ex parte and in camera:</text> <subclause id="H69D450C54AEB4BCC91651E1580F239BB"><enum>(I)</enum><text>Classified information.</text></subclause> <subclause id="H8FE9F96B30E54927A22CB59B4CF7CCA2"><enum>(II)</enum><text>Sensitive security information, as defined by section 1520.5 of title 49, Code of Federal Regulations.</text></subclause> <subclause id="H357010D01AAE4FD6B17266D4C3C8FB40"><enum>(III)</enum><text>Privileged law enforcement information.</text></subclause> <subclause id="H935556C2F96A46A6BF0DA8DFFACBE8C8"><enum>(IV)</enum><text>Information obtained or derived from any activity authorized under the Foreign Intelligence Surveillance Act of 1978 (<external-xref legal-doc="usc" parsable-cite="usc/50/1801">50 U.S.C. 1801</external-xref> et seq.), except that, with respect to such information, subsections (c), (e), (f), (g), and (h) of section 106 (<external-xref legal-doc="usc" parsable-cite="usc/50/1806">50 U.S.C. 1806</external-xref>), subsections (d), (f), (g), (h), and (i) of section 305 (<external-xref legal-doc="usc" parsable-cite="usc/50/1825">50 U.S.C. 1825</external-xref>), subsections (c), (e), (f), (g), and (h) of section 405 (<external-xref legal-doc="usc" parsable-cite="usc/50/1845">50 U.S.C. 1845</external-xref>), and section 706 (<external-xref legal-doc="usc" parsable-cite="usc/50/1881e">50 U.S.C. 1881e</external-xref>) of that Act shall not apply.</text></subclause> <subclause commented="no" display-inline="no-display-inline" id="H103882BF287F4CC7A95C44283443D2F1"><enum>(V)</enum><text display-inline="yes-display-inline">Information subject to privilege or protections under any other provision of law.</text></subclause></clause> <clause id="H12DEC9097E3B475B9B65EC2D55D485D1"><enum>(iv)</enum><header>Under seal</header><text>Any information that is part of the administrative record filed ex parte and in camera under clause (iii), or cited by the court in any decision, shall be treated by the court consistent with the provisions of this subparagraph and shall remain under seal and preserved in the records of the court to be made available consistent with the above provisions in the event of further proceedings. In no event shall such information be released to the petitioner or as part of the public record.</text></clause> <clause id="H5EBF46571B8A466EA0F6CE12FFBBA899"><enum>(v)</enum><header>Return</header><text>After the expiration of the time to seek further review, or the conclusion of further proceedings, the court shall return the administrative record, including any and all copies, to the United States.</text></clause></subparagraph> <subparagraph id="H6D4C9BBE27A049B7914BB9BB1668D348"><enum>(C)</enum><header>Exclusive remedy</header><text>A determination by the court under this subsection shall be the exclusive judicial remedy for any claim described in this section against the United States, any United States department or agency, or any component or official of any such department or agency.</text></subparagraph> <subparagraph id="H521354087C2F445F97541409858C3A44"><enum>(D)</enum><header>Rule of construction</header><text>Nothing in this section shall be construed as limiting, superseding, or preventing the invocation of, any privileges or defenses that are otherwise available at law or in equity to protect against the disclosure of information.</text></subparagraph></paragraph></subsection> <subsection id="H864B3311DD2746AB9D1A5DD4D280D415"><enum>(c)</enum><header>Definition</header><text>In this section, the term <term>classified information</term>—</text> <paragraph id="HB80435534CBC41B4B116674F19BC911B"><enum>(1)</enum><text>has the meaning given that term in section 1(a) of the Classified Information Procedures Act (18 U.S.C. App.); and</text></paragraph> <paragraph id="H6D28FDACCB77414882649C2CA5ED4698"><enum>(2)</enum><text>includes—</text> <subparagraph id="HA57C17E1070A46128ED33FB17E7288EF"><enum>(A)</enum><text>any information or material that has been determined by the United States Government pursuant to an Executive order, statute, or regulation to require protection against unauthorized disclosure for reasons of national security; and</text></subparagraph> <subparagraph id="H37331B292BF942F38AC14CBF5DAC1F9E"><enum>(B)</enum><text>any restricted data, as defined in section 11 of the Atomic Energy Act of 1954 (<external-xref legal-doc="usc" parsable-cite="usc/42/2014">42 U.S.C. 2014</external-xref>).</text></subparagraph></paragraph></subsection></section> <section id="H89991A4CDBC2440B8EA761B97D32C391"><enum>1328.</enum><header>Termination</header><text display-inline="no-display-inline">This subchapter shall terminate on the date that is 5 years after the date of the enactment of the <short-title>Federal Acquisition Supply Chain Security Act of 2018</short-title>.</text></section></subchapter><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="HC56CCEDC3748476A9F1E0D86C28B9BD2"><enum>(b)</enum><header>Clerical amendment</header><text>The table of sections at the beginning of chapter 13 of such title is amended by adding at the end the following new items:</text> <quoted-block id="H34B4184B7CB040809304965C6CE2B641" style="USC"> <toc> <toc-entry idref="H86E8F4A9DC6443B2A645D67A9FAB5B79" level="subchapter">SUBCHAPTER III—Federal acquisition supply chain security</toc-entry> <toc-entry level="section">Sec. </toc-entry> <toc-entry idref="HAE0AF1D00A7A4FD1834A9B25121E160E" level="section">1321. Definitions.</toc-entry> <toc-entry idref="HE302E958D2F34C5A979121BAB21B52C4" level="section">1322. Federal Acquisition Security Council establishment and membership.</toc-entry> <toc-entry idref="H3AB47AE253154DB4A8A4FEE35F1DAAB9" level="section">1323. Functions and authorities.</toc-entry> <toc-entry idref="H44CE2707CF9A4067AB41CCBC5EF43BBB" level="section">1324. Strategic plan.</toc-entry> <toc-entry idref="HAF873BE01F774CC590A3C808BA83A631" level="section">1325. Annual report.</toc-entry> <toc-entry idref="H829CFBDA99334089A6BEA295B6B9FD35" level="section">1326. Requirements for executive agencies.</toc-entry> <toc-entry idref="H61BFCD3CDF5D4D16BC11CECC76F16019" level="section">1327. Judicial review procedures.</toc-entry> <toc-entry idref="H89991A4CDBC2440B8EA761B97D32C391" level="section">1328. Termination.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="HBE4B80704ECF4B27A969C678BCC91D89"><enum>(c)</enum><header>Effective date</header><text>The amendments made by this section shall take effect on the date that is 90 days after the date of the enactment of this Act and shall apply to contracts that are awarded before, on, or after that date.</text></subsection> <subsection id="HB7908297E18E4620BC8D6AC46753CA11"><enum>(d)</enum><header>Implementation</header> <paragraph id="H74427C4695B6464783003ED1DA23D660"><enum>(1)</enum><header>Interim final rule</header><text>Not later than one year after the date of the enactment of this Act, the Federal Acquisition Security Council shall prescribe an interim final rule to implement subchapter III of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/41/13">chapter 13</external-xref> of title 41, United States Code, as added by subsection (a).</text></paragraph> <paragraph id="HAAAC8B422753475AA7FB7C58A6B64BAE"><enum>(2)</enum><header>Final rule</header><text>Not later than one year after prescribing the interim final rule under paragraph (1) and considering public comments with respect to such interim final rule, the Council shall prescribe a final rule to implement subchapter III of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/41/13">chapter 13</external-xref> of title 41, United States Code, as added by subsection (a).</text></paragraph> <paragraph id="H7FCFCDFF3C234BB19432B94D8992359C"><enum>(3)</enum><header>Failure to act</header> <subparagraph id="HD2F5E9B6E9854254A7AB26F683B6FBA6"><enum>(A)</enum><header>In general</header><text>If the Council does not issue a final rule in accordance with paragraph (2) on or before the last day of the one-year period referred to in that paragraph, the Council shall submit to the appropriate congressional committees and leadership, not later than 10 days after such last day and every 90 days thereafter until the final rule is issued, a report explaining why the final rule was not timely issued and providing an estimate of the earliest date on which the final rule will be issued.</text></subparagraph> <subparagraph id="H8544EF0CD823412581AFAA68F39D5E15"><enum>(B)</enum><header>Appropriate congressional committees and leadership defined</header><text>In this paragraph, the term <term>appropriate congressional committees and leadership</term> has the meaning given that term in section 1321 of title 41, United States Code, as added by subsection (a).</text></subparagraph></paragraph></subsection></section> <section id="H720ABEE0448F47CC909ECF491E7CAD3F"><enum>203.</enum><header>Authorities of executive agencies relating to mitigating supply chain risks in the procurement of covered articles</header> <subsection id="H868B4241D2B4432CA8F48517A16732B8"><enum>(a)</enum><header>In general</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/41/47">Chapter 47</external-xref> of title 41, United States Code, is amended by adding at the end the following new section:</text> <quoted-block display-inline="no-display-inline" id="HD4704BB5407247C5B17A021855C31774" style="USC"> <section id="H84B9988BA6C445CFA6D18F48EEFBAAC2"><enum>4713.</enum><header>Authorities relating to mitigating supply chain risks in the procurement of covered articles</header> <subsection id="H792F7BD7549D400E9D68C1EC9D608AF8"><enum>(a)</enum><header>Authority</header><text>Subject to subsection (b), the head of an executive agency may carry out a covered procurement action.</text></subsection> <subsection id="H6D2C637083E948AF8C6025E24C80AD91"><enum>(b)</enum><header>Determination and notification</header><text>Except as authorized by subsection (c) to address an urgent national security interest, the head of an executive agency may exercise the authority provided in subsection (a) only after—</text> <paragraph id="H76367F7CF6674F5595B74BA8CE58F66F"><enum>(1)</enum><text>obtaining a joint recommendation, in unclassified or classified form, from the chief acquisition officer and the chief information officer of the agency, or officials performing similar functions in the case of executive agencies that do not have such officials, which includes a review of any risk assessment made available by the executive agency identified under section 1323(a)(3) of this title, that there is a significant supply chain risk in a covered procurement;</text></paragraph> <paragraph id="H39618152806E4183A4AF0D4D92F76970"><enum>(2)</enum><text>providing notice of the joint recommendation described in paragraph (1) to any source named in the joint recommendation advising—</text> <subparagraph id="HCB036DB7F7C642FC90E1CA1D77A36757"><enum>(A)</enum><text>that a recommendation is being considered or has been obtained;</text></subparagraph> <subparagraph id="H1A870F6D45494AA195D82EB648E20B25"><enum>(B)</enum><text>to the extent consistent with the national security and law enforcement interests, of information that forms the basis for the recommendation;</text></subparagraph> <subparagraph id="H56B9975AC78D49A89F0BB4444F82C8FC"><enum>(C)</enum><text>that, within 30 days after receipt of the notice, the source may submit information and argument in opposition to the recommendation; and</text></subparagraph> <subparagraph id="H27D3D5E1C05042BDB0943996DDF445B3"><enum>(D)</enum><text>of the procedures governing the consideration of the submission and the possible exercise of the authority provided in subsection (a);</text></subparagraph></paragraph> <paragraph id="HABC326A6A3674661988FE294D86D953A"><enum>(3)</enum><text>making a determination in writing, in unclassified or classified form, after considering any information submitted by a source under paragraph (2) and in consultation with the chief information security officer of the agency, that—</text> <subparagraph id="H17F58E79CFD640F188A805DD3CB8B961"><enum>(A)</enum><text>use of the authority under subsection (a) is necessary to protect national security by reducing supply chain risk;</text></subparagraph> <subparagraph id="HE5A64A57B2BA480C8DD4493F6EC7B8B0"><enum>(B)</enum><text>less intrusive measures are not reasonably available to reduce such supply chain risk; and</text></subparagraph> <subparagraph id="H106DDFEF0DF4478EBF41EB856009DEE5"><enum>(C)</enum><text>the use of such authorities will apply to a single covered procurement or a class of covered procurements, and otherwise specifies the scope of the determination; and</text></subparagraph></paragraph> <paragraph id="H5466F763B6F74BF0B01CA1D232250D4D"><enum>(4)</enum><text>providing a classified or unclassified notice of the determination made under paragraph (3) to the appropriate congressional committees and leadership that includes—</text> <subparagraph id="H166F07B9B3B34027A09FE895094B861E"><enum>(A)</enum><text>the joint recommendation described in paragraph (1);</text></subparagraph> <subparagraph id="HD59358DAC18445D1904123EE0CC9434B"><enum>(B)</enum><text>a summary of any risk assessment reviewed in support of the joint recommendation required by paragraph (1); and</text></subparagraph> <subparagraph id="H7EDA0E729998411F9A366F553B9B5FC8"><enum>(C)</enum><text>a summary of the basis for the determination, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk.</text></subparagraph></paragraph></subsection> <subsection id="H2447DF3CB8B94C54B0A7AE86C6B17001"><enum>(c)</enum><header>Procedures To address urgent national security interests</header><text>In any case in which the head of an executive agency determines that an urgent national security interest requires the immediate exercise of the authority provided in subsection (a), the head of the agency—</text> <paragraph id="HB0F6298886104085B088075F83CF071F"><enum>(1)</enum><text>may, to the extent necessary to address such national security interest, and subject to the conditions in paragraph (2)—</text> <subparagraph id="H39471EBDE9664D019432A18062E23B5D"><enum>(A)</enum><text>temporarily delay the notice required by subsection (b)(2);</text></subparagraph> <subparagraph id="HD4D27AAA201249D0BD71DF85F5EC0FD3"><enum>(B)</enum><text>make the determination required by subsection (b)(3), regardless of whether the notice required by subsection (b)(2) has been provided or whether the notified source has submitted any information in response to such notice;</text></subparagraph> <subparagraph id="HE1A1F18F710D482E99339DA7F0C752E6"><enum>(C)</enum><text>temporarily delay the notice required by subsection (b)(4); and</text></subparagraph> <subparagraph id="H6C558628E2F942F4BCA8E230912A71A5"><enum>(D)</enum><text>exercise the authority provided in subsection (a) in accordance with such determination within 60 calendar days after the day the determination is made; and</text></subparagraph></paragraph> <paragraph id="H29D893CA2E4A48389F28700204079D0A"><enum>(2)</enum><text>shall take actions necessary to comply with all requirements of subsection (b) as soon as practicable after addressing the urgent national security interest, including—</text> <subparagraph id="H23A2B9AB3FB34357A4392E61DF4042C6"><enum>(A)</enum><text>providing the notice required by subsection (b)(2);</text></subparagraph> <subparagraph id="HAC255BE1C07E4ADB8E65D6CD6C6BC6E9"><enum>(B)</enum><text>promptly considering any information submitted by the source in response to such notice, and making any appropriate modifications to the determination based on such information;</text></subparagraph> <subparagraph id="H64C06DD16BDA4878ACE099587317FDE4"><enum>(C)</enum><text>providing the notice required by subsection (b)(4), including a description of the urgent national security interest, and any modifications to the determination made in accordance with subparagraph (B); and</text></subparagraph> <subparagraph id="HC616D4728411476FA8635E93023BDC51"><enum>(D)</enum><text>providing notice to the appropriate congressional committees and leadership within 7 calendar days of the covered procurement actions taken under this section.</text></subparagraph></paragraph></subsection> <subsection id="H45F715403F18428C8BB1A02E610F5EAB"><enum>(d)</enum><header>Confidentiality</header><text>The notice required by subsection (b)(2) shall be kept confidential until a determination with respect to a covered procurement action has been made pursuant to subsection (b)(3).</text></subsection> <subsection id="HF8729A08BD4E4EC49C46B49A076319B8"><enum>(e)</enum><header>Delegation</header><text>The head of an executive agency may not delegate the authority provided in subsection (a) or the responsibility identified in subsection (f) to an official below the level one level below the Deputy Secretary or Principal Deputy Director.</text></subsection> <subsection id="H02D5CC57F11349A8BAF4BE8AD2B51CE9"><enum>(f)</enum><header>Annual review of determinations</header><text>The head of an executive agency shall conduct an annual review of all determinations made by such head under subsection (b) and promptly amend any covered procurement action as appropriate.</text></subsection> <subsection id="H9E0B985709C64FC8AFB66BBDD4A37629"><enum>(g)</enum><header>Regulations</header><text>The Federal Acquisition Regulatory Council shall prescribe such regulations as may be necessary to carry out this section.</text></subsection> <subsection id="H66B3E4458AC648208C04EB70CCF87C7B"><enum>(h)</enum><header>Reports required</header><text>Not less frequently than annually, the head of each executive agency that exercised the authority provided in subsection (a) or (c) during the preceding 12-month period shall submit to the appropriate congressional committees and leadership a report summarizing the actions taken by the agency under this section during that 12-month period.</text></subsection> <subsection id="HC199578D0C1C49149A85D07A509C3C75"><enum>(i)</enum><header>Rule of construction</header><text>Nothing in this section shall be construed to authorize the head of an executive agency to carry out a covered procurement action based solely on the fact of foreign ownership of a potential procurement source that is otherwise qualified to enter into procurement contracts with the Federal Government.</text></subsection> <subsection id="H1E26D53ACBBC412B91CD6C258C7979FC"><enum>(j)</enum><header>Termination</header><text>The authority provided under subsection (a) shall terminate on the date that is 5 years after the date of the enactment of the <short-title>Federal Acquisition Supply Chain Security Act of 2018</short-title>.</text></subsection> <subsection id="H5F45090607004416968BACD8890AD612"><enum>(k)</enum><header>Definitions</header><text>In this section:</text> <paragraph id="HD9D4C413633C4B6694C44431E67EE720"><enum>(1)</enum><header>Appropriate congressional committees and leadership</header><text>The term <term>appropriate congressional committees and leadership</term> means—</text> <subparagraph id="H8E4D8B9F9D21408397C4B6A456CE9AE9"><enum>(A)</enum><text>the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Armed Services, the Committee on Commerce, Science, and Transportation, the Select Committee on Intelligence, and the majority and minority leader of the Senate; and</text></subparagraph> <subparagraph id="HA68B1E77D9BB478BBE57816B69CC6038"><enum>(B)</enum><text>the Committee on Oversight and Government Reform, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, the Committee on Armed Services, the Committee on Energy and Commerce, the Permanent Select Committee on Intelligence, and the Speaker and minority leader of the House of Representatives.</text></subparagraph></paragraph> <paragraph id="HB360530913D74B53AB4325B7386624AA"><enum>(2)</enum><header>Covered article</header><text>The term <term>covered article</term> means—</text> <subparagraph id="H877ADAE28A5241D5B60B9CA7972385EC"><enum>(A)</enum><text>information technology, as defined in section 11101 of title 40, including cloud computing services of all types;</text></subparagraph> <subparagraph id="H64B59D560D344CF4AA5646347608C656"><enum>(B)</enum><text>telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/153">47 U.S.C. 153</external-xref>);</text></subparagraph> <subparagraph id="HDE6FA762B2FE4C4E8B190ACFCD959F53"><enum>(C)</enum><text>the processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program; or</text></subparagraph> <subparagraph id="HE6A885BFF44A411DACF315ACA612C07D"><enum>(D)</enum><text>hardware, systems, devices, software, or services that include embedded or incidental information technology.</text></subparagraph></paragraph> <paragraph id="H64A454FFB64F40C5A43D31FFB243D952"><enum>(3)</enum><header>Covered procurement</header><text>The term <term>covered procurement</term> means—</text> <subparagraph id="H5EDD7A9EEE864C529415A574AC889ED3"><enum>(A)</enum><text>a source selection for a covered article involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of this title, or an evaluation factor, as provided in subsection (b)(1)(A) of such section, relating to a supply chain risk, or where supply chain risk considerations are included in the agency’s determination of whether a source is a responsible source as defined in section 113 of this title;</text></subparagraph> <subparagraph id="HAC66AB061B81412A9E71E68D82D8D5D3"><enum>(B)</enum><text>the consideration of proposals for and issuance of a task or delivery order for a covered article, as provided in section 4106(d)(3) of this title, where the task or delivery order contract includes a contract clause establishing a requirement relating to a supply chain risk;</text></subparagraph> <subparagraph id="H444AF711580E4F85BB3346A41C64FA23"><enum>(C)</enum><text>any contract action involving a contract for a covered article where the contract includes a clause establishing requirements relating to a supply chain risk; or</text></subparagraph> <subparagraph id="HA50697421CA84CE1ADC2B0B512C9393C"><enum>(D)</enum><text>any other procurement in a category of procurements determined appropriate by the Federal Acquisition Regulatory Council, with the advice of the Federal Acquisition Security Council.</text></subparagraph></paragraph> <paragraph id="H5DB5D08F90444F57AE79A5EE24ABA300"><enum>(4)</enum><header>Covered procurement action</header><text>The term <term>covered procurement action</term> means any of the following actions, if the action takes place in the course of conducting a covered procurement:</text> <subparagraph id="H7E1B60544CE04899A7CFC6401B3BA3D4"><enum>(A)</enum><text>The exclusion of a source that fails to meet qualification requirements established under section 3311 of this title for the purpose of reducing supply chain risk in the acquisition or use of covered articles.</text></subparagraph> <subparagraph id="HF139FEF87EFB4CF6BAC4A2D0CA3B2E7E"><enum>(B)</enum><text>The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.</text></subparagraph> <subparagraph id="HB6FEE71C7C2D4B349E337CCB07C603D5"><enum>(C)</enum><text>The determination that a source is not a responsible source as defined in section 113 of this title based on considerations of supply chain risk.</text></subparagraph> <subparagraph id="H2985F1A486F24E079261454CC7359BDA"><enum>(D)</enum><text>The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract under the contract.</text></subparagraph></paragraph> <paragraph id="H514799433C8245FA99490987053E46DC"><enum>(5)</enum><header>Information and communications technology</header><text>The term <term>information and communications technology</term> means—</text> <subparagraph id="H5CA00A3056C74F61AA3E08272CD38811"><enum>(A)</enum><text>information technology, as defined in section 11101 of title 40;</text></subparagraph> <subparagraph id="HBB7A334187894DB5BAB470ECF0B1B4CF"><enum>(B)</enum><text>information systems, as defined in section 3502 of title 44; and</text></subparagraph> <subparagraph id="H4A4CF0B889584D57985C67B64651AC6C"><enum>(C)</enum><text>telecommunications equipment and telecommunications services, as those terms are defined in section 3 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/153">47 U.S.C. 153</external-xref>).</text></subparagraph></paragraph> <paragraph id="H57FCB1A5C6AA4278AD7DDE6F99117597"><enum>(6)</enum><header>Supply chain risk</header><text>The term <term>supply chain risk</term> means the risk that any person may sabotage, maliciously introduce unwanted function, extract data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, maintenance, disposition, or retirement of covered articles so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the covered articles or information stored or transmitted on the covered articles.</text></paragraph> <paragraph id="H29CEACD4D5C4447DA0A59E671088C085"><enum>(7)</enum><header>Executive agency</header><text>Notwithstanding section 3101(c)(1), this section applies to the Department of Defense, the Coast Guard, and the National Aeronautics and Space Administration.</text></paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="HE293388B78514582A5AA07F5435C5AFA"><enum>(b)</enum><header>Clerical amendment</header><text>The table of sections at the beginning of chapter 47 of such title is amended by adding at the end the following new item:</text> <quoted-block id="H240BFD33994641F78642F82D7E09258B" style="USC"> <toc> <toc-entry idref="H84B9988BA6C445CFA6D18F48EEFBAAC2" level="section">4713. Authorities relating to mitigating supply chain risks in the procurement of covered articles.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="HC312B2D4E3104ACAAC3CAE6795B8AEF0"><enum>(c)</enum><header>Effective date</header><text>The amendments made by this section shall take effect on the date that is 90 days after the date of the enactment of this Act and shall apply to contracts that are awarded before, on, or after that date.</text></subsection></section> <section id="HBAFE1DCE8EA947FDA0E5637B0C132DD5"><enum>204.</enum><header>Federal Information Security Modernization Act</header> <subsection id="H8D411D88E0064B97B658F968FA1D0AA1"><enum>(a)</enum><header>In general</header><text>Title 44, United States Code, is amended—</text> <paragraph id="H00527415900E465D86D01C52ECA983B9"><enum>(1)</enum><text>in section 3553(a)(5), by inserting <quote>and section 1326 of title 41</quote> after <quote>compliance with the requirements of this subchapter</quote>; and</text></paragraph> <paragraph id="HFE8216F38A7E4A1BA5705FEB4B4EBE40"><enum>(2)</enum><text>in section 3554(a)(1)(B)—</text> <subparagraph id="HACC27AE3CCAF41E9BC9C0D5D0FA6303A"><enum>(A)</enum><text>by inserting <quote>, subchapter III of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/41/13">chapter 13</external-xref> of title 41,</quote> after <quote>complying with the requirements of this subchapter</quote>;</text></subparagraph> <subparagraph id="H2C7909799D9A45D7915256F62E9CB59F"><enum>(B)</enum><text>in clause (iv), by striking <quote>; and</quote> and inserting a semicolon; and</text></subparagraph> <subparagraph id="H98B15D4A8A6940CFBC830AD8DAABF065"><enum>(C)</enum><text>by adding at the end the following new clause:</text> <quoted-block display-inline="no-display-inline" id="HD346C6F61F3F41768F9365F4187638B3" style="OLC"> <clause id="H9732614054484B89803C11F951695573"><enum>(vi)</enum><text>responsibilities relating to assessing and avoiding, mitigating, transferring, or accepting supply chain risks under section 1326 of title 41, and complying with exclusion and removal orders issued under section 1323 of such title; and</text></clause><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph></subsection> <subsection id="H517452CC6D314CC6BC3559B8FB058860"><enum>(b)</enum><header>Rule of construction</header><text>Nothing in this title shall be construed to alter or impede any authority or responsibility under section 3553 of title 44, United States Code.</text></subsection></section> <section commented="no" display-inline="no-display-inline" id="HB1D08D2C7C6644DFBD747649B6093FF6" section-type="subsequent-section"><enum>205.</enum><header>Effective date</header><text display-inline="no-display-inline">This title shall take effect on the date that is 90 days after the date of the enactment of this Act.</text></section> Passed the House of Representatives December 19, 2018.Karen L. Haas,Clerk.