
	

115 HR 6430 : Securing the Homeland Security Supply Chain Act of 2018
U.S. House of Representatives
2018-09-05
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		IIB
		115th CONGRESS2d Session
		H. R. 6430
		IN THE SENATE OF THE UNITED STATES
		September 5, 2018Received; read twice and referred to the Committee on Homeland Security and Governmental AffairsAN ACT
		To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to
			 implement certain requirements for information relating to supply chain
			 risk, and for other purposes.
	
	
 1.Short titleThis Act may be cited as the Securing the Homeland Security Supply Chain Act of 2018. 2.Department of Homeland Security requirements for information relating to supply chain risk (a)In generalSubtitle D of title VIII of the Homeland Security Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the following new section:
				
					836.Requirements for information relating to supply chain risk
 (a)AuthoritySubject to subsection (b), the Secretary may— (1)carry out a covered procurement action;
 (2)limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information, including classified information, relating to the basis for carrying out such an action; and
 (3)exclude, in whole or in part, a source carried out in the course of such an action applicable to a covered procurement of the Department.
 (b)Determination and notificationExcept as authorized by subsection (c) to address an urgent national security interest, the Secretary may exercise the authority provided in subsection (a) only after—
 (1)obtaining a joint recommendation, in unclassified or classified form, from the Chief Acquisition Officer and the Chief Information Officer of Department, including a review of any risk assessment made available by an appropriate person or entity, that there is a significant supply chain risk in a covered procurement;
 (2)notifying any source named in the joint recommendation described in paragraph (1) advising— (A)that a recommendation has been obtained;
 (B)to the extent consistent with the national security and law enforcement interests, the basis for such recommendation;
 (C)that, within 30 days after receipt of notice, such source may submit information and argument in opposition to such recommendation; and
 (D)of the procedures governing the consideration of such submission and the possible exercise of the authority provided in subsection (a);
 (3)notifying the relevant components of the Department that such risk assessment has demonstrated significant supply chain risk to a covered procurement; and
 (4)making a determination in writing, in unclassified or classified form, that after considering any information submitted by a source under paragraph (2), and in consultation with the Chief Information Officer of the Department, that—
 (A)use of authority under subsection (a)(1) is necessary to protect national security by reducing supply chain risk;
 (B)less intrusive measures are not reasonably available to reduce such risk; (C)a decision to limit disclosure of information under subsection (a)(2) is necessary to protect national security interest; and
 (D)the use of such authorities will apply to a single covered procurement or a class of covered procurements, and otherwise specifies the scope of such determination;
 (5)providing to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a classified or unclassified notice of the determination made under paragraph (4) that includes—
 (A)the joint recommendation described in paragraph (1); (B)a summary of any risk assessment reviewed in support of such joint recommendation; and
 (C)a summary of the basis for such determination, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk;
 (6)notifying the Director of the Office of Management and Budget, and the heads of other Federal agencies as appropriate, in a manner and to the extent consistent with the requirements of national security; and
 (7)taking steps to maintain the confidentiality of any notifications under this subsection. (c)Procedures To address urgent national security interestsIn any case in which the Secretary determines that national security interests require the immediate exercise of the authorities under subsection (a), the Secretary—
 (1)may, to the extent necessary to address any such national security interest, and subject to the conditions specified in paragraph (2)—
 (A)temporarily delay the notice required by subsection (b)(2); (B)make the determination required by subsection (b)(4), regardless of whether the notice required by subsection (b)(2) has been provided or whether the notified source at issue has submitted any information in response to such notice;
 (C)temporarily delay the notice required by subsections (b)(4) and (b)(5); and (D)exercise the authority provided in subsection (a) in accordance with such determination; and
 (2)shall take actions necessary to comply with all requirements of subsection (b) as soon as practicable after addressing the urgent national security interest that is the subject of paragraph (1), including—
 (A)providing the notice required by subsection (b)(2); (B)promptly considering any information submitted by the source at issue in response to such notice, and making any appropriate modifications to the determination required by subsection (b)(4) based on such information; and
 (C)providing the notice required by subsections (b)(5) and (b)(6), including a description of such urgent national security, and any modifications to such determination made in accordance with subparagraph (B).
 (d)Annual review of determinationsThe Secretary shall annually review all determinations made under subsection (b). (e)DelegationThe Secretary may not delegate the authority provided in subsection (a) or the responsibility identified in subsection (d) to an official below the Deputy Secretary.
 (f)Limitation of reviewNotwithstanding any other provision of law, no action taken by the Secretary under subsection (a) may be subject to review in a bid protest before the Government Accountability Office or in any Federal court.
 (g)ConsultationIn developing procedures and guidelines for the implementation of the authorities described in this section, the Secretary shall review the procedures and guidelines utilized by the Department of Defense to carry out similar authorities.
 (h)DefinitionsIn this section: (1)Covered articleThe term covered article means:
 (A)Information technology, including cloud computing services of all types. (B)Telecommunications equipment.
 (C)Telecommunications services. (D)The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program of the Department.
 (E)Hardware, systems, devices, software, or services that include embedded or incidental information technology.
 (2)Covered procurementThe term covered procurement means— (A)a source selection for a covered article involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of title 41, United States Code, or an evaluation factor, as provided in subsection (c)(1)(A) of such section, relating to supply chain risk, or with respect to which supply chain risk considerations are included in the Department’s determination of whether a source is a responsible source as defined in section 113 of such title;
 (B)the consideration of proposals for and issuance of a task or delivery order for a covered article, as provided in section 4106(d)(3) of title 41, United States Code, with respect to which the task or delivery order contract includes a contract clause establishing a requirement relating to supply chain risk;
 (C)any contract action involving a contract for a covered article with respect to which such contract includes a clause establishing requirements relating to supply chain risk; or
 (D)any procurement made via Government Purchase Care for a covered article when supply chain risk has been identified as a concern.
 (3)Covered procurement actionThe term covered procurement action means any of the following actions, if such action takes place in the course of conducting a covered procurement:
 (A)The exclusion of a source that fails to meet qualification requirements established pursuant to section 3311 of title 41, United States Code, for the purpose of reducing supply chain risk in the acquisition or use of a covered article.
 (B)The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.
 (C)The determination that a source is not a responsible source based on considerations of supply chain risk.
 (D)The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.
 (4)Information systemThe term information system has the meaning given such term in section 3502 of title 44, United States Code. (5)Information technologyThe term information technology has the meaning given such term in section 11101 of title 40, United States Code.
 (6)Responsible sourceThe term responsible source has the meaning given such term in section 113 of title 41, United States Code. (7)Supply chain riskThe term supply chain risk means the risk that a malicious actor may sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the information technology or information stored or transmitted on the covered articles.
 (8)Telecommunications equipmentThe term telecommunications equipment has the meaning given such term in section 153(52) of title 47, United States Code. (9)Telecommunications serviceThe term telecommunications service has the meaning given such term in section 153(53) of title 47, United States Code.
 (i)Effective dateThe requirements of this section shall take effect on the date that is 90 days after the date of the enactment of this Act and shall apply to—
 (1)contracts awarded on or after such date; and (2)task and delivery orders issued on or after such date pursuant to contracts awarded before, on, or after such date..
 (b)RulemakingSection 553 of title 5, United States Code, and section 1707 of title 41, United States Code, shall not apply to the Secretary of Homeland Security when carrying out the authorities and responsibilities under section 836 of the Homeland Security Act of 2002, as added by subsection (a).
 (c)Clerical amendmentThe table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 835 the following new item:
				
					
						Sec. 836. Requirements for information relating to supply chain risk..
			
	Passed the House of Representatives September 4, 2018.Karen L. Haas,Clerk.
