[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 3085 Engrossed in Senate (ES)]

<DOC>

115th CONGRESS
  2d Session
                                S. 3085

_______________________________________________________________________

                                 AN ACT


 
  To establish a Federal Acquisition Security Council and to provide 
executive agencies with authorities relating to mitigating supply chain 
   risks in the procurement of information technology, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Acquisition Supply Chain 
Security Act of 2018''.

SEC. 2. FEDERAL ACQUISITION SUPPLY CHAIN SECURITY.

    (a) In General.--Chapter 13 of title 41, United States Code, is 
amended by adding at the end the following new subchapter:

      ``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY

``Sec. 1321. Definitions
    ``In this subchapter:
            ``(1) Appropriate congressional committees and 
        leadership.--The term `appropriate congressional committees and 
        leadership' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on the Judiciary, 
                the Committee on Appropriations, the Committee on Armed 
                Services, the Committee on Commerce, Science, and 
                Transportation, the Select Committee on Intelligence, 
                and the majority and minority leader of the Senate; and
                    ``(B) the Committee on Oversight and Government 
                Reform, the Committee on the Judiciary, the Committee 
                on Appropriations, the Committee on Homeland Security, 
                the Committee on Armed Services, the Committee on 
                Energy and Commerce, the Permanent Select Committee on 
                Intelligence, and the Speaker and minority leader of 
                the House of Representatives.
            ``(2) Council.--The term `Council' means the Federal 
        Acquisition Security Council established under section 1322(a) 
        of this title.
            ``(3) Covered article.--The term `covered article' has the 
        meaning given that term in section 4713 of this title.
            ``(4) Covered procurement action.--The term `covered 
        procurement action' has the meaning given that term in section 
        4713 of this title.
            ``(5) Information and communications technology.--The term 
        `information and communications technology' has the meaning 
        given that term in section 4713 of this title.
            ``(6) Intelligence community.--The term `intelligence 
        community' has the meaning given that term in section 3(4) of 
        the National Security Act of 1947 (50 U.S.C. 3003(4)).
            ``(7) National security system.--The term `national 
        security system' has the meaning given that term in section 
        3552 of title 44.
            ``(8) Supply chain risk.--The term `supply chain risk' has 
        the meaning given that term in section 4713 of this title.
``Sec. 1322. Federal Acquisition Security Council establishment and 
              membership
    ``(a) Establishment.--There is established in the executive branch 
a Federal Acquisition Security Council.
    ``(b) Membership.--
            ``(1) In general.--The following agencies shall be 
        represented on the Council:
                    ``(A) The Office of Management and Budget.
                    ``(B) The General Services Administration.
                    ``(C) The Department of Homeland Security, 
                including the Cybersecurity and Infrastructure Security 
                Agency.
                    ``(D) The Office of the Director of National 
                Intelligence, including the National 
                Counterintelligence and Security Center.
                    ``(E) The Department of Justice, including the 
                Federal Bureau of Investigation.
                    ``(F) The Department of Defense, including the 
                National Security Agency.
                    ``(G) The Department of Commerce, including the 
                National Institute of Standards and Technology.
                    ``(H) Such other executive agencies as determined 
                by the Chairperson of the Council.
            ``(2) Lead representatives.--
                    ``(A) Designation.--
                            ``(i) In general.--Not later than 45 days 
                        after the date of the enactment of the Federal 
                        Acquisition Supply Chain Security Act of 2018, 
                        the head of each agency represented on the 
                        Council shall designate a representative of 
                        that agency as the lead representative of the 
                        agency on the Council.
                            ``(ii) Requirements.--The representative of 
                        an agency designated under clause (i) shall 
                        have expertise in supply chain risk management, 
                        acquisitions, or information and communications 
                        technology.
                    ``(B) Functions.--The lead representative of an 
                agency designated under subparagraph (A) shall ensure 
                that appropriate personnel, including leadership and 
                subject matter experts of the agency, are aware of the 
                business of the Council.
    ``(c) Chairperson.--
            ``(1) Designation.--Not later than 45 days after the date 
        of the enactment of the Federal Acquisition Supply Chain 
        Security Act of 2018, the Director of the Office of Management 
        and Budget shall designate a senior-level official from the 
        Office of Management and Budget to serve as the Chairperson of 
        the Council.
            ``(2) Functions.--The Chairperson shall perform functions 
        that include--
                    ``(A) subject to subsection (d), developing a 
                schedule for meetings of the Council;
                    ``(B) designating executive agencies to be 
                represented on the Council under subsection (b)(1)(H);
                    ``(C) in consultation with the lead representative 
                of each agency represented on the Council, developing a 
                charter for the Council; and
                    ``(D) not later than 7 days after completion of the 
                charter, submitting the charter to the appropriate 
                congressional committees and leadership.
    ``(d) Meetings.--The Council shall meet not later than 60 days 
after the date of the enactment of the Federal Acquisition Supply Chain 
Security Act of 2018 and not less frequently than quarterly thereafter.
``Sec. 1323. Functions and authorities
    ``(a) In General.--The Council shall perform functions that include 
the following:
            ``(1) Identifying and recommending development by the 
        National Institute of Standards and Technology of supply chain 
        risk management standards, guidelines, and practices for 
        executive agencies to use when assessing and developing 
        mitigation strategies to address supply chain risks, 
        particularly in the acquisition and use of covered articles 
        under section 1326(a) of this title.
            ``(2) Identifying or developing criteria for sharing 
        information with executive agencies, other Federal entities, 
        and non-Federal entities with respect to supply chain risk, 
        including information related to the exercise of authorities 
        provided under this section and sections 1326 and 4713 of this 
        title. At a minimum, such criteria shall address--
                    ``(A) the content to be shared;
                    ``(B) the circumstances under which sharing is 
                mandated or voluntary; and
                    ``(C) the circumstances under which it is 
                appropriate for an executive agency to rely on 
                information made available through such sharing in 
                exercising the responsibilities and authorities 
                provided under this section and section 4713 of this 
                title.
            ``(3) Identifying an appropriate executive agency to--
                    ``(A) accept information submitted by executive 
                agencies based on the criteria established under 
                paragraph (2);
                    ``(B) facilitate the sharing of information 
                received under subparagraph (A) to support supply chain 
                risk analyses under section 1326 of this title, 
                recommendations under this section, and covered 
                procurement actions under section 4713 of this title;
                    ``(C) share with the Council information regarding 
                covered procurement actions by executive agencies taken 
                under section 4713 of this title; and
                    ``(D) inform the Council of orders issued under 
                this section.
            ``(4) Identifying, as appropriate, executive agencies to 
        provide--
                    ``(A) shared services, such as support for making 
                risk assessments, validation of products that may be 
                suitable for acquisition, and mitigation activities; 
                and
                    ``(B) common contract solutions to support supply 
                chain risk management activities, such as subscription 
                services or machine-learning-enhanced analysis 
                applications to support informed decisionmaking.
            ``(5) Identifying and issuing guidance on additional steps 
        that may be necessary to address supply chain risks arising in 
        the course of executive agencies providing shared services, 
        common contract solutions, acquisitions vehicles, or assisted 
        acquisitions.
            ``(6) Engaging with the private sector and other 
        nongovernmental stakeholders in performing the functions 
        described in paragraphs (1) and (2) and on issues relating to 
        the management of supply chain risks posed by the acquisition 
        of covered articles.
            ``(7) Carrying out such other actions, as determined by the 
        Council, that are necessary to reduce the supply chain risks 
        posed by acquisitions and use of covered articles.
    ``(b) Program Office and Committees.--The Council may establish a 
program office and any committees, working groups, or other constituent 
bodies the Council deems appropriate, in its sole and unreviewable 
discretion, to carry out its functions.
    ``(c) Authority for Exclusion or Removal Orders.--
            ``(1) Criteria.--To reduce supply chain risk, the Council 
        shall establish criteria and procedures for--
                    ``(A) recommending orders applicable to executive 
                agencies requiring the exclusion of sources or covered 
                articles from executive agency procurement actions (in 
                this section referred to as `exclusion orders');
                    ``(B) recommending orders applicable to executive 
                agencies requiring the removal of covered articles from 
                executive agency information systems (in this section 
                referred to as `removal orders');
                    ``(C) requesting and approving exceptions to an 
                issued exclusion or removal order when warranted by 
                circumstances, including alternative mitigation actions 
                or other findings relating to the national interest, 
                including national security reviews, national security 
                investigations, or national security agreements; and
                    ``(D) ensuring that recommended orders do not 
                conflict with standards and guidelines issued under 
                section 11331 of title 40 and that the Council consults 
                with the Director of the National Institute of 
                Standards and Technology regarding any recommended 
                orders that would implement standards and guidelines 
                developed by the National Institute of Standards and 
                Technology.
            ``(2) Recommendations.--The Council shall use the criteria 
        established under paragraph (1), information made available 
        under subsection (a)(3), and any other information the Council 
        determines appropriate to issue recommendations, for 
        application to executive agencies or any subset thereof, 
        regarding the exclusion of sources or covered articles from any 
        executive agency procurement action, including source selection 
        and consent for a contractor to subcontract, or the removal of 
        covered articles from executive agency information systems. 
        Such recommendations shall include--
                    ``(A) information necessary to positively identify 
                the sources or covered articles recommended for 
                exclusion or removal;
                    ``(B) information regarding the scope and 
                applicability of the recommended exclusion or removal 
                order;
                    ``(C) a summary of any risk assessment reviewed or 
                conducted in support of the recommended exclusion or 
                removal order;
                    ``(D) a summary of the basis for the 
                recommendation, including a discussion of less 
                intrusive measures that were considered and why such 
                measures were not reasonably available to reduce supply 
                chain risk;
                    ``(E) a description of the actions necessary to 
                implement the recommended exclusion or removal order; 
                and
                    ``(F) where practicable, in the Council's sole and 
                unreviewable discretion, a description of mitigation 
                steps that could be taken by the source that may result 
                in the Council rescinding a recommendation.
            ``(3) Notice of recommendation and review.--A notice of the 
        Council's recommendation under paragraph (2) shall be issued to 
        any source named in the recommendation advising--
                    ``(A) that a recommendation has been made;
                    ``(B) of the criteria the Council relied upon under 
                paragraph (1) and, to the extent consistent with 
                national security and law enforcement interests, of 
                information that forms the basis for the 
                recommendation;
                    ``(C) that, within 30 days after receipt of notice, 
                the source may submit information and argument in 
                opposition to the recommendation;
                    ``(D) of the procedures governing the review and 
                possible issuance of an exclusion or removal order 
                pursuant to paragraph (5); and
                    ``(E) where practicable, in the Council's sole and 
                unreviewable discretion, a description of mitigation 
                steps that could be taken by the source that may result 
                in the Council rescinding the recommendation.
            ``(4) Confidentiality.--Any notice issued to a source under 
        paragraph (3) shall be kept confidential until--
                    ``(A) an exclusion or removal order is issued 
                pursuant to paragraph (5); and
                    ``(B) the source has been notified pursuant to 
                paragraph (6).
            ``(5) Exclusion and removal orders.--
                    ``(A) Order issuance.--Recommendations of the 
                Council under paragraph (2), together with any 
                information submitted by a source under paragraph (3) 
                related to such a recommendation, shall be reviewed by 
                the following officials, who may issue exclusion and 
                removal orders based upon such recommendations:
                            ``(i) The Secretary of Homeland Security, 
                        for exclusion and removal orders applicable to 
                        civilian agencies, to the extent not covered by 
                        clause (ii) or (iii).
                            ``(ii) The Secretary of Defense, for 
                        exclusion and removal orders applicable to the 
                        Department of Defense and national security 
                        systems other than sensitive compartmented 
                        information systems.
                            ``(iii) The Director of National 
                        Intelligence, for exclusion and removal orders 
                        applicable to the intelligence community and 
                        sensitive compartmented information systems, to 
                        the extent not covered by clause (ii).
                    ``(B) Delegation.--The officials identified in 
                subparagraph (A) may not delegate any authority under 
                this subparagraph to an official below the level one 
                level below the Deputy Secretary or Principal Deputy 
                Director, except that the Secretary of Defense may 
                delegate authority for removal orders to the Commander 
                of the United States Cyber Command, who may not 
                redelegate such authority to an official below the 
                level one level below the Deputy Commander.
                    ``(C) Facilitation of exclusion orders.--If 
                officials identified under this paragraph from the 
                Department of Homeland Security, the Department of 
                Defense, and the Office of the Director of National 
                Intelligence issue orders collectively resulting in a 
                governmentwide exclusion, the Administrator for General 
                Services and officials at other executive agencies 
                responsible for management of the Federal Supply 
                Schedules, governmentwide acquisition contracts, and 
                multi-agency contracts shall help facilitate 
                implementation of such orders by removing the covered 
                articles or sources identified in the orders from such 
                contracts.
                    ``(D) Review of exclusion and removal orders.--The 
                officials identified under this paragraph shall review 
                all exclusion and removal orders issued under 
                subparagraph (A) not less frequently than annually 
                pursuant to procedures established by the Council.
                    ``(E) Rescission.--Orders issued pursuant to 
                subparagraph (A) may be rescinded by an authorized 
                official from the relevant issuing agency.
            ``(6) Notifications.--Upon issuance of an exclusion or 
        removal order pursuant to paragraph (5)(A), the official 
        identified under that paragraph who issued the order shall--
                    ``(A) notify any source named in the order of--
                            ``(i) the exclusion or removal order; and
                            ``(ii) to the extent consistent with 
                        national security and law enforcement 
                        interests, information that forms the basis for 
                        the order;
                    ``(B) provide classified or unclassified notice of 
                the exclusion or removal order to the appropriate 
                congressional committees and leadership; and
                    ``(C) provide the exclusion or removal order to the 
                agency identified in subsection (a)(3).
            ``(7) Compliance.--Executive agencies shall comply with 
        exclusion and removal orders issued pursuant to paragraph (5).
    ``(d) Authority To Request Information.--The Council may request 
such information from executive agencies as is necessary for the 
Council to carry out its functions.
    ``(e) Relationship to Other Councils.--The Council shall consult 
and coordinate, as appropriate, with other relevant councils and 
interagency committees, including the Chief Information Officers 
Council, the Chief Acquisition Officers Council, the Federal 
Acquisition Regulatory Council, and the Committee on Foreign Investment 
in the United States, with respect to supply chain risks posed by the 
acquisition and use of covered articles.
    ``(f) Rules of Construction.--Nothing in this section shall be 
construed--
            ``(1) to limit the authority of the Office of Federal 
        Procurement Policy to carry out the responsibilities of that 
        Office under any other provision of law; or
            ``(2) to authorize the issuance of an exclusion or removal 
        order based solely on the fact of foreign ownership of a 
        potential procurement source that is otherwise qualified to 
        enter into procurement contracts with the Federal Government.
``Sec. 1324. Strategic plan
    ``(a) In General.--Not later than 180 days after the date of the 
enactment of the Federal Acquisition Supply Chain Security Act of 2018, 
the Council shall develop a strategic plan for addressing supply chain 
risks posed by the acquisition of covered articles and for managing 
such risks, that includes--
            ``(1) the criteria and processes required under section 
        1323(a) of this title, including a threshold and requirements 
        for sharing relevant information about such risks with all 
        executive agencies and, as appropriate, with other Federal 
        entities and non-Federal entities;
            ``(2) an identification of existing authorities for 
        addressing such risks;
            ``(3) an identification and promulgation of best practices 
        and procedures and available resources for executive agencies 
        to assess and mitigate such risks;
            ``(4) recommendations for any legislative, regulatory, or 
        other policy changes to improve efforts to address such risks;
            ``(5) recommendations for any legislative, regulatory, or 
        other policy changes to incentivize the adoption of best 
        practices for supply chain risk management by the private 
        sector;
            ``(6) an evaluation of the effect of implementing new 
        policies or procedures on existing contracts and the 
        procurement process;
            ``(7) a plan for engaging with executive agencies, the 
        private sector, and other nongovernmental stakeholders to 
        address such risks;
            ``(8) a plan for identification, assessment, mitigation, 
        and vetting of supply chain risks from existing and prospective 
        information and communications technology made available by 
        executive agencies to other executive agencies through common 
        contract solutions, shared services, acquisition vehicles, or 
        other assisted acquisition services; and
            ``(9) plans to strengthen the capacity of all executive 
        agencies to conduct assessments of--
                    ``(A) the supply chain risk posed by the 
                acquisition of covered articles; and
                    ``(B) compliance with the requirements of this 
                subchapter.
    ``(b) Submission to Congress.--Not later than 7 calendar days after 
completion of the strategic plan required by subsection (a), the 
Chairperson of the Council shall submit the plan to the appropriate 
congressional committees and leadership.
``Sec. 1325. Annual report
    ``Not later than December 31 of each year, the Chairperson of the 
Council shall submit to the appropriate congressional committees and 
leadership a report on the activities of the Council during the 
preceding 12-month period.
``Sec. 1326. Requirements for executive agencies
    ``(a) In General.--The head of each executive agency shall be 
responsible for--
            ``(1) assessing the supply chain risk posed by the 
        acquisition and use of covered articles and avoiding, 
        mitigating, accepting, or transferring that risk, as 
        appropriate and consistent with the standards, guidelines, and 
        practices identified by the Council under section 1323(a)(1); 
        and
            ``(2) prioritizing supply chain risk assessments conducted 
        under paragraph (1) based on the criticality of the mission, 
        system, component, service, or asset.
    ``(b) Inclusions.--The responsibility for assessing supply chain 
risk described in subsection (a) includes--
            ``(1) developing an overall supply chain risk management 
        strategy and implementation plan and policies and processes to 
        guide and govern supply chain risk management activities;
            ``(2) integrating supply chain risk management practices 
        throughout the lifecycle of the system, component, service, or 
        asset;
            ``(3) limiting, avoiding, mitigating, accepting, or 
        transferring any identified risk;
            ``(4) sharing relevant information with other executive 
        agencies, as determined appropriate by the Council in a manner 
        consistent with section 1323(a) of this title;
            ``(5) reporting on progress and effectiveness of the 
        agency's supply chain risk management consistent with guidance 
        issued by the Office of Management and Budget and the Council; 
        and
            ``(6) ensuring that all relevant information, including 
        classified information, with respect to acquisitions of covered 
        articles that may pose a supply chain risk, consistent with 
        section 1323(a) of this title, is incorporated into existing 
        processes of the agency for conducting assessments described in 
        subsection (a) and ongoing management of acquisition programs, 
        including any identification, investigation, mitigation, or 
        remediation needs.
    ``(c) Interagency Acquisitions.--
            ``(1) In general.--Except as provided in paragraph (2), in 
        the case of an interagency acquisition, subsection (a) shall be 
        carried out by the head of the executive agency whose funds are 
        being used to procure the covered article.
            ``(2) Assisted acquisitions.--In an assisted acquisition, 
        the parties to the acquisition shall determine, as part of the 
        interagency agreement governing the acquisition, which agency 
        is responsible for carrying out subsection (a).
            ``(3) Definitions.--In this subsection, the terms `assisted 
        acquisition' and `interagency acquisition' have the meanings 
        given those terms in section 2.101 of title 48, Code of Federal 
        Regulations (or any corresponding similar regulation or 
        ruling).
    ``(d) Assistance.--The Secretary of Homeland Security may--
            ``(1) assist executive agencies in conducting risk 
        assessments described in subsection (a) and implementing 
        mitigation requirements for information and communications 
        technology; and
            ``(2) provide such additional guidance or tools as are 
        necessary to support actions taken by executive agencies.
``Sec. 1327. Judicial review procedures
    ``(a) In General.--Except as provided in subsection (b) and chapter 
71 of this title, and notwithstanding any other provision of law, an 
action taken under section 1323 or 4713 of this title, or any action 
taken by an executive agency to implement such an action, shall not be 
subject to administrative review or judicial review, including bid 
protests before the Government Accountability Office or in any Federal 
court.
    ``(b) Petitions.--
            ``(1) In general.--Not later than 60 days after a party is 
        notified of an exclusion or removal order under section 
        1323(c)(6) of this title or a covered procurement action under 
        section 4713 of this title, the party may file a petition for 
        judicial review in the United States Court of Appeals for the 
        District of Columbia Circuit claiming that the issuance of the 
        exclusion or removal order or covered procurement action is 
        unlawful.
            ``(2) Standard of review.--The Court shall hold unlawful a 
        covered action taken under sections 1323 or 4713 of this title, 
        in response to a petition that the court finds to be--
                    ``(A) arbitrary, capricious, an abuse of 
                discretion, or otherwise not in accordance with law;
                    ``(B) contrary to constitutional right, power, 
                privilege, or immunity;
                    ``(C) in excess of statutory jurisdiction, 
                authority, or limitation, or short of statutory right;
                    ``(D) lacking substantial support in the 
                administrative record taken as a whole or in classified 
                information submitted to the court under paragraph (3); 
                or
                    ``(E) not in accord with procedures required by 
                law.
            ``(3) Exclusive jurisdiction.--The United States Court of 
        Appeals for the District of Columbia Circuit shall have 
        exclusive jurisdiction over claims arising under sections 
        1323(c)(5) or 4713 of this title against the United States, any 
        United States department or agency, or any component or 
        official of any such department or agency, subject to review by 
        the Supreme Court of the United States under section 1254 of 
        title 28.
            ``(4) Administrative record and procedures.--
                    ``(A) In general.--The procedures described in this 
                paragraph shall apply to the review of a petition under 
                this section.
                    ``(B) Administrative record.--
                            ``(i) Filing of record.--The United States 
                        shall file with the court an administrative 
                        record, which shall consist of the information 
                        that the appropriate official relied upon in 
                        issuing an exclusion or removal order under 
                        section 1323(c)(5) or a covered procurement 
                        action under section 4713 of this title.
                            ``(ii) Unclassified, nonprivileged 
                        information.--All unclassified information 
                        contained in the administrative record that is 
                        not otherwise privileged or subject to 
                        statutory protections shall be provided to the 
                        petitioner with appropriate protections for any 
                        privileged or confidential trade secrets and 
                        commercial or financial information.
                            ``(iii) In camera and ex parte.--The 
                        following information may be included in the 
                        administrative record and shall be submitted 
                        only to the court ex parte and in camera:
                                    ``(I) Classified information.
                                    ``(II) Sensitive security 
                                information, as defined by section 
                                1520.5 of title 49, Code of Federal 
                                Regulations.
                                    ``(III) Privileged law enforcement 
                                information.
                                    ``(IV) Information obtained or 
                                derived from any activity authorized 
                                under the Foreign Intelligence 
                                Surveillance Act of 1978 (50 U.S.C. 
                                1801 et seq.), except that, with 
                                respect to such information, 
                                subsections (c), (e), (f), (g), and (h) 
                                of section 106 (50 U.S.C. 1806), 
                                subsections (d), (f), (g), (h), and (i) 
                                of section 305 (50 U.S.C. 1825), 
                                subsections (c), (e), (f), (g), and (h) 
                                of section 405 (50 U.S.C. 1845), and 
                                section 706 (50 U.S.C. 1881e) of that 
                                Act shall not apply.
                                    ``(V) Information subject to 
                                privilege or protections under any 
                                other provision of law.
                            ``(iv) Under seal.--Any information that is 
                        part of the administrative record filed ex 
                        parte and in camera under clause (iii), or 
                        cited by the court in any decision, shall be 
                        treated by the court consistent with the 
                        provisions of this subparagraph and shall 
                        remain under seal and preserved in the records 
                        of the court to be made available consistent 
                        with the above provisions in the event of 
                        further proceedings. In no event shall such 
                        information be released to the petitioner or as 
                        part of the public record.
                            ``(v) Return.--After the expiration of the 
                        time to seek further review, or the conclusion 
                        of further proceedings, the court shall return 
                        the administrative record, including any and 
                        all copies, to the United States.
                    ``(C) Exclusive remedy.--A determination by the 
                court under this subsection shall be the exclusive 
                judicial remedy for any claim described in this section 
                against the United States, any United States department 
                or agency, or any component or official of any such 
                department or agency.
                    ``(D) Rule of construction.--Nothing in this 
                section shall be construed as limiting, superseding, or 
                preventing the invocation of, any privileges or 
                defenses that are otherwise available at law or in 
                equity to protect against the disclosure of 
                information.
    ``(c) Definition.--In this section, the term `classified 
information'--
            ``(1) has the meaning given that term in section 1(a) of 
        the Classified Information Procedures Act (18 U.S.C. App.); and
            ``(2) includes--
                    ``(A) any information or material that has been 
                determined by the United States Government pursuant to 
                an Executive order, statute, or regulation to require 
                protection against unauthorized disclosure for reasons 
                of national security; and
                    ``(B) any restricted data, as defined in section 11 
                of the Atomic Energy Act of 1954 (42 U.S.C. 2014).
``Sec. 1328. Termination
    ``This subchapter shall terminate on the date that is 5 years after 
the date of the enactment of the Federal Acquisition Supply Chain 
Security Act of 2018.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 13 of such title is amended by adding at the end the following 
new items:

       ``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY

``Sec.
``1321. Definitions.
``1322. Federal Acquisition Security Council establishment and 
                            membership.
``1323. Functions and authorities.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Judicial review procedures.
``1328. Termination.''.
    (c) Effective Date.--The amendments made by this section shall take 
effect on the date that is 90 days after the date of the enactment of 
this Act and shall apply to contracts that are awarded before, on, or 
after that date.
    (d) Implementation.--
            (1) Interim final rule.--Not later than one year after the 
        date of the enactment of this Act, the Federal Acquisition 
        Security Council shall prescribe an interim final rule to 
        implement subchapter III of chapter 13 of title 41, United 
        States Code, as added by subsection (a).
            (2) Final rule.--Not later than one year after prescribing 
        the interim final rule under paragraph (1) and considering 
        public comments with respect to such interim final rule, the 
        Council shall prescribe a final rule to implement subchapter 
        III of chapter 13 of title 41, United States Code, as added by 
        subsection (a).
            (3) Failure to act.--
                    (A) In general.--If the Council does not issue a 
                final rule in accordance with paragraph (2) on or 
                before the last day of the 1-year period referred to in 
                that paragraph, the Council shall submit to the 
                appropriate congressional committees and leadership, 
                not later than 10 days after such last day and every 90 
                days thereafter until the final rule is issued, a 
                report explaining why the final rule was not timely 
                issued and providing an estimate of the earliest date 
                on which the final rule will be issued.
                    (B) Appropriate congressional committees and 
                leadership defined.--In this paragraph, the term 
                ``appropriate congressional committees and leadership'' 
                has the meaning given that term in section 1321 of 
                title 41, United States Code, as added by subsection 
                (a).

SEC. 3. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO MITIGATING SUPPLY 
              CHAIN RISKS IN THE PROCUREMENT OF COVERED ARTICLES.

    (a) In General.--Chapter 47 of title 41, United States Code, is 
amended by adding at the end the following new section:
``Sec. 4713. Authorities relating to mitigating supply chain risks in 
              the procurement of covered articles
    ``(a) Authority.--Subject to subsection (b), the head of an 
executive agency may carry out a covered procurement action.
    ``(b) Determination and Notification.--Except as authorized by 
subsection (c) to address an urgent national security interest, the 
head of an executive agency may exercise the authority provided in 
subsection (a) only after--
            ``(1) obtaining a joint recommendation, in unclassified or 
        classified form, from the chief acquisition officer and the 
        chief information officer of the agency, or officials 
        performing similar functions in the case of executive agencies 
        that do not have such officials, which includes a review of any 
        risk assessment made available by the executive agency 
        identified under section 1323(a)(3) of this title, that there 
        is a significant supply chain risk in a covered procurement;
            ``(2) providing notice of the joint recommendation 
        described in paragraph (1) to any source named in the joint 
        recommendation advising--
                    ``(A) that a recommendation is being considered or 
                has been obtained;
                    ``(B) to the extent consistent with the national 
                security and law enforcement interests, of information 
                that forms the basis for the recommendation;
                    ``(C) that, within 30 days after receipt of the 
                notice, the source may submit information and argument 
                in opposition to the recommendation; and
                    ``(D) of the procedures governing the consideration 
                of the submission and the possible exercise of the 
                authority provided in subsection (a);
            ``(3) making a determination in writing, in unclassified or 
        classified form, after considering any information submitted by 
        a source under paragraph (2) and in consultation with the chief 
        information security officer of the agency, that--
                    ``(A) use of the authority under subsection (a) is 
                necessary to protect national security by reducing 
                supply chain risk;
                    ``(B) less intrusive measures are not reasonably 
                available to reduce such supply chain risk; and
                    ``(C) the use of such authorities will apply to a 
                single covered procurement or a class of covered 
                procurements, and otherwise specifies the scope of the 
                determination; and
            ``(4) providing a classified or unclassified notice of the 
        determination made under paragraph (3) to the appropriate 
        congressional committees and leadership that includes--
                    ``(A) the joint recommendation described in 
                paragraph (1);
                    ``(B) a summary of any risk assessment reviewed in 
                support of the joint recommendation required by 
                paragraph (1); and
                    ``(C) a summary of the basis for the determination, 
                including a discussion of less intrusive measures that 
                were considered and why such measures were not 
                reasonably available to reduce supply chain risk.
    ``(c) Procedures To Address Urgent National Security Interests.--In 
any case in which the head of an executive agency determines that an 
urgent national security interest requires the immediate exercise of 
the authority provided in subsection (a), the head of the agency--
            ``(1) may, to the extent necessary to address such national 
        security interest, and subject to the conditions in paragraph 
        (2)--
                    ``(A) temporarily delay the notice required by 
                subsection (b)(2);
                    ``(B) make the determination required by subsection 
                (b)(3), regardless of whether the notice required by 
                subsection (b)(2) has been provided or whether the 
                notified source has submitted any information in 
                response to such notice;
                    ``(C) temporarily delay the notice required by 
                subsection (b)(4); and
                    ``(D) exercise the authority provided in subsection 
                (a) in accordance with such determination within 60 
                calendar days after the day the determination is made; 
                and
            ``(2) shall take actions necessary to comply with all 
        requirements of subsection (b) as soon as practicable after 
        addressing the urgent national security interest, including--
                    ``(A) providing the notice required by subsection 
                (b)(2);
                    ``(B) promptly considering any information 
                submitted by the source in response to such notice, and 
                making any appropriate modifications to the 
                determination based on such information;
                    ``(C) providing the notice required by subsection 
                (b)(4), including a description of the urgent national 
                security interest, and any modifications to the 
                determination made in accordance with subparagraph (B); 
                and
                    ``(D) providing notice to the appropriate 
                congressional committees and leadership within 7 
                calendar days of the covered procurement actions taken 
                under this section.
    ``(d) Confidentiality.--The notice required by subsection (b)(2) 
shall be kept confidential until a determination with respect to a 
covered procurement action has been made pursuant to subsection (b)(3).
    ``(e) Delegation.--The head of an executive agency may not delegate 
the authority provided in subsection (a) or the responsibility 
identified in subsection (g) to an official below the level one level 
below the Deputy Secretary or Principal Deputy Director.
    ``(f) Annual Review of Determinations.--The head of an executive 
agency shall conduct an annual review of all determinations made by 
such head under subsection (b) and promptly amend any covered 
procurement action as appropriate.
    ``(g) Regulations.--The Federal Acquisition Regulatory Council 
shall prescribe such regulations as may be necessary to carry out this 
section.
    ``(h) Reports Required.--Not less frequently than annually, the 
head of each executive agency that exercised the authority provided in 
subsection (a) or (c) during the preceding 12-month period shall submit 
to the appropriate congressional committees and leadership a report 
summarizing the actions taken by the agency under this section during 
that 12-month period.
    ``(i) Rule of Construction.--Nothing in this section shall be 
construed to authorize the head of an executive agency to carry out a 
covered procurement action based solely on the fact of foreign 
ownership of a potential procurement source that is otherwise qualified 
to enter into procurement contracts with the Federal Government.
    ``(j) Termination.--The authority provided under subsection (a) 
shall terminate on the date that is 5 years after the date of the 
enactment of the Federal Acquisition Supply Chain Security Act of 2018.
    ``(k) Definitions.--In this section:
            ``(1) Appropriate congressional committees and 
        leadership.--The term `appropriate congressional committees and 
        leadership' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on the Judiciary, 
                the Committee on Appropriations, the Committee on Armed 
                Services, the Committee on Commerce, Science, and 
                Transportation, the Select Committee on Intelligence, 
                and the majority and minority leader of the Senate; and
                    ``(B) the Committee on Oversight and Government 
                Reform, the Committee on the Judiciary, the Committee 
                on Appropriations, the Committee on Homeland Security, 
                the Committee on Armed Services, the Committee on 
                Energy and Commerce, the Permanent Select Committee on 
                Intelligence, and the Speaker and minority leader of 
                the House of Representatives.
            ``(2) Covered article.--The term `covered article' means--
                    ``(A) information technology, as defined in section 
                11101 of title 40, including cloud computing services 
                of all types;
                    ``(B) telecommunications equipment or 
                telecommunications service, as those terms are defined 
                in section 3 of the Communications Act of 1934 (47 
                U.S.C. 153);
                    ``(C) the processing of information on a Federal or 
                non-Federal information system, subject to the 
                requirements of the Controlled Unclassified Information 
                program; or
                    ``(D) hardware, systems, devices, software, or 
                services that include embedded or incidental 
                information technology.
            ``(3) Covered procurement.--The term `covered procurement' 
        means--
                    ``(A) a source selection for a covered article 
                involving either a performance specification, as 
                provided in subsection (a)(3)(B) of section 3306 of 
                this title, or an evaluation factor, as provided in 
                subsection (b)(1)(A) of such section, relating to a 
                supply chain risk, or where supply chain risk 
                considerations are included in the agency's 
                determination of whether a source is a responsible 
                source as defined in section 113 of this title;
                    ``(B) the consideration of proposals for and 
                issuance of a task or delivery order for a covered 
                article, as provided in section 4106(d)(3) of this 
                title, where the task or delivery order contract 
                includes a contract clause establishing a requirement 
                relating to a supply chain risk;
                    ``(C) any contract action involving a contract for 
                a covered article where the contract includes a clause 
                establishing requirements relating to a supply chain 
                risk; or
                    ``(D) any other procurement in a category of 
                procurements determined appropriate by the Federal 
                Acquisition Regulatory Council, with the advice of the 
                Federal Acquisition Security Council.
            ``(4) Covered procurement action.--The term `covered 
        procurement action' means any of the following actions, if the 
        action takes place in the course of conducting a covered 
        procurement:
                    ``(A) The exclusion of a source that fails to meet 
                qualification requirements established under section 
                3311 of this title for the purpose of reducing supply 
                chain risk in the acquisition or use of covered 
                articles.
                    ``(B) The exclusion of a source that fails to 
                achieve an acceptable rating with regard to an 
                evaluation factor providing for the consideration of 
                supply chain risk in the evaluation of proposals for 
                the award of a contract or the issuance of a task or 
                delivery order.
                    ``(C) The determination that a source is not a 
                responsible source as defined in section 113 of this 
                title based on considerations of supply chain risk.
                    ``(D) The decision to withhold consent for a 
                contractor to subcontract with a particular source or 
                to direct a contractor to exclude a particular source 
                from consideration for a subcontract under the 
                contract.
            ``(5) Information and communications technology.--The term 
        `information and communications technology' means--
                    ``(A) information technology, as defined in section 
                11101 of title 40;
                    ``(B) information systems, as defined in section 
                3502 of title 44; and
                    ``(C) telecommunications equipment and 
                telecommunications services, as those terms are defined 
                in section 3 of the Communications Act of 1934 (47 
                U.S.C. 153).
            ``(6) Supply chain risk.--The term `supply chain risk' 
        means the risk that any person may sabotage, maliciously 
        introduce unwanted function, extract data, or otherwise 
        manipulate the design, integrity, manufacturing, production, 
        distribution, installation, operation, maintenance, 
        disposition, or retirement of covered articles so as to 
        surveil, deny, disrupt, or otherwise manipulate the function, 
        use, or operation of the covered articles or information stored 
        or transmitted on the covered articles.
            ``(7) Executive agency.--Notwithstanding section 
        3101(c)(1), this section applies to the Department of Defense, 
        the Coast Guard, and the National Aeronautics and Space 
        Administration.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 47 of such title is amended by adding at the end the following 
new item:

``Sec. 4713. Authorities relating to mitigating supply chain risks in 
                            the procurement of covered articles.''.
    (c) Effective Date.--The amendments made by this section shall take 
effect on the date that is 90 days after the date of the enactment of 
this Act and shall apply to contracts that are awarded before, on, or 
after that date.

SEC. 4. FEDERAL INFORMATION SECURITY MODERNIZATION ACT.

    (a) In General.--Title 44, United States Code, is amended--
            (1) in section 3553(a)(5), by inserting ``and section 1326 
        of title 41'' after ``compliance with the requirements of this 
        subchapter''; and
            (2) in section 3554(a)(1)(B)--
                    (A) by inserting ``, subchapter III of chapter 13 
                of title 41,'' after ``complying with the requirements 
                of this subchapter'';
                    (B) in clause (iv), by striking ``; and'' and 
                inserting a semicolon; and
                    (C) by adding at the end the following new clause:
                            ``(vi) responsibilities relating to 
                        assessing and avoiding, mitigating, 
                        transferring, or accepting supply chain risks 
                        under section 1326 of title 41, and complying 
                        with exclusion and removal orders issued under 
                        section 1323 of such title; and''.
    (b) Rule of Construction.--Nothing in this Act shall be construed 
to alter or impede any authority or responsibility under section 3553 
of title 44, United States Code.

SEC. 5. EFFECTIVE DATE.

    This Act shall take effect on the date that is 90 days after the 
date of the enactment of this Act.

            Passed the Senate December 18, 2018.

            Attest:

                                                             Secretary.