[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 3085 Introduced in Senate (IS)]

115th CONGRESS
  2d Session
                                S. 3085

  To establish a Federal Acquisition Security Council and to provide 
executive agencies with authorities relating to mitigating supply chain 
   risks in the procurement of information technology, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 19, 2018

Mrs. McCaskill (for herself and Mr. Lankford) introduced the following 
 bill; which was read twice and referred to the Committee on Homeland 
                   Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
  To establish a Federal Acquisition Security Council and to provide 
executive agencies with authorities relating to mitigating supply chain 
   risks in the procurement of information technology, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Acquisition Supply Chain 
Security Act of 2018''.

SEC. 2. FEDERAL ACQUISITION SECURITY COUNCIL.

    (a) In General.--Chapter 13 of title 41, United States Code, is 
amended by adding at the end the following new subchapter:

         ``Subchapter III--Federal Acquisition Security Council

``Sec. 1321. Definitions
    ``In this subchapter:
            ``(1) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on the Judiciary, 
                the Committee on Armed Services, the Committee on 
                Appropriations, the Select Committee on Intelligence, 
                and the majority and minority leader of the Senate; and
                    ``(B) the Committee on Oversight and Government 
                Reform, the Committee on the Judiciary, the Committee 
                on Armed Services, the Committee on Appropriations, the 
                Committee on Homeland Security, the Permanent Select 
                Committee on Intelligence, and the Speaker and minority 
                leader of the House of Representatives.
            ``(2) Council.--The term `Council' means the Federal 
        Acquisition Security Council established under section 1322(a).
            ``(3) Information technology.--The term `information 
        technology' has the meaning given that term in section 11101 of 
        title 40.
            ``(4) Supply chain risk.--The term `supply chain risk' has 
        the meaning given that term in section 4713.
``Sec. 1322. Establishment and membership
    ``(a) Establishment.--There is established in the executive branch 
a Federal Acquisition Security Council.
    ``(b) Membership.--
            ``(1) In general.--The following agencies shall be 
        represented on the Council:
                    ``(A) The Office of Management and Budget.
                    ``(B) The General Services Administration.
                    ``(C) The Department of Homeland Security.
                    ``(D) The Office of the Director of National 
                Intelligence.
                    ``(E) The Federal Bureau of Investigation.
                    ``(F) The Department of Defense.
                    ``(G) The National Institute of Standards and 
                Technology.
                    ``(H) Such other executive agencies as determined 
                by the Chairperson of the Council.
            ``(2) Lead representatives.--
                    ``(A) Designation.--
                            ``(i) In general.--The head of each agency 
                        represented on the Council shall designate a 
                        representative of that agency as the lead 
                        representative of the agency on the Council not 
                        later than 90 days after the date of the 
                        enactment of the Federal Acquisition Supply 
                        Chain Security Act of 2018.
                            ``(ii) Requirements.--The representative of 
                        an agency designated under clause (i) shall 
                        have expertise in supply chain risk management, 
                        acquisitions, or information technology.
                    ``(B) Functions.--The lead representative of an 
                agency designated under subparagraph (A) shall ensure 
                that appropriate personnel, including leadership and 
                subject matter experts of the agency, are aware of the 
                business of the Council.
    ``(c) Chairperson.--
            ``(1) Designation.--The Director of the Office of 
        Management and Budget shall designate a senior-level official 
        from the Office of Management and Budget to serve as the 
        Chairperson of the Council not later than 90 days after the 
        date of the enactment of the Federal Acquisition Supply Chain 
        Security Act of 2018.
            ``(2) Functions.--The Chairperson shall perform functions 
        that include--
                    ``(A) subject to subsection (d), developing a 
                schedule for meetings of the Council;
                    ``(B) designating executive agencies to be 
                represented on the Council under subsection (b)(1)(H);
                    ``(C) in consultation with the lead representative 
                of each agency represented on the Council, developing a 
                charter for the Council; and
                    ``(D) not later than 7 days after completion of the 
                charter, submitting the charter to the appropriate 
                congressional committees.
    ``(d) Meetings.--The Council shall meet not later than 180 days 
after the date of the enactment of the Federal Acquisition Supply Chain 
Security Act of 2018 and not less frequently than quarterly thereafter.
``Sec. 1323. Functions
    ``(a) In General.--The Council shall perform functions that include 
the following:
            ``(1) Developing criteria and processes--
                    ``(A) for assessing threats and vulnerabilities 
                relating to supply chain risk posed by the acquisition 
                of information technology to national security and the 
                public interest; and
                    ``(B) for sharing information among executive 
                agencies, including the intelligence community, and the 
                private sector where appropriate, with respect to 
                assessments of that risk.
            ``(2) Defining the responsibilities of executive agencies, 
        consistent with existing law, for management of such 
        assessments.
            ``(3) Issuing guidance to executive agencies for 
        incorporating information relating to supply chain risks and 
        other relevant information into procurement decisions for the 
        protection of national security and the public interest.
            ``(4) Developing standards and measures for supply chain 
        risk management, including assessments, evaluations, 
        mitigation, and response that take into consideration national 
        security and other factors relevant to the public interest.
            ``(5) Consulting, as appropriate, with the private sector 
        and other nongovernmental stakeholders on issues relating to 
        the management of supply chain risks posed by the acquisition 
        of information technology.
            ``(6) Determining whether the exclusion of a source made by 
        one executive agency should apply to all executive agencies 
        upon receiving a notification under section 4713 and carrying 
        out such other actions as are agreed upon by the Council.
    ``(b) Authority To Request Information.--The Council may request 
such information from executive agencies as is necessary for the 
Council to carry out its functions under subsection (a).
    ``(c) Program Office.--The Council may establish a program office 
to assist the Council in carrying out its functions under subsection 
(a).
    ``(d) Relationship to Other Councils.--The Council shall consult 
and coordinate with other relevant councils to the maximum extent 
practicable.
    ``(e) Rule of Construction.--Nothing in this section shall limit 
the authority of the Office of Federal Procurement Policy to carry out 
the responsibilities of that Office under any other provision of law.
``Sec. 1324. Strategic plan
    ``(a) In General.--Not later than 180 days after the date of the 
enactment of the Federal Acquisition Supply Chain Security Act of 2018, 
the Council shall develop a strategic plan for addressing supply chain 
risks posed by the acquisition of information technology and for 
managing such risks that includes--
            ``(1) the criteria and processes required under section 
        1323(a)(1), including a threshold and requirements for sharing 
        relevant information about such risks with all executive 
        agencies;
            ``(2) an identification of existing authorities for 
        addressing such risks;
            ``(3) an identification and promulgation of best practices 
        and procedures and available resources for executive agencies 
        to assess and mitigate such risks;
            ``(4) recommendations for any legislative, regulatory, or 
        other policy changes to improve efforts to address such risks;
            ``(5) an evaluation of the effect of implementing new 
        policies or procedures on existing contracts and the 
        procurement process;
            ``(6) a plan for engaging with executive agencies, the 
        private sector, and other nongovernmental stakeholders to 
        address such risks; and
            ``(7) plans to strengthen the capacity of all executive 
        agencies to conduct assessments of--
                    ``(A) the supply chain risk posed by the 
                acquisition of information technology; and
                    ``(B) compliance with the requirements of this 
                subchapter.
    ``(b) Submission to Congress.--Not later than 7 days after 
completion of the strategic plan required by subsection (a), the 
Chairperson of the Council shall submit the plan to the appropriate 
congressional committees.
``Sec. 1325. Annual report
    ``Not later than December 31 of each year, the Chairperson of the 
Council shall submit to the appropriate congressional committees a 
report on the activities of the Council during the preceding 12-month 
period.
``Sec. 1326. Requirements for executive agencies
    ``(a) In General.--The head of each executive agency shall--
            ``(1) be responsible for conducting assessments of the 
        supply chain risks posed by the acquisition of information 
        technology by that agency, developing mitigation and response 
        requirements, and ensuring ongoing management of such risks;
            ``(2) share relevant information with other executive 
        agencies as determined appropriate by the Administrator in a 
        manner consistent with section 1323; and
            ``(3) ensure that all relevant information, including 
        classified information, with respect to acquisitions of 
        information technology that may pose a supply chain risk, 
        consistent with section 1323(a)(1), is incorporated into 
        existing processes of the agency for conducting assessments 
        described in paragraph (1) and ongoing management of 
        acquisition programs, including any identification, 
        investigation, mitigation, or remediation needs.
    ``(b) Interagency Acquisitions.--
            ``(1) In general.--Except as provided in paragraph (2), in 
        the case of an interagency acquisition, subsection (a) shall be 
        carried out by the head of the executive agency the funds of 
        which are obligated or expended to conduct the acquisition.
            ``(2) Assisted acquisitions.--In an assisted acquisition, 
        the parties to the acquisition shall determine, as part of the 
        interagency agreement governing the acquisition, which agency 
        is responsible for carrying out subsection (a).
            ``(3) Definitions.--In this subsection, the terms `assisted 
        acquisition' and `interagency acquisition' have the meanings 
        given those terms in section 2.101 of title 48, Code of Federal 
        Regulations (or any corresponding similar regulation or 
        ruling).
``Sec. 1327. Termination
    ``This subchapter shall terminate on the date that is 5 years after 
the date of the enactment of the Federal Acquisition Supply Chain 
Security Act of 2018.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 13 of such title is amended by adding at the end the following 
new items:

         ``subchapter iii--federal acquisition security council

``Sec.
``1321. Definitions.
``1322. Establishment and membership.
``1323. Functions.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Termination.''.
    (c) Effective Date.--The amendments made by this section shall take 
effect on the date that is 90 days after the date of the enactment of 
this Act.

SEC. 3. RISK ASSESSMENTS FOR INFORMATION TECHNOLOGY MADE AVAILABLE TO 
              OTHER AGENCIES.

    (a) In General.--Not later than one year after the date of the 
enactment of this Act, the head of any executive agency that makes 
information technology available for procurement by other executive 
agencies shall--
            (1) identify information technology products made available 
        to other agencies that pose the greatest risk to national 
        security or the public interest;
            (2) complete a risk assessment of information technology 
        products identified under paragraph (1);
            (3) in each case in which the head of the executive agency 
        identifies a significant supply chain risk posed by information 
        technology--
                    (A) make the risk assessment with respect to that 
                information technology available to all executive 
                agencies through the Federal Acquisition Security 
                Council established under subchapter III of chapter 13 
                of title 41, United States Code, as added by section 2; 
                and
                    (B) develop a plan to mitigate that risk; and
            (4) develop a vetting process for conducting supply chain 
        risk assessments with respect to prospective providers of 
        information technology and make the process available to all 
        executive agencies.
    (b) Assistance.--The Secretary of Homeland Security may--
            (1) assist executive agencies in conducting risk 
        assessments described in subsection (a) and implementing 
        mitigation requirements for information technology; and
            (2) provide such additional guidance or tools as are 
        necessary to support actions taken by executive agencies under 
        subsection (a).
    (c) Definitions.--In this section:
            (1) Executive agency.--The term ``executive agency'' has 
        the meaning given that term in section 133 of title 41, United 
        States Code.
            (2) Information technology.--The term ``information 
        technology'' has the meaning given that term in section 11101 
        of title 40, United States Code.
            (3) Supply chain risk.--The term ``supply chain risk'' has 
        the meaning given that term in section 4713 of title 41, United 
        States Code, as added by section 4.

SEC. 4. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO MITIGATING SUPPLY 
              CHAIN RISKS IN THE PROCUREMENT OF INFORMATION TECHNOLOGY.

    (a) In General.--Chapter 47 of title 41, United States Code, is 
amended by adding at the end the following new section:
``Sec. 4713. Authorities relating to mitigating supply chain risks in 
              the procurement of information technology
    ``(a) Authority.--Subject to subsection (b), the head of an 
executive agency may--
            ``(1) carry out a covered procurement action; and
            ``(2) limit, notwithstanding any other provision of law, in 
        whole or in part, the disclosure of information relating to the 
        basis for carrying out a covered procurement action.
    ``(b) Determination and Notification.--The head of an executive 
agency may exercise the authority provided in subsection (a) only 
after--
            ``(1) obtaining a joint recommendation by the senior 
        procurement executive and chief information officer of the 
        agency, or such other officials of the agency as the head of 
        the agency considers appropriate, that there is a significant 
        supply chain risk in a covered procurement;
            ``(2) making a determination in writing, in unclassified or 
        classified form, that--
                    ``(A) use of the authority under subsection (a)(1) 
                is necessary to protect national security or the public 
                interest by reducing supply chain risk; and
                    ``(B) in a case where the head of the agency plans 
                to limit disclosure of information under subsection 
                (a)(2), the risk to national security due to the 
                disclosure of such information outweighs the risk due 
                to not disclosing such information; and
            ``(3) providing a classified or unclassified notice of the 
        determination made under paragraph (2) not later than 30 days 
        after making that determination to the Federal Acquisition 
        Security Council that includes--
                    ``(A) a summary of the information required for the 
                purchase of property or services under this title and 
                any other applicable law relating to procurement; and
                    ``(B) a summary of the basis for the determination, 
                including a discussion of less intrusive measures that 
                were considered and why such measures were not 
                reasonably available to reduce supply chain risk.
    ``(c) Limitation on Disclosure.--If the head of an executive agency 
has exercised the authority provided in subsection (a)(2) to limit 
disclosure of information--
            ``(1) no procurement action undertaken by the head of the 
        agency under such authority shall be subject to review in a bid 
        protest before the Government Accountability Office or in any 
        Federal court; and
            ``(2) the head of the agency shall--
                    ``(A) notify appropriate parties of a covered 
                procurement action and the basis for the action only to 
                the extent necessary to effectuate the covered 
                procurement action;
                    ``(B) notify and follow notification protocols as 
                directed by the Federal Acquisition Security Council; 
                and
                    ``(C) ensure the confidentiality of any such 
                notifications.
    ``(d) Regulations.--The Federal Acquisition Regulatory Council 
shall prescribe such regulations as may be necessary to carry out this 
section.
    ``(e) Reports Required.--Not less frequently than annually, the 
head of each executive agency shall submit to the appropriate 
congressional committees a report summarizing the actions taken by the 
agency under this section during the preceding 12-month period.
    ``(f) Termination.--The authority provided under subsection (a) 
shall terminate on the date that is 5 years after the date of the 
enactment of the Federal Acquisition Supply Chain Security Act of 2018.
    ``(g) Definitions.--In this section:
            ``(1) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on the Judiciary, 
                the Committee on Appropriations, the Select Committee 
                on Intelligence, and the majority and minority leader 
                of the Senate; and
                    ``(B) the Committee on Oversight and Government 
                Reform, the Committee on the Judiciary, the Committee 
                on Appropriations, the Committee on Homeland Security, 
                the Permanent Select Committee on Intelligence, and the 
                Speaker and minority leader of the House of 
                Representatives.
            ``(2) Covered procurement.--The term `covered procurement' 
        means--
                    ``(A) a source selection for information technology 
                involving either a performance specification, as 
                provided in subsection (a)(3)(B) of section 3306 of 
                this title, or an evaluation factor, as provided in 
                subsection (b)(1)(A) of that section, relating to a 
                supply chain risk;
                    ``(B) the consideration of proposals for and 
                issuance of a task or delivery order for information 
                technology, as provided in section 4106(d)(3) of this 
                title, where the task or delivery order contract 
                includes a contract clause establishing a requirement 
                relating to a supply chain risk;
                    ``(C) any contract action involving a contract for 
                information technology where the contract includes a 
                clause establishing requirements relating to a supply 
                chain risk; or
                    ``(D) any other procurement in a category of 
                procurements determined appropriate by the Federal 
                Acquisition Regulatory Council, with the advice of the 
                Federal Acquisition Security Council.
            ``(3) Covered procurement action.--The term `covered 
        procurement action' means any of the following actions, if the 
        action takes place in the course of conducting a covered 
        procurement:
                    ``(A) The exclusion of a source that fails to meet 
                qualification requirements established under section 
                3311 of this title for the purpose of reducing supply 
                chain risk in the acquisition of information 
                technology.
                    ``(B) The exclusion of a source that fails to 
                achieve an acceptable rating with regard to an 
                evaluation factor providing for the consideration of 
                supply chain risk in the evaluation of proposals for 
                the award of a contract or the issuance of a task or 
                delivery order.
                    ``(C) The decision to withhold consent for a 
                contractor to subcontract with a particular source or 
                to direct a contractor to exclude a particular source 
                from consideration for a subcontract under the 
                contract.
            ``(4) Information technology.--The term `information 
        technology' has the meaning given that term in section 11101 of 
        title 40.
            ``(5) Supply chain risk.--The term `supply chain risk' 
        means the risk that any person may sabotage, maliciously 
        introduce unwanted function, extract data, or otherwise 
        manipulate the design, integrity, manufacturing, production, 
        distribution, installation, operation, maintenance, 
        disposition, or retirement of information technology so as to 
        surveil, deny, disrupt, or otherwise manipulate the function, 
        use, or operation of the information technology.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 47 of such title is amended by adding at the end the following 
new item:

``4713. Authorities relating to mitigating supply chain risks in the 
                            procurement of information technology.''.
    (c) Effective Date.--The amendments made by this section shall take 
effect on the date that is 180 days after the date of the enactment of 
this Act and shall apply to contracts that are awarded before, on, or 
after that date.