[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 3085 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 666
115th CONGRESS
  2d Session
                                S. 3085

  To establish a Federal Acquisition Security Council and to provide 
executive agencies with authorities relating to mitigating supply chain 
   risks in the procurement of information technology, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 19, 2018

Mrs. McCaskill (for herself and Mr. Lankford) introduced the following 
 bill; which was read twice and referred to the Committee on Homeland 
                   Security and Governmental Affairs

                           November 26, 2018

               Reported by Mr. Johnson, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
  To establish a Federal Acquisition Security Council and to provide 
executive agencies with authorities relating to mitigating supply chain 
   risks in the procurement of information technology, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Federal Acquisition Supply 
Chain Security Act of 2018''.</DELETED>

<DELETED>SEC. 2. FEDERAL ACQUISITION SECURITY COUNCIL.</DELETED>

<DELETED>    (a) In General.--Chapter 13 of title 41, United States 
Code, is amended by adding at the end the following new 
subchapter:</DELETED>

        <DELETED>``Subchapter III--Federal Acquisition Security 
                           Council</DELETED>

<DELETED>``Sec. 1321. Definitions</DELETED>
<DELETED>    ``In this subchapter:</DELETED>
        <DELETED>    ``(1) Appropriate congressional committees.--The 
        term `appropriate congressional committees' means--</DELETED>
                <DELETED>    ``(A) the Committee on Homeland Security 
                and Governmental Affairs, the Committee on the 
                Judiciary, the Committee on Armed Services, the 
                Committee on Appropriations, the Select Committee on 
                Intelligence, and the majority and minority leader of 
                the Senate; and</DELETED>
                <DELETED>    ``(B) the Committee on Oversight and 
                Government Reform, the Committee on the Judiciary, the 
                Committee on Armed Services, the Committee on 
                Appropriations, the Committee on Homeland Security, the 
                Permanent Select Committee on Intelligence, and the 
                Speaker and minority leader of the House of 
                Representatives.</DELETED>
        <DELETED>    ``(2) Council.--The term `Council' means the 
        Federal Acquisition Security Council established under section 
        1322(a).</DELETED>
        <DELETED>    ``(3) Information technology.--The term 
        `information technology' has the meaning given that term in 
        section 11101 of title 40.</DELETED>
        <DELETED>    ``(4) Supply chain risk.--The term `supply chain 
        risk' has the meaning given that term in section 
        4713.</DELETED>
<DELETED>``Sec. 1322. Establishment and membership</DELETED>
<DELETED>    ``(a) Establishment.--There is established in the 
executive branch a Federal Acquisition Security Council.</DELETED>
<DELETED>    ``(b) Membership.--</DELETED>
        <DELETED>    ``(1) In general.--The following agencies shall be 
        represented on the Council:</DELETED>
                <DELETED>    ``(A) The Office of Management and 
                Budget.</DELETED>
                <DELETED>    ``(B) The General Services 
                Administration.</DELETED>
                <DELETED>    ``(C) The Department of Homeland 
                Security.</DELETED>
                <DELETED>    ``(D) The Office of the Director of 
                National Intelligence.</DELETED>
                <DELETED>    ``(E) The Federal Bureau of 
                Investigation.</DELETED>
                <DELETED>    ``(F) The Department of Defense.</DELETED>
                <DELETED>    ``(G) The National Institute of Standards 
                and Technology.</DELETED>
                <DELETED>    ``(H) Such other executive agencies as 
                determined by the Chairperson of the Council.</DELETED>
        <DELETED>    ``(2) Lead representatives.--</DELETED>
                <DELETED>    ``(A) Designation.--</DELETED>
                        <DELETED>    ``(i) In general.--The head of 
                        each agency represented on the Council shall 
                        designate a representative of that agency as 
                        the lead representative of the agency on the 
                        Council not later than 90 days after the date 
                        of the enactment of the Federal Acquisition 
                        Supply Chain Security Act of 2018.</DELETED>
                        <DELETED>    ``(ii) Requirements.--The 
                        representative of an agency designated under 
                        clause (i) shall have expertise in supply chain 
                        risk management, acquisitions, or information 
                        technology.</DELETED>
                <DELETED>    ``(B) Functions.--The lead representative 
                of an agency designated under subparagraph (A) shall 
                ensure that appropriate personnel, including leadership 
                and subject matter experts of the agency, are aware of 
                the business of the Council.</DELETED>
<DELETED>    ``(c) Chairperson.--</DELETED>
        <DELETED>    ``(1) Designation.--The Director of the Office of 
        Management and Budget shall designate a senior-level official 
        from the Office of Management and Budget to serve as the 
        Chairperson of the Council not later than 90 days after the 
        date of the enactment of the Federal Acquisition Supply Chain 
        Security Act of 2018.</DELETED>
        <DELETED>    ``(2) Functions.--The Chairperson shall perform 
        functions that include--</DELETED>
                <DELETED>    ``(A) subject to subsection (d), 
                developing a schedule for meetings of the 
                Council;</DELETED>
                <DELETED>    ``(B) designating executive agencies to be 
                represented on the Council under subsection 
                (b)(1)(H);</DELETED>
                <DELETED>    ``(C) in consultation with the lead 
                representative of each agency represented on the 
                Council, developing a charter for the Council; 
                and</DELETED>
                <DELETED>    ``(D) not later than 7 days after 
                completion of the charter, submitting the charter to 
                the appropriate congressional committees.</DELETED>
<DELETED>    ``(d) Meetings.--The Council shall meet not later than 180 
days after the date of the enactment of the Federal Acquisition Supply 
Chain Security Act of 2018 and not less frequently than quarterly 
thereafter.</DELETED>
<DELETED>``Sec. 1323. Functions</DELETED>
<DELETED>    ``(a) In General.--The Council shall perform functions 
that include the following:</DELETED>
        <DELETED>    ``(1) Developing criteria and processes--
        </DELETED>
                <DELETED>    ``(A) for assessing threats and 
                vulnerabilities relating to supply chain risk posed by 
                the acquisition of information technology to national 
                security and the public interest; and</DELETED>
                <DELETED>    ``(B) for sharing information among 
                executive agencies, including the intelligence 
                community, and the private sector where appropriate, 
                with respect to assessments of that risk.</DELETED>
        <DELETED>    ``(2) Defining the responsibilities of executive 
        agencies, consistent with existing law, for management of such 
        assessments.</DELETED>
        <DELETED>    ``(3) Issuing guidance to executive agencies for 
        incorporating information relating to supply chain risks and 
        other relevant information into procurement decisions for the 
        protection of national security and the public 
        interest.</DELETED>
        <DELETED>    ``(4) Developing standards and measures for supply 
        chain risk management, including assessments, evaluations, 
        mitigation, and response that take into consideration national 
        security and other factors relevant to the public 
        interest.</DELETED>
        <DELETED>    ``(5) Consulting, as appropriate, with the private 
        sector and other nongovernmental stakeholders on issues 
        relating to the management of supply chain risks posed by the 
        acquisition of information technology.</DELETED>
        <DELETED>    ``(6) Determining whether the exclusion of a 
        source made by one executive agency should apply to all 
        executive agencies upon receiving a notification under section 
        4713 and carrying out such other actions as are agreed upon by 
        the Council.</DELETED>
<DELETED>    ``(b) Authority To Request Information.--The Council may 
request such information from executive agencies as is necessary for 
the Council to carry out its functions under subsection (a).</DELETED>
<DELETED>    ``(c) Program Office.--The Council may establish a program 
office to assist the Council in carrying out its functions under 
subsection (a).</DELETED>
<DELETED>    ``(d) Relationship to Other Councils.--The Council shall 
consult and coordinate with other relevant councils to the maximum 
extent practicable.</DELETED>
<DELETED>    ``(e) Rule of Construction.--Nothing in this section shall 
limit the authority of the Office of Federal Procurement Policy to 
carry out the responsibilities of that Office under any other provision 
of law.</DELETED>
<DELETED>``Sec. 1324. Strategic plan</DELETED>
<DELETED>    ``(a) In General.--Not later than 180 days after the date 
of the enactment of the Federal Acquisition Supply Chain Security Act 
of 2018, the Council shall develop a strategic plan for addressing 
supply chain risks posed by the acquisition of information technology 
and for managing such risks that includes--</DELETED>
        <DELETED>    ``(1) the criteria and processes required under 
        section 1323(a)(1), including a threshold and requirements for 
        sharing relevant information about such risks with all 
        executive agencies;</DELETED>
        <DELETED>    ``(2) an identification of existing authorities 
        for addressing such risks;</DELETED>
        <DELETED>    ``(3) an identification and promulgation of best 
        practices and procedures and available resources for executive 
        agencies to assess and mitigate such risks;</DELETED>
        <DELETED>    ``(4) recommendations for any legislative, 
        regulatory, or other policy changes to improve efforts to 
        address such risks;</DELETED>
        <DELETED>    ``(5) an evaluation of the effect of implementing 
        new policies or procedures on existing contracts and the 
        procurement process;</DELETED>
        <DELETED>    ``(6) a plan for engaging with executive agencies, 
        the private sector, and other nongovernmental stakeholders to 
        address such risks; and</DELETED>
        <DELETED>    ``(7) plans to strengthen the capacity of all 
        executive agencies to conduct assessments of--</DELETED>
                <DELETED>    ``(A) the supply chain risk posed by the 
                acquisition of information technology; and</DELETED>
                <DELETED>    ``(B) compliance with the requirements of 
                this subchapter.</DELETED>
<DELETED>    ``(b) Submission to Congress.--Not later than 7 days after 
completion of the strategic plan required by subsection (a), the 
Chairperson of the Council shall submit the plan to the appropriate 
congressional committees.</DELETED>
<DELETED>``Sec. 1325. Annual report</DELETED>
<DELETED>    ``Not later than December 31 of each year, the Chairperson 
of the Council shall submit to the appropriate congressional committees 
a report on the activities of the Council during the preceding 12-month 
period.</DELETED>
<DELETED>``Sec. 1326. Requirements for executive agencies</DELETED>
<DELETED>    ``(a) In General.--The head of each executive agency 
shall--</DELETED>
        <DELETED>    ``(1) be responsible for conducting assessments of 
        the supply chain risks posed by the acquisition of information 
        technology by that agency, developing mitigation and response 
        requirements, and ensuring ongoing management of such 
        risks;</DELETED>
        <DELETED>    ``(2) share relevant information with other 
        executive agencies as determined appropriate by the 
        Administrator in a manner consistent with section 1323; 
        and</DELETED>
        <DELETED>    ``(3) ensure that all relevant information, 
        including classified information, with respect to acquisitions 
        of information technology that may pose a supply chain risk, 
        consistent with section 1323(a)(1), is incorporated into 
        existing processes of the agency for conducting assessments 
        described in paragraph (1) and ongoing management of 
        acquisition programs, including any identification, 
        investigation, mitigation, or remediation needs.</DELETED>
<DELETED>    ``(b) Interagency Acquisitions.--</DELETED>
        <DELETED>    ``(1) In general.--Except as provided in paragraph 
        (2), in the case of an interagency acquisition, subsection (a) 
        shall be carried out by the head of the executive agency the 
        funds of which are obligated or expended to conduct the 
        acquisition.</DELETED>
        <DELETED>    ``(2) Assisted acquisitions.--In an assisted 
        acquisition, the parties to the acquisition shall determine, as 
        part of the interagency agreement governing the acquisition, 
        which agency is responsible for carrying out subsection 
        (a).</DELETED>
        <DELETED>    ``(3) Definitions.--In this subsection, the terms 
        `assisted acquisition' and `interagency acquisition' have the 
        meanings given those terms in section 2.101 of title 48, Code 
        of Federal Regulations (or any corresponding similar regulation 
        or ruling).</DELETED>
<DELETED>``Sec. 1327. Termination</DELETED>
<DELETED>    ``This subchapter shall terminate on the date that is 5 
years after the date of the enactment of the Federal Acquisition Supply 
Chain Security Act of 2018.''.</DELETED>
<DELETED>    (b) Clerical Amendment.--The table of sections at the 
beginning of chapter 13 of such title is amended by adding at the end 
the following new items:</DELETED>

    <DELETED> ``SUBCHAPTER III--FEDERAL ACQUISITION SECURITY COUNCIL</DELETED>

<DELETED>``Sec.</DELETED>
<DELETED>``1321. Definitions.</DELETED>
<DELETED>``1322. Establishment and membership.</DELETED>
<DELETED>``1323. Functions.</DELETED>
<DELETED>``1324. Strategic plan.</DELETED>
<DELETED>``1325. Annual report.</DELETED>
<DELETED>``1326. Requirements for executive agencies.</DELETED>
<DELETED>``1327. Termination.''.</DELETED>
<DELETED>    (c) Effective Date.--The amendments made by this section 
shall take effect on the date that is 90 days after the date of the 
enactment of this Act.</DELETED>

<DELETED>SEC. 3. RISK ASSESSMENTS FOR INFORMATION TECHNOLOGY MADE 
              AVAILABLE TO OTHER AGENCIES.</DELETED>

<DELETED>    (a) In General.--Not later than one year after the date of 
the enactment of this Act, the head of any executive agency that makes 
information technology available for procurement by other executive 
agencies shall--</DELETED>
        <DELETED>    (1) identify information technology products made 
        available to other agencies that pose the greatest risk to 
        national security or the public interest;</DELETED>
        <DELETED>    (2) complete a risk assessment of information 
        technology products identified under paragraph (1);</DELETED>
        <DELETED>    (3) in each case in which the head of the 
        executive agency identifies a significant supply chain risk 
        posed by information technology--</DELETED>
                <DELETED>    (A) make the risk assessment with respect 
                to that information technology available to all 
                executive agencies through the Federal Acquisition 
                Security Council established under subchapter III of 
                chapter 13 of title 41, United States Code, as added by 
                section 2; and</DELETED>
                <DELETED>    (B) develop a plan to mitigate that risk; 
                and</DELETED>
        <DELETED>    (4) develop a vetting process for conducting 
        supply chain risk assessments with respect to prospective 
        providers of information technology and make the process 
        available to all executive agencies.</DELETED>
<DELETED>    (b) Assistance.--The Secretary of Homeland Security may--
</DELETED>
        <DELETED>    (1) assist executive agencies in conducting risk 
        assessments described in subsection (a) and implementing 
        mitigation requirements for information technology; 
        and</DELETED>
        <DELETED>    (2) provide such additional guidance or tools as 
        are necessary to support actions taken by executive agencies 
        under subsection (a).</DELETED>
<DELETED>    (c) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Executive agency.--The term ``executive 
        agency'' has the meaning given that term in section 133 of 
        title 41, United States Code.</DELETED>
        <DELETED>    (2) Information technology.--The term 
        ``information technology'' has the meaning given that term in 
        section 11101 of title 40, United States Code.</DELETED>
        <DELETED>    (3) Supply chain risk.--The term ``supply chain 
        risk'' has the meaning given that term in section 4713 of title 
        41, United States Code, as added by section 4.</DELETED>

<DELETED>SEC. 4. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO 
              MITIGATING SUPPLY CHAIN RISKS IN THE PROCUREMENT OF 
              INFORMATION TECHNOLOGY.</DELETED>

<DELETED>    (a) In General.--Chapter 47 of title 41, United States 
Code, is amended by adding at the end the following new 
section:</DELETED>
<DELETED>``Sec. 4713. Authorities relating to mitigating supply chain 
              risks in the procurement of information 
              technology</DELETED>
<DELETED>    ``(a) Authority.--Subject to subsection (b), the head of 
an executive agency may--</DELETED>
        <DELETED>    ``(1) carry out a covered procurement action; 
        and</DELETED>
        <DELETED>    ``(2) limit, notwithstanding any other provision 
        of law, in whole or in part, the disclosure of information 
        relating to the basis for carrying out a covered procurement 
        action.</DELETED>
<DELETED>    ``(b) Determination and Notification.--The head of an 
executive agency may exercise the authority provided in subsection (a) 
only after--</DELETED>
        <DELETED>    ``(1) obtaining a joint recommendation by the 
        senior procurement executive and chief information officer of 
        the agency, or such other officials of the agency as the head 
        of the agency considers appropriate, that there is a 
        significant supply chain risk in a covered 
        procurement;</DELETED>
        <DELETED>    ``(2) making a determination in writing, in 
        unclassified or classified form, that--</DELETED>
                <DELETED>    ``(A) use of the authority under 
                subsection (a)(1) is necessary to protect national 
                security or the public interest by reducing supply 
                chain risk; and</DELETED>
                <DELETED>    ``(B) in a case where the head of the 
                agency plans to limit disclosure of information under 
                subsection (a)(2), the risk to national security due to 
                the disclosure of such information outweighs the risk 
                due to not disclosing such information; and</DELETED>
        <DELETED>    ``(3) providing a classified or unclassified 
        notice of the determination made under paragraph (2) not later 
        than 30 days after making that determination to the Federal 
        Acquisition Security Council that includes--</DELETED>
                <DELETED>    ``(A) a summary of the information 
                required for the purchase of property or services under 
                this title and any other applicable law relating to 
                procurement; and</DELETED>
                <DELETED>    ``(B) a summary of the basis for the 
                determination, including a discussion of less intrusive 
                measures that were considered and why such measures 
                were not reasonably available to reduce supply chain 
                risk.</DELETED>
<DELETED>    ``(c) Limitation on Disclosure.--If the head of an 
executive agency has exercised the authority provided in subsection 
(a)(2) to limit disclosure of information--</DELETED>
        <DELETED>    ``(1) no procurement action undertaken by the head 
        of the agency under such authority shall be subject to review 
        in a bid protest before the Government Accountability Office or 
        in any Federal court; and</DELETED>
        <DELETED>    ``(2) the head of the agency shall--</DELETED>
                <DELETED>    ``(A) notify appropriate parties of a 
                covered procurement action and the basis for the action 
                only to the extent necessary to effectuate the covered 
                procurement action;</DELETED>
                <DELETED>    ``(B) notify and follow notification 
                protocols as directed by the Federal Acquisition 
                Security Council; and</DELETED>
                <DELETED>    ``(C) ensure the confidentiality of any 
                such notifications.</DELETED>
<DELETED>    ``(d) Regulations.--The Federal Acquisition Regulatory 
Council shall prescribe such regulations as may be necessary to carry 
out this section.</DELETED>
<DELETED>    ``(e) Reports Required.--Not less frequently than 
annually, the head of each executive agency shall submit to the 
appropriate congressional committees a report summarizing the actions 
taken by the agency under this section during the preceding 12-month 
period.</DELETED>
<DELETED>    ``(f) Termination.--The authority provided under 
subsection (a) shall terminate on the date that is 5 years after the 
date of the enactment of the Federal Acquisition Supply Chain Security 
Act of 2018.</DELETED>
<DELETED>    ``(g) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) Appropriate congressional committees.--The 
        term `appropriate congressional committees' means--</DELETED>
                <DELETED>    ``(A) the Committee on Homeland Security 
                and Governmental Affairs, the Committee on the 
                Judiciary, the Committee on Appropriations, the Select 
                Committee on Intelligence, and the majority and 
                minority leader of the Senate; and</DELETED>
                <DELETED>    ``(B) the Committee on Oversight and 
                Government Reform, the Committee on the Judiciary, the 
                Committee on Appropriations, the Committee on Homeland 
                Security, the Permanent Select Committee on 
                Intelligence, and the Speaker and minority leader of 
                the House of Representatives.</DELETED>
        <DELETED>    ``(2) Covered procurement.--The term `covered 
        procurement' means--</DELETED>
                <DELETED>    ``(A) a source selection for information 
                technology involving either a performance 
                specification, as provided in subsection (a)(3)(B) of 
                section 3306 of this title, or an evaluation factor, as 
                provided in subsection (b)(1)(A) of that section, 
                relating to a supply chain risk;</DELETED>
                <DELETED>    ``(B) the consideration of proposals for 
                and issuance of a task or delivery order for 
                information technology, as provided in section 
                4106(d)(3) of this title, where the task or delivery 
                order contract includes a contract clause establishing 
                a requirement relating to a supply chain 
                risk;</DELETED>
                <DELETED>    ``(C) any contract action involving a 
                contract for information technology where the contract 
                includes a clause establishing requirements relating to 
                a supply chain risk; or</DELETED>
                <DELETED>    ``(D) any other procurement in a category 
                of procurements determined appropriate by the Federal 
                Acquisition Regulatory Council, with the advice of the 
                Federal Acquisition Security Council.</DELETED>
        <DELETED>    ``(3) Covered procurement action.--The term 
        `covered procurement action' means any of the following 
        actions, if the action takes place in the course of conducting 
        a covered procurement:</DELETED>
                <DELETED>    ``(A) The exclusion of a source that fails 
                to meet qualification requirements established under 
                section 3311 of this title for the purpose of reducing 
                supply chain risk in the acquisition of information 
                technology.</DELETED>
                <DELETED>    ``(B) The exclusion of a source that fails 
                to achieve an acceptable rating with regard to an 
                evaluation factor providing for the consideration of 
                supply chain risk in the evaluation of proposals for 
                the award of a contract or the issuance of a task or 
                delivery order.</DELETED>
                <DELETED>    ``(C) The decision to withhold consent for 
                a contractor to subcontract with a particular source or 
                to direct a contractor to exclude a particular source 
                from consideration for a subcontract under the 
                contract.</DELETED>
        <DELETED>    ``(4) Information technology.--The term 
        `information technology' has the meaning given that term in 
        section 11101 of title 40.</DELETED>
        <DELETED>    ``(5) Supply chain risk.--The term `supply chain 
        risk' means the risk that any person may sabotage, maliciously 
        introduce unwanted function, extract data, or otherwise 
        manipulate the design, integrity, manufacturing, production, 
        distribution, installation, operation, maintenance, 
        disposition, or retirement of information technology so as to 
        surveil, deny, disrupt, or otherwise manipulate the function, 
        use, or operation of the information technology.''.</DELETED>
<DELETED>    (b) Clerical Amendment.--The table of sections at the 
beginning of chapter 47 of such title is amended by adding at the end 
the following new item:</DELETED>

<DELETED>``4713. Authorities relating to mitigating supply chain risks 
                            in the procurement of information 
                            technology.''.</DELETED>
<DELETED>    (c) Effective Date.--The amendments made by this section 
shall take effect on the date that is 180 days after the date of the 
enactment of this Act and shall apply to contracts that are awarded 
before, on, or after that date.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Acquisition Supply Chain 
Security Act of 2018''.

SEC. 2. FEDERAL ACQUISITION SUPPLY CHAIN SECURITY.

    (a) In General.--Chapter 13 of title 41, United States Code, is 
amended by adding at the end the following new subchapter:

      ``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY

``Sec. 1321. Definitions
    ``In this subchapter:
            ``(1) Appropriate congressional committees and 
        leadership.--The term `appropriate congressional committees and 
        leadership' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on the Judiciary, 
                the Committee on Armed Services, the Committee on 
                Appropriations, the Select Committee on Intelligence, 
                and the majority and minority leader of the Senate; and
                    ``(B) the Committee on Oversight and Government 
                Reform, the Committee on the Judiciary, the Committee 
                on Armed Services, the Committee on Appropriations, the 
                Committee on Homeland Security, the Permanent Select 
                Committee on Intelligence, and the Speaker and minority 
                leader of the House of Representatives.
            ``(2) Council.--The term `Council' means the Federal 
        Acquisition Security Council established under section 1322(a) 
        of this title.
            ``(3) Covered article.--The term `covered article' has the 
        meaning given that term in section 4713 of this title.
            ``(4) Covered procurement action.--The term `covered 
        procurement action' has the meaning given that term in section 
        4713 of this title.
            ``(5) Information and communications technology.--The term 
        `information and communications technology' has the meaning 
        given that term in section 4713 of this title.
            ``(6) Intelligence community.--The term `intelligence 
        community' has the meaning given that term in section 3(4) of 
        the National Security Act of 1947 (50 U.S.C. 3003(4)).
            ``(7) National security system.--The term `national 
        security system' has the meaning given that term in section 
        3552 of title 44.
            ``(8) Supply chain risk.--The term `supply chain risk' has 
        the meaning given that term in section 4713 of this title.
``Sec. 1322. Federal Acquisition Security Council establishment and 
              membership
    ``(a) Establishment.--There is established in the executive branch 
a Federal Acquisition Security Council.
    ``(b) Membership.--
            ``(1) In general.--The following agencies shall be 
        represented on the Council:
                    ``(A) The Office of Management and Budget.
                    ``(B) The General Services Administration.
                    ``(C) The Department of Homeland Security.
                    ``(D) The Office of the Director of National 
                Intelligence, including the National 
                Counterintelligence and Security Center.
                    ``(E) The Department of Justice, including the 
                Federal Bureau of Investigation.
                    ``(F) The Department of Defense, including the 
                National Security Agency.
                    ``(G) The Department of Commerce, including the 
                National Institute of Standards and Technology.
                    ``(H) Such other executive agencies as determined 
                by the Chairperson of the Council.
            ``(2) Lead representatives.--
                    ``(A) Designation.--
                            ``(i) In general.--Not later than 90 days 
                        after the date of the enactment of the Federal 
                        Acquisition Supply Chain Security Act of 2018, 
                        the head of each agency represented on the 
                        Council shall designate a representative of 
                        that agency as the lead representative of the 
                        agency on the Council.
                            ``(ii) Requirements.--The representative of 
                        an agency designated under clause (i) shall 
                        have expertise in supply chain risk management, 
                        acquisitions, or information and communications 
                        technology.
                    ``(B) Functions.--The lead representative of an 
                agency designated under subparagraph (A) shall ensure 
                that appropriate personnel, including leadership and 
                subject matter experts of the agency, are aware of the 
                business of the Council.
    ``(c) Chairperson.--
            ``(1) Designation.--Not later than 90 days after the date 
        of the enactment of the Federal Acquisition Supply Chain 
        Security Act of 2018, the Director of the Office of Management 
        and Budget shall designate a senior-level official from the 
        Office of Management and Budget to serve as the Chairperson of 
        the Council.
            ``(2) Functions.--The Chairperson shall perform functions 
        that include--
                    ``(A) subject to subsection (d), developing a 
                schedule for meetings of the Council;
                    ``(B) designating executive agencies to be 
                represented on the Council under subsection (b)(1)(H);
                    ``(C) in consultation with the lead representative 
                of each agency represented on the Council, developing a 
                charter for the Council; and
                    ``(D) not later than 7 days after completion of the 
                charter, submitting the charter to the appropriate 
                congressional committees and leadership.
    ``(d) Meetings.--The Council shall meet not later than 180 days 
after the date of the enactment of the Federal Acquisition Supply Chain 
Security Act of 2018 and not less frequently than quarterly thereafter.
``Sec. 1323. Functions and authorities
    ``(a) In General.--The Council shall perform functions that include 
the following:
            ``(1) Identifying and recommending development by the 
        National Institute of Standards and Technology of supply chain 
        risk management standards, guidelines, and practices for 
        executive agencies to use when assessing and developing 
        mitigation strategies to address supply chain risks, 
        particularly in the acquisition and use of covered articles 
        under section 1326(a) of this title.
            ``(2) Identifying or developing criteria for sharing 
        information with respect to supply chain risk, including 
        information related to the exercise of authorities provided 
        under this section and sections 1326 and 4713 of this title. At 
        a minimum, such criteria shall address--
                    ``(A) the content to be shared;
                    ``(B) the circumstances under which sharing is 
                mandated or voluntary; and
                    ``(C) the circumstances under which it is 
                appropriate for an executive agency to rely on 
                information made available through such sharing in 
                exercising the responsibilities and authorities 
                provided under this section and section 4713 of this 
                title.
            ``(3) Identifying an appropriate executive agency to--
                    ``(A) accept information submitted by executive 
                agencies based on the criteria established under 
                paragraph (2);
                    ``(B) facilitate the sharing of information 
                received under subparagraph (A) to support supply chain 
                risk analyses under section 1326 of this title, 
                recommendations under this section, and covered 
                procurement actions under section 4713 of this title;
                    ``(C) share with the Council information regarding 
                covered procurement actions by executive agencies taken 
                under section 4713 of this title; and
                    ``(D) inform the Council of orders issued under 
                this section.
            ``(4) Identifying, as appropriate, executive agencies to 
        provide--
                    ``(A) shared services, such as support for making 
                risk assessments, validation of products that may be 
                suitable for acquisition, and mitigation activities; 
                and
                    ``(B) common contract solutions to support supply 
                chain risk management activities, such as subscription 
                services or machine-learning-enhanced analysis 
                applications to support informed decision making.
            ``(5) Identifying and issuing guidance on additional steps 
        that may be necessary to address supply chain risks arising in 
        the course of executive agencies providing shared services, 
        common contract solutions, acquisitions vehicles, or assisted 
        acquisitions.
            ``(6) Engaging, as appropriate, with the private sector and 
        other nongovernmental stakeholders on issues relating to the 
        management of supply chain risks posed by the acquisition of 
        covered articles.
            ``(7) Carrying out such other actions, as determined by the 
        Council, that are necessary to reduce the supply chain risks 
        posed by acquisitions and use of covered articles.
    ``(b) Program Office and Committees.--The Council may establish a 
program office and any committees, working groups, or other constituent 
bodies the Council deems appropriate, in its sole and unreviewable 
discretion, to carry out its functions.
    ``(c) Authority for Exclusion or Removal Orders.--
            ``(1) Criteria.--To reduce supply chain risk, the Council 
        shall establish criteria and procedures for--
                    ``(A) recommending orders applicable to executive 
                agencies requiring the exclusion of sources or covered 
                articles from executive agency procurement actions (in 
                this section referred to as `exclusion orders');
                    ``(B) recommending orders applicable to executive 
                agencies requiring the removal of covered articles from 
                executive agency information systems (in this section 
                referred to as `removal orders');
                    ``(C) requesting and approving exceptions to an 
                issued exclusion or removal order when warranted by 
                circumstances, including alternative mitigation 
                actions; and
                    ``(D) ensuring that recommended orders do not 
                conflict with standards and guidelines issued under 
                section 11331 of title 40 and that the Council consults 
                with the Director of the National Institute of 
                Standards and Technology regarding any recommended 
                orders that would implement standards and guidelines 
                developed by the National Institute of Standards and 
                Technology.
            ``(2) Recommendations.--The Council shall use the criteria 
        established under paragraph (1), information made available 
        under subsection (a)(3), and any other information the Council 
        determines appropriate to issue recommendations, for 
        application to executive agencies or any subset thereof, 
        regarding the exclusion of sources or covered articles from any 
        executive agency procurement action, including source selection 
        and consent for a contractor to subcontract, or the removal of 
        covered articles from executive agency information systems. 
        Such recommendations shall include--
                    ``(A) information necessary to positively identify 
                the sources or covered articles recommended for 
                exclusion or removal;
                    ``(B) information regarding the scope and 
                applicability of the recommended exclusion or removal 
                order;
                    ``(C) a summary of any risk assessment reviewed or 
                conducted in support of the recommended exclusion or 
                removal order;
                    ``(D) a summary of the basis for the 
                recommendation, including a discussion of less 
                intrusive measures that were considered and why such 
                measures were not reasonably available to reduce supply 
                chain risk;
                    ``(E) a description of the actions necessary to 
                implement the recommended exclusion or removal order; 
                and
                    ``(F) where practicable, in the Council's sole and 
                unreviewable discretion, a description of mitigation 
                steps that could be taken by the source that may result 
                in the Council rescinding a recommendation.
            ``(3) Notice of recommendation and review.--A notice of the 
        Council's recommendation under paragraph (2) shall be issued to 
        any source named in the recommendation advising--
                    ``(A) that a recommendation has been made;
                    ``(B) of the criteria the Council relied upon under 
                paragraph (1) and, to the extent consistent with 
                national security and law enforcement interests, of 
                information that forms the basis for the 
                recommendation;
                    ``(C) that, within 30 days after receipt of notice, 
                the source may submit information and argument in 
                opposition to the recommendation;
                    ``(D) of the procedures governing the review and 
                possible issuance of an exclusion or removal order 
                pursuant to paragraph (4); and
                    ``(E) where practicable, in the Council's sole and 
                unreviewable discretion, a description of mitigation 
                steps that could be taken by the source that may result 
                in the Council rescinding the recommendation.
            ``(4) Exclusion and removal orders.--
                    ``(A) Order issuance.--Recommendations of the 
                Council under paragraph (2), together with any 
                information submitted by a source under paragraph (3) 
                related to such a recommendation, shall be reviewed by 
                the following officials, who in their sole and 
                unreviewable discretion may issue exclusion and removal 
                orders based upon such recommendations:
                            ``(i) The Secretary of Homeland Security, 
                        for exclusion and removal orders applicable to 
                        civilian agencies, to the extent not covered by 
                        clause (ii) or (iii).
                            ``(ii) The Secretary of Defense, for 
                        exclusion and removal orders applicable to the 
                        Department of Defense and national security 
                        systems other than sensitive compartmented 
                        information systems.
                            ``(iii) The Director of National 
                        Intelligence, for exclusion and removal orders 
                        applicable to the intelligence community and 
                        sensitive compartmented information systems, to 
                        the extent not covered by clause (ii).
                    ``(B) Delegation.--The officials identified in 
                subparagraph (A) may not delegate any authority under 
                this subparagraph to an official below the level one 
                level below the Deputy Secretary or Principal Deputy 
                Director, except that the Secretary of Defense may 
                delegate authority for removal orders to the Commander 
                of the United States Cyber Command, who may not 
                redelegate such authority to an official below the 
                level one level below the Deputy Commander.
                    ``(C) Facilitation of exclusion orders.--If 
                officials identified under this paragraph from the 
                Department of Homeland Security, the Department of 
                Defense, and the Office of the Director of National 
                Intelligence issue orders collectively resulting in a 
                governmentwide exclusion, the Administrator for General 
                Services and officials at other executive agencies 
                responsible for management of the Federal Supply 
                Schedules, governmentwide acquisition contracts and 
                multi-agency contracts shall help facilitate 
                implementation of such orders by removing the covered 
                articles or sources identified in the orders from such 
                contracts.
                    ``(D) Review of exclusion and removal orders.--The 
                officials identified under this paragraph shall review 
                all exclusion and removal orders issued under 
                subparagraph (A) not less frequently than annually 
                pursuant to procedures established by the Council.
                    ``(E) Rescission.--Orders issued pursuant to 
                subparagraph (A) may be rescinded by an authorized 
                official from the relevant issuing agency.
            ``(5) Notifications.--Upon issuance of an exclusion or 
        removal order pursuant to paragraph (4)(A), the official 
        identified under that paragraph who issued the order shall--
                    ``(A) notify any source named in the order of--
                            ``(i) the exclusion or removal order; and
                            ``(ii) to the extent consistent with 
                        national security and law enforcement 
                        interests, information that forms the basis for 
                        the order;
                    ``(B) provide classified or unclassified notice of 
                the exclusion or removal order to the appropriate 
                congressional committees and leadership; and
                    ``(C) provide the exclusion or removal order to the 
                agency identified in subsection (a)(3).
            ``(6) Compliance.--Executive agencies shall comply with 
        exclusion and removal orders issued pursuant to paragraph (4).
    ``(d) Authority To Request Information.--The Council may request 
such information from executive agencies as is necessary for the 
Council to carry out its functions.
    ``(e) Relationship to Other Councils.--The Council shall consult 
and coordinate, as appropriate, with other relevant councils, including 
the Chief Information Officers Council, the Chief Acquisition Officers 
Council, and the Federal Acquisition Regulatory Council, with respect 
to supply chain risks posed by the acquisition and use of covered 
articles.
    ``(f) Rule of Construction.--Nothing in this section shall limit 
the authority of the Office of Federal Procurement Policy to carry out 
the responsibilities of that Office under any other provision of law.
``Sec. 1324. Strategic plan
    ``(a) In General.--Not later than 180 days after the date of the 
enactment of the Federal Acquisition Supply Chain Security Act of 2018, 
the Council shall develop a strategic plan for addressing supply chain 
risks posed by the acquisition of covered articles and for managing 
such risks that includes--
            ``(1) the criteria and processes required under section 
        1323(a) of this title, including a threshold and requirements 
        for sharing relevant information about such risks with all 
        executive agencies;
            ``(2) an identification of existing authorities for 
        addressing such risks;
            ``(3) an identification and promulgation of best practices 
        and procedures and available resources for executive agencies 
        to assess and mitigate such risks;
            ``(4) recommendations for any legislative, regulatory, or 
        other policy changes to improve efforts to address such risks;
            ``(5) an evaluation of the effect of implementing new 
        policies or procedures on existing contracts and the 
        procurement process;
            ``(6) a plan for engaging with executive agencies, the 
        private sector, and other nongovernmental stakeholders to 
        address such risks;
            ``(7) a plan for identification, assessment, mitigation, 
        and vetting of supply chain risks from existing and prospective 
        information and communications technology made available by 
        executive agencies to other executive agencies through common 
        contract solutions, shared services, acquisition vehicles, or 
        other assisted acquisition services; and
            ``(8) plans to strengthen the capacity of all executive 
        agencies to conduct assessments of--
                    ``(A) the supply chain risk posed by the 
                acquisition of covered articles; and
                    ``(B) compliance with the requirements of this 
                subchapter.
    ``(b) Submission to Congress.--Not later than 7 calendar days after 
completion of the strategic plan required by subsection (a), the 
Chairperson of the Council shall submit the plan to the appropriate 
congressional committees and leadership.
``Sec. 1325. Annual report
    ``Not later than December 31 of each year, the Chairperson of the 
Council shall submit to the appropriate congressional committees and 
leadership a report on the activities of the Council during the 
preceding 12-month period.
``Sec. 1326. Requirements for executive agencies
    ``(a) In General.--The head of each executive agency shall be 
responsible for--
            ``(1) assessing the supply chain risk posed by the 
        acquisition and use of covered articles and avoiding, 
        mitigating, accepting, or transferring that risk, as 
        appropriate and consistent with the standards, guidelines, and 
        practices identified by the Council under section 1323(a)(1); 
        and
            ``(2) prioritizing supply chain risk assessments conducted 
        under paragraph (1) based on the criticality of the mission, 
        system, component, service, or asset.
    ``(b) Inclusions.--The responsibility for assessing supply chain 
risk described in subsection (a) includes--
            ``(1) developing an overall supply chain risk management 
        strategy and implementation plan and policies and processes to 
        guide and govern supply chain risk management activities;
            ``(2) integrating supply chain risk management practices 
        throughout the life cycle of the system, component, service, or 
        asset;
            ``(3) limiting, avoiding, mitigating, accepting, or 
        transferring any identified risk;
            ``(4) sharing relevant information with other executive 
        agencies as determined appropriate by the Council in a manner 
        consistent with section 1323(a) of this title;
            ``(5) reporting on progress and effectiveness of the 
        agency's supply chain risk management consistent with guidance 
        issued by the Office of Management and Budget and the Council; 
        and
            ``(6) ensuring that all relevant information, including 
        classified information, with respect to acquisitions of covered 
        articles that may pose a supply chain risk, consistent with 
        section 1323(a) of this title, is incorporated into existing 
        processes of the agency for conducting assessments described in 
        subsection (a) and ongoing management of acquisition programs, 
        including any identification, investigation, mitigation, or 
        remediation needs.
    ``(c) Interagency Acquisitions.--
            ``(1) In general.--Except as provided in paragraph (2), in 
        the case of an interagency acquisition, subsection (a) shall be 
        carried out by the head of the executive agency whose funds are 
        being used to procure the covered article.
            ``(2) Assisted acquisitions.--In an assisted acquisition, 
        the parties to the acquisition shall determine, as part of the 
        interagency agreement governing the acquisition, which agency 
        is responsible for carrying out subsection (a).
            ``(3) Definitions.--In this subsection, the terms `assisted 
        acquisition' and `interagency acquisition' have the meanings 
        given those terms in section 2.101 of title 48, Code of Federal 
        Regulations (or any corresponding similar regulation or 
        ruling).
    ``(d) Assistance.--The Secretary of Homeland Security may--
            ``(1) assist executive agencies in conducting risk 
        assessments described in subsection (a) and implementing 
        mitigation requirements for information and communications 
        technology; and
            ``(2) provide such additional guidance or tools as are 
        necessary to support actions taken by executive agencies.
``Sec. 1327. Judicial review procedures
    ``(a) In General.--Except as provided in subsection (b) and chapter 
71 of this title, and notwithstanding any other provision of law, an 
action taken under section 1323 or 4713 of this title, or any action 
taken by an executive agency to implement such an action, shall not be 
subject to administrative review or judicial review, including bid 
protests before the Government Accountability Office or in any Federal 
court.
    ``(b) Petitions.--
            ``(1) In general.--Not later than 60 days after a party is 
        notified of an exclusion or removal order under section 
        1323(c)(5) of this title or a covered procurement action under 
        section 4713 of this title, the party may file a petition for 
        judicial review in the United States Court of Appeals for the 
        District of Columbia Circuit claiming that the issuance of the 
        exclusion or removal order or covered procurement action is 
        unlawful.
            ``(2) Standard of review.--The Court shall hold unlawful a 
        covered action taken under sections 1323 or 4713 of this title, 
        in response to a petition that the court finds to be--
                    ``(A) arbitrary, capricious, an abuse of 
                discretion, or otherwise not in accordance with law;
                    ``(B) contrary to constitutional right, power, 
                privilege, or immunity;
                    ``(C) in excess of statutory jurisdiction, 
                authority, or limitation, or short of statutory right;
                    ``(D) lacking substantial support in the 
                administrative record taken as a whole or in classified 
                information submitted to the court under paragraph (3); 
                or
                    ``(E) not in accord with procedures required by 
                law.
            ``(3) Exclusive jurisdiction.--The United States Court of 
        Appeals for the District of Columbia Circuit shall have 
        exclusive jurisdiction over claims arising under sections 
        1323(c)(4) or 4713 of this title against the United States, any 
        United States department or agency, or any component or 
        official of any such department or agency, subject to review by 
        the Supreme Court of the United States under section 1254 of 
        title 28.
            ``(4) Administrative record and procedures.--
                    ``(A) In general.--The procedures described in this 
                paragraph shall apply to the review of a petition under 
                this section.
                    ``(B) Administrative record.--
                            ``(i) Filing of record.--The United States 
                        shall file with the court an administrative 
                        record, which shall consist of the information 
                        that the appropriate official relied upon in 
                        issuing an exclusion or removal order under 
                        section 1323(c)(4) or a covered procurement 
                        action under section 4713 of this title.
                            ``(ii) Unclassified, nonprivileged 
                        information.--All unclassified information 
                        contained in the administrative record that is 
                        not otherwise privileged or subject to 
                        statutory protections shall be provided to the 
                        petitioner with appropriate protections for any 
                        privileged or confidential trade secrets and 
                        commercial or financial information.
                            ``(iii) In camera and ex parte.--The 
                        following information may be included in the 
                        administrative record and shall be submitted 
                        only to the court ex parte and in camera:
                                    ``(I) Classified information.
                                    ``(II) Sensitive security 
                                information, as defined by section 
                                1520.5 of title 49, Code of Federal 
                                Regulations.
                                    ``(III) Privileged law enforcement 
                                information.
                                    ``(IV) Information obtained or 
                                derived from any activity authorized 
                                under the Foreign Intelligence 
                                Surveillance Act of 1978 (50 U.S.C. 
                                1801 et seq.), except that, with 
                                respect to such information, 
                                subsections (c), (e), (f), (g), and (h) 
                                of section 106 (50 U.S.C. 1806), 
                                subsections (d), (f), (g), (h), and (i) 
                                of section 305 (50 U.S.C. 1825), 
                                subsections (c), (e), (f), (g), and (h) 
                                of section 405 (50 U.S.C. 1845), and 
                                section 706 (50 U.S.C. 1881e) of that 
                                Act shall not apply.
                                    ``(V) Information subject to 
                                privilege or protections under any 
                                other provision of law.
                            ``(iv) Under seal.--Any information that is 
                        part of the administrative record filed ex 
                        parte and in camera under clause (iii), or 
                        cited by the court in any decision, shall be 
                        treated by the court consistent with the 
                        provisions of this subparagraph and shall 
                        remain under seal and preserved in the records 
                        of the court to be made available consistent 
                        with the above provisions in the event of 
                        further proceedings. In no event shall such 
                        information be released to the petitioner or as 
                        part of the public record.
                            ``(v) Return.--After the expiration of the 
                        time to seek further review, or the conclusion 
                        of further proceedings, the court shall return 
                        the administrative record, including any and 
                        all copies, to the United States.
                    ``(C) Exclusive remedy.--A determination by the 
                court under this subsection shall be the exclusive 
                judicial remedy for any claim described in this section 
                against the United States, any United States department 
                or agency, or any component or official of any such 
                department or agency.
                    ``(D) Rule of construction.--Nothing in this 
                section shall be construed as limiting, superseding, or 
                preventing the invocation of, any privileges or 
                defenses that are otherwise available at law or in 
                equity to protect against the disclosure of 
                information.
    ``(c) Definition.--In this section, the term `classified 
information'--
            ``(1) has the meaning given that term in section 1(a) of 
        the Classified Information Procedures Act (18 U.S.C. App.); and
            ``(2) includes--
                    ``(A) any information or material that has been 
                determined by the United States Government pursuant to 
                an Executive order, statute, or regulation to require 
                protection against unauthorized disclosure for reasons 
                of national security; and
                    ``(B) any restricted data, as defined in section 11 
                of the Atomic Energy Act of 1954 (42 U.S.C. 2014).
``Sec. 1328. Termination
    ``This subchapter shall terminate on the date that is 5 years after 
the date of the enactment of the Federal Acquisition Supply Chain 
Security Act of 2018.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 13 of such title is amended by adding at the end the following 
new items:

      ``Subchapter III--Federal Acquisition Supply Chain Security

``Sec.
``1321. Definitions.
``1322. Federal Acquisition Security Council establishment and 
                            membership.
``1323. Functions and authorities.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Judicial review procedures.
``1328. Termination.''.
    (c) Effective Date.--The amendments made by this section shall take 
effect on the date that is 90 days after the date of the enactment of 
this Act and shall apply to contracts that are awarded before, on, or 
after that date.
    (d) Implementation.--
            (1) Interim final rule.--Not later than one year after the 
        date of the enactment of this Act, the Federal Acquisition 
        Security Council shall prescribe an interim final rule to 
        implement subchapter III of chapter 13 of title 41, United 
        States Code, as added by subsection (a).
            (2) Final rule.--Not later than one year after prescribing 
        the interim final rule under paragraph (1) and considering 
        public comments with respect to such interim final rule, the 
        Council shall prescribe a final rule to implement subchapter 
        III of chapter 13 of title 41, United States Code, as added by 
        subsection (a).
            (3) Failure to act.--
                    (A) In general.--If the Council does not issue a 
                final rule in accordance with paragraph (2) on or 
                before the last day of the one-year period referred to 
                in that paragraph, the Council shall submit to the 
                appropriate congressional committees and leadership, 
                not later than 10 days after such last day and every 90 
                days thereafter until the final rule is issued, a 
                report explaining why the final rule was not timely 
                issued and providing an estimate of the earliest date 
                on which the final rule will be issued.
                    (B) Appropriate congressional committees and 
                leadership defined.--In this paragraph, the term 
                ``appropriate congressional committees and leadership'' 
                has the meaning given that term in section 1321 of 
                title 41, United States Code, as added by subsection 
                (a).

SEC. 3. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO MITIGATING SUPPLY 
              CHAIN RISKS IN THE PROCUREMENT OF COVERED ARTICLES.

    (a) In General.--Chapter 47 of title 41, United States Code, is 
amended by adding at the end the following new section:
``Sec. 4713. Authorities relating to mitigating supply chain risks in 
              the procurement of covered articles
    ``(a) Authority.--Subject to subsection (b), the head of an 
executive agency may--
            ``(1) carry out a covered procurement action; and
            ``(2) limit, notwithstanding any other provision of law, in 
        whole or in part, the disclosure of information relating to the 
        basis for carrying out a covered procurement action.
    ``(b) Determination and Notification.--Except as authorized by 
subsection (c) to address an urgent national security interest, the 
head of an executive agency may exercise the authority provided in 
subsection (a) only after--
            ``(1) obtaining a joint recommendation, in unclassified or 
        classified form, from the chief acquisition officer and the 
        chief information officer of the agency, or officials 
        performing similar functions in the case of executive agencies 
        that do not have such officials, which includes a review of any 
        risk assessment made available by the executive agency 
        identified under section 1323(a)(3) of this title, that there 
        is a significant supply chain risk in a covered procurement;
            ``(2) providing notice of the joint recommendation 
        described in paragraph (1) to any source named in the joint 
        recommendation advising--
                    ``(A) that a recommendation is being considered or 
                has been obtained;
                    ``(B) to the extent consistent with the national 
                security and law enforcement interests, of information 
                that forms the basis for the recommendation;
                    ``(C) that, within 30 days after receipt of the 
                notice, the source may submit information and argument 
                in opposition to the recommendation; and
                    ``(D) of the procedures governing the consideration 
                of the submission and the possible exercise of the 
                authority provided in subsection (a);
            ``(3) making a determination in writing, in unclassified or 
        classified form, after considering any information submitted by 
        a source under paragraph (2) and in consultation with the chief 
        information security officer of the agency, that--
                    ``(A) use of the authority under subsection (a)(1) 
                is necessary to protect national security by reducing 
                supply chain risk;
                    ``(B) less intrusive measures are not reasonably 
                available to reduce such supply chain risk;
                    ``(C) a decision to limit disclosure of information 
                under subsection (a)(2) is necessary to protect an 
                urgent national security interest; and
                    ``(D) the use of such authorities will apply to a 
                single covered procurement or a class of covered 
                procurements, and otherwise specifies the scope of the 
                determination; and
            ``(4) providing a classified or unclassified notice of the 
        determination made under paragraph (3) to the appropriate 
        congressional committees and leadership that includes--
                    ``(A) the joint recommendation described in 
                paragraph (1);
                    ``(B) a summary of any risk assessment reviewed in 
                support of the joint recommendation required by 
                paragraph (1); and
                    ``(C) a summary of the basis for the determination, 
                including a discussion of less intrusive measures that 
                were considered and why such measures were not 
                reasonably available to reduce supply chain risk.
    ``(c) Procedures To Address Urgent National Security Interests.--In 
any case in which the head of an executive agency determines that an 
urgent national security interest requires the immediate exercise of 
the authority provided in subsection (a), the head of the agency--
            ``(1) may, to the extent necessary to address such national 
        security interest, and subject to the conditions in paragraph 
        (2)--
                    ``(A) temporarily delay the notice required by 
                subsection (b)(2);
                    ``(B) make the determination required by subsection 
                (b)(3), regardless of whether the notice required by 
                subsection (b)(2) has been provided or whether the 
                notified source has submitted any information in 
                response to such notice;
                    ``(C) temporarily delay the notice required by 
                subsection (b)(4); and
                    ``(D) exercise the authority provided in subsection 
                (a) in accordance with such determination within 60 
                calendar days after the day the determination is made; 
                and
            ``(2) shall take actions necessary to comply with all 
        requirements of subsection (b) as soon as practicable after 
        addressing the urgent national security interest, including--
                    ``(A) providing the notice required by subsection 
                (b)(2);
                    ``(B) promptly considering any information 
                submitted by the source in response to such notice, and 
                making any appropriate modifications to the 
                determination based on such information;
                    ``(C) providing the notice required by subsection 
                (b)(4), including a description of the urgent national 
                security interest, and any modifications to the 
                determination made in accordance with subparagraph (B); 
                and
                    ``(D) providing notice to the appropriate 
                congressional committees and leadership within 7 
                calendar days of the covered procurement actions taken 
                under this section.
    ``(d) Delegation.--The head of an executive agency may not delegate 
the authority provided in subsection (a) or the responsibility 
identified in subsection (f) to an official below the level one level 
below the Deputy Secretary or Principal Deputy Director.
    ``(e) Limitation on Disclosure.--If the head of an executive agency 
has exercised the authority provided in subsection (a)(2) to limit 
disclosure of information, the agency head or a designee identified by 
the agency head shall--
            ``(1) provide to the executive agency identified by the 
        Council under paragraph (3) of section 1323(a) of this title 
        information identified by the criteria under paragraph (2) of 
        that section, in a manner and to the extent consistent with the 
        requirements of national security and law enforcement 
        interests; and
            ``(2) take steps to maintain the confidentiality of any 
        such notifications.
    ``(f) Annual Review of Determinations.--The head of an executive 
agency shall conduct an annual review of all determinations made by 
such head under subsection (b) and promptly amend any covered 
procurement action as appropriate.
    ``(g) Regulations.--The Federal Acquisition Regulatory Council 
shall prescribe such regulations as may be necessary to carry out this 
section.
    ``(h) Reports Required.--Not less frequently than annually, the 
head of each executive agency that exercised the authority provided in 
subsection (a) or (c) during the preceding 12-month period shall submit 
to the appropriate congressional committees and leadership a report 
summarizing the actions taken by the agency under this section during 
that 12-month period.
    ``(i) Applicability.--Notwithstanding section 3101(c)(1)(A) of this 
title, this section applies to the Department of Defense, the Coast 
Guard, and the National Aeronautics and Space Administration.
    ``(j) Termination.--The authority provided under subsection (a) 
shall terminate on the date that is 5 years after the date of the 
enactment of the Federal Acquisition Supply Chain Security Act of 2018.
    ``(k) Definitions.--In this section:
            ``(1) Appropriate congressional committees and 
        leadership.--The term `appropriate congressional committees and 
        leadership' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on the Judiciary, 
                the Committee on Appropriations, the Select Committee 
                on Intelligence, and the majority and minority leader 
                of the Senate; and
                    ``(B) the Committee on Oversight and Government 
                Reform, the Committee on the Judiciary, the Committee 
                on Appropriations, the Committee on Homeland Security, 
                the Permanent Select Committee on Intelligence, and the 
                Speaker and minority leader of the House of 
                Representatives.
            ``(2) Covered article.--The term `covered article' means--
                    ``(A) information technology, as defined in section 
                11101 of title 40, including cloud computing services 
                of all types;
                    ``(B) telecommunications equipment or 
                telecommunications service, as those terms are defined 
                in section 3 of the Communications Act of 1934 (47 
                U.S.C. 153);
                    ``(C) the processing of information on a Federal or 
                non-Federal information system, subject to the 
                requirements of the Controlled Unclassified Information 
                program; or
                    ``(D) hardware, systems, devices, software, or 
                services that include embedded or incidental 
                information technology.
            ``(3) Covered procurement.--The term `covered procurement' 
        means--
                    ``(A) a source selection for a covered article 
                involving either a performance specification, as 
                provided in subsection (a)(3)(B) of section 3306 of 
                this title, or an evaluation factor, as provided in 
                subsection (b)(1)(A) of such section, relating to a 
                supply chain risk, or where supply chain risk 
                considerations are included in the agency's 
                determination of whether a source is a responsible 
                source as defined in section 113 of this title;
                    ``(B) the consideration of proposals for and 
                issuance of a task or delivery order for a covered 
                article, as provided in section 4106(d)(3) of this 
                title, where the task or delivery order contract 
                includes a contract clause establishing a requirement 
                relating to a supply chain risk;
                    ``(C) any contract action involving a contract for 
                a covered article where the contract includes a clause 
                establishing requirements relating to a supply chain 
                risk; or
                    ``(D) any other procurement in a category of 
                procurements determined appropriate by the Federal 
                Acquisition Regulatory Council, with the advice of the 
                Federal Acquisition Security Council.
            ``(4) Covered procurement action.--The term `covered 
        procurement action' means any of the following actions, if the 
        action takes place in the course of conducting a covered 
        procurement:
                    ``(A) The exclusion of a source that fails to meet 
                qualification requirements established under section 
                3311 of this title for the purpose of reducing supply 
                chain risk in the acquisition or use of covered 
                articles.
                    ``(B) The exclusion of a source that fails to 
                achieve an acceptable rating with regard to an 
                evaluation factor providing for the consideration of 
                supply chain risk in the evaluation of proposals for 
                the award of a contract or the issuance of a task or 
                delivery order.
                    ``(C) The determination that a source is not a 
                responsible source as defined in section 113 of this 
                title based on considerations of supply chain risk.
                    ``(D) The decision to withhold consent for a 
                contractor to subcontract with a particular source or 
                to direct a contractor to exclude a particular source 
                from consideration for a subcontract under the 
                contract.
            ``(5) Information and communications technology.--The term 
        `information and communications technology' means--
                    ``(A) information technology, as defined in section 
                11101 of title 40;
                    ``(B) information systems, as defined in section 
                3502 of title 44; and
                    ``(C) telecommunications equipment and 
                telecommunications services, as those terms are defined 
                in section 3 of the Communications Act of 1934 (47 
                U.S.C. 153).
            ``(6) Supply chain risk.--The term `supply chain risk' 
        means the risk that any person may sabotage, maliciously 
        introduce unwanted function, extract data, or otherwise 
        manipulate the design, integrity, manufacturing, production, 
        distribution, installation, operation, maintenance, 
        disposition, or retirement of covered articles so as to 
        surveil, deny, disrupt, or otherwise manipulate the function, 
        use, or operation of the covered articles or information stored 
        or transmitted on the covered articles.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 47 of such title is amended by adding at the end the following 
new item:

``4713. Authorities relating to mitigating supply chain risks in the 
                            procurement of covered articles.''.
    (c) Effective Date.--The amendments made by this section shall take 
effect on the date that is 90 days after the date of the enactment of 
this Act and shall apply to contracts that are awarded before, on, or 
after that date.

SEC. 4. FEDERAL INFORMATION SECURITY MODERNIZATION ACT.

    (a) In General.--Title 44, United States Code, is amended--
            (1) in section 3553(a)(5), by inserting ``and section 1326 
        of title 41'' after ``compliance with the requirements of this 
        subchapter''; and
            (2) in section 3554(a)(1)(B)--
                    (A) by inserting ``, subchapter III of chapter 13 
                of title 41,'' after ``complying with the requirements 
                of this subchapter'';
                    (B) in clause (iv), by striking ``; and'' and 
                inserting a semicolon; and
                    (C) by adding at the end the following new clause:
                            ``(vi) responsibilities relating to 
                        assessing and avoiding, mitigating, 
                        transferring, or accepting supply chain risks 
                        under section 1326 of title 41, and complying 
                        with exclusion and removal orders issued under 
                        section 1323 of such title; and''.
    (b) Rule of Construction.--Nothing in this Act shall be construed 
to alter or impede any authority or responsibility under section 3553 
of title 44, United States Code.

SEC. 5. EFFECTIVE DATE.

    This Act shall take effect on the date that is 90 days after the 
date of the enactment of this Act.

                           November 26, 2018

                       Reported with an amendment