[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3320 Reported in House (RH)]






                                                 Union Calendar No. 146
116th CONGRESS
  1st Session
                                H. R. 3320

                          [Report No. 116-188]

 To amend the Homeland Security Act of 2002 to authorize the Secretary 
of Homeland Security to implement certain requirements for information 
         relating to supply chain risk, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             June 18, 2019

 Mr. King of New York (for himself, Mr. Thompson of Mississippi, Miss 
 Rice of New York, Mr. Correa, Mr. Rogers of Alabama, Mr. Rose of New 
York, and Mr. Payne) introduced the following bill; which was referred 
                 to the Committee on Homeland Security

                            August 27, 2019

            Additional sponsors: Mr. McCaul and Mr. Hagedorn

                            August 27, 2019

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
 [For text of introduced bill, see copy of bill as introduced on June 
                               18, 2019]


_______________________________________________________________________

                                 A BILL


 
 To amend the Homeland Security Act of 2002 to authorize the Secretary 
of Homeland Security to implement certain requirements for information 
         relating to supply chain risk, and for other purposes.


 


    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Securing the Homeland Security 
Supply Chain Act of 2019''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY REQUIREMENTS FOR INFORMATION 
              RELATING TO SUPPLY CHAIN RISK.

    (a) In General.--Subtitle D of title VIII of the Homeland Security 
Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the 
following new section:

``SEC. 836. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK.

    ``(a) Authority.--Subject to subsection (b), the Secretary may--
            ``(1) carry out a covered procurement action;
            ``(2) limit, notwithstanding any other provision of law, in 
        whole or in part, the disclosure of information, including 
        classified information, relating to the basis for carrying out 
        such an action; and
            ``(3) exclude, in whole or in part, a source carried out in 
        the course of such an action applicable to a covered 
        procurement of the Department.
    ``(b) Determination and Notification.--Except as authorized by 
subsection (c) to address an urgent national security interest, the 
Secretary may exercise the authority provided in subsection (a) only 
after--
            ``(1) obtaining a joint recommendation, in unclassified or 
        classified form, from the Chief Acquisition Officer and the 
        Chief Information Officer of the Department, including a review 
        of any risk assessment made available by an appropriate person 
        or entity, including the national risk management center at the 
        Cybersecurity and Infrastructure Security Agency, that there is 
        a significant supply chain risk in a covered procurement;
            ``(2) notifying any source named in the joint 
        recommendation described in paragraph (1) advising--
                    ``(A) that a recommendation has been obtained;
                    ``(B) to the extent consistent with the national 
                security and law enforcement interests, the basis for 
                such recommendation;
                    ``(C) that, within 30 days after receipt of notice, 
                such source may submit information and argument in 
                opposition to such recommendation; and
                    ``(D) of the procedures governing the consideration 
                of such submission and the possible exercise of the 
                authority provided in subsection (a);
            ``(3) notifying the relevant components of the Department 
        that such risk assessment has demonstrated significant supply 
        chain risk to a covered procurement;
            ``(4) making a determination in writing, in unclassified or 
        classified form, that after considering any information 
        submitted by a source under paragraph (2), and in consultation 
        with the Chief Information Officer of the Department, that--
                    ``(A) use of authority under subsection (a)(1) is 
                necessary to protect national security by reducing 
                supply chain risk;
                    ``(B) less intrusive measures are not reasonably 
                available to reduce such risk;
                    ``(C) a decision to limit disclosure of information 
                under subsection (a)(2) is necessary to protect 
                national security interest; and
                    ``(D) the use of such authorities will apply to a 
                single covered procurement or a class of covered 
                procurements, and otherwise specifies the scope of such 
                determination;
            ``(5) providing to the Committee on Homeland Security of 
        the House of Representatives and the Committee on Homeland 
        Security and Governmental Affairs of the Senate a classified or 
        unclassified notice of the determination made under paragraph 
        (4) that includes--
                    ``(A) the joint recommendation described in 
                paragraph (1);
                    ``(B) a summary of any risk assessment reviewed in 
                support of such joint recommendation; and
                    ``(C) a summary of the basis for such 
                determination, including a discussion of less intrusive 
                measures that were considered and why such measures 
                were not reasonably available to reduce supply chain 
                risk;
            ``(6) notifying the Director of the Office of Management 
        and Budget, and the heads of other Federal agencies as 
        appropriate, in a manner and to the extent consistent with the 
        requirements of national security; and
            ``(7) taking steps to maintain the confidentiality of any 
        notifications under this subsection.
    ``(c) Procedures To Address Urgent National Security Interests.--In 
any case in which the Secretary determines that national security 
interests require the immediate exercise of the authorities under 
subsection (a), the Secretary--
            ``(1) may, to the extent necessary to address any such 
        national security interest, and subject to the conditions 
        specified in paragraph (2)--
                    ``(A) temporarily delay the notice required by 
                subsection (b)(2);
                    ``(B) make the determination required by subsection 
                (b)(4), regardless of whether the notice required by 
                subsection (b)(2) has been provided or whether the 
                notified source at issue has submitted any information 
                in response to such notice;
                    ``(C) temporarily delay the notice required by 
                subsections (b)(4) and (b)(5); and
                    ``(D) exercise the authority provided in subsection 
                (a) in accordance with such determination; and
            ``(2) shall take actions necessary to comply with all 
        requirements of subsection (b) as soon as practicable after 
        addressing the urgent national security interest that is the 
        subject of paragraph (1), including--
                    ``(A) providing the notice required by subsection 
                (b)(2);
                    ``(B) promptly considering any information 
                submitted by the source at issue in response to such 
                notice, and making any appropriate modifications to the 
                determination required by subsection (b)(4) based on 
                such information; and
                    ``(C) providing the notice required by subsections 
                (b)(5) and (b)(6), including a description of such 
                urgent national security, and any modifications to such 
                determination made in accordance with subparagraph (B).
    ``(d) Annual Review of Determinations.--The Secretary shall 
annually review all determinations made under subsection (b).
    ``(e) Delegation.--The Secretary may not delegate the authority 
provided in subsection (a) or the responsibility identified in 
subsection (d) to an official below the Deputy Secretary.
    ``(f) Limitation of Review.--Notwithstanding any other provision of 
law, no action taken by the Secretary under subsection (a) may be 
subject to review in a bid protest before the Government Accountability 
Office or in any Federal court.
    ``(g) Consultation.--In developing procedures and guidelines for 
the implementation of the authorities described in this section, the 
Secretary shall review the procedures and guidelines utilized by the 
Department of Defense to carry out similar authorities.
    ``(h) Definitions.--In this section:
            ``(1) Covered article.--The term `covered article' means:
                    ``(A) Information technology, including cloud 
                computing services of all types.
                    ``(B) Telecommunications equipment.
                    ``(C) Telecommunications services.
                    ``(D) The processing of information on a Federal or 
                non-Federal information system, subject to the 
                requirements of the Controlled Unclassified Information 
                program of the Department.
                    ``(E) Hardware, systems, devices, software, or 
                services that include embedded or incidental 
                information technology.
            ``(2) Covered procurement.--The term `covered procurement' 
        means--
                    ``(A) a source selection for a covered article 
                involving either a performance specification, as 
                provided in subsection (a)(3)(B) of section 3306 of 
                title 41, United States Code, or an evaluation factor, 
                as provided in subsection (c)(1)(A) of such section, 
                relating to supply chain risk, or with respect to which 
                supply chain risk considerations are included in the 
                Department's determination of whether a source is a 
                responsible source as defined in section 113 of such 
                title;
                    ``(B) the consideration of proposals for and 
                issuance of a task or delivery order for a covered 
                article, as provided in section 4106(d)(3) of title 41, 
                United States Code, with respect to which the task or 
                delivery order contract includes a contract clause 
                establishing a requirement relating to supply chain 
                risk;
                    ``(C) any contract action involving a contract for 
                a covered article with respect to which such contract 
                includes a clause establishing requirements relating to 
                supply chain risk; or
                    ``(D) any procurement made via Government Purchase 
                Care for a covered article when supply chain risk has 
                been identified as a concern.
            ``(3) Covered procurement action.--The term `covered 
        procurement action' means any of the following actions, if such 
        action takes place in the course of conducting a covered 
        procurement:
                    ``(A) The exclusion of a source that fails to meet 
                qualification requirements established pursuant to 
                section 3311 of title 41, United States Code, for the 
                purpose of reducing supply chain risk in the 
                acquisition or use of a covered article.
                    ``(B) The exclusion of a source that fails to 
                achieve an acceptable rating with regard to an 
                evaluation factor providing for the consideration of 
                supply chain risk in the evaluation of proposals for 
                the award of a contract or the issuance of a task or 
                delivery order.
                    ``(C) The determination that a source is not a 
                responsible source based on considerations of supply 
                chain risk.
                    ``(D) The decision to withhold consent for a 
                contractor to subcontract with a particular source or 
                to direct a contractor to exclude a particular source 
                from consideration for a subcontract.
            ``(4) Information system.--The term `information system' 
        has the meaning given such term in section 3502 of title 44, 
        United States Code.
            ``(5) Information technology.--The term `information 
        technology' has the meaning given such term in section 11101 of 
        title 40, United States Code.
            ``(6) Responsible source.--The term `responsible source' 
        has the meaning given such term in section 113 of title 41, 
        United States Code.
            ``(7) Supply chain risk.--The term `supply chain risk' 
        means the risk that a malicious actor may sabotage, maliciously 
        introduce an unwanted function, extract or modify data, or 
        otherwise manipulate the design, integrity, manufacturing, 
        production, distribution, installation, operation, or 
        maintenance of a covered article so as to surveil, deny, 
        disrupt, or otherwise manipulate the function, use, or 
        operation of the information technology or information stored 
        or transmitted on the covered articles.
            ``(8) Telecommunications equipment.--The term 
        `telecommunications equipment' has the meaning given such term 
        in section 3(52) of the Communications Act of 1934 (47 U.S.C. 
        153(52)).
            ``(9) Telecommunications service.--The term 
        `telecommunications service' has the meaning given such term in 
        section 3(53) of the Communications Act of 1934 (47 U.S.C. 
        153(53)).
    ``(i) Effective Date.--The requirements of this section shall take 
effect on the date that is 90 days after the date of the enactment of 
this Act and shall apply to--
            ``(1) contracts awarded on or after such date; and
            ``(2) task and delivery orders issued on or after such date 
        pursuant to contracts awarded before, on, or after such 
        date.''.
    (b) Rulemaking.--Section 553 of title 5, United States Code, and 
section 1707 of title 41, United States Code, shall not apply to the 
Secretary of Homeland Security when carrying out the authorities and 
responsibilities under section 836 of the Homeland Security Act of 
2002, as added by subsection (a).
    (c) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 is amended by inserting after the 
item relating to section 835 the following new item:

``Sec. 836. Requirements for information relating to supply chain 
                            risk.''.

SEC. 3. REPORT ON THREATS POSED BY FOREIGN STATE-OWNED ENTITIES TO DHS 
              INFORMATION TECHNOLOGY AND COMMUNICATIONS SYSTEMS.

    Not later than 180 days after the date of the enactment of this 
Act, the Under Secretary for Management of the Department of Homeland 
Security, in coordination with the national risk management center of 
the Cybersecurity and Infrastructure Security Agency of the Department, 
shall submit to the Committee on Homeland Security of the House of 
Representatives and the Committee on Homeland Security and Governmental 
Affairs of the Senate a report on cybersecurity threats posed by 
terrorist actors and foreign state-owned entities to the information 
technology and communications systems of Department of Homeland 
Security, including information relating to the following:
            (1) The use of foreign state-owned entities' information 
        and communications technology by the Department of Homeland 
        Security, listed by component.
            (2) The threats, in consultation with the Department's 
        Office of Intelligence and Analysis, of foreign state-owned 
        entities' information and communications technology equipment 
        that could impact the Department.