[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 1457 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                S. 1457

   To provide for interagency coordination on risk mitigation in the 
communications equipment and services marketplace and the supply chain 
                    thereof, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 14, 2019

 Mrs. Blackburn (for herself and Mr. Cornyn) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To provide for interagency coordination on risk mitigation in the 
communications equipment and services marketplace and the supply chain 
                    thereof, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Sharing Urgent, Potentially 
Problematic Locations that Yield Communications Hazards in American 
Internet Networks Act of 2019'' or the ``SUPPLY CHAIN Act of 2019''.

SEC. 2. INTERAGENCY COORDINATION ON RISK MITIGATION IN THE 
              COMMUNICATIONS EQUIPMENT AND SERVICES MARKETPLACE AND THE 
              SUPPLY CHAIN THEREOF.

    (a) Definitions.--In this section:
            (1) Appropriate committees of congress.--The term 
        ``appropriate committees of Congress'' means--
                    (A) the Committee on Commerce, Science, and 
                Transportation, the Committee on Foreign Relations, the 
                Committee on Armed Services, the Committee on the 
                Judiciary, the Committee on Homeland Security and 
                Governmental Affairs, and the Select Committee on 
                Intelligence of the Senate; and
                    (B) the Committee on Energy and Commerce, the 
                Committee on Foreign Affairs, the Committee on Armed 
                Services, the Committee on the Judiciary, the Committee 
                on Homeland Security, and the Permanent Select 
                Committee on Intelligence of the House of 
                Representatives.
            (2) Appropriate federal entity.--The term ``appropriate 
        Federal entity'' means--
                    (A) the Department of Defense;
                    (B) the Department of Energy;
                    (C) the Department of Homeland Security;
                    (D) the Department of Justice;
                    (E) the Department of Transportation;
                    (F) the Department of the Treasury; and
                    (G) the Office of the Director of National 
                Intelligence.
            (3) Classified information.--The term ``classified 
        information'' means any information or material that has been 
        determined by the Federal Government pursuant to an Executive 
        order, statute, or regulation, to require protection against 
        unauthorized disclosure for reasons of national security.
            (4) Communications equipment and services.--The term 
        ``communications equipment and services'' includes any 
        hardware, software, or other product or service primarily 
        intended to fulfill or enable the function of information 
        processing and communications by electronic means, including 
        transmission and display, including over the internet.
            (5) Risk.--The term ``risk'' means any aspect or property 
        of the components of communications equipment and services or 
        the associated supply chain that may be used to gain 
        unauthorized access to a communications network, disrupt a 
        communications network, disrupt the manufacture of 
        communications equipment, disrupt consensus-driven industry 
        standards for communications equipment and services, or 
        otherwise harm a communications network or the users of the 
        network, including gaining unauthorized access to data or 
        redirecting data.
            (6) Secretary.--The term ``Secretary'' means the Secretary 
        of Commerce.
            (7) Supply chain.--The term ``supply chain'', with respect 
        to communications equipment and services--
                    (A) means the network of persons and activities 
                from source to delivery of the equipment and services; 
                and
                    (B) includes--
                            (i) vendors, suppliers, and providers of 
                        the equipment and services; and
                            (ii) persons who manufacture, assemble, 
                        develop, or test the equipment and services.
    (b) Ongoing Review.--Consistent with the protection of classified 
information, the Secretary shall, in coordination with the head of each 
appropriate Federal entity, conduct an ongoing review of risks to the 
communications equipment and services marketplace and the supply chain 
thereof.
    (c) Long-Term Scenario and Strategic Planning.--
            (1) Development, issuance, and implementation of 
        procedures.--Not later than 180 days after the date of 
        enactment of this section, consistent with the protection of 
        classified information, the Secretary, in coordination with the 
        head of each appropriate Federal entity, shall--
                    (A) develop and issue procedures to regularly 
                facilitate--
                            (i) long-term scenario and strategic 
                        planning with private entities that have 
                        appropriate security clearances to review 
                        classified information about risks, including 
                        by--
                                    (I) assessing the severity of risks 
                                posed to the marketplace of individual 
                                components of communications equipment 
                                and services and the supply chain 
                                thereof;
                                    (II) identifying counterfeit 
                                communications equipment and services 
                                in the marketplace;
                                    (III) assessing the ability of 
                                foreign governments or third parties to 
                                exploit the marketplace in a manner 
                                that raises risks;
                                    (IV) identifying--
                                            (aa) emerging risks and 
                                        long-term trends in the 
                                        marketplace of individual 
                                        components or standards of 
                                        communications equipment and 
                                        services and the supply chain 
                                        thereof; and
                                            (bb) strategies to mitigate 
                                        risks described in item (aa); 
                                        and
                                    (V) analyzing opportunities for 
                                asymmetric advantage;
                            (ii) the--
                                    (I) preparation of unclassified 
                                information that raises awareness of 
                                risks, including, as appropriate, 
                                unclassified versions of any 
                                information shared under clause (i); 
                                and
                                    (II) dissemination by the Secretary 
                                of the unclassified information 
                                described in subclause (I) to private 
                                entities that do not have appropriate 
                                security clearances; and
                            (iii) the voluntary sharing from private 
                        entities to the Secretary of information about 
                        risks to the marketplace; and
                    (B) carry out the procedures developed and issued 
                under subparagraph (A).
            (2) Manner of presentation.--The information shared with 
        private entities under paragraph (1)(A)(i) shall be presented 
        in a manner that identifies, assesses, and prioritizes risks, 
        the mitigation of risks, and opportunities for asymmetric 
        advantage.
            (3) Information shared with or provided to the federal 
        government.--
                    (A) No waiver of privilege or protection.--The 
                provision of information to the Federal Government by a 
                private entity under clause (i) or (iii) of paragraph 
                (1)(A) shall not constitute a waiver of any applicable 
                privilege or protection provided by law, including 
                trade secret protection.
                    (B) Proprietary information.--Information provided 
                to the Federal Government by a private entity under 
                clause (i) or (iii) of paragraph (1)(A) shall be 
                considered the commercial, financial, and proprietary 
                information of the private entity.
                    (C) Exemption from disclosure under foia.--
                Information provided to the Federal Government by a 
                private entity under clause (i) or (iii) of paragraph 
                (1)(A) shall be exempt from disclosure under section 
                552(b)(3) of title 5, United States Code.
                    (D) Exemption from federal regulatory authority.--
                Information provided to the Federal Government by a 
                private entity under clause (i) or (iii) of paragraph 
                (1)(A) shall not be used by any Federal entity to 
                regulate, including through an enforcement action, the 
                lawful activities of the private entity.
                    (E) Protection from liability.--No cause of action 
                shall lie or be maintained in any court against a 
                private entity, and such action shall be promptly 
                dismissed, if the action is related to or arises out of 
                the provision of information to the Federal Government 
                by the private entity under clause (i) or (iii) of 
                paragraph (1)(A).
    (d) Report to Congress.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this section, and biennially thereafter, the 
        Secretary, in coordination with the head of each appropriate 
        Federal entity, shall submit to the appropriate committees of 
        Congress a report on the implementation of this section.
            (2) Contents.--The report required under paragraph (1) 
        shall--
                    (A) include any recommendations that the Secretary, 
                in collaboration with the heads of the appropriate 
                Federal entities, may have for improvements or 
                modifications to the procedures developed and issued 
                under this section;
                    (B) evaluate the effectiveness of the procedures 
                developed and issued under subsection (c)(1)(A);
                    (C) identify processes and procedures that improve 
                the ability of private entities and the Federal 
                Government to adapt to emerging risks to the 
                marketplace;
                    (D) provide technical guidance on procurement of 
                communications equipment and services offered by 
                private entities in order to mitigate vulnerabilities;
                    (E) include recommendations to streamline the 
                provision of security clearances for relevant private 
                sector actors; and
                    (F) assess coordination between the heads of the 
                appropriate Federal entities, including by identifying 
                distinct competencies and jurisdictions of each 
                appropriate Federal entity.
            (3) Form of reports.--Each report submitted under paragraph 
        (1) shall be in unclassified form, but may include a classified 
        annex.
    (e) Rule of Construction.--Nothing in this section shall be 
construed to authorize the Secretary or the head of any other Federal 
agency to issue new regulations.