[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4611 Engrossed in House (EH)]
<DOC>
117th CONGRESS
1st Session
H. R. 4611
_______________________________________________________________________
AN ACT
To direct the Secretary of Homeland Security to issue guidance with
respect to certain information and communications technology or
services contracts, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``DHS Software Supply Chain Risk
Management Act of 2021''.
SEC. 2. DEPARTMENT OF HOMELAND SECURITY GUIDANCE WITH RESPECT TO
CERTAIN INFORMATION AND COMMUNICATIONS TECHNOLOGY OR
SERVICES CONTRACTS.
(a) Guidance.--The Secretary of Homeland Security, acting through
the Under Secretary, shall issue guidance with respect to new and
existing covered contracts.
(b) New Covered Contracts.--In developing guidance under subsection
(a), with respect to each new covered contract, as a condition on the
award of such a contract, each contractor responding to a solicitation
for such a contract shall submit to the covered officer--
(1) a planned bill of materials when submitting a bid
proposal; and
(2) the certification and notifications described in
subsection (e).
(c) Existing Covered Contracts.--In developing guidance under
subsection (a), with respect to each existing covered contract, each
contractor with an existing covered contract shall submit to the
covered officer--
(1) the bill of materials used for such contract, upon the
request of such officer; and
(2) the certification and notifications described in
subsection (e).
(d) Updating Bill of Materials.--With respect to a covered
contract, in the case of a change to the information included in a bill
of materials submitted pursuant to subsections (b)(1) and (c)(1), each
contractor shall submit to the covered officer the update to such bill
of materials, in a timely manner.
(e) Certification and Notifications.--The certification and
notifications referred to in subsections (b)(2) and (c)(2), with
respect to a covered contract, are the following:
(1) A certification that each item listed on the submitted
bill of materials is free from all known vulnerabilities or
defects affecting the security of the end product or service
identified in--
(A) the National Institute of Standards and
Technology National Vulnerability Database; and
(B) any database designated by the Under Secretary,
in coordination with the Director of the Cybersecurity
and Infrastructure Security Agency, that tracks
security vulnerabilities and defects in open source or
third-party developed software.
(2) A notification of each vulnerability or defect
affecting the security of the end product or service, if
identified, through--
(A) the certification of such submitted bill of
materials required under paragraph (1); or
(B) any other manner of identification.
(3) A notification relating to the plan to mitigate,
repair, or resolve each security vulnerability or defect listed
in the notification required under paragraph (2).
(f) Enforcement.--In developing guidance under subsection (a), the
Secretary shall instruct covered officers with respect to--
(1) the processes available to such officers enforcing
subsections (b) and (c); and
(2) when such processes should be used.
(g) Effective Date.--The guidance required under subsection (a)
shall take effect on the date that is 180 days after the date of the
enactment of this section.
(h) GAO Report.--Not later than 1 year after the date of the
enactment of this Act, the Comptroller General of the United States
shall submit to the Secretary, the Committee on Homeland Security of
the House of Representatives, and the Committee on Homeland Security
and Governmental Affairs of the Senate a report that includes--
(1) a review of the implementation of this section;
(2) information relating to the engagement of the
Department of Homeland Security with industry;
(3) an assessment of how the guidance issued pursuant to
subsection (a) complies with Executive Order 14028 (86 Fed.
Reg. 26633; relating to improving the nation's cybersecurity);
and
(4) any recommendations relating to improving the supply
chain with respect to covered contracts.
(i) Definitions.--In this section:
(1) Bill of materials.--The term ``bill of materials''
means a list of the parts and components (whether new or
reused) of an end product or service, including, with respect
to each part and component, information relating to the origin,
composition, integrity, and any other information as determined
appropriate by the Under Secretary.
(2) Covered contract.--The term ``covered contract'' means
a contract relating to the procurement of covered information
and communications technology or services for the Department of
Homeland Security.
(3) Covered information and communications technology or
services.--The term ``covered information and communications
technology or services'' means the terms--
(A) ``information technology'' (as such term is
defined in section 11101(6) of title 40, United States
Code);
(B) ``information system'' (as such term is defined
in section 3502(8) of title 44, United States Code);
(C) ``telecommunications equipment'' (as such term
is defined in section 3(52) of the Communications Act
of 1934 (47 U.S.C. 153(52))); and
(D) ``telecommunications service'' (as such term is
defined in section 3(53) of the Communications Act of
1934 (47 U.S.C. 153(53))).
(4) Covered officer.--The term ``covered officer'' means--
(A) a contracting officer of the Department; and
(B) any other official of the Department as
determined appropriate by the Under Secretary.
(5) Software.--The term ``software'' means computer
programs and associated data that may be dynamically written or
modified during execution.
(6) Under secretary.--The term ``Under Secretary'' means
the Under Secretary for Management of the Department of
Homeland Security.
SEC. 3. DETERMINATION OF BUDGETARY EFFECTS.
The budgetary effects of this Act, for the purpose of complying
with the Statutory Pay-As-You-Go Act of 2010, shall be determined by
reference to the latest statement titled ``Budgetary Effects of PAYGO
Legislation'' for this Act, submitted for printing in the Congressional
Record by the Chairman of the House Budget Committee, provided that
such statement has been submitted prior to the vote on passage.
Passed the House of Representatives October 20, 2021.
Attest:
Clerk.