[Congressional Record Volume 164, Number 199 (Tuesday, December 18, 2018)]
[Senate]
[Pages S7809-S7817]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




         FEDERAL ACQUISITION SUPPLY CHAIN SECURITY ACT OF 2018

  Mr. BOOZMAN. Mr. President, I ask unanimous consent that the Senate 
proceed to the immediate consideration of Calendar No. 666, S. 3085.
  The PRESIDING OFFICER. The clerk will report the bill by title.
  The senior assistant legislative clerk read as follows:

       A bill (S. 3085) to establish a Federal Acquisition 
     Security Council and to provide executive agencies with 
     authorities relating to mitigating supply chain risks in the 
     procurement of information technology, and for other 
     purposes.

  There being no objection, the Senate proceeded to consider the bill, 
which had been reported from the Committee on Homeland Security and 
Governmental Affairs, with an amendment to strike all after the 
enacting clause and insert in lieu thereof the following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Federal Acquisition Supply 
     Chain Security Act of 2018''.

     SEC. 2. FEDERAL ACQUISITION SUPPLY CHAIN SECURITY.

       (a) In General.--Chapter 13 of title 41, United States 
     Code, is amended by adding at the end the following new 
     subchapter:

      ``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY

     ``Sec. 1321. Definitions

       ``In this subchapter:
       ``(1) Appropriate congressional committees and 
     leadership.--The term `appropriate congressional committees 
     and leadership' means--
       ``(A) the Committee on Homeland Security and Governmental 
     Affairs, the Committee on the Judiciary, the Committee on 
     Armed Services, the Committee on Appropriations, the Select 
     Committee on Intelligence, and the majority and minority 
     leader of the Senate; and
       ``(B) the Committee on Oversight and Government Reform, the 
     Committee on the Judiciary, the Committee on Armed Services, 
     the Committee on Appropriations, the Committee on Homeland 
     Security, the Permanent Select Committee on Intelligence, and 
     the Speaker and minority leader of the House of 
     Representatives.
       ``(2) Council.--The term `Council' means the Federal 
     Acquisition Security Council established under section 
     1322(a) of this title.
       ``(3) Covered article.--The term `covered article' has the 
     meaning given that term in section 4713 of this title.
       ``(4) Covered procurement action.--The term `covered 
     procurement action' has the meaning given that term in 
     section 4713 of this title.
       ``(5) Information and communications technology.--The term 
     `information and communications technology' has the meaning 
     given that term in section 4713 of this title.
       ``(6) Intelligence community.--The term `intelligence 
     community' has the meaning given that term in section 3(4) of 
     the National Security Act of 1947 (50 U.S.C. 3003(4)).
       ``(7) National security system.--The term `national 
     security system' has the meaning given that term in section 
     3552 of title 44.
       ``(8) Supply chain risk.--The term `supply chain risk' has 
     the meaning given that term in section 4713 of this title.

     ``Sec. 1322. Federal Acquisition Security Council 
       establishment and membership

       ``(a) Establishment.--There is established in the executive 
     branch a Federal Acquisition Security Council.
       ``(b) Membership.--
       ``(1) In general.--The following agencies shall be 
     represented on the Council:
       ``(A) The Office of Management and Budget.
       ``(B) The General Services Administration.
       ``(C) The Department of Homeland Security.
       ``(D) The Office of the Director of National Intelligence, 
     including the National Counterintelligence and Security 
     Center.
       ``(E) The Department of Justice, including the Federal 
     Bureau of Investigation.
       ``(F) The Department of Defense, including the National 
     Security Agency.
       ``(G) The Department of Commerce, including the National 
     Institute of Standards and Technology.
       ``(H) Such other executive agencies as determined by the 
     Chairperson of the Council.
       ``(2) Lead representatives.--
       ``(A) Designation.--
       ``(i) In general.--Not later than 90 days after the date of 
     the enactment of the Federal Acquisition Supply Chain 
     Security Act of 2018, the head of each agency represented on 
     the Council shall designate a representative of that agency 
     as the lead representative of the agency on the Council.
       ``(ii) Requirements.--The representative of an agency 
     designated under clause (i) shall have expertise in supply 
     chain risk management, acquisitions, or information and 
     communications technology.
       ``(B) Functions.--The lead representative of an agency 
     designated under subparagraph (A) shall ensure that 
     appropriate personnel, including leadership and subject 
     matter experts of the agency, are aware of the business of 
     the Council.
       ``(c) Chairperson.--
       ``(1) Designation.--Not later than 90 days after the date 
     of the enactment of the Federal Acquisition Supply Chain 
     Security Act of 2018, the Director of the Office of 
     Management and Budget shall designate a senior-level official 
     from the Office of Management and Budget to serve as the 
     Chairperson of the Council.
       ``(2) Functions.--The Chairperson shall perform functions 
     that include--
       ``(A) subject to subsection (d), developing a schedule for 
     meetings of the Council;
       ``(B) designating executive agencies to be represented on 
     the Council under subsection (b)(1)(H);
       ``(C) in consultation with the lead representative of each 
     agency represented on the Council, developing a charter for 
     the Council; and
       ``(D) not later than 7 days after completion of the 
     charter, submitting the charter to the appropriate 
     congressional committees and leadership.
       ``(d) Meetings.--The Council shall meet not later than 180 
     days after the date of the enactment of the Federal 
     Acquisition Supply Chain Security Act of 2018 and not less 
     frequently than quarterly thereafter.

     ``Sec. 1323. Functions and authorities

       ``(a) In General.--The Council shall perform functions that 
     include the following:
       ``(1) Identifying and recommending development by the 
     National Institute of Standards and Technology of supply 
     chain risk management standards, guidelines, and practices 
     for executive agencies to use when assessing and developing 
     mitigation strategies to address supply chain risks, 
     particularly in the acquisition and use of covered articles 
     under section 1326(a) of this title.
       ``(2) Identifying or developing criteria for sharing 
     information with respect to supply chain risk, including 
     information related to the exercise of authorities provided 
     under this section and sections 1326 and 4713 of this title. 
     At a minimum, such criteria shall address--
       ``(A) the content to be shared;
       ``(B) the circumstances under which sharing is mandated or 
     voluntary; and
       ``(C) the circumstances under which it is appropriate for 
     an executive agency to rely on information made available 
     through such sharing in exercising the responsibilities and 
     authorities provided under this section and section 4713 of 
     this title.
       ``(3) Identifying an appropriate executive agency to--
       ``(A) accept information submitted by executive agencies 
     based on the criteria established under paragraph (2);

[[Page S7810]]

       ``(B) facilitate the sharing of information received under 
     subparagraph (A) to support supply chain risk analyses under 
     section 1326 of this title, recommendations under this 
     section, and covered procurement actions under section 4713 
     of this title;
       ``(C) share with the Council information regarding covered 
     procurement actions by executive agencies taken under section 
     4713 of this title; and
       ``(D) inform the Council of orders issued under this 
     section.
       ``(4) Identifying, as appropriate, executive agencies to 
     provide--
       ``(A) shared services, such as support for making risk 
     assessments, validation of products that may be suitable for 
     acquisition, and mitigation activities; and
       ``(B) common contract solutions to support supply chain 
     risk management activities, such as subscription services or 
     machine-learning-enhanced analysis applications to support 
     informed decision making.
       ``(5) Identifying and issuing guidance on additional steps 
     that may be necessary to address supply chain risks arising 
     in the course of executive agencies providing shared 
     services, common contract solutions, acquisitions vehicles, 
     or assisted acquisitions.
       ``(6) Engaging, as appropriate, with the private sector and 
     other nongovernmental stakeholders on issues relating to the 
     management of supply chain risks posed by the acquisition of 
     covered articles.
       ``(7) Carrying out such other actions, as determined by the 
     Council, that are necessary to reduce the supply chain risks 
     posed by acquisitions and use of covered articles.
       ``(b) Program Office and Committees.--The Council may 
     establish a program office and any committees, working 
     groups, or other constituent bodies the Council deems 
     appropriate, in its sole and unreviewable discretion, to 
     carry out its functions.
       ``(c) Authority for Exclusion or Removal Orders.--
       ``(1) Criteria.--To reduce supply chain risk, the Council 
     shall establish criteria and procedures for--
       ``(A) recommending orders applicable to executive agencies 
     requiring the exclusion of sources or covered articles from 
     executive agency procurement actions (in this section 
     referred to as `exclusion orders');
       ``(B) recommending orders applicable to executive agencies 
     requiring the removal of covered articles from executive 
     agency information systems (in this section referred to as 
     `removal orders');
       ``(C) requesting and approving exceptions to an issued 
     exclusion or removal order when warranted by circumstances, 
     including alternative mitigation actions; and
       ``(D) ensuring that recommended orders do not conflict with 
     standards and guidelines issued under section 11331 of title 
     40 and that the Council consults with the Director of the 
     National Institute of Standards and Technology regarding any 
     recommended orders that would implement standards and 
     guidelines developed by the National Institute of Standards 
     and Technology.
       ``(2) Recommendations.--The Council shall use the criteria 
     established under paragraph (1), information made available 
     under subsection (a)(3), and any other information the 
     Council determines appropriate to issue recommendations, for 
     application to executive agencies or any subset thereof, 
     regarding the exclusion of sources or covered articles from 
     any executive agency procurement action, including source 
     selection and consent for a contractor to subcontract, or the 
     removal of covered articles from executive agency information 
     systems. Such recommendations shall include--
       ``(A) information necessary to positively identify the 
     sources or covered articles recommended for exclusion or 
     removal;
       ``(B) information regarding the scope and applicability of 
     the recommended exclusion or removal order;
       ``(C) a summary of any risk assessment reviewed or 
     conducted in support of the recommended exclusion or removal 
     order;
       ``(D) a summary of the basis for the recommendation, 
     including a discussion of less intrusive measures that were 
     considered and why such measures were not reasonably 
     available to reduce supply chain risk;
       ``(E) a description of the actions necessary to implement 
     the recommended exclusion or removal order; and
       ``(F) where practicable, in the Council's sole and 
     unreviewable discretion, a description of mitigation steps 
     that could be taken by the source that may result in the 
     Council rescinding a recommendation.
       ``(3) Notice of recommendation and review.--A notice of the 
     Council's recommendation under paragraph (2) shall be issued 
     to any source named in the recommendation advising--
       ``(A) that a recommendation has been made;
       ``(B) of the criteria the Council relied upon under 
     paragraph (1) and, to the extent consistent with national 
     security and law enforcement interests, of information that 
     forms the basis for the recommendation;
       ``(C) that, within 30 days after receipt of notice, the 
     source may submit information and argument in opposition to 
     the recommendation;
       ``(D) of the procedures governing the review and possible 
     issuance of an exclusion or removal order pursuant to 
     paragraph (4); and
       ``(E) where practicable, in the Council's sole and 
     unreviewable discretion, a description of mitigation steps 
     that could be taken by the source that may result in the 
     Council rescinding the recommendation.
       ``(4) Exclusion and removal orders.--
       ``(A) Order issuance.--Recommendations of the Council under 
     paragraph (2), together with any information submitted by a 
     source under paragraph (3) related to such a recommendation, 
     shall be reviewed by the following officials, who in their 
     sole and unreviewable discretion may issue exclusion and 
     removal orders based upon such recommendations:
       ``(i) The Secretary of Homeland Security, for exclusion and 
     removal orders applicable to civilian agencies, to the extent 
     not covered by clause (ii) or (iii).
       ``(ii) The Secretary of Defense, for exclusion and removal 
     orders applicable to the Department of Defense and national 
     security systems other than sensitive compartmented 
     information systems.
       ``(iii) The Director of National Intelligence, for 
     exclusion and removal orders applicable to the intelligence 
     community and sensitive compartmented information systems, to 
     the extent not covered by clause (ii).
       ``(B) Delegation.--The officials identified in subparagraph 
     (A) may not delegate any authority under this subparagraph to 
     an official below the level one level below the Deputy 
     Secretary or Principal Deputy Director, except that the 
     Secretary of Defense may delegate authority for removal 
     orders to the Commander of the United States Cyber Command, 
     who may not redelegate such authority to an official below 
     the level one level below the Deputy Commander.
       ``(C) Facilitation of exclusion orders.--If officials 
     identified under this paragraph from the Department of 
     Homeland Security, the Department of Defense, and the Office 
     of the Director of National Intelligence issue orders 
     collectively resulting in a governmentwide exclusion, the 
     Administrator for General Services and officials at other 
     executive agencies responsible for management of the Federal 
     Supply Schedules, governmentwide acquisition contracts and 
     multi-agency contracts shall help facilitate implementation 
     of such orders by removing the covered articles or sources 
     identified in the orders from such contracts.
       ``(D) Review of exclusion and removal orders.--The 
     officials identified under this paragraph shall review all 
     exclusion and removal orders issued under subparagraph (A) 
     not less frequently than annually pursuant to procedures 
     established by the Council.
       ``(E) Rescission.--Orders issued pursuant to subparagraph 
     (A) may be rescinded by an authorized official from the 
     relevant issuing agency.
       ``(5) Notifications.--Upon issuance of an exclusion or 
     removal order pursuant to paragraph (4)(A), the official 
     identified under that paragraph who issued the order shall--
       ``(A) notify any source named in the order of--
       ``(i) the exclusion or removal order; and
       ``(ii) to the extent consistent with national security and 
     law enforcement interests, information that forms the basis 
     for the order;
       ``(B) provide classified or unclassified notice of the 
     exclusion or removal order to the appropriate congressional 
     committees and leadership; and
       ``(C) provide the exclusion or removal order to the agency 
     identified in subsection (a)(3).
       ``(6) Compliance.--Executive agencies shall comply with 
     exclusion and removal orders issued pursuant to paragraph 
     (4).
       ``(d) Authority To Request Information.--The Council may 
     request such information from executive agencies as is 
     necessary for the Council to carry out its functions.
       ``(e) Relationship to Other Councils.--The Council shall 
     consult and coordinate, as appropriate, with other relevant 
     councils, including the Chief Information Officers Council, 
     the Chief Acquisition Officers Council, and the Federal 
     Acquisition Regulatory Council, with respect to supply chain 
     risks posed by the acquisition and use of covered articles.
       ``(f) Rule of Construction.--Nothing in this section shall 
     limit the authority of the Office of Federal Procurement 
     Policy to carry out the responsibilities of that Office under 
     any other provision of law.

     ``Sec. 1324. Strategic plan

       ``(a) In General.--Not later than 180 days after the date 
     of the enactment of the Federal Acquisition Supply Chain 
     Security Act of 2018, the Council shall develop a strategic 
     plan for addressing supply chain risks posed by the 
     acquisition of covered articles and for managing such risks 
     that includes--
       ``(1) the criteria and processes required under section 
     1323(a) of this title, including a threshold and requirements 
     for sharing relevant information about such risks with all 
     executive agencies;
       ``(2) an identification of existing authorities for 
     addressing such risks;
       ``(3) an identification and promulgation of best practices 
     and procedures and available resources for executive agencies 
     to assess and mitigate such risks;
       ``(4) recommendations for any legislative, regulatory, or 
     other policy changes to improve efforts to address such 
     risks;
       ``(5) an evaluation of the effect of implementing new 
     policies or procedures on existing contracts and the 
     procurement process;
       ``(6) a plan for engaging with executive agencies, the 
     private sector, and other nongovernmental stakeholders to 
     address such risks;
       ``(7) a plan for identification, assessment, mitigation, 
     and vetting of supply chain risks from existing and 
     prospective information and communications technology made 
     available by executive agencies to other executive agencies 
     through common contract solutions, shared services, 
     acquisition vehicles, or other assisted acquisition services; 
     and
       ``(8) plans to strengthen the capacity of all executive 
     agencies to conduct assessments of--
       ``(A) the supply chain risk posed by the acquisition of 
     covered articles; and
       ``(B) compliance with the requirements of this subchapter.
       ``(b) Submission to Congress.--Not later than 7 calendar 
     days after completion of the

[[Page S7811]]

     strategic plan required by subsection (a), the Chairperson of 
     the Council shall submit the plan to the appropriate 
     congressional committees and leadership.

     ``Sec. 1325. Annual report

       ``Not later than December 31 of each year, the Chairperson 
     of the Council shall submit to the appropriate congressional 
     committees and leadership a report on the activities of the 
     Council during the preceding 12-month period.

     ``Sec. 1326. Requirements for executive agencies

       ``(a) In General.--The head of each executive agency shall 
     be responsible for--
       ``(1) assessing the supply chain risk posed by the 
     acquisition and use of covered articles and avoiding, 
     mitigating, accepting, or transferring that risk, as 
     appropriate and consistent with the standards, guidelines, 
     and practices identified by the Council under section 
     1323(a)(1); and
       ``(2) prioritizing supply chain risk assessments conducted 
     under paragraph (1) based on the criticality of the mission, 
     system, component, service, or asset.
       ``(b) Inclusions.--The responsibility for assessing supply 
     chain risk described in subsection (a) includes--
       ``(1) developing an overall supply chain risk management 
     strategy and implementation plan and policies and processes 
     to guide and govern supply chain risk management activities;
       ``(2) integrating supply chain risk management practices 
     throughout the life cycle of the system, component, service, 
     or asset;
       ``(3) limiting, avoiding, mitigating, accepting, or 
     transferring any identified risk;
       ``(4) sharing relevant information with other executive 
     agencies as determined appropriate by the Council in a manner 
     consistent with section 1323(a) of this title;
       ``(5) reporting on progress and effectiveness of the 
     agency's supply chain risk management consistent with 
     guidance issued by the Office of Management and Budget and 
     the Council; and
       ``(6) ensuring that all relevant information, including 
     classified information, with respect to acquisitions of 
     covered articles that may pose a supply chain risk, 
     consistent with section 1323(a) of this title, is 
     incorporated into existing processes of the agency for 
     conducting assessments described in subsection (a) and 
     ongoing management of acquisition programs, including any 
     identification, investigation, mitigation, or remediation 
     needs.
       ``(c) Interagency Acquisitions.--
       ``(1) In general.--Except as provided in paragraph (2), in 
     the case of an interagency acquisition, subsection (a) shall 
     be carried out by the head of the executive agency whose 
     funds are being used to procure the covered article.
       ``(2) Assisted acquisitions.--In an assisted acquisition, 
     the parties to the acquisition shall determine, as part of 
     the interagency agreement governing the acquisition, which 
     agency is responsible for carrying out subsection (a).
       ``(3) Definitions.--In this subsection, the terms `assisted 
     acquisition' and `interagency acquisition' have the meanings 
     given those terms in section 2.101 of title 48, Code of 
     Federal Regulations (or any corresponding similar regulation 
     or ruling).
       ``(d) Assistance.--The Secretary of Homeland Security may--
       ``(1) assist executive agencies in conducting risk 
     assessments described in subsection (a) and implementing 
     mitigation requirements for information and communications 
     technology; and
       ``(2) provide such additional guidance or tools as are 
     necessary to support actions taken by executive agencies.

     ``Sec. 1327. Judicial review procedures

       ``(a) In General.--Except as provided in subsection (b) and 
     chapter 71 of this title, and notwithstanding any other 
     provision of law, an action taken under section 1323 or 4713 
     of this title, or any action taken by an executive agency to 
     implement such an action, shall not be subject to 
     administrative review or judicial review, including bid 
     protests before the Government Accountability Office or in 
     any Federal court.
       ``(b) Petitions.--
       ``(1) In general.--Not later than 60 days after a party is 
     notified of an exclusion or removal order under section 
     1323(c)(5) of this title or a covered procurement action 
     under section 4713 of this title, the party may file a 
     petition for judicial review in the United States Court of 
     Appeals for the District of Columbia Circuit claiming that 
     the issuance of the exclusion or removal order or covered 
     procurement action is unlawful.
       ``(2) Standard of review.--The Court shall hold unlawful a 
     covered action taken under sections 1323 or 4713 of this 
     title, in response to a petition that the court finds to be--
       ``(A) arbitrary, capricious, an abuse of discretion, or 
     otherwise not in accordance with law;
       ``(B) contrary to constitutional right, power, privilege, 
     or immunity;
       ``(C) in excess of statutory jurisdiction, authority, or 
     limitation, or short of statutory right;
       ``(D) lacking substantial support in the administrative 
     record taken as a whole or in classified information 
     submitted to the court under paragraph (3); or
       ``(E) not in accord with procedures required by law.
       ``(3) Exclusive jurisdiction.--The United States Court of 
     Appeals for the District of Columbia Circuit shall have 
     exclusive jurisdiction over claims arising under sections 
     1323(c)(4) or 4713 of this title against the United States, 
     any United States department or agency, or any component or 
     official of any such department or agency, subject to review 
     by the Supreme Court of the United States under section 1254 
     of title 28.
       ``(4) Administrative record and procedures.--
       ``(A) In general.--The procedures described in this 
     paragraph shall apply to the review of a petition under this 
     section.
       ``(B) Administrative record.--
       ``(i) Filing of record.--The United States shall file with 
     the court an administrative record, which shall consist of 
     the information that the appropriate official relied upon in 
     issuing an exclusion or removal order under section 
     1323(c)(4) or a covered procurement action under section 4713 
     of this title.
       ``(ii) Unclassified, nonprivileged information.--All 
     unclassified information contained in the administrative 
     record that is not otherwise privileged or subject to 
     statutory protections shall be provided to the petitioner 
     with appropriate protections for any privileged or 
     confidential trade secrets and commercial or financial 
     information.
       ``(iii) In camera and ex parte.--The following information 
     may be included in the administrative record and shall be 
     submitted only to the court ex parte and in camera:

       ``(I) Classified information.
       ``(II) Sensitive security information, as defined by 
     section 1520.5 of title 49, Code of Federal Regulations.
       ``(III) Privileged law enforcement information.
       ``(IV) Information obtained or derived from any activity 
     authorized under the Foreign Intelligence Surveillance Act of 
     1978 (50 U.S.C. 1801 et seq.), except that, with respect to 
     such information, subsections (c), (e), (f), (g), and (h) of 
     section 106 (50 U.S.C. 1806), subsections (d), (f), (g), (h), 
     and (i) of section 305 (50 U.S.C. 1825), subsections (c), 
     (e), (f), (g), and (h) of section 405 (50 U.S.C. 1845), and 
     section 706 (50 U.S.C. 1881e) of that Act shall not apply.
       ``(V) Information subject to privilege or protections under 
     any other provision of law.

       ``(iv) Under seal.--Any information that is part of the 
     administrative record filed ex parte and in camera under 
     clause (iii), or cited by the court in any decision, shall be 
     treated by the court consistent with the provisions of this 
     subparagraph and shall remain under seal and preserved in the 
     records of the court to be made available consistent with the 
     above provisions in the event of further proceedings. In no 
     event shall such information be released to the petitioner or 
     as part of the public record.
       ``(v) Return.--After the expiration of the time to seek 
     further review, or the conclusion of further proceedings, the 
     court shall return the administrative record, including any 
     and all copies, to the United States.
       ``(C) Exclusive remedy.--A determination by the court under 
     this subsection shall be the exclusive judicial remedy for 
     any claim described in this section against the United 
     States, any United States department or agency, or any 
     component or official of any such department or agency.
       ``(D) Rule of construction.--Nothing in this section shall 
     be construed as limiting, superseding, or preventing the 
     invocation of, any privileges or defenses that are otherwise 
     available at law or in equity to protect against the 
     disclosure of information.
       ``(c) Definition.--In this section, the term `classified 
     information'--
       ``(1) has the meaning given that term in section 1(a) of 
     the Classified Information Procedures Act (18 U.S.C. App.); 
     and
       ``(2) includes--
       ``(A) any information or material that has been determined 
     by the United States Government pursuant to an Executive 
     order, statute, or regulation to require protection against 
     unauthorized disclosure for reasons of national security; and
       ``(B) any restricted data, as defined in section 11 of the 
     Atomic Energy Act of 1954 (42 U.S.C. 2014).

     ``Sec. 1328. Termination

       ``This subchapter shall terminate on the date that is 5 
     years after the date of the enactment of the Federal 
     Acquisition Supply Chain Security Act of 2018.''.
       (b) Clerical Amendment.--The table of sections at the 
     beginning of chapter 13 of such title is amended by adding at 
     the end the following new items:

      ``subchapter iii--federal acquisition supply chain security

``Sec.
``1321. Definitions.
``1322. Federal Acquisition Security Council establishment and 
              membership.
``1323. Functions and authorities.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Judicial review procedures.
``1328. Termination.''.

       (c) Effective Date.--The amendments made by this section 
     shall take effect on the date that is 90 days after the date 
     of the enactment of this Act and shall apply to contracts 
     that are awarded before, on, or after that date.
       (d) Implementation.--
       (1) Interim final rule.--Not later than one year after the 
     date of the enactment of this Act, the Federal Acquisition 
     Security Council shall prescribe an interim final rule to 
     implement subchapter III of chapter 13 of title 41, United 
     States Code, as added by subsection (a).
       (2) Final rule.--Not later than one year after prescribing 
     the interim final rule under paragraph (1) and considering 
     public comments with respect to such interim final rule, the 
     Council shall prescribe a final rule to implement subchapter 
     III of chapter 13 of title 41, United States Code, as added 
     by subsection (a).
       (3) Failure to act.--
       (A) In general.--If the Council does not issue a final rule 
     in accordance with paragraph (2) on or before the last day of 
     the one-year period referred to in that paragraph, the 
     Council shall submit to the appropriate congressional 
     committees and leadership, not later than 10 days after

[[Page S7812]]

     such last day and every 90 days thereafter until the final 
     rule is issued, a report explaining why the final rule was 
     not timely issued and providing an estimate of the earliest 
     date on which the final rule will be issued.
       (B) Appropriate congressional committees and leadership 
     defined.--In this paragraph, the term ``appropriate 
     congressional committees and leadership'' has the meaning 
     given that term in section 1321 of title 41, United States 
     Code, as added by subsection (a).

     SEC. 3. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO 
                   MITIGATING SUPPLY CHAIN RISKS IN THE 
                   PROCUREMENT OF COVERED ARTICLES.

       (a) In General.--Chapter 47 of title 41, United States 
     Code, is amended by adding at the end the following new 
     section:

     ``Sec. 4713. Authorities relating to mitigating supply chain 
       risks in the procurement of covered articles

       ``(a) Authority.--Subject to subsection (b), the head of an 
     executive agency may--
       ``(1) carry out a covered procurement action; and
       ``(2) limit, notwithstanding any other provision of law, in 
     whole or in part, the disclosure of information relating to 
     the basis for carrying out a covered procurement action.
       ``(b) Determination and Notification.--Except as authorized 
     by subsection (c) to address an urgent national security 
     interest, the head of an executive agency may exercise the 
     authority provided in subsection (a) only after--
       ``(1) obtaining a joint recommendation, in unclassified or 
     classified form, from the chief acquisition officer and the 
     chief information officer of the agency, or officials 
     performing similar functions in the case of executive 
     agencies that do not have such officials, which includes a 
     review of any risk assessment made available by the executive 
     agency identified under section 1323(a)(3) of this title, 
     that there is a significant supply chain risk in a covered 
     procurement;
       ``(2) providing notice of the joint recommendation 
     described in paragraph (1) to any source named in the joint 
     recommendation advising--
       ``(A) that a recommendation is being considered or has been 
     obtained;
       ``(B) to the extent consistent with the national security 
     and law enforcement interests, of information that forms the 
     basis for the recommendation;
       ``(C) that, within 30 days after receipt of the notice, the 
     source may submit information and argument in opposition to 
     the recommendation; and
       ``(D) of the procedures governing the consideration of the 
     submission and the possible exercise of the authority 
     provided in subsection (a);
       ``(3) making a determination in writing, in unclassified or 
     classified form, after considering any information submitted 
     by a source under paragraph (2) and in consultation with the 
     chief information security officer of the agency, that--
       ``(A) use of the authority under subsection (a)(1) is 
     necessary to protect national security by reducing supply 
     chain risk;
       ``(B) less intrusive measures are not reasonably available 
     to reduce such supply chain risk;
       ``(C) a decision to limit disclosure of information under 
     subsection (a)(2) is necessary to protect an urgent national 
     security interest; and
       ``(D) the use of such authorities will apply to a single 
     covered procurement or a class of covered procurements, and 
     otherwise specifies the scope of the determination; and
       ``(4) providing a classified or unclassified notice of the 
     determination made under paragraph (3) to the appropriate 
     congressional committees and leadership that includes--
       ``(A) the joint recommendation described in paragraph (1);
       ``(B) a summary of any risk assessment reviewed in support 
     of the joint recommendation required by paragraph (1); and
       ``(C) a summary of the basis for the determination, 
     including a discussion of less intrusive measures that were 
     considered and why such measures were not reasonably 
     available to reduce supply chain risk.
       ``(c) Procedures To Address Urgent National Security 
     Interests.--In any case in which the head of an executive 
     agency determines that an urgent national security interest 
     requires the immediate exercise of the authority provided in 
     subsection (a), the head of the agency--
       ``(1) may, to the extent necessary to address such national 
     security interest, and subject to the conditions in paragraph 
     (2)--
       ``(A) temporarily delay the notice required by subsection 
     (b)(2);
       ``(B) make the determination required by subsection (b)(3), 
     regardless of whether the notice required by subsection 
     (b)(2) has been provided or whether the notified source has 
     submitted any information in response to such notice;
       ``(C) temporarily delay the notice required by subsection 
     (b)(4); and
       ``(D) exercise the authority provided in subsection (a) in 
     accordance with such determination within 60 calendar days 
     after the day the determination is made; and
       ``(2) shall take actions necessary to comply with all 
     requirements of subsection (b) as soon as practicable after 
     addressing the urgent national security interest, including--
       ``(A) providing the notice required by subsection (b)(2);
       ``(B) promptly considering any information submitted by the 
     source in response to such notice, and making any appropriate 
     modifications to the determination based on such information;
       ``(C) providing the notice required by subsection (b)(4), 
     including a description of the urgent national security 
     interest, and any modifications to the determination made in 
     accordance with subparagraph (B); and
       ``(D) providing notice to the appropriate congressional 
     committees and leadership within 7 calendar days of the 
     covered procurement actions taken under this section.
       ``(d) Delegation.--The head of an executive agency may not 
     delegate the authority provided in subsection (a) or the 
     responsibility identified in subsection (f) to an official 
     below the level one level below the Deputy Secretary or 
     Principal Deputy Director.
       ``(e) Limitation on Disclosure.--If the head of an 
     executive agency has exercised the authority provided in 
     subsection (a)(2) to limit disclosure of information, the 
     agency head or a designee identified by the agency head 
     shall--
       ``(1) provide to the executive agency identified by the 
     Council under paragraph (3) of section 1323(a) of this title 
     information identified by the criteria under paragraph (2) of 
     that section, in a manner and to the extent consistent with 
     the requirements of national security and law enforcement 
     interests; and
       ``(2) take steps to maintain the confidentiality of any 
     such notifications.
       ``(f) Annual Review of Determinations.--The head of an 
     executive agency shall conduct an annual review of all 
     determinations made by such head under subsection (b) and 
     promptly amend any covered procurement action as appropriate.
       ``(g) Regulations.--The Federal Acquisition Regulatory 
     Council shall prescribe such regulations as may be necessary 
     to carry out this section.
       ``(h) Reports Required.--Not less frequently than annually, 
     the head of each executive agency that exercised the 
     authority provided in subsection (a) or (c) during the 
     preceding 12-month period shall submit to the appropriate 
     congressional committees and leadership a report summarizing 
     the actions taken by the agency under this section during 
     that 12-month period.
       ``(i) Applicability.--Notwithstanding section 3101(c)(1)(A) 
     of this title, this section applies to the Department of 
     Defense, the Coast Guard, and the National Aeronautics and 
     Space Administration.
       ``(j) Termination.--The authority provided under subsection 
     (a) shall terminate on the date that is 5 years after the 
     date of the enactment of the Federal Acquisition Supply Chain 
     Security Act of 2018.
       ``(k) Definitions.--In this section:
       ``(1) Appropriate congressional committees and 
     leadership.--The term `appropriate congressional committees 
     and leadership' means--
       ``(A) the Committee on Homeland Security and Governmental 
     Affairs, the Committee on the Judiciary, the Committee on 
     Appropriations, the Select Committee on Intelligence, and the 
     majority and minority leader of the Senate; and
       ``(B) the Committee on Oversight and Government Reform, the 
     Committee on the Judiciary, the Committee on Appropriations, 
     the Committee on Homeland Security, the Permanent Select 
     Committee on Intelligence, and the Speaker and minority 
     leader of the House of Representatives.
       ``(2) Covered article.--The term `covered article' means--
       ``(A) information technology, as defined in section 11101 
     of title 40, including cloud computing services of all types;
       ``(B) telecommunications equipment or telecommunications 
     service, as those terms are defined in section 3 of the 
     Communications Act of 1934 (47 U.S.C. 153);
       ``(C) the processing of information on a Federal or non-
     Federal information system, subject to the requirements of 
     the Controlled Unclassified Information program; or
       ``(D) hardware, systems, devices, software, or services 
     that include embedded or incidental information technology.
       ``(3) Covered procurement.--The term `covered procurement' 
     means--
       ``(A) a source selection for a covered article involving 
     either a performance specification, as provided in subsection 
     (a)(3)(B) of section 3306 of this title, or an evaluation 
     factor, as provided in subsection (b)(1)(A) of such section, 
     relating to a supply chain risk, or where supply chain risk 
     considerations are included in the agency's determination of 
     whether a source is a responsible source as defined in 
     section 113 of this title;
       ``(B) the consideration of proposals for and issuance of a 
     task or delivery order for a covered article, as provided in 
     section 4106(d)(3) of this title, where the task or delivery 
     order contract includes a contract clause establishing a 
     requirement relating to a supply chain risk;
       ``(C) any contract action involving a contract for a 
     covered article where the contract includes a clause 
     establishing requirements relating to a supply chain risk; or
       ``(D) any other procurement in a category of procurements 
     determined appropriate by the Federal Acquisition Regulatory 
     Council, with the advice of the Federal Acquisition Security 
     Council.
       ``(4) Covered procurement action.--The term `covered 
     procurement action' means any of the following actions, if 
     the action takes place in the course of conducting a covered 
     procurement:
       ``(A) The exclusion of a source that fails to meet 
     qualification requirements established under section 3311 of 
     this title for the purpose of reducing supply chain risk in 
     the acquisition or use of covered articles.
       ``(B) The exclusion of a source that fails to achieve an 
     acceptable rating with regard to an evaluation factor 
     providing for the consideration of supply chain risk in the 
     evaluation of proposals for the award of a contract or the 
     issuance of a task or delivery order.
       ``(C) The determination that a source is not a responsible 
     source as defined in section 113 of this title based on 
     considerations of supply chain risk.
       ``(D) The decision to withhold consent for a contractor to 
     subcontract with a particular source or to direct a 
     contractor to exclude a particular source from consideration 
     for a subcontract under the contract.

[[Page S7813]]

       ``(5) Information and communications technology.--The term 
     `information and communications technology' means--
       ``(A) information technology, as defined in section 11101 
     of title 40;
       ``(B) information systems, as defined in section 3502 of 
     title 44; and
       ``(C) telecommunications equipment and telecommunications 
     services, as those terms are defined in section 3 of the 
     Communications Act of 1934 (47 U.S.C. 153).
       ``(6) Supply chain risk.--The term `supply chain risk' 
     means the risk that any person may sabotage, maliciously 
     introduce unwanted function, extract data, or otherwise 
     manipulate the design, integrity, manufacturing, production, 
     distribution, installation, operation, maintenance, 
     disposition, or retirement of covered articles so as to 
     surveil, deny, disrupt, or otherwise manipulate the function, 
     use, or operation of the covered articles or information 
     stored or transmitted on the covered articles.''.
       (b) Clerical Amendment.--The table of sections at the 
     beginning of chapter 47 of such title is amended by adding at 
     the end the following new item:

``4713. Authorities relating to mitigating supply chain risks in the 
              procurement of covered articles.''.

       (c) Effective Date.--The amendments made by this section 
     shall take effect on the date that is 90 days after the date 
     of the enactment of this Act and shall apply to contracts 
     that are awarded before, on, or after that date.

     SEC. 4. FEDERAL INFORMATION SECURITY MODERNIZATION ACT.

       (a) In General.--Title 44, United States Code, is amended--
       (1) in section 3553(a)(5), by inserting ``and section 1326 
     of title 41'' after ``compliance with the requirements of 
     this subchapter''; and
       (2) in section 3554(a)(1)(B)--
       (A) by inserting ``, subchapter III of chapter 13 of title 
     41,'' after ``complying with the requirements of this 
     subchapter'';
       (B) in clause (iv), by striking ``; and'' and inserting a 
     semicolon; and
       (C) by adding at the end the following new clause:
       ``(vi) responsibilities relating to assessing and avoiding, 
     mitigating, transferring, or accepting supply chain risks 
     under section 1326 of title 41, and complying with exclusion 
     and removal orders issued under section 1323 of such title; 
     and''.
       (b) Rule of Construction.--Nothing in this Act shall be 
     construed to alter or impede any authority or responsibility 
     under section 3553 of title 44, United States Code.

     SEC. 5. EFFECTIVE DATE.

       This Act shall take effect on the date that is 90 days 
     after the date of the enactment of this Act.

  Mr. BOOZMAN. I ask unanimous consent that the committee-reported 
substitute amendment be withdrawn; that the McCaskill substitute 
amendment at the desk be considered and agreed to; that the bill, as 
amended, be considered read a third time and passed; and that the 
motion to reconsider be considered made and laid upon the table.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The committee-reported amendment in the nature of a substitute was 
withdrawn.
  The amendment (No. 4158) in the nature of a substitute was agreed to, 
as follows:

                (Purpose: In the nature of a substitute)

       Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Federal Acquisition Supply 
     Chain Security Act of 2018''.

     SEC. 2. FEDERAL ACQUISITION SUPPLY CHAIN SECURITY.

       (a) In General.--Chapter 13 of title 41, United States 
     Code, is amended by adding at the end the following new 
     subchapter:

      ``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY

     ``Sec. 1321. Definitions

       ``In this subchapter:
       ``(1) Appropriate congressional committees and 
     leadership.--The term `appropriate congressional committees 
     and leadership' means--
       ``(A) the Committee on Homeland Security and Governmental 
     Affairs, the Committee on the Judiciary, the Committee on 
     Appropriations, the Committee on Armed Services, the 
     Committee on Commerce, Science, and Transportation, the 
     Select Committee on Intelligence, and the majority and 
     minority leader of the Senate; and
       ``(B) the Committee on Oversight and Government Reform, the 
     Committee on the Judiciary, the Committee on Appropriations, 
     the Committee on Homeland Security, the Committee on Armed 
     Services, the Committee on Energy and Commerce, the Permanent 
     Select Committee on Intelligence, and the Speaker and 
     minority leader of the House of Representatives.
       ``(2) Council.--The term `Council' means the Federal 
     Acquisition Security Council established under section 
     1322(a) of this title.
       ``(3) Covered article.--The term `covered article' has the 
     meaning given that term in section 4713 of this title.
       ``(4) Covered procurement action.--The term `covered 
     procurement action' has the meaning given that term in 
     section 4713 of this title.
       ``(5) Information and communications technology.--The term 
     `information and communications technology' has the meaning 
     given that term in section 4713 of this title.
       ``(6) Intelligence community.--The term `intelligence 
     community' has the meaning given that term in section 3(4) of 
     the National Security Act of 1947 (50 U.S.C. 3003(4)).
       ``(7) National security system.--The term `national 
     security system' has the meaning given that term in section 
     3552 of title 44.
       ``(8) Supply chain risk.--The term `supply chain risk' has 
     the meaning given that term in section 4713 of this title.

     ``Sec. 1322. Federal Acquisition Security Council 
       establishment and membership

       ``(a) Establishment.--There is established in the executive 
     branch a Federal Acquisition Security Council.
       ``(b) Membership.--
       ``(1) In general.--The following agencies shall be 
     represented on the Council:
       ``(A) The Office of Management and Budget.
       ``(B) The General Services Administration.
       ``(C) The Department of Homeland Security, including the 
     Cybersecurity and Infrastructure Security Agency.
       ``(D) The Office of the Director of National Intelligence, 
     including the National Counterintelligence and Security 
     Center.
       ``(E) The Department of Justice, including the Federal 
     Bureau of Investigation.
       ``(F) The Department of Defense, including the National 
     Security Agency.
       ``(G) The Department of Commerce, including the National 
     Institute of Standards and Technology.
       ``(H) Such other executive agencies as determined by the 
     Chairperson of the Council.
       ``(2) Lead representatives.--
       ``(A) Designation.--
       ``(i) In general.--Not later than 45 days after the date of 
     the enactment of the Federal Acquisition Supply Chain 
     Security Act of 2018, the head of each agency represented on 
     the Council shall designate a representative of that agency 
     as the lead representative of the agency on the Council.
       ``(ii) Requirements.--The representative of an agency 
     designated under clause (i) shall have expertise in supply 
     chain risk management, acquisitions, or information and 
     communications technology.
       ``(B) Functions.--The lead representative of an agency 
     designated under subparagraph (A) shall ensure that 
     appropriate personnel, including leadership and subject 
     matter experts of the agency, are aware of the business of 
     the Council.
       ``(c) Chairperson.--
       ``(1) Designation.--Not later than 45 days after the date 
     of the enactment of the Federal Acquisition Supply Chain 
     Security Act of 2018, the Director of the Office of 
     Management and Budget shall designate a senior-level official 
     from the Office of Management and Budget to serve as the 
     Chairperson of the Council.
       ``(2) Functions.--The Chairperson shall perform functions 
     that include--
       ``(A) subject to subsection (d), developing a schedule for 
     meetings of the Council;
       ``(B) designating executive agencies to be represented on 
     the Council under subsection (b)(1)(H);
       ``(C) in consultation with the lead representative of each 
     agency represented on the Council, developing a charter for 
     the Council; and
       ``(D) not later than 7 days after completion of the 
     charter, submitting the charter to the appropriate 
     congressional committees and leadership.
       ``(d) Meetings.--The Council shall meet not later than 60 
     days after the date of the enactment of the Federal 
     Acquisition Supply Chain Security Act of 2018 and not less 
     frequently than quarterly thereafter.

     ``Sec. 1323. Functions and authorities

       ``(a) In General.--The Council shall perform functions that 
     include the following:
       ``(1) Identifying and recommending development by the 
     National Institute of Standards and Technology of supply 
     chain risk management standards, guidelines, and practices 
     for executive agencies to use when assessing and developing 
     mitigation strategies to address supply chain risks, 
     particularly in the acquisition and use of covered articles 
     under section 1326(a) of this title.
       ``(2) Identifying or developing criteria for sharing 
     information with executive agencies, other Federal entities, 
     and non-Federal entities with respect to supply chain risk, 
     including information related to the exercise of authorities 
     provided under this section and sections 1326 and 4713 of 
     this title. At a minimum, such criteria shall address--
       ``(A) the content to be shared;
       ``(B) the circumstances under which sharing is mandated or 
     voluntary; and
       ``(C) the circumstances under which it is appropriate for 
     an executive agency to rely on information made available 
     through such sharing in exercising the responsibilities and 
     authorities provided under this section and section 4713 of 
     this title.
       ``(3) Identifying an appropriate executive agency to--
       ``(A) accept information submitted by executive agencies 
     based on the criteria established under paragraph (2);
       ``(B) facilitate the sharing of information received under 
     subparagraph (A) to support supply chain risk analyses under 
     section 1326 of this title, recommendations under this 
     section, and covered procurement actions under section 4713 
     of this title;
       ``(C) share with the Council information regarding covered 
     procurement actions by executive agencies taken under section 
     4713 of this title; and

[[Page S7814]]

       ``(D) inform the Council of orders issued under this 
     section.
       ``(4) Identifying, as appropriate, executive agencies to 
     provide--
       ``(A) shared services, such as support for making risk 
     assessments, validation of products that may be suitable for 
     acquisition, and mitigation activities; and
       ``(B) common contract solutions to support supply chain 
     risk management activities, such as subscription services or 
     machine-learning-enhanced analysis applications to support 
     informed decisionmaking.
       ``(5) Identifying and issuing guidance on additional steps 
     that may be necessary to address supply chain risks arising 
     in the course of executive agencies providing shared 
     services, common contract solutions, acquisitions vehicles, 
     or assisted acquisitions.
       ``(6) Engaging with the private sector and other 
     nongovernmental stakeholders in performing the functions 
     described in paragraphs (1) and (2) and on issues relating to 
     the management of supply chain risks posed by the acquisition 
     of covered articles.
       ``(7) Carrying out such other actions, as determined by the 
     Council, that are necessary to reduce the supply chain risks 
     posed by acquisitions and use of covered articles.
       ``(b) Program Office and Committees.--The Council may 
     establish a program office and any committees, working 
     groups, or other constituent bodies the Council deems 
     appropriate, in its sole and unreviewable discretion, to 
     carry out its functions.
       ``(c) Authority for Exclusion or Removal Orders.--
       ``(1) Criteria.--To reduce supply chain risk, the Council 
     shall establish criteria and procedures for--
       ``(A) recommending orders applicable to executive agencies 
     requiring the exclusion of sources or covered articles from 
     executive agency procurement actions (in this section 
     referred to as `exclusion orders');
       ``(B) recommending orders applicable to executive agencies 
     requiring the removal of covered articles from executive 
     agency information systems (in this section referred to as 
     `removal orders');
       ``(C) requesting and approving exceptions to an issued 
     exclusion or removal order when warranted by circumstances, 
     including alternative mitigation actions or other findings 
     relating to the national interest, including national 
     security reviews, national security investigations, or 
     national security agreements; and
       ``(D) ensuring that recommended orders do not conflict with 
     standards and guidelines issued under section 11331 of title 
     40 and that the Council consults with the Director of the 
     National Institute of Standards and Technology regarding any 
     recommended orders that would implement standards and 
     guidelines developed by the National Institute of Standards 
     and Technology.
       ``(2) Recommendations.--The Council shall use the criteria 
     established under paragraph (1), information made available 
     under subsection (a)(3), and any other information the 
     Council determines appropriate to issue recommendations, for 
     application to executive agencies or any subset thereof, 
     regarding the exclusion of sources or covered articles from 
     any executive agency procurement action, including source 
     selection and consent for a contractor to subcontract, or the 
     removal of covered articles from executive agency information 
     systems. Such recommendations shall include--
       ``(A) information necessary to positively identify the 
     sources or covered articles recommended for exclusion or 
     removal;
       ``(B) information regarding the scope and applicability of 
     the recommended exclusion or removal order;
       ``(C) a summary of any risk assessment reviewed or 
     conducted in support of the recommended exclusion or removal 
     order;
       ``(D) a summary of the basis for the recommendation, 
     including a discussion of less intrusive measures that were 
     considered and why such measures were not reasonably 
     available to reduce supply chain risk;
       ``(E) a description of the actions necessary to implement 
     the recommended exclusion or removal order; and
       ``(F) where practicable, in the Council's sole and 
     unreviewable discretion, a description of mitigation steps 
     that could be taken by the source that may result in the 
     Council rescinding a recommendation.
       ``(3) Notice of recommendation and review.--A notice of the 
     Council's recommendation under paragraph (2) shall be issued 
     to any source named in the recommendation advising--
       ``(A) that a recommendation has been made;
       ``(B) of the criteria the Council relied upon under 
     paragraph (1) and, to the extent consistent with national 
     security and law enforcement interests, of information that 
     forms the basis for the recommendation;
       ``(C) that, within 30 days after receipt of notice, the 
     source may submit information and argument in opposition to 
     the recommendation;
       ``(D) of the procedures governing the review and possible 
     issuance of an exclusion or removal order pursuant to 
     paragraph (5); and
       ``(E) where practicable, in the Council's sole and 
     unreviewable discretion, a description of mitigation steps 
     that could be taken by the source that may result in the 
     Council rescinding the recommendation.
       ``(4) Confidentiality.--Any notice issued to a source under 
     paragraph (3) shall be kept confidential until--
       ``(A) an exclusion or removal order is issued pursuant to 
     paragraph (5); and
       ``(B) the source has been notified pursuant to paragraph 
     (6).
       ``(5) Exclusion and removal orders.--
       ``(A) Order issuance.--Recommendations of the Council under 
     paragraph (2), together with any information submitted by a 
     source under paragraph (3) related to such a recommendation, 
     shall be reviewed by the following officials, who may issue 
     exclusion and removal orders based upon such recommendations:
       ``(i) The Secretary of Homeland Security, for exclusion and 
     removal orders applicable to civilian agencies, to the extent 
     not covered by clause (ii) or (iii).
       ``(ii) The Secretary of Defense, for exclusion and removal 
     orders applicable to the Department of Defense and national 
     security systems other than sensitive compartmented 
     information systems.
       ``(iii) The Director of National Intelligence, for 
     exclusion and removal orders applicable to the intelligence 
     community and sensitive compartmented information systems, to 
     the extent not covered by clause (ii).
       ``(B) Delegation.--The officials identified in subparagraph 
     (A) may not delegate any authority under this subparagraph to 
     an official below the level one level below the Deputy 
     Secretary or Principal Deputy Director, except that the 
     Secretary of Defense may delegate authority for removal 
     orders to the Commander of the United States Cyber Command, 
     who may not redelegate such authority to an official below 
     the level one level below the Deputy Commander.
       ``(C) Facilitation of exclusion orders.--If officials 
     identified under this paragraph from the Department of 
     Homeland Security, the Department of Defense, and the Office 
     of the Director of National Intelligence issue orders 
     collectively resulting in a governmentwide exclusion, the 
     Administrator for General Services and officials at other 
     executive agencies responsible for management of the Federal 
     Supply Schedules, governmentwide acquisition contracts, and 
     multi-agency contracts shall help facilitate implementation 
     of such orders by removing the covered articles or sources 
     identified in the orders from such contracts.
       ``(D) Review of exclusion and removal orders.--The 
     officials identified under this paragraph shall review all 
     exclusion and removal orders issued under subparagraph (A) 
     not less frequently than annually pursuant to procedures 
     established by the Council.
       ``(E) Rescission.--Orders issued pursuant to subparagraph 
     (A) may be rescinded by an authorized official from the 
     relevant issuing agency.
       ``(6) Notifications.--Upon issuance of an exclusion or 
     removal order pursuant to paragraph (5)(A), the official 
     identified under that paragraph who issued the order shall--
       ``(A) notify any source named in the order of--
       ``(i) the exclusion or removal order; and
       ``(ii) to the extent consistent with national security and 
     law enforcement interests, information that forms the basis 
     for the order;
       ``(B) provide classified or unclassified notice of the 
     exclusion or removal order to the appropriate congressional 
     committees and leadership; and
       ``(C) provide the exclusion or removal order to the agency 
     identified in subsection (a)(3).
       ``(7) Compliance.--Executive agencies shall comply with 
     exclusion and removal orders issued pursuant to paragraph 
     (5).
       ``(d) Authority To Request Information.--The Council may 
     request such information from executive agencies as is 
     necessary for the Council to carry out its functions.
       ``(e) Relationship to Other Councils.--The Council shall 
     consult and coordinate, as appropriate, with other relevant 
     councils and interagency committees, including the Chief 
     Information Officers Council, the Chief Acquisition Officers 
     Council, the Federal Acquisition Regulatory Council, and the 
     Committee on Foreign Investment in the United States, with 
     respect to supply chain risks posed by the acquisition and 
     use of covered articles.
       ``(f) Rules of Construction.--Nothing in this section shall 
     be construed--
       ``(1) to limit the authority of the Office of Federal 
     Procurement Policy to carry out the responsibilities of that 
     Office under any other provision of law; or
       ``(2) to authorize the issuance of an exclusion or removal 
     order based solely on the fact of foreign ownership of a 
     potential procurement source that is otherwise qualified to 
     enter into procurement contracts with the Federal Government.

     ``Sec. 1324. Strategic plan

       ``(a) In General.--Not later than 180 days after the date 
     of the enactment of the Federal Acquisition Supply Chain 
     Security Act of 2018, the Council shall develop a strategic 
     plan for addressing supply chain risks posed by the 
     acquisition of covered articles and for managing such risks, 
     that includes--
       ``(1) the criteria and processes required under section 
     1323(a) of this title, including a threshold and requirements 
     for sharing relevant information about such risks with all 
     executive agencies and, as appropriate, with other Federal 
     entities and non-Federal entities;
       ``(2) an identification of existing authorities for 
     addressing such risks;
       ``(3) an identification and promulgation of best practices 
     and procedures and available resources for executive agencies 
     to assess and mitigate such risks;

[[Page S7815]]

       ``(4) recommendations for any legislative, regulatory, or 
     other policy changes to improve efforts to address such 
     risks;
       ``(5) recommendations for any legislative, regulatory, or 
     other policy changes to incentivize the adoption of best 
     practices for supply chain risk management by the private 
     sector;
       ``(6) an evaluation of the effect of implementing new 
     policies or procedures on existing contracts and the 
     procurement process;
       ``(7) a plan for engaging with executive agencies, the 
     private sector, and other nongovernmental stakeholders to 
     address such risks;
       ``(8) a plan for identification, assessment, mitigation, 
     and vetting of supply chain risks from existing and 
     prospective information and communications technology made 
     available by executive agencies to other executive agencies 
     through common contract solutions, shared services, 
     acquisition vehicles, or other assisted acquisition services; 
     and
       ``(9) plans to strengthen the capacity of all executive 
     agencies to conduct assessments of--
       ``(A) the supply chain risk posed by the acquisition of 
     covered articles; and
       ``(B) compliance with the requirements of this subchapter.
       ``(b) Submission to Congress.--Not later than 7 calendar 
     days after completion of the strategic plan required by 
     subsection (a), the Chairperson of the Council shall submit 
     the plan to the appropriate congressional committees and 
     leadership.

     ``Sec. 1325. Annual report

       ``Not later than December 31 of each year, the Chairperson 
     of the Council shall submit to the appropriate congressional 
     committees and leadership a report on the activities of the 
     Council during the preceding 12-month period.

     ``Sec. 1326. Requirements for executive agencies

       ``(a) In General.--The head of each executive agency shall 
     be responsible for--
       ``(1) assessing the supply chain risk posed by the 
     acquisition and use of covered articles and avoiding, 
     mitigating, accepting, or transferring that risk, as 
     appropriate and consistent with the standards, guidelines, 
     and practices identified by the Council under section 
     1323(a)(1); and
       ``(2) prioritizing supply chain risk assessments conducted 
     under paragraph (1) based on the criticality of the mission, 
     system, component, service, or asset.
       ``(b) Inclusions.--The responsibility for assessing supply 
     chain risk described in subsection (a) includes--
       ``(1) developing an overall supply chain risk management 
     strategy and implementation plan and policies and processes 
     to guide and govern supply chain risk management activities;
       ``(2) integrating supply chain risk management practices 
     throughout the lifecycle of the system, component, service, 
     or asset;
       ``(3) limiting, avoiding, mitigating, accepting, or 
     transferring any identified risk;
       ``(4) sharing relevant information with other executive 
     agencies, as determined appropriate by the Council in a 
     manner consistent with section 1323(a) of this title;
       ``(5) reporting on progress and effectiveness of the 
     agency's supply chain risk management consistent with 
     guidance issued by the Office of Management and Budget and 
     the Council; and
       ``(6) ensuring that all relevant information, including 
     classified information, with respect to acquisitions of 
     covered articles that may pose a supply chain risk, 
     consistent with section 1323(a) of this title, is 
     incorporated into existing processes of the agency for 
     conducting assessments described in subsection (a) and 
     ongoing management of acquisition programs, including any 
     identification, investigation, mitigation, or remediation 
     needs.
       ``(c) Interagency Acquisitions.--
       ``(1) In general.--Except as provided in paragraph (2), in 
     the case of an interagency acquisition, subsection (a) shall 
     be carried out by the head of the executive agency whose 
     funds are being used to procure the covered article.
       ``(2) Assisted acquisitions.--In an assisted acquisition, 
     the parties to the acquisition shall determine, as part of 
     the interagency agreement governing the acquisition, which 
     agency is responsible for carrying out subsection (a).
       ``(3) Definitions.--In this subsection, the terms `assisted 
     acquisition' and `interagency acquisition' have the meanings 
     given those terms in section 2.101 of title 48, Code of 
     Federal Regulations (or any corresponding similar regulation 
     or ruling).
       ``(d) Assistance.--The Secretary of Homeland Security may--
       ``(1) assist executive agencies in conducting risk 
     assessments described in subsection (a) and implementing 
     mitigation requirements for information and communications 
     technology; and
       ``(2) provide such additional guidance or tools as are 
     necessary to support actions taken by executive agencies.

     ``Sec. 1327. Judicial review procedures

       ``(a) In General.--Except as provided in subsection (b) and 
     chapter 71 of this title, and notwithstanding any other 
     provision of law, an action taken under section 1323 or 4713 
     of this title, or any action taken by an executive agency to 
     implement such an action, shall not be subject to 
     administrative review or judicial review, including bid 
     protests before the Government Accountability Office or in 
     any Federal court.
       ``(b) Petitions.--
       ``(1) In general.--Not later than 60 days after a party is 
     notified of an exclusion or removal order under section 
     1323(c)(6) of this title or a covered procurement action 
     under section 4713 of this title, the party may file a 
     petition for judicial review in the United States Court of 
     Appeals for the District of Columbia Circuit claiming that 
     the issuance of the exclusion or removal order or covered 
     procurement action is unlawful.
       ``(2) Standard of review.--The Court shall hold unlawful a 
     covered action taken under sections 1323 or 4713 of this 
     title, in response to a petition that the court finds to be--
       ``(A) arbitrary, capricious, an abuse of discretion, or 
     otherwise not in accordance with law;
       ``(B) contrary to constitutional right, power, privilege, 
     or immunity;
       ``(C) in excess of statutory jurisdiction, authority, or 
     limitation, or short of statutory right;
       ``(D) lacking substantial support in the administrative 
     record taken as a whole or in classified information 
     submitted to the court under paragraph (3); or
       ``(E) not in accord with procedures required by law.
       ``(3) Exclusive jurisdiction.--The United States Court of 
     Appeals for the District of Columbia Circuit shall have 
     exclusive jurisdiction over claims arising under sections 
     1323(c)(5) or 4713 of this title against the United States, 
     any United States department or agency, or any component or 
     official of any such department or agency, subject to review 
     by the Supreme Court of the United States under section 1254 
     of title 28.
       ``(4) Administrative record and procedures.--
       ``(A) In general.--The procedures described in this 
     paragraph shall apply to the review of a petition under this 
     section.
       ``(B) Administrative record.--
       ``(i) Filing of record.--The United States shall file with 
     the court an administrative record, which shall consist of 
     the information that the appropriate official relied upon in 
     issuing an exclusion or removal order under section 
     1323(c)(5) or a covered procurement action under section 4713 
     of this title.
       ``(ii) Unclassified, nonprivileged information.--All 
     unclassified information contained in the administrative 
     record that is not otherwise privileged or subject to 
     statutory protections shall be provided to the petitioner 
     with appropriate protections for any privileged or 
     confidential trade secrets and commercial or financial 
     information.
       ``(iii) In camera and ex parte.--The following information 
     may be included in the administrative record and shall be 
     submitted only to the court ex parte and in camera:

       ``(I) Classified information.
       ``(II) Sensitive security information, as defined by 
     section 1520.5 of title 49, Code of Federal Regulations.
       ``(III) Privileged law enforcement information.
       ``(IV) Information obtained or derived from any activity 
     authorized under the Foreign Intelligence Surveillance Act of 
     1978 (50 U.S.C. 1801 et seq.), except that, with respect to 
     such information, subsections (c), (e), (f), (g), and (h) of 
     section 106 (50 U.S.C. 1806), subsections (d), (f), (g), (h), 
     and (i) of section 305 (50 U.S.C. 1825), subsections (c), 
     (e), (f), (g), and (h) of section 405 (50 U.S.C. 1845), and 
     section 706 (50 U.S.C. 1881e) of that Act shall not apply.
       ``(V) Information subject to privilege or protections under 
     any other provision of law.

       ``(iv) Under seal.--Any information that is part of the 
     administrative record filed ex parte and in camera under 
     clause (iii), or cited by the court in any decision, shall be 
     treated by the court consistent with the provisions of this 
     subparagraph and shall remain under seal and preserved in the 
     records of the court to be made available consistent with the 
     above provisions in the event of further proceedings. In no 
     event shall such information be released to the petitioner or 
     as part of the public record.
       ``(v) Return.--After the expiration of the time to seek 
     further review, or the conclusion of further proceedings, the 
     court shall return the administrative record, including any 
     and all copies, to the United States.
       ``(C) Exclusive remedy.--A determination by the court under 
     this subsection shall be the exclusive judicial remedy for 
     any claim described in this section against the United 
     States, any United States department or agency, or any 
     component or official of any such department or agency.
       ``(D) Rule of construction.--Nothing in this section shall 
     be construed as limiting, superseding, or preventing the 
     invocation of, any privileges or defenses that are otherwise 
     available at law or in equity to protect against the 
     disclosure of information.
       ``(c) Definition.--In this section, the term `classified 
     information'--
       ``(1) has the meaning given that term in section 1(a) of 
     the Classified Information Procedures Act (18 U.S.C. App.); 
     and
       ``(2) includes--
       ``(A) any information or material that has been determined 
     by the United States Government pursuant to an Executive 
     order, statute, or regulation to require protection against 
     unauthorized disclosure for reasons of national security; and
       ``(B) any restricted data, as defined in section 11 of the 
     Atomic Energy Act of 1954 (42 U.S.C. 2014).

[[Page S7816]]

  


     ``Sec. 1328. Termination

       ``This subchapter shall terminate on the date that is 5 
     years after the date of the enactment of the Federal 
     Acquisition Supply Chain Security Act of 2018.''.
       (b) Clerical Amendment.--The table of sections at the 
     beginning of chapter 13 of such title is amended by adding at 
     the end the following new items:

       ``subchapter iii--federal acquisition supply chain security

``Sec.
``1321. Definitions.
``1322. Federal Acquisition Security Council establishment and 
              membership.
``1323. Functions and authorities.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Judicial review procedures.
``1328. Termination.''.
       (c) Effective Date.--The amendments made by this section 
     shall take effect on the date that is 90 days after the date 
     of the enactment of this Act and shall apply to contracts 
     that are awarded before, on, or after that date.
       (d) Implementation.--
       (1) Interim final rule.--Not later than one year after the 
     date of the enactment of this Act, the Federal Acquisition 
     Security Council shall prescribe an interim final rule to 
     implement subchapter III of chapter 13 of title 41, United 
     States Code, as added by subsection (a).
       (2) Final rule.--Not later than one year after prescribing 
     the interim final rule under paragraph (1) and considering 
     public comments with respect to such interim final rule, the 
     Council shall prescribe a final rule to implement subchapter 
     III of chapter 13 of title 41, United States Code, as added 
     by subsection (a).
       (3) Failure to act.--
       (A) In general.--If the Council does not issue a final rule 
     in accordance with paragraph (2) on or before the last day of 
     the 1-year period referred to in that paragraph, the Council 
     shall submit to the appropriate congressional committees and 
     leadership, not later than 10 days after such last day and 
     every 90 days thereafter until the final rule is issued, a 
     report explaining why the final rule was not timely issued 
     and providing an estimate of the earliest date on which the 
     final rule will be issued.
       (B) Appropriate congressional committees and leadership 
     defined.--In this paragraph, the term ``appropriate 
     congressional committees and leadership'' has the meaning 
     given that term in section 1321 of title 41, United States 
     Code, as added by subsection (a).

     SEC. 3. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO 
                   MITIGATING SUPPLY CHAIN RISKS IN THE 
                   PROCUREMENT OF COVERED ARTICLES.

       (a) In General.--Chapter 47 of title 41, United States 
     Code, is amended by adding at the end the following new 
     section:

     ``Sec. 4713. Authorities relating to mitigating supply chain 
       risks in the procurement of covered articles

       ``(a) Authority.--Subject to subsection (b), the head of an 
     executive agency may carry out a covered procurement action.
       ``(b) Determination and Notification.--Except as authorized 
     by subsection (c) to address an urgent national security 
     interest, the head of an executive agency may exercise the 
     authority provided in subsection (a) only after--
       ``(1) obtaining a joint recommendation, in unclassified or 
     classified form, from the chief acquisition officer and the 
     chief information officer of the agency, or officials 
     performing similar functions in the case of executive 
     agencies that do not have such officials, which includes a 
     review of any risk assessment made available by the executive 
     agency identified under section 1323(a)(3) of this title, 
     that there is a significant supply chain risk in a covered 
     procurement;
       ``(2) providing notice of the joint recommendation 
     described in paragraph (1) to any source named in the joint 
     recommendation advising--
       ``(A) that a recommendation is being considered or has been 
     obtained;
       ``(B) to the extent consistent with the national security 
     and law enforcement interests, of information that forms the 
     basis for the recommendation;
       ``(C) that, within 30 days after receipt of the notice, the 
     source may submit information and argument in opposition to 
     the recommendation; and
       ``(D) of the procedures governing the consideration of the 
     submission and the possible exercise of the authority 
     provided in subsection (a);
       ``(3) making a determination in writing, in unclassified or 
     classified form, after considering any information submitted 
     by a source under paragraph (2) and in consultation with the 
     chief information security officer of the agency, that--
       ``(A) use of the authority under subsection (a) is 
     necessary to protect national security by reducing supply 
     chain risk;
       ``(B) less intrusive measures are not reasonably available 
     to reduce such supply chain risk; and
       ``(C) the use of such authorities will apply to a single 
     covered procurement or a class of covered procurements, and 
     otherwise specifies the scope of the determination; and
       ``(4) providing a classified or unclassified notice of the 
     determination made under paragraph (3) to the appropriate 
     congressional committees and leadership that includes--
       ``(A) the joint recommendation described in paragraph (1);
       ``(B) a summary of any risk assessment reviewed in support 
     of the joint recommendation required by paragraph (1); and
       ``(C) a summary of the basis for the determination, 
     including a discussion of less intrusive measures that were 
     considered and why such measures were not reasonably 
     available to reduce supply chain risk.
       ``(c) Procedures To Address Urgent National Security 
     Interests.--In any case in which the head of an executive 
     agency determines that an urgent national security interest 
     requires the immediate exercise of the authority provided in 
     subsection (a), the head of the agency--
       ``(1) may, to the extent necessary to address such national 
     security interest, and subject to the conditions in paragraph 
     (2)--
       ``(A) temporarily delay the notice required by subsection 
     (b)(2);
       ``(B) make the determination required by subsection (b)(3), 
     regardless of whether the notice required by subsection 
     (b)(2) has been provided or whether the notified source has 
     submitted any information in response to such notice;
       ``(C) temporarily delay the notice required by subsection 
     (b)(4); and
       ``(D) exercise the authority provided in subsection (a) in 
     accordance with such determination within 60 calendar days 
     after the day the determination is made; and
       ``(2) shall take actions necessary to comply with all 
     requirements of subsection (b) as soon as practicable after 
     addressing the urgent national security interest, including--
       ``(A) providing the notice required by subsection (b)(2);
       ``(B) promptly considering any information submitted by the 
     source in response to such notice, and making any appropriate 
     modifications to the determination based on such information;
       ``(C) providing the notice required by subsection (b)(4), 
     including a description of the urgent national security 
     interest, and any modifications to the determination made in 
     accordance with subparagraph (B); and
       ``(D) providing notice to the appropriate congressional 
     committees and leadership within 7 calendar days of the 
     covered procurement actions taken under this section.
       ``(d) Confidentiality.--The notice required by subsection 
     (b)(2) shall be kept confidential until a determination with 
     respect to a covered procurement action has been made 
     pursuant to subsection (b)(3).
       ``(e) Delegation.--The head of an executive agency may not 
     delegate the authority provided in subsection (a) or the 
     responsibility identified in subsection (g) to an official 
     below the level one level below the Deputy Secretary or 
     Principal Deputy Director.
       ``(f) Annual Review of Determinations.--The head of an 
     executive agency shall conduct an annual review of all 
     determinations made by such head under subsection (b) and 
     promptly amend any covered procurement action as appropriate.
       ``(g) Regulations.--The Federal Acquisition Regulatory 
     Council shall prescribe such regulations as may be necessary 
     to carry out this section.
       ``(h) Reports Required.--Not less frequently than annually, 
     the head of each executive agency that exercised the 
     authority provided in subsection (a) or (c) during the 
     preceding 12-month period shall submit to the appropriate 
     congressional committees and leadership a report summarizing 
     the actions taken by the agency under this section during 
     that 12-month period.
       ``(i) Rule of Construction.--Nothing in this section shall 
     be construed to authorize the head of an executive agency to 
     carry out a covered procurement action based solely on the 
     fact of foreign ownership of a potential procurement source 
     that is otherwise qualified to enter into procurement 
     contracts with the Federal Government.
       ``(j) Termination.--The authority provided under subsection 
     (a) shall terminate on the date that is 5 years after the 
     date of the enactment of the Federal Acquisition Supply Chain 
     Security Act of 2018.
       ``(k) Definitions.--In this section:
       ``(1) Appropriate congressional committees and 
     leadership.--The term `appropriate congressional committees 
     and leadership' means--
       ``(A) the Committee on Homeland Security and Governmental 
     Affairs, the Committee on the Judiciary, the Committee on 
     Appropriations, the Committee on Armed Services, the 
     Committee on Commerce, Science, and Transportation, the 
     Select Committee on Intelligence, and the majority and 
     minority leader of the Senate; and
       ``(B) the Committee on Oversight and Government Reform, the 
     Committee on the Judiciary, the Committee on Appropriations, 
     the Committee on Homeland Security, the Committee on Armed 
     Services, the Committee on Energy and Commerce, the Permanent 
     Select Committee on Intelligence, and the Speaker and 
     minority leader of the House of Representatives.
       ``(2) Covered article.--The term `covered article' means--
       ``(A) information technology, as defined in section 11101 
     of title 40, including cloud computing services of all types;
       ``(B) telecommunications equipment or telecommunications 
     service, as those terms are defined in section 3 of the 
     Communications Act of 1934 (47 U.S.C. 153);
       ``(C) the processing of information on a Federal or non-
     Federal information system, subject to the requirements of 
     the Controlled Unclassified Information program; or

[[Page S7817]]

       ``(D) hardware, systems, devices, software, or services 
     that include embedded or incidental information technology.
       ``(3) Covered procurement.--The term `covered procurement' 
     means--
       ``(A) a source selection for a covered article involving 
     either a performance specification, as provided in subsection 
     (a)(3)(B) of section 3306 of this title, or an evaluation 
     factor, as provided in subsection (b)(1)(A) of such section, 
     relating to a supply chain risk, or where supply chain risk 
     considerations are included in the agency's determination of 
     whether a source is a responsible source as defined in 
     section 113 of this title;
       ``(B) the consideration of proposals for and issuance of a 
     task or delivery order for a covered article, as provided in 
     section 4106(d)(3) of this title, where the task or delivery 
     order contract includes a contract clause establishing a 
     requirement relating to a supply chain risk;
       ``(C) any contract action involving a contract for a 
     covered article where the contract includes a clause 
     establishing requirements relating to a supply chain risk; or
       ``(D) any other procurement in a category of procurements 
     determined appropriate by the Federal Acquisition Regulatory 
     Council, with the advice of the Federal Acquisition Security 
     Council.
       ``(4) Covered procurement action.--The term `covered 
     procurement action' means any of the following actions, if 
     the action takes place in the course of conducting a covered 
     procurement:
       ``(A) The exclusion of a source that fails to meet 
     qualification requirements established under section 3311 of 
     this title for the purpose of reducing supply chain risk in 
     the acquisition or use of covered articles.
       ``(B) The exclusion of a source that fails to achieve an 
     acceptable rating with regard to an evaluation factor 
     providing for the consideration of supply chain risk in the 
     evaluation of proposals for the award of a contract or the 
     issuance of a task or delivery order.
       ``(C) The determination that a source is not a responsible 
     source as defined in section 113 of this title based on 
     considerations of supply chain risk.
       ``(D) The decision to withhold consent for a contractor to 
     subcontract with a particular source or to direct a 
     contractor to exclude a particular source from consideration 
     for a subcontract under the contract.
       ``(5) Information and communications technology.--The term 
     `information and communications technology' means--
       ``(A) information technology, as defined in section 11101 
     of title 40;
       ``(B) information systems, as defined in section 3502 of 
     title 44; and
       ``(C) telecommunications equipment and telecommunications 
     services, as those terms are defined in section 3 of the 
     Communications Act of 1934 (47 U.S.C. 153).
       ``(6) Supply chain risk.--The term `supply chain risk' 
     means the risk that any person may sabotage, maliciously 
     introduce unwanted function, extract data, or otherwise 
     manipulate the design, integrity, manufacturing, production, 
     distribution, installation, operation, maintenance, 
     disposition, or retirement of covered articles so as to 
     surveil, deny, disrupt, or otherwise manipulate the function, 
     use, or operation of the covered articles or information 
     stored or transmitted on the covered articles.
       ``(7) Executive agency.--Notwithstanding section 
     3101(c)(1), this section applies to the Department of 
     Defense, the Coast Guard, and the National Aeronautics and 
     Space Administration.''.
       (b) Clerical Amendment.--The table of sections at the 
     beginning of chapter 47 of such title is amended by adding at 
     the end the following new item:

``Sec. 4713. Authorities relating to mitigating supply chain risks in 
              the procurement of covered articles.''.
       (c) Effective Date.--The amendments made by this section 
     shall take effect on the date that is 90 days after the date 
     of the enactment of this Act and shall apply to contracts 
     that are awarded before, on, or after that date.

     SEC. 4. FEDERAL INFORMATION SECURITY MODERNIZATION ACT.

       (a) In General.--Title 44, United States Code, is amended--
       (1) in section 3553(a)(5), by inserting ``and section 1326 
     of title 41'' after ``compliance with the requirements of 
     this subchapter''; and
       (2) in section 3554(a)(1)(B)--
       (A) by inserting ``, subchapter III of chapter 13 of title 
     41,'' after ``complying with the requirements of this 
     subchapter'';
       (B) in clause (iv), by striking ``; and'' and inserting a 
     semicolon; and
       (C) by adding at the end the following new clause:
       ``(vi) responsibilities relating to assessing and avoiding, 
     mitigating, transferring, or accepting supply chain risks 
     under section 1326 of title 41, and complying with exclusion 
     and removal orders issued under section 1323 of such title; 
     and''.
       (b) Rule of Construction.--Nothing in this Act shall be 
     construed to alter or impede any authority or responsibility 
     under section 3553 of title 44, United States Code.

     SEC. 5. EFFECTIVE DATE.

       This Act shall take effect on the date that is 90 days 
     after the date of the enactment of this Act.

  The bill (S. 3085), as amended, was ordered to be engrossed for a 
third reading, was read the third time, and passed.

                          ____________________