[Congressional Record Volume 164, Number 199 (Tuesday, December 18, 2018)]
[Senate]
[Pages S7809-S7817]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
FEDERAL ACQUISITION SUPPLY CHAIN SECURITY ACT OF 2018
Mr. BOOZMAN. Mr. President, I ask unanimous consent that the Senate
proceed to the immediate consideration of Calendar No. 666, S. 3085.
The PRESIDING OFFICER. The clerk will report the bill by title.
The senior assistant legislative clerk read as follows:
A bill (S. 3085) to establish a Federal Acquisition
Security Council and to provide executive agencies with
authorities relating to mitigating supply chain risks in the
procurement of information technology, and for other
purposes.
There being no objection, the Senate proceeded to consider the bill,
which had been reported from the Committee on Homeland Security and
Governmental Affairs, with an amendment to strike all after the
enacting clause and insert in lieu thereof the following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Acquisition Supply
Chain Security Act of 2018''.
SEC. 2. FEDERAL ACQUISITION SUPPLY CHAIN SECURITY.
(a) In General.--Chapter 13 of title 41, United States
Code, is amended by adding at the end the following new
subchapter:
``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY
``Sec. 1321. Definitions
``In this subchapter:
``(1) Appropriate congressional committees and
leadership.--The term `appropriate congressional committees
and leadership' means--
``(A) the Committee on Homeland Security and Governmental
Affairs, the Committee on the Judiciary, the Committee on
Armed Services, the Committee on Appropriations, the Select
Committee on Intelligence, and the majority and minority
leader of the Senate; and
``(B) the Committee on Oversight and Government Reform, the
Committee on the Judiciary, the Committee on Armed Services,
the Committee on Appropriations, the Committee on Homeland
Security, the Permanent Select Committee on Intelligence, and
the Speaker and minority leader of the House of
Representatives.
``(2) Council.--The term `Council' means the Federal
Acquisition Security Council established under section
1322(a) of this title.
``(3) Covered article.--The term `covered article' has the
meaning given that term in section 4713 of this title.
``(4) Covered procurement action.--The term `covered
procurement action' has the meaning given that term in
section 4713 of this title.
``(5) Information and communications technology.--The term
`information and communications technology' has the meaning
given that term in section 4713 of this title.
``(6) Intelligence community.--The term `intelligence
community' has the meaning given that term in section 3(4) of
the National Security Act of 1947 (50 U.S.C. 3003(4)).
``(7) National security system.--The term `national
security system' has the meaning given that term in section
3552 of title 44.
``(8) Supply chain risk.--The term `supply chain risk' has
the meaning given that term in section 4713 of this title.
``Sec. 1322. Federal Acquisition Security Council
establishment and membership
``(a) Establishment.--There is established in the executive
branch a Federal Acquisition Security Council.
``(b) Membership.--
``(1) In general.--The following agencies shall be
represented on the Council:
``(A) The Office of Management and Budget.
``(B) The General Services Administration.
``(C) The Department of Homeland Security.
``(D) The Office of the Director of National Intelligence,
including the National Counterintelligence and Security
Center.
``(E) The Department of Justice, including the Federal
Bureau of Investigation.
``(F) The Department of Defense, including the National
Security Agency.
``(G) The Department of Commerce, including the National
Institute of Standards and Technology.
``(H) Such other executive agencies as determined by the
Chairperson of the Council.
``(2) Lead representatives.--
``(A) Designation.--
``(i) In general.--Not later than 90 days after the date of
the enactment of the Federal Acquisition Supply Chain
Security Act of 2018, the head of each agency represented on
the Council shall designate a representative of that agency
as the lead representative of the agency on the Council.
``(ii) Requirements.--The representative of an agency
designated under clause (i) shall have expertise in supply
chain risk management, acquisitions, or information and
communications technology.
``(B) Functions.--The lead representative of an agency
designated under subparagraph (A) shall ensure that
appropriate personnel, including leadership and subject
matter experts of the agency, are aware of the business of
the Council.
``(c) Chairperson.--
``(1) Designation.--Not later than 90 days after the date
of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018, the Director of the Office of
Management and Budget shall designate a senior-level official
from the Office of Management and Budget to serve as the
Chairperson of the Council.
``(2) Functions.--The Chairperson shall perform functions
that include--
``(A) subject to subsection (d), developing a schedule for
meetings of the Council;
``(B) designating executive agencies to be represented on
the Council under subsection (b)(1)(H);
``(C) in consultation with the lead representative of each
agency represented on the Council, developing a charter for
the Council; and
``(D) not later than 7 days after completion of the
charter, submitting the charter to the appropriate
congressional committees and leadership.
``(d) Meetings.--The Council shall meet not later than 180
days after the date of the enactment of the Federal
Acquisition Supply Chain Security Act of 2018 and not less
frequently than quarterly thereafter.
``Sec. 1323. Functions and authorities
``(a) In General.--The Council shall perform functions that
include the following:
``(1) Identifying and recommending development by the
National Institute of Standards and Technology of supply
chain risk management standards, guidelines, and practices
for executive agencies to use when assessing and developing
mitigation strategies to address supply chain risks,
particularly in the acquisition and use of covered articles
under section 1326(a) of this title.
``(2) Identifying or developing criteria for sharing
information with respect to supply chain risk, including
information related to the exercise of authorities provided
under this section and sections 1326 and 4713 of this title.
At a minimum, such criteria shall address--
``(A) the content to be shared;
``(B) the circumstances under which sharing is mandated or
voluntary; and
``(C) the circumstances under which it is appropriate for
an executive agency to rely on information made available
through such sharing in exercising the responsibilities and
authorities provided under this section and section 4713 of
this title.
``(3) Identifying an appropriate executive agency to--
``(A) accept information submitted by executive agencies
based on the criteria established under paragraph (2);
``(B) facilitate the sharing of information received under
subparagraph (A) to support supply chain risk analyses under
section 1326 of this title, recommendations under this
section, and covered procurement actions under section 4713
of this title;
``(C) share with the Council information regarding covered
procurement actions by executive agencies taken under section
4713 of this title; and
``(D) inform the Council of orders issued under this
section.
``(4) Identifying, as appropriate, executive agencies to
provide--
``(A) shared services, such as support for making risk
assessments, validation of products that may be suitable for
acquisition, and mitigation activities; and
``(B) common contract solutions to support supply chain
risk management activities, such as subscription services or
machine-learning-enhanced analysis applications to support
informed decision making.
``(5) Identifying and issuing guidance on additional steps
that may be necessary to address supply chain risks arising
in the course of executive agencies providing shared
services, common contract solutions, acquisitions vehicles,
or assisted acquisitions.
``(6) Engaging, as appropriate, with the private sector and
other nongovernmental stakeholders on issues relating to the
management of supply chain risks posed by the acquisition of
covered articles.
``(7) Carrying out such other actions, as determined by the
Council, that are necessary to reduce the supply chain risks
posed by acquisitions and use of covered articles.
``(b) Program Office and Committees.--The Council may
establish a program office and any committees, working
groups, or other constituent bodies the Council deems
appropriate, in its sole and unreviewable discretion, to
carry out its functions.
``(c) Authority for Exclusion or Removal Orders.--
``(1) Criteria.--To reduce supply chain risk, the Council
shall establish criteria and procedures for--
``(A) recommending orders applicable to executive agencies
requiring the exclusion of sources or covered articles from
executive agency procurement actions (in this section
referred to as `exclusion orders');
``(B) recommending orders applicable to executive agencies
requiring the removal of covered articles from executive
agency information systems (in this section referred to as
`removal orders');
``(C) requesting and approving exceptions to an issued
exclusion or removal order when warranted by circumstances,
including alternative mitigation actions; and
``(D) ensuring that recommended orders do not conflict with
standards and guidelines issued under section 11331 of title
40 and that the Council consults with the Director of the
National Institute of Standards and Technology regarding any
recommended orders that would implement standards and
guidelines developed by the National Institute of Standards
and Technology.
``(2) Recommendations.--The Council shall use the criteria
established under paragraph (1), information made available
under subsection (a)(3), and any other information the
Council determines appropriate to issue recommendations, for
application to executive agencies or any subset thereof,
regarding the exclusion of sources or covered articles from
any executive agency procurement action, including source
selection and consent for a contractor to subcontract, or the
removal of covered articles from executive agency information
systems. Such recommendations shall include--
``(A) information necessary to positively identify the
sources or covered articles recommended for exclusion or
removal;
``(B) information regarding the scope and applicability of
the recommended exclusion or removal order;
``(C) a summary of any risk assessment reviewed or
conducted in support of the recommended exclusion or removal
order;
``(D) a summary of the basis for the recommendation,
including a discussion of less intrusive measures that were
considered and why such measures were not reasonably
available to reduce supply chain risk;
``(E) a description of the actions necessary to implement
the recommended exclusion or removal order; and
``(F) where practicable, in the Council's sole and
unreviewable discretion, a description of mitigation steps
that could be taken by the source that may result in the
Council rescinding a recommendation.
``(3) Notice of recommendation and review.--A notice of the
Council's recommendation under paragraph (2) shall be issued
to any source named in the recommendation advising--
``(A) that a recommendation has been made;
``(B) of the criteria the Council relied upon under
paragraph (1) and, to the extent consistent with national
security and law enforcement interests, of information that
forms the basis for the recommendation;
``(C) that, within 30 days after receipt of notice, the
source may submit information and argument in opposition to
the recommendation;
``(D) of the procedures governing the review and possible
issuance of an exclusion or removal order pursuant to
paragraph (4); and
``(E) where practicable, in the Council's sole and
unreviewable discretion, a description of mitigation steps
that could be taken by the source that may result in the
Council rescinding the recommendation.
``(4) Exclusion and removal orders.--
``(A) Order issuance.--Recommendations of the Council under
paragraph (2), together with any information submitted by a
source under paragraph (3) related to such a recommendation,
shall be reviewed by the following officials, who in their
sole and unreviewable discretion may issue exclusion and
removal orders based upon such recommendations:
``(i) The Secretary of Homeland Security, for exclusion and
removal orders applicable to civilian agencies, to the extent
not covered by clause (ii) or (iii).
``(ii) The Secretary of Defense, for exclusion and removal
orders applicable to the Department of Defense and national
security systems other than sensitive compartmented
information systems.
``(iii) The Director of National Intelligence, for
exclusion and removal orders applicable to the intelligence
community and sensitive compartmented information systems, to
the extent not covered by clause (ii).
``(B) Delegation.--The officials identified in subparagraph
(A) may not delegate any authority under this subparagraph to
an official below the level one level below the Deputy
Secretary or Principal Deputy Director, except that the
Secretary of Defense may delegate authority for removal
orders to the Commander of the United States Cyber Command,
who may not redelegate such authority to an official below
the level one level below the Deputy Commander.
``(C) Facilitation of exclusion orders.--If officials
identified under this paragraph from the Department of
Homeland Security, the Department of Defense, and the Office
of the Director of National Intelligence issue orders
collectively resulting in a governmentwide exclusion, the
Administrator for General Services and officials at other
executive agencies responsible for management of the Federal
Supply Schedules, governmentwide acquisition contracts and
multi-agency contracts shall help facilitate implementation
of such orders by removing the covered articles or sources
identified in the orders from such contracts.
``(D) Review of exclusion and removal orders.--The
officials identified under this paragraph shall review all
exclusion and removal orders issued under subparagraph (A)
not less frequently than annually pursuant to procedures
established by the Council.
``(E) Rescission.--Orders issued pursuant to subparagraph
(A) may be rescinded by an authorized official from the
relevant issuing agency.
``(5) Notifications.--Upon issuance of an exclusion or
removal order pursuant to paragraph (4)(A), the official
identified under that paragraph who issued the order shall--
``(A) notify any source named in the order of--
``(i) the exclusion or removal order; and
``(ii) to the extent consistent with national security and
law enforcement interests, information that forms the basis
for the order;
``(B) provide classified or unclassified notice of the
exclusion or removal order to the appropriate congressional
committees and leadership; and
``(C) provide the exclusion or removal order to the agency
identified in subsection (a)(3).
``(6) Compliance.--Executive agencies shall comply with
exclusion and removal orders issued pursuant to paragraph
(4).
``(d) Authority To Request Information.--The Council may
request such information from executive agencies as is
necessary for the Council to carry out its functions.
``(e) Relationship to Other Councils.--The Council shall
consult and coordinate, as appropriate, with other relevant
councils, including the Chief Information Officers Council,
the Chief Acquisition Officers Council, and the Federal
Acquisition Regulatory Council, with respect to supply chain
risks posed by the acquisition and use of covered articles.
``(f) Rule of Construction.--Nothing in this section shall
limit the authority of the Office of Federal Procurement
Policy to carry out the responsibilities of that Office under
any other provision of law.
``Sec. 1324. Strategic plan
``(a) In General.--Not later than 180 days after the date
of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018, the Council shall develop a strategic
plan for addressing supply chain risks posed by the
acquisition of covered articles and for managing such risks
that includes--
``(1) the criteria and processes required under section
1323(a) of this title, including a threshold and requirements
for sharing relevant information about such risks with all
executive agencies;
``(2) an identification of existing authorities for
addressing such risks;
``(3) an identification and promulgation of best practices
and procedures and available resources for executive agencies
to assess and mitigate such risks;
``(4) recommendations for any legislative, regulatory, or
other policy changes to improve efforts to address such
risks;
``(5) an evaluation of the effect of implementing new
policies or procedures on existing contracts and the
procurement process;
``(6) a plan for engaging with executive agencies, the
private sector, and other nongovernmental stakeholders to
address such risks;
``(7) a plan for identification, assessment, mitigation,
and vetting of supply chain risks from existing and
prospective information and communications technology made
available by executive agencies to other executive agencies
through common contract solutions, shared services,
acquisition vehicles, or other assisted acquisition services;
and
``(8) plans to strengthen the capacity of all executive
agencies to conduct assessments of--
``(A) the supply chain risk posed by the acquisition of
covered articles; and
``(B) compliance with the requirements of this subchapter.
``(b) Submission to Congress.--Not later than 7 calendar
days after completion of the
strategic plan required by subsection (a), the Chairperson of
the Council shall submit the plan to the appropriate
congressional committees and leadership.
``Sec. 1325. Annual report
``Not later than December 31 of each year, the Chairperson
of the Council shall submit to the appropriate congressional
committees and leadership a report on the activities of the
Council during the preceding 12-month period.
``Sec. 1326. Requirements for executive agencies
``(a) In General.--The head of each executive agency shall
be responsible for--
``(1) assessing the supply chain risk posed by the
acquisition and use of covered articles and avoiding,
mitigating, accepting, or transferring that risk, as
appropriate and consistent with the standards, guidelines,
and practices identified by the Council under section
1323(a)(1); and
``(2) prioritizing supply chain risk assessments conducted
under paragraph (1) based on the criticality of the mission,
system, component, service, or asset.
``(b) Inclusions.--The responsibility for assessing supply
chain risk described in subsection (a) includes--
``(1) developing an overall supply chain risk management
strategy and implementation plan and policies and processes
to guide and govern supply chain risk management activities;
``(2) integrating supply chain risk management practices
throughout the life cycle of the system, component, service,
or asset;
``(3) limiting, avoiding, mitigating, accepting, or
transferring any identified risk;
``(4) sharing relevant information with other executive
agencies as determined appropriate by the Council in a manner
consistent with section 1323(a) of this title;
``(5) reporting on progress and effectiveness of the
agency's supply chain risk management consistent with
guidance issued by the Office of Management and Budget and
the Council; and
``(6) ensuring that all relevant information, including
classified information, with respect to acquisitions of
covered articles that may pose a supply chain risk,
consistent with section 1323(a) of this title, is
incorporated into existing processes of the agency for
conducting assessments described in subsection (a) and
ongoing management of acquisition programs, including any
identification, investigation, mitigation, or remediation
needs.
``(c) Interagency Acquisitions.--
``(1) In general.--Except as provided in paragraph (2), in
the case of an interagency acquisition, subsection (a) shall
be carried out by the head of the executive agency whose
funds are being used to procure the covered article.
``(2) Assisted acquisitions.--In an assisted acquisition,
the parties to the acquisition shall determine, as part of
the interagency agreement governing the acquisition, which
agency is responsible for carrying out subsection (a).
``(3) Definitions.--In this subsection, the terms `assisted
acquisition' and `interagency acquisition' have the meanings
given those terms in section 2.101 of title 48, Code of
Federal Regulations (or any corresponding similar regulation
or ruling).
``(d) Assistance.--The Secretary of Homeland Security may--
``(1) assist executive agencies in conducting risk
assessments described in subsection (a) and implementing
mitigation requirements for information and communications
technology; and
``(2) provide such additional guidance or tools as are
necessary to support actions taken by executive agencies.
``Sec. 1327. Judicial review procedures
``(a) In General.--Except as provided in subsection (b) and
chapter 71 of this title, and notwithstanding any other
provision of law, an action taken under section 1323 or 4713
of this title, or any action taken by an executive agency to
implement such an action, shall not be subject to
administrative review or judicial review, including bid
protests before the Government Accountability Office or in
any Federal court.
``(b) Petitions.--
``(1) In general.--Not later than 60 days after a party is
notified of an exclusion or removal order under section
1323(c)(5) of this title or a covered procurement action
under section 4713 of this title, the party may file a
petition for judicial review in the United States Court of
Appeals for the District of Columbia Circuit claiming that
the issuance of the exclusion or removal order or covered
procurement action is unlawful.
``(2) Standard of review.--The Court shall hold unlawful a
covered action taken under sections 1323 or 4713 of this
title, in response to a petition that the court finds to be--
``(A) arbitrary, capricious, an abuse of discretion, or
otherwise not in accordance with law;
``(B) contrary to constitutional right, power, privilege,
or immunity;
``(C) in excess of statutory jurisdiction, authority, or
limitation, or short of statutory right;
``(D) lacking substantial support in the administrative
record taken as a whole or in classified information
submitted to the court under paragraph (3); or
``(E) not in accord with procedures required by law.
``(3) Exclusive jurisdiction.--The United States Court of
Appeals for the District of Columbia Circuit shall have
exclusive jurisdiction over claims arising under sections
1323(c)(4) or 4713 of this title against the United States,
any United States department or agency, or any component or
official of any such department or agency, subject to review
by the Supreme Court of the United States under section 1254
of title 28.
``(4) Administrative record and procedures.--
``(A) In general.--The procedures described in this
paragraph shall apply to the review of a petition under this
section.
``(B) Administrative record.--
``(i) Filing of record.--The United States shall file with
the court an administrative record, which shall consist of
the information that the appropriate official relied upon in
issuing an exclusion or removal order under section
1323(c)(4) or a covered procurement action under section 4713
of this title.
``(ii) Unclassified, nonprivileged information.--All
unclassified information contained in the administrative
record that is not otherwise privileged or subject to
statutory protections shall be provided to the petitioner
with appropriate protections for any privileged or
confidential trade secrets and commercial or financial
information.
``(iii) In camera and ex parte.--The following information
may be included in the administrative record and shall be
submitted only to the court ex parte and in camera:
``(I) Classified information.
``(II) Sensitive security information, as defined by
section 1520.5 of title 49, Code of Federal Regulations.
``(III) Privileged law enforcement information.
``(IV) Information obtained or derived from any activity
authorized under the Foreign Intelligence Surveillance Act of
1978 (50 U.S.C. 1801 et seq.), except that, with respect to
such information, subsections (c), (e), (f), (g), and (h) of
section 106 (50 U.S.C. 1806), subsections (d), (f), (g), (h),
and (i) of section 305 (50 U.S.C. 1825), subsections (c),
(e), (f), (g), and (h) of section 405 (50 U.S.C. 1845), and
section 706 (50 U.S.C. 1881e) of that Act shall not apply.
``(V) Information subject to privilege or protections under
any other provision of law.
``(iv) Under seal.--Any information that is part of the
administrative record filed ex parte and in camera under
clause (iii), or cited by the court in any decision, shall be
treated by the court consistent with the provisions of this
subparagraph and shall remain under seal and preserved in the
records of the court to be made available consistent with the
above provisions in the event of further proceedings. In no
event shall such information be released to the petitioner or
as part of the public record.
``(v) Return.--After the expiration of the time to seek
further review, or the conclusion of further proceedings, the
court shall return the administrative record, including any
and all copies, to the United States.
``(C) Exclusive remedy.--A determination by the court under
this subsection shall be the exclusive judicial remedy for
any claim described in this section against the United
States, any United States department or agency, or any
component or official of any such department or agency.
``(D) Rule of construction.--Nothing in this section shall
be construed as limiting, superseding, or preventing the
invocation of, any privileges or defenses that are otherwise
available at law or in equity to protect against the
disclosure of information.
``(c) Definition.--In this section, the term `classified
information'--
``(1) has the meaning given that term in section 1(a) of
the Classified Information Procedures Act (18 U.S.C. App.);
and
``(2) includes--
``(A) any information or material that has been determined
by the United States Government pursuant to an Executive
order, statute, or regulation to require protection against
unauthorized disclosure for reasons of national security; and
``(B) any restricted data, as defined in section 11 of the
Atomic Energy Act of 1954 (42 U.S.C. 2014).
``Sec. 1328. Termination
``This subchapter shall terminate on the date that is 5
years after the date of the enactment of the Federal
Acquisition Supply Chain Security Act of 2018.''.
(b) Clerical Amendment.--The table of sections at the
beginning of chapter 13 of such title is amended by adding at
the end the following new items:
``subchapter iii--federal acquisition supply chain security
``Sec.
``1321. Definitions.
``1322. Federal Acquisition Security Council establishment and
membership.
``1323. Functions and authorities.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Judicial review procedures.
``1328. Termination.''.
(c) Effective Date.--The amendments made by this section
shall take effect on the date that is 90 days after the date
of the enactment of this Act and shall apply to contracts
that are awarded before, on, or after that date.
(d) Implementation.--
(1) Interim final rule.--Not later than one year after the
date of the enactment of this Act, the Federal Acquisition
Security Council shall prescribe an interim final rule to
implement subchapter III of chapter 13 of title 41, United
States Code, as added by subsection (a).
(2) Final rule.--Not later than one year after prescribing
the interim final rule under paragraph (1) and considering
public comments with respect to such interim final rule, the
Council shall prescribe a final rule to implement subchapter
III of chapter 13 of title 41, United States Code, as added
by subsection (a).
(3) Failure to act.--
(A) In general.--If the Council does not issue a final rule
in accordance with paragraph (2) on or before the last day of
the one-year period referred to in that paragraph, the
Council shall submit to the appropriate congressional
committees and leadership, not later than 10 days after
such last day and every 90 days thereafter until the final
rule is issued, a report explaining why the final rule was
not timely issued and providing an estimate of the earliest
date on which the final rule will be issued.
(B) Appropriate congressional committees and leadership
defined.--In this paragraph, the term ``appropriate
congressional committees and leadership'' has the meaning
given that term in section 1321 of title 41, United States
Code, as added by subsection (a).
SEC. 3. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO
MITIGATING SUPPLY CHAIN RISKS IN THE
PROCUREMENT OF COVERED ARTICLES.
(a) In General.--Chapter 47 of title 41, United States
Code, is amended by adding at the end the following new
section:
``Sec. 4713. Authorities relating to mitigating supply chain
risks in the procurement of covered articles
``(a) Authority.--Subject to subsection (b), the head of an
executive agency may--
``(1) carry out a covered procurement action; and
``(2) limit, notwithstanding any other provision of law, in
whole or in part, the disclosure of information relating to
the basis for carrying out a covered procurement action.
``(b) Determination and Notification.--Except as authorized
by subsection (c) to address an urgent national security
interest, the head of an executive agency may exercise the
authority provided in subsection (a) only after--
``(1) obtaining a joint recommendation, in unclassified or
classified form, from the chief acquisition officer and the
chief information officer of the agency, or officials
performing similar functions in the case of executive
agencies that do not have such officials, which includes a
review of any risk assessment made available by the executive
agency identified under section 1323(a)(3) of this title,
that there is a significant supply chain risk in a covered
procurement;
``(2) providing notice of the joint recommendation
described in paragraph (1) to any source named in the joint
recommendation advising--
``(A) that a recommendation is being considered or has been
obtained;
``(B) to the extent consistent with the national security
and law enforcement interests, of information that forms the
basis for the recommendation;
``(C) that, within 30 days after receipt of the notice, the
source may submit information and argument in opposition to
the recommendation; and
``(D) of the procedures governing the consideration of the
submission and the possible exercise of the authority
provided in subsection (a);
``(3) making a determination in writing, in unclassified or
classified form, after considering any information submitted
by a source under paragraph (2) and in consultation with the
chief information security officer of the agency, that--
``(A) use of the authority under subsection (a)(1) is
necessary to protect national security by reducing supply
chain risk;
``(B) less intrusive measures are not reasonably available
to reduce such supply chain risk;
``(C) a decision to limit disclosure of information under
subsection (a)(2) is necessary to protect an urgent national
security interest; and
``(D) the use of such authorities will apply to a single
covered procurement or a class of covered procurements, and
otherwise specifies the scope of the determination; and
``(4) providing a classified or unclassified notice of the
determination made under paragraph (3) to the appropriate
congressional committees and leadership that includes--
``(A) the joint recommendation described in paragraph (1);
``(B) a summary of any risk assessment reviewed in support
of the joint recommendation required by paragraph (1); and
``(C) a summary of the basis for the determination,
including a discussion of less intrusive measures that were
considered and why such measures were not reasonably
available to reduce supply chain risk.
``(c) Procedures To Address Urgent National Security
Interests.--In any case in which the head of an executive
agency determines that an urgent national security interest
requires the immediate exercise of the authority provided in
subsection (a), the head of the agency--
``(1) may, to the extent necessary to address such national
security interest, and subject to the conditions in paragraph
(2)--
``(A) temporarily delay the notice required by subsection
(b)(2);
``(B) make the determination required by subsection (b)(3),
regardless of whether the notice required by subsection
(b)(2) has been provided or whether the notified source has
submitted any information in response to such notice;
``(C) temporarily delay the notice required by subsection
(b)(4); and
``(D) exercise the authority provided in subsection (a) in
accordance with such determination within 60 calendar days
after the day the determination is made; and
``(2) shall take actions necessary to comply with all
requirements of subsection (b) as soon as practicable after
addressing the urgent national security interest, including--
``(A) providing the notice required by subsection (b)(2);
``(B) promptly considering any information submitted by the
source in response to such notice, and making any appropriate
modifications to the determination based on such information;
``(C) providing the notice required by subsection (b)(4),
including a description of the urgent national security
interest, and any modifications to the determination made in
accordance with subparagraph (B); and
``(D) providing notice to the appropriate congressional
committees and leadership within 7 calendar days of the
covered procurement actions taken under this section.
``(d) Delegation.--The head of an executive agency may not
delegate the authority provided in subsection (a) or the
responsibility identified in subsection (f) to an official
below the level one level below the Deputy Secretary or
Principal Deputy Director.
``(e) Limitation on Disclosure.--If the head of an
executive agency has exercised the authority provided in
subsection (a)(2) to limit disclosure of information, the
agency head or a designee identified by the agency head
shall--
``(1) provide to the executive agency identified by the
Council under paragraph (3) of section 1323(a) of this title
information identified by the criteria under paragraph (2) of
that section, in a manner and to the extent consistent with
the requirements of national security and law enforcement
interests; and
``(2) take steps to maintain the confidentiality of any
such notifications.
``(f) Annual Review of Determinations.--The head of an
executive agency shall conduct an annual review of all
determinations made by such head under subsection (b) and
promptly amend any covered procurement action as appropriate.
``(g) Regulations.--The Federal Acquisition Regulatory
Council shall prescribe such regulations as may be necessary
to carry out this section.
``(h) Reports Required.--Not less frequently than annually,
the head of each executive agency that exercised the
authority provided in subsection (a) or (c) during the
preceding 12-month period shall submit to the appropriate
congressional committees and leadership a report summarizing
the actions taken by the agency under this section during
that 12-month period.
``(i) Applicability.--Notwithstanding section 3101(c)(1)(A)
of this title, this section applies to the Department of
Defense, the Coast Guard, and the National Aeronautics and
Space Administration.
``(j) Termination.--The authority provided under subsection
(a) shall terminate on the date that is 5 years after the
date of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018.
``(k) Definitions.--In this section:
``(1) Appropriate congressional committees and
leadership.--The term `appropriate congressional committees
and leadership' means--
``(A) the Committee on Homeland Security and Governmental
Affairs, the Committee on the Judiciary, the Committee on
Appropriations, the Select Committee on Intelligence, and the
majority and minority leader of the Senate; and
``(B) the Committee on Oversight and Government Reform, the
Committee on the Judiciary, the Committee on Appropriations,
the Committee on Homeland Security, the Permanent Select
Committee on Intelligence, and the Speaker and minority
leader of the House of Representatives.
``(2) Covered article.--The term `covered article' means--
``(A) information technology, as defined in section 11101
of title 40, including cloud computing services of all types;
``(B) telecommunications equipment or telecommunications
service, as those terms are defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153);
``(C) the processing of information on a Federal or
non-Federal information system, subject to the requirements
of the Controlled Unclassified Information program; or
``(D) hardware, systems, devices, software, or services
that include embedded or incidental information technology.
``(3) Covered procurement.--The term `covered procurement'
means--
``(A) a source selection for a covered article involving
either a performance specification, as provided in subsection
(a)(3)(B) of section 3306 of this title, or an evaluation
factor, as provided in subsection (b)(1)(A) of such section,
relating to a supply chain risk, or where supply chain risk
considerations are included in the agency's determination of
whether a source is a responsible source as defined in
section 113 of this title;
``(B) the consideration of proposals for and issuance of a
task or delivery order for a covered article, as provided in
section 4106(d)(3) of this title, where the task or delivery
order contract includes a contract clause establishing a
requirement relating to a supply chain risk;
``(C) any contract action involving a contract for a
covered article where the contract includes a clause
establishing requirements relating to a supply chain risk; or
``(D) any other procurement in a category of procurements
determined appropriate by the Federal Acquisition Regulatory
Council, with the advice of the Federal Acquisition Security
Council.
``(4) Covered procurement action.--The term `covered
procurement action' means any of the following actions, if
the action takes place in the course of conducting a covered
procurement:
``(A) The exclusion of a source that fails to meet
qualification requirements established under section 3311 of
this title for the purpose of reducing supply chain risk in
the acquisition or use of covered articles.
``(B) The exclusion of a source that fails to achieve an
acceptable rating with regard to an evaluation factor
providing for the consideration of supply chain risk in the
evaluation of proposals for the award of a contract or the
issuance of a task or delivery order.
``(C) The determination that a source is not a responsible
source as defined in section 113 of this title based on
considerations of supply chain risk.
``(D) The decision to withhold consent for a contractor to
subcontract with a particular source or to direct a
contractor to exclude a particular source from consideration
for a subcontract under the contract.
``(5) Information and communications technology.--The term
`information and communications technology' means--
``(A) information technology, as defined in section 11101
of title 40;
``(B) information systems, as defined in section 3502 of
title 44; and
``(C) telecommunications equipment and telecommunications
services, as those terms are defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153).
``(6) Supply chain risk.--The term `supply chain risk'
means the risk that any person may sabotage, maliciously
introduce unwanted function, extract data, or otherwise
manipulate the design, integrity, manufacturing, production,
distribution, installation, operation, maintenance,
disposition, or retirement of covered articles so as to
surveil, deny, disrupt, or otherwise manipulate the function,
use, or operation of the covered articles or information
stored or transmitted on the covered articles.''.
(b) Clerical Amendment.--The table of sections at the
beginning of chapter 47 of such title is amended by adding at
the end the following new item:
``4713. Authorities relating to mitigating supply chain risks in the
procurement of covered articles.''.
(c) Effective Date.--The amendments made by this section
shall take effect on the date that is 90 days after the date
of the enactment of this Act and shall apply to contracts
that are awarded before, on, or after that date.
SEC. 4. FEDERAL INFORMATION SECURITY MODERNIZATION ACT.
(a) In General.--Title 44, United States Code, is amended--
(1) in section 3553(a)(5), by inserting ``and section 1326
of title 41'' after ``compliance with the requirements of
this subchapter''; and
(2) in section 3554(a)(1)(B)--
(A) by inserting ``, subchapter III of chapter 13 of title
41,'' after ``complying with the requirements of this
subchapter'';
(B) in clause (iv), by striking ``; and'' and inserting a
semicolon; and
(C) by adding at the end the following new clause:
``(vi) responsibilities relating to assessing and avoiding,
mitigating, transferring, or accepting supply chain risks
under section 1326 of title 41, and complying with exclusion
and removal orders issued under section 1323 of such title;
and''.
(b) Rule of Construction.--Nothing in this Act shall be
construed to alter or impede any authority or responsibility
under section 3553 of title 44, United States Code.
SEC. 5. EFFECTIVE DATE.
This Act shall take effect on the date that is 90 days
after the date of the enactment of this Act.
Mr. BOOZMAN. I ask unanimous consent that the committee-reported
substitute amendment be withdrawn; that the McCaskill substitute
amendment at the desk be considered and agreed to; that the bill, as
amended, be considered read a third time and passed; and that the
motion to reconsider be considered made and laid upon the table.
The PRESIDING OFFICER. Without objection, it is so ordered.
The committee-reported amendment in the nature of a substitute was
withdrawn.
The amendment (No. 4158) in the nature of a substitute was agreed to,
as follows:
(Purpose: In the nature of a substitute)
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Acquisition Supply
Chain Security Act of 2018''.
SEC. 2. FEDERAL ACQUISITION SUPPLY CHAIN SECURITY.
(a) In General.--Chapter 13 of title 41, United States
Code, is amended by adding at the end the following new
subchapter:
``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY
``Sec. 1321. Definitions
``In this subchapter:
``(1) Appropriate congressional committees and
leadership.--The term `appropriate congressional committees
and leadership' means--
``(A) the Committee on Homeland Security and Governmental
Affairs, the Committee on the Judiciary, the Committee on
Appropriations, the Committee on Armed Services, the
Committee on Commerce, Science, and Transportation, the
Select Committee on Intelligence, and the majority and
minority leader of the Senate; and
``(B) the Committee on Oversight and Government Reform, the
Committee on the Judiciary, the Committee on Appropriations,
the Committee on Homeland Security, the Committee on Armed
Services, the Committee on Energy and Commerce, the Permanent
Select Committee on Intelligence, and the Speaker and
minority leader of the House of Representatives.
``(2) Council.--The term `Council' means the Federal
Acquisition Security Council established under section
1322(a) of this title.
``(3) Covered article.--The term `covered article' has the
meaning given that term in section 4713 of this title.
``(4) Covered procurement action.--The term `covered
procurement action' has the meaning given that term in
section 4713 of this title.
``(5) Information and communications technology.--The term
`information and communications technology' has the meaning
given that term in section 4713 of this title.
``(6) Intelligence community.--The term `intelligence
community' has the meaning given that term in section 3(4) of
the National Security Act of 1947 (50 U.S.C. 3003(4)).
``(7) National security system.--The term `national
security system' has the meaning given that term in section
3552 of title 44.
``(8) Supply chain risk.--The term `supply chain risk' has
the meaning given that term in section 4713 of this title.
``Sec. 1322. Federal Acquisition Security Council
establishment and membership
``(a) Establishment.--There is established in the executive
branch a Federal Acquisition Security Council.
``(b) Membership.--
``(1) In general.--The following agencies shall be
represented on the Council:
``(A) The Office of Management and Budget.
``(B) The General Services Administration.
``(C) The Department of Homeland Security, including the
Cybersecurity and Infrastructure Security Agency.
``(D) The Office of the Director of National Intelligence,
including the National Counterintelligence and Security
Center.
``(E) The Department of Justice, including the Federal
Bureau of Investigation.
``(F) The Department of Defense, including the National
Security Agency.
``(G) The Department of Commerce, including the National
Institute of Standards and Technology.
``(H) Such other executive agencies as determined by the
Chairperson of the Council.
``(2) Lead representatives.--
``(A) Designation.--
``(i) In general.--Not later than 45 days after the date of
the enactment of the Federal Acquisition Supply Chain
Security Act of 2018, the head of each agency represented on
the Council shall designate a representative of that agency
as the lead representative of the agency on the Council.
``(ii) Requirements.--The representative of an agency
designated under clause (i) shall have expertise in supply
chain risk management, acquisitions, or information and
communications technology.
``(B) Functions.--The lead representative of an agency
designated under subparagraph (A) shall ensure that
appropriate personnel, including leadership and subject
matter experts of the agency, are aware of the business of
the Council.
``(c) Chairperson.--
``(1) Designation.--Not later than 45 days after the date
of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018, the Director of the Office of
Management and Budget shall designate a senior-level official
from the Office of Management and Budget to serve as the
Chairperson of the Council.
``(2) Functions.--The Chairperson shall perform functions
that include--
``(A) subject to subsection (d), developing a schedule for
meetings of the Council;
``(B) designating executive agencies to be represented on
the Council under subsection (b)(1)(H);
``(C) in consultation with the lead representative of each
agency represented on the Council, developing a charter for
the Council; and
``(D) not later than 7 days after completion of the
charter, submitting the charter to the appropriate
congressional committees and leadership.
``(d) Meetings.--The Council shall meet not later than 60
days after the date of the enactment of the Federal
Acquisition Supply Chain Security Act of 2018 and not less
frequently than quarterly thereafter.
``Sec. 1323. Functions and authorities
``(a) In General.--The Council shall perform functions that
include the following:
``(1) Identifying and recommending development by the
National Institute of Standards and Technology of supply
chain risk management standards, guidelines, and practices
for executive agencies to use when assessing and developing
mitigation strategies to address supply chain risks,
particularly in the acquisition and use of covered articles
under section 1326(a) of this title.
``(2) Identifying or developing criteria for sharing
information with executive agencies, other Federal entities,
and non-Federal entities with respect to supply chain risk,
including information related to the exercise of authorities
provided under this section and sections 1326 and 4713 of
this title. At a minimum, such criteria shall address--
``(A) the content to be shared;
``(B) the circumstances under which sharing is mandated or
voluntary; and
``(C) the circumstances under which it is appropriate for
an executive agency to rely on information made available
through such sharing in exercising the responsibilities and
authorities provided under this section and section 4713 of
this title.
``(3) Identifying an appropriate executive agency to--
``(A) accept information submitted by executive agencies
based on the criteria established under paragraph (2);
``(B) facilitate the sharing of information received under
subparagraph (A) to support supply chain risk analyses under
section 1326 of this title, recommendations under this
section, and covered procurement actions under section 4713
of this title;
``(C) share with the Council information regarding covered
procurement actions by executive agencies taken under section
4713 of this title; and
``(D) inform the Council of orders issued under this
section.
``(4) Identifying, as appropriate, executive agencies to
provide--
``(A) shared services, such as support for making risk
assessments, validation of products that may be suitable for
acquisition, and mitigation activities; and
``(B) common contract solutions to support supply chain
risk management activities, such as subscription services or
machine-learning-enhanced analysis applications to support
informed decisionmaking.
``(5) Identifying and issuing guidance on additional steps
that may be necessary to address supply chain risks arising
in the course of executive agencies providing shared
services, common contract solutions, acquisitions vehicles,
or assisted acquisitions.
``(6) Engaging with the private sector and other
nongovernmental stakeholders in performing the functions
described in paragraphs (1) and (2) and on issues relating to
the management of supply chain risks posed by the acquisition
of covered articles.
``(7) Carrying out such other actions, as determined by the
Council, that are necessary to reduce the supply chain risks
posed by acquisitions and use of covered articles.
``(b) Program Office and Committees.--The Council may
establish a program office and any committees, working
groups, or other constituent bodies the Council deems
appropriate, in its sole and unreviewable discretion, to
carry out its functions.
``(c) Authority for Exclusion or Removal Orders.--
``(1) Criteria.--To reduce supply chain risk, the Council
shall establish criteria and procedures for--
``(A) recommending orders applicable to executive agencies
requiring the exclusion of sources or covered articles from
executive agency procurement actions (in this section
referred to as `exclusion orders');
``(B) recommending orders applicable to executive agencies
requiring the removal of covered articles from executive
agency information systems (in this section referred to as
`removal orders');
``(C) requesting and approving exceptions to an issued
exclusion or removal order when warranted by circumstances,
including alternative mitigation actions or other findings
relating to the national interest, including national
security reviews, national security investigations, or
national security agreements; and
``(D) ensuring that recommended orders do not conflict with
standards and guidelines issued under section 11331 of title
40 and that the Council consults with the Director of the
National Institute of Standards and Technology regarding any
recommended orders that would implement standards and
guidelines developed by the National Institute of Standards
and Technology.
``(2) Recommendations.--The Council shall use the criteria
established under paragraph (1), information made available
under subsection (a)(3), and any other information the
Council determines appropriate to issue recommendations, for
application to executive agencies or any subset thereof,
regarding the exclusion of sources or covered articles from
any executive agency procurement action, including source
selection and consent for a contractor to subcontract, or the
removal of covered articles from executive agency information
systems. Such recommendations shall include--
``(A) information necessary to positively identify the
sources or covered articles recommended for exclusion or
removal;
``(B) information regarding the scope and applicability of
the recommended exclusion or removal order;
``(C) a summary of any risk assessment reviewed or
conducted in support of the recommended exclusion or removal
order;
``(D) a summary of the basis for the recommendation,
including a discussion of less intrusive measures that were
considered and why such measures were not reasonably
available to reduce supply chain risk;
``(E) a description of the actions necessary to implement
the recommended exclusion or removal order; and
``(F) where practicable, in the Council's sole and
unreviewable discretion, a description of mitigation steps
that could be taken by the source that may result in the
Council rescinding a recommendation.
``(3) Notice of recommendation and review.--A notice of the
Council's recommendation under paragraph (2) shall be issued
to any source named in the recommendation advising--
``(A) that a recommendation has been made;
``(B) of the criteria the Council relied upon under
paragraph (1) and, to the extent consistent with national
security and law enforcement interests, of information that
forms the basis for the recommendation;
``(C) that, within 30 days after receipt of notice, the
source may submit information and argument in opposition to
the recommendation;
``(D) of the procedures governing the review and possible
issuance of an exclusion or removal order pursuant to
paragraph (5); and
``(E) where practicable, in the Council's sole and
unreviewable discretion, a description of mitigation steps
that could be taken by the source that may result in the
Council rescinding the recommendation.
``(4) Confidentiality.--Any notice issued to a source under
paragraph (3) shall be kept confidential until--
``(A) an exclusion or removal order is issued pursuant to
paragraph (5); and
``(B) the source has been notified pursuant to paragraph
(6).
``(5) Exclusion and removal orders.--
``(A) Order issuance.--Recommendations of the Council under
paragraph (2), together with any information submitted by a
source under paragraph (3) related to such a recommendation,
shall be reviewed by the following officials, who may issue
exclusion and removal orders based upon such recommendations:
``(i) The Secretary of Homeland Security, for exclusion and
removal orders applicable to civilian agencies, to the extent
not covered by clause (ii) or (iii).
``(ii) The Secretary of Defense, for exclusion and removal
orders applicable to the Department of Defense and national
security systems other than sensitive compartmented
information systems.
``(iii) The Director of National Intelligence, for
exclusion and removal orders applicable to the intelligence
community and sensitive compartmented information systems, to
the extent not covered by clause (ii).
``(B) Delegation.--The officials identified in subparagraph
(A) may not delegate any authority under this subparagraph to
an official below the level one level below the Deputy
Secretary or Principal Deputy Director, except that the
Secretary of Defense may delegate authority for removal
orders to the Commander of the United States Cyber Command,
who may not redelegate such authority to an official below
the level one level below the Deputy Commander.
``(C) Facilitation of exclusion orders.--If officials
identified under this paragraph from the Department of
Homeland Security, the Department of Defense, and the Office
of the Director of National Intelligence issue orders
collectively resulting in a governmentwide exclusion, the
Administrator for General Services and officials at other
executive agencies responsible for management of the Federal
Supply Schedules, governmentwide acquisition contracts, and
multi-agency contracts shall help facilitate implementation
of such orders by removing the covered articles or sources
identified in the orders from such contracts.
``(D) Review of exclusion and removal orders.--The
officials identified under this paragraph shall review all
exclusion and removal orders issued under subparagraph (A)
not less frequently than annually pursuant to procedures
established by the Council.
``(E) Rescission.--Orders issued pursuant to subparagraph
(A) may be rescinded by an authorized official from the
relevant issuing agency.
``(6) Notifications.--Upon issuance of an exclusion or
removal order pursuant to paragraph (5)(A), the official
identified under that paragraph who issued the order shall--
``(A) notify any source named in the order of--
``(i) the exclusion or removal order; and
``(ii) to the extent consistent with national security and
law enforcement interests, information that forms the basis
for the order;
``(B) provide classified or unclassified notice of the
exclusion or removal order to the appropriate congressional
committees and leadership; and
``(C) provide the exclusion or removal order to the agency
identified in subsection (a)(3).
``(7) Compliance.--Executive agencies shall comply with
exclusion and removal orders issued pursuant to paragraph
(5).
``(d) Authority To Request Information.--The Council may
request such information from executive agencies as is
necessary for the Council to carry out its functions.
``(e) Relationship to Other Councils.--The Council shall
consult and coordinate, as appropriate, with other relevant
councils and interagency committees, including the Chief
Information Officers Council, the Chief Acquisition Officers
Council, the Federal Acquisition Regulatory Council, and the
Committee on Foreign Investment in the United States, with
respect to supply chain risks posed by the acquisition and
use of covered articles.
``(f) Rules of Construction.--Nothing in this section shall
be construed--
``(1) to limit the authority of the Office of Federal
Procurement Policy to carry out the responsibilities of that
Office under any other provision of law; or
``(2) to authorize the issuance of an exclusion or removal
order based solely on the fact of foreign ownership of a
potential procurement source that is otherwise qualified to
enter into procurement contracts with the Federal Government.
``Sec. 1324. Strategic plan
``(a) In General.--Not later than 180 days after the date
of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018, the Council shall develop a strategic
plan for addressing supply chain risks posed by the
acquisition of covered articles and for managing such risks,
that includes--
``(1) the criteria and processes required under section
1323(a) of this title, including a threshold and requirements
for sharing relevant information about such risks with all
executive agencies and, as appropriate, with other Federal
entities and non-Federal entities;
``(2) an identification of existing authorities for
addressing such risks;
``(3) an identification and promulgation of best practices
and procedures and available resources for executive agencies
to assess and mitigate such risks;
``(4) recommendations for any legislative, regulatory, or
other policy changes to improve efforts to address such
risks;
``(5) recommendations for any legislative, regulatory, or
other policy changes to incentivize the adoption of best
practices for supply chain risk management by the private
sector;
``(6) an evaluation of the effect of implementing new
policies or procedures on existing contracts and the
procurement process;
``(7) a plan for engaging with executive agencies, the
private sector, and other nongovernmental stakeholders to
address such risks;
``(8) a plan for identification, assessment, mitigation,
and vetting of supply chain risks from existing and
prospective information and communications technology made
available by executive agencies to other executive agencies
through common contract solutions, shared services,
acquisition vehicles, or other assisted acquisition services;
and
``(9) plans to strengthen the capacity of all executive
agencies to conduct assessments of--
``(A) the supply chain risk posed by the acquisition of
covered articles; and
``(B) compliance with the requirements of this subchapter.
``(b) Submission to Congress.--Not later than 7 calendar
days after completion of the strategic plan required by
subsection (a), the Chairperson of the Council shall submit
the plan to the appropriate congressional committees and
leadership.
``Sec. 1325. Annual report
``Not later than December 31 of each year, the Chairperson
of the Council shall submit to the appropriate congressional
committees and leadership a report on the activities of the
Council during the preceding 12-month period.
``Sec. 1326. Requirements for executive agencies
``(a) In General.--The head of each executive agency shall
be responsible for--
``(1) assessing the supply chain risk posed by the
acquisition and use of covered articles and avoiding,
mitigating, accepting, or transferring that risk, as
appropriate and consistent with the standards, guidelines,
and practices identified by the Council under section
1323(a)(1); and
``(2) prioritizing supply chain risk assessments conducted
under paragraph (1) based on the criticality of the mission,
system, component, service, or asset.
``(b) Inclusions.--The responsibility for assessing supply
chain risk described in subsection (a) includes--
``(1) developing an overall supply chain risk management
strategy and implementation plan and policies and processes
to guide and govern supply chain risk management activities;
``(2) integrating supply chain risk management practices
throughout the lifecycle of the system, component, service,
or asset;
``(3) limiting, avoiding, mitigating, accepting, or
transferring any identified risk;
``(4) sharing relevant information with other executive
agencies, as determined appropriate by the Council in a
manner consistent with section 1323(a) of this title;
``(5) reporting on progress and effectiveness of the
agency's supply chain risk management consistent with
guidance issued by the Office of Management and Budget and
the Council; and
``(6) ensuring that all relevant information, including
classified information, with respect to acquisitions of
covered articles that may pose a supply chain risk,
consistent with section 1323(a) of this title, is
incorporated into existing processes of the agency for
conducting assessments described in subsection (a) and
ongoing management of acquisition programs, including any
identification, investigation, mitigation, or remediation
needs.
``(c) Interagency Acquisitions.--
``(1) In general.--Except as provided in paragraph (2), in
the case of an interagency acquisition, subsection (a) shall
be carried out by the head of the executive agency whose
funds are being used to procure the covered article.
``(2) Assisted acquisitions.--In an assisted acquisition,
the parties to the acquisition shall determine, as part of
the interagency agreement governing the acquisition, which
agency is responsible for carrying out subsection (a).
``(3) Definitions.--In this subsection, the terms `assisted
acquisition' and `interagency acquisition' have the meanings
given those terms in section 2.101 of title 48, Code of
Federal Regulations (or any corresponding similar regulation
or ruling).
``(d) Assistance.--The Secretary of Homeland Security may--
``(1) assist executive agencies in conducting risk
assessments described in subsection (a) and implementing
mitigation requirements for information and communications
technology; and
``(2) provide such additional guidance or tools as are
necessary to support actions taken by executive agencies.
``Sec. 1327. Judicial review procedures
``(a) In General.--Except as provided in subsection (b) and
chapter 71 of this title, and notwithstanding any other
provision of law, an action taken under section 1323 or 4713
of this title, or any action taken by an executive agency to
implement such an action, shall not be subject to
administrative review or judicial review, including bid
protests before the Government Accountability Office or in
any Federal court.
``(b) Petitions.--
``(1) In general.--Not later than 60 days after a party is
notified of an exclusion or removal order under section
1323(c)(6) of this title or a covered procurement action
under section 4713 of this title, the party may file a
petition for judicial review in the United States Court of
Appeals for the District of Columbia Circuit claiming that
the issuance of the exclusion or removal order or covered
procurement action is unlawful.
``(2) Standard of review.--The Court shall hold unlawful a
covered action taken under sections 1323 or 4713 of this
title, in response to a petition that the court finds to be--
``(A) arbitrary, capricious, an abuse of discretion, or
otherwise not in accordance with law;
``(B) contrary to constitutional right, power, privilege,
or immunity;
``(C) in excess of statutory jurisdiction, authority, or
limitation, or short of statutory right;
``(D) lacking substantial support in the administrative
record taken as a whole or in classified information
submitted to the court under paragraph (3); or
``(E) not in accord with procedures required by law.
``(3) Exclusive jurisdiction.--The United States Court of
Appeals for the District of Columbia Circuit shall have
exclusive jurisdiction over claims arising under sections
1323(c)(5) or 4713 of this title against the United States,
any United States department or agency, or any component or
official of any such department or agency, subject to review
by the Supreme Court of the United States under section 1254
of title 28.
``(4) Administrative record and procedures.--
``(A) In general.--The procedures described in this
paragraph shall apply to the review of a petition under this
section.
``(B) Administrative record.--
``(i) Filing of record.--The United States shall file with
the court an administrative record, which shall consist of
the information that the appropriate official relied upon in
issuing an exclusion or removal order under section
1323(c)(5) or a covered procurement action under section 4713
of this title.
``(ii) Unclassified, nonprivileged information.--All
unclassified information contained in the administrative
record that is not otherwise privileged or subject to
statutory protections shall be provided to the petitioner
with appropriate protections for any privileged or
confidential trade secrets and commercial or financial
information.
``(iii) In camera and ex parte.--The following information
may be included in the administrative record and shall be
submitted only to the court ex parte and in camera:
``(I) Classified information.
``(II) Sensitive security information, as defined by
section 1520.5 of title 49, Code of Federal Regulations.
``(III) Privileged law enforcement information.
``(IV) Information obtained or derived from any activity
authorized under the Foreign Intelligence Surveillance Act of
1978 (50 U.S.C. 1801 et seq.), except that, with respect to
such information, subsections (c), (e), (f), (g), and (h) of
section 106 (50 U.S.C. 1806), subsections (d), (f), (g), (h),
and (i) of section 305 (50 U.S.C. 1825), subsections (c),
(e), (f), (g), and (h) of section 405 (50 U.S.C. 1845), and
section 706 (50 U.S.C. 1881e) of that Act shall not apply.
``(V) Information subject to privilege or protections under
any other provision of law.
``(iv) Under seal.--Any information that is part of the
administrative record filed ex parte and in camera under
clause (iii), or cited by the court in any decision, shall be
treated by the court consistent with the provisions of this
subparagraph and shall remain under seal and preserved in the
records of the court to be made available consistent with the
above provisions in the event of further proceedings. In no
event shall such information be released to the petitioner or
as part of the public record.
``(v) Return.--After the expiration of the time to seek
further review, or the conclusion of further proceedings, the
court shall return the administrative record, including any
and all copies, to the United States.
``(C) Exclusive remedy.--A determination by the court under
this subsection shall be the exclusive judicial remedy for
any claim described in this section against the United
States, any United States department or agency, or any
component or official of any such department or agency.
``(D) Rule of construction.--Nothing in this section shall
be construed as limiting, superseding, or preventing the
invocation of, any privileges or defenses that are otherwise
available at law or in equity to protect against the
disclosure of information.
``(c) Definition.--In this section, the term `classified
information'--
``(1) has the meaning given that term in section 1(a) of
the Classified Information Procedures Act (18 U.S.C. App.);
and
``(2) includes--
``(A) any information or material that has been determined
by the United States Government pursuant to an Executive
order, statute, or regulation to require protection against
unauthorized disclosure for reasons of national security; and
``(B) any restricted data, as defined in section 11 of the
Atomic Energy Act of 1954 (42 U.S.C. 2014).
``Sec. 1328. Termination
``This subchapter shall terminate on the date that is 5
years after the date of the enactment of the Federal
Acquisition Supply Chain Security Act of 2018.''.
(b) Clerical Amendment.--The table of sections at the
beginning of chapter 13 of such title is amended by adding at
the end the following new items:
``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY
``Sec.
``1321. Definitions.
``1322. Federal Acquisition Security Council establishment and
membership.
``1323. Functions and authorities.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Judicial review procedures.
``1328. Termination.''.
(c) Effective Date.--The amendments made by this section
shall take effect on the date that is 90 days after the date
of the enactment of this Act and shall apply to contracts
that are awarded before, on, or after that date.
(d) Implementation.--
(1) Interim final rule.--Not later than one year after the
date of the enactment of this Act, the Federal Acquisition
Security Council shall prescribe an interim final rule to
implement subchapter III of chapter 13 of title 41, United
States Code, as added by subsection (a).
(2) Final rule.--Not later than one year after prescribing
the interim final rule under paragraph (1) and considering
public comments with respect to such interim final rule, the
Council shall prescribe a final rule to implement subchapter
III of chapter 13 of title 41, United States Code, as added
by subsection (a).
(3) Failure to act.--
(A) In general.--If the Council does not issue a final rule
in accordance with paragraph (2) on or before the last day of
the 1-year period referred to in that paragraph, the Council
shall submit to the appropriate congressional committees and
leadership, not later than 10 days after such last day and
every 90 days thereafter until the final rule is issued, a
report explaining why the final rule was not timely issued
and providing an estimate of the earliest date on which the
final rule will be issued.
(B) Appropriate congressional committees and leadership
defined.--In this paragraph, the term ``appropriate
congressional committees and leadership'' has the meaning
given that term in section 1321 of title 41, United States
Code, as added by subsection (a).
SEC. 3. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO
MITIGATING SUPPLY CHAIN RISKS IN THE
PROCUREMENT OF COVERED ARTICLES.
(a) In General.--Chapter 47 of title 41, United States
Code, is amended by adding at the end the following new
section:
``Sec. 4713. Authorities relating to mitigating supply chain
risks in the procurement of covered articles
``(a) Authority.--Subject to subsection (b), the head of an
executive agency may carry out a covered procurement action.
``(b) Determination and Notification.--Except as authorized
by subsection (c) to address an urgent national security
interest, the head of an executive agency may exercise the
authority provided in subsection (a) only after--
``(1) obtaining a joint recommendation, in unclassified or
classified form, from the chief acquisition officer and the
chief information officer of the agency, or officials
performing similar functions in the case of executive
agencies that do not have such officials, which includes a
review of any risk assessment made available by the executive
agency identified under section 1323(a)(3) of this title,
that there is a significant supply chain risk in a covered
procurement;
``(2) providing notice of the joint recommendation
described in paragraph (1) to any source named in the joint
recommendation advising--
``(A) that a recommendation is being considered or has been
obtained;
``(B) to the extent consistent with the national security
and law enforcement interests, of information that forms the
basis for the recommendation;
``(C) that, within 30 days after receipt of the notice, the
source may submit information and argument in opposition to
the recommendation; and
``(D) of the procedures governing the consideration of the
submission and the possible exercise of the authority
provided in subsection (a);
``(3) making a determination in writing, in unclassified or
classified form, after considering any information submitted
by a source under paragraph (2) and in consultation with the
chief information security officer of the agency, that--
``(A) use of the authority under subsection (a) is
necessary to protect national security by reducing supply
chain risk;
``(B) less intrusive measures are not reasonably available
to reduce such supply chain risk; and
``(C) the use of such authorities will apply to a single
covered procurement or a class of covered procurements, and
otherwise specifies the scope of the determination; and
``(4) providing a classified or unclassified notice of the
determination made under paragraph (3) to the appropriate
congressional committees and leadership that includes--
``(A) the joint recommendation described in paragraph (1);
``(B) a summary of any risk assessment reviewed in support
of the joint recommendation required by paragraph (1); and
``(C) a summary of the basis for the determination,
including a discussion of less intrusive measures that were
considered and why such measures were not reasonably
available to reduce supply chain risk.
``(c) Procedures To Address Urgent National Security
Interests.--In any case in which the head of an executive
agency determines that an urgent national security interest
requires the immediate exercise of the authority provided in
subsection (a), the head of the agency--
``(1) may, to the extent necessary to address such national
security interest, and subject to the conditions in paragraph
(2)--
``(A) temporarily delay the notice required by subsection
(b)(2);
``(B) make the determination required by subsection (b)(3),
regardless of whether the notice required by subsection
(b)(2) has been provided or whether the notified source has
submitted any information in response to such notice;
``(C) temporarily delay the notice required by subsection
(b)(4); and
``(D) exercise the authority provided in subsection (a) in
accordance with such determination within 60 calendar days
after the day the determination is made; and
``(2) shall take actions necessary to comply with all
requirements of subsection (b) as soon as practicable after
addressing the urgent national security interest, including--
``(A) providing the notice required by subsection (b)(2);
``(B) promptly considering any information submitted by the
source in response to such notice, and making any appropriate
modifications to the determination based on such information;
``(C) providing the notice required by subsection (b)(4),
including a description of the urgent national security
interest, and any modifications to the determination made in
accordance with subparagraph (B); and
``(D) providing notice to the appropriate congressional
committees and leadership within 7 calendar days of the
covered procurement actions taken under this section.
``(d) Confidentiality.--The notice required by subsection
(b)(2) shall be kept confidential until a determination with
respect to a covered procurement action has been made
pursuant to subsection (b)(3).
``(e) Delegation.--The head of an executive agency may not
delegate the authority provided in subsection (a) or the
responsibility identified in subsection (g) to an official
below the level one level below the Deputy Secretary or
Principal Deputy Director.
``(f) Annual Review of Determinations.--The head of an
executive agency shall conduct an annual review of all
determinations made by such head under subsection (b) and
promptly amend any covered procurement action as appropriate.
``(g) Regulations.--The Federal Acquisition Regulatory
Council shall prescribe such regulations as may be necessary
to carry out this section.
``(h) Reports Required.--Not less frequently than annually,
the head of each executive agency that exercised the
authority provided in subsection (a) or (c) during the
preceding 12-month period shall submit to the appropriate
congressional committees and leadership a report summarizing
the actions taken by the agency under this section during
that 12-month period.
``(i) Rule of Construction.--Nothing in this section shall
be construed to authorize the head of an executive agency to
carry out a covered procurement action based solely on the
fact of foreign ownership of a potential procurement source
that is otherwise qualified to enter into procurement
contracts with the Federal Government.
``(j) Termination.--The authority provided under subsection
(a) shall terminate on the date that is 5 years after the
date of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018.
``(k) Definitions.--In this section:
``(1) Appropriate congressional committees and
leadership.--The term `appropriate congressional committees
and leadership' means--
``(A) the Committee on Homeland Security and Governmental
Affairs, the Committee on the Judiciary, the Committee on
Appropriations, the Committee on Armed Services, the
Committee on Commerce, Science, and Transportation, the
Select Committee on Intelligence, and the majority and
minority leader of the Senate; and
``(B) the Committee on Oversight and Government Reform, the
Committee on the Judiciary, the Committee on Appropriations,
the Committee on Homeland Security, the Committee on Armed
Services, the Committee on Energy and Commerce, the Permanent
Select Committee on Intelligence, and the Speaker and
minority leader of the House of Representatives.
``(2) Covered article.--The term `covered article' means--
``(A) information technology, as defined in section 11101
of title 40, including cloud computing services of all types;
``(B) telecommunications equipment or telecommunications
service, as those terms are defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153);
``(C) the processing of information on a Federal or non-
Federal information system, subject to the requirements of
the Controlled Unclassified Information program; or
``(D) hardware, systems, devices, software, or services
that include embedded or incidental information technology.
``(3) Covered procurement.--The term `covered procurement'
means--
``(A) a source selection for a covered article involving
either a performance specification, as provided in subsection
(a)(3)(B) of section 3306 of this title, or an evaluation
factor, as provided in subsection (b)(1)(A) of such section,
relating to a supply chain risk, or where supply chain risk
considerations are included in the agency's determination of
whether a source is a responsible source as defined in
section 113 of this title;
``(B) the consideration of proposals for and issuance of a
task or delivery order for a covered article, as provided in
section 4106(d)(3) of this title, where the task or delivery
order contract includes a contract clause establishing a
requirement relating to a supply chain risk;
``(C) any contract action involving a contract for a
covered article where the contract includes a clause
establishing requirements relating to a supply chain risk; or
``(D) any other procurement in a category of procurements
determined appropriate by the Federal Acquisition Regulatory
Council, with the advice of the Federal Acquisition Security
Council.
``(4) Covered procurement action.--The term `covered
procurement action' means any of the following actions, if
the action takes place in the course of conducting a covered
procurement:
``(A) The exclusion of a source that fails to meet
qualification requirements established under section 3311 of
this title for the purpose of reducing supply chain risk in
the acquisition or use of covered articles.
``(B) The exclusion of a source that fails to achieve an
acceptable rating with regard to an evaluation factor
providing for the consideration of supply chain risk in the
evaluation of proposals for the award of a contract or the
issuance of a task or delivery order.
``(C) The determination that a source is not a responsible
source as defined in section 113 of this title based on
considerations of supply chain risk.
``(D) The decision to withhold consent for a contractor to
subcontract with a particular source or to direct a
contractor to exclude a particular source from consideration
for a subcontract under the contract.
``(5) Information and communications technology.--The term
`information and communications technology' means--
``(A) information technology, as defined in section 11101
of title 40;
``(B) information systems, as defined in section 3502 of
title 44; and
``(C) telecommunications equipment and telecommunications
services, as those terms are defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153).
``(6) Supply chain risk.--The term `supply chain risk'
means the risk that any person may sabotage, maliciously
introduce unwanted function, extract data, or otherwise
manipulate the design, integrity, manufacturing, production,
distribution, installation, operation, maintenance,
disposition, or retirement of covered articles so as to
surveil, deny, disrupt, or otherwise manipulate the function,
use, or operation of the covered articles or information
stored or transmitted on the covered articles.
``(7) Executive agency.--Notwithstanding section
3101(c)(1), this section applies to the Department of
Defense, the Coast Guard, and the National Aeronautics and
Space Administration.''.
(b) Clerical Amendment.--The table of sections at the
beginning of chapter 47 of such title is amended by adding at
the end the following new item:
``Sec. 4713. Authorities relating to mitigating supply chain risks in
the procurement of covered articles.''.
(c) Effective Date.--The amendments made by this section
shall take effect on the date that is 90 days after the date
of the enactment of this Act and shall apply to contracts
that are awarded before, on, or after that date.
SEC. 4. FEDERAL INFORMATION SECURITY MODERNIZATION ACT.
(a) In General.--Title 44, United States Code, is amended--
(1) in section 3553(a)(5), by inserting ``and section 1326
of title 41'' after ``compliance with the requirements of
this subchapter''; and
(2) in section 3554(a)(1)(B)--
(A) by inserting ``, subchapter III of chapter 13 of title
41,'' after ``complying with the requirements of this
subchapter'';
(B) in clause (iv), by striking ``; and'' and inserting a
semicolon; and
(C) by adding at the end the following new clause:
``(vi) responsibilities relating to assessing and avoiding,
mitigating, transferring, or accepting supply chain risks
under section 1326 of title 41, and complying with exclusion
and removal orders issued under section 1323 of such title;
and''.
(b) Rule of Construction.--Nothing in this Act shall be
construed to alter or impede any authority or responsibility
under section 3553 of title 44, United States Code.
SEC. 5. EFFECTIVE DATE.
This Act shall take effect on the date that is 90 days
after the date of the enactment of this Act.
The bill (S. 3085), as amended, was ordered to be engrossed for a
third reading, was read the third time, and passed.
____________________