[Congressional Record Volume 168, Number 78 (Tuesday, May 10, 2022)]
[House]
[Pages H4758-H4759]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                              {time}  1730
               SUPPLY CHAIN SECURITY TRAINING ACT OF 2021

  Mr. CONNOLLY. Mr. Speaker, I move to suspend the rules and pass the 
bill (S. 2201) to manage supply chain risk through counterintelligence 
training, and for other purposes.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                                S. 2201

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Supply Chain Security 
     Training Act of 2021''.

     SEC. 2. TRAINING PROGRAM TO MANAGE SUPPLY CHAIN RISK.

       (a) In General.--Not later than 180 days after the date of 
     the enactment of this Act, the Administrator of General 
     Services, through the Federal Acquisition Institute, shall 
     develop a training program for officials with supply chain 
     risk management responsibilities at Federal agencies.
       (b) Content.--The training program shall be designed to 
     prepare such personnel to perform supply chain risk 
     management activities and identify and mitigate supply chain 
     security risks that arise throughout the acquisition 
     lifecycle, including for the acquisition of information and 
     communications technology. The training program shall--
       (1) include, considering the protection of classified and 
     other sensitive information, information on current, specific 
     supply chain security threats and vulnerabilities; and
       (2) be updated as determined to be necessary by the 
     Administrator.
       (c) Coordination and Consultation.--In developing and 
     determining updates to the training program, the 
     Administrator shall--
       (1) coordinate with the Federal Acquisition Security 
     Council, the Secretary of Homeland Security, and the Director 
     of the Office of Personnel Management; and
       (2) consult with the Director of the Department of 
     Defense's Defense Acquisition University, the Director of 
     National Intelligence, and the Director of the National 
     Institute of Standards and Technology.
       (d) Guidance.--
       (1) In general.--Not later than 180 days after the training 
     program is developed under subsection (a), the Director of 
     the Office of Management and Budget shall promulgate guidance 
     to Federal agencies requiring executive agency adoption and 
     use of the training program. Such guidance shall--
       (A) allow executive agencies to incorporate the training 
     program into existing agency training programs; and
       (B) provide guidance on how to identify executive agency 
     officials with supply chain risk management responsibilities.
       (2) Availability.--The Director of the Office of Management 
     and Budget shall make the guidance promulgated under 
     paragraph (1) available to Federal agencies of the 
     legislative and judicial branches.

     SEC. 3. REPORTS ON IMPLEMENTATION OF PROGRAM.

       Not later than 180 days after the completion of the first 
     course, and annually thereafter for the next three years, the 
     Administrator of General Services shall submit to the 
     appropriate congressional committees and leadership a report 
     on implementation of the training program required under 
     section 2.

     SEC. 4. DEFINITIONS.

       In this Act:
       (1) Appropriate congressional committees and leadership.--
     The term ``appropriate congressional committees'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs and the Committee on Armed Services of the Senate; 
     and
       (B) the Committee on Oversight and Reform and the Committee 
     on Armed Services of the House of Representatives.
       (2) Information and communications technology.--The term 
     ``information and communications technology'' has the meaning 
     given the term in section 4713(k) of title 41, United States 
     Code.
       (3) Executive agency.--The term ``executive agency'' has 
     the meaning given the term in section 133 of title 41, United 
     States Code.
       (4) Federal agency.--The term ``Federal agency'' means any 
     agency, committee, commission, office, or other establishment 
     in the executive, legislative, or judicial branch of the 
     Federal Government.
       (5) Training program.--The term ``training program'' means 
     the training program developed pursuant to section 2(a).

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Virginia (Mr. Connolly) and the gentlewoman from South Carolina (Ms. 
Mace) each will control 20 minutes.
  The Chair recognizes the gentleman from Virginia.


                             General Leave

  Mr. CONNOLLY. Mr. Speaker, I ask unanimous consent that all Members 
may have 5 legislative days in which to revise and extend their remarks 
and include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Virginia?
  There was no objection.
  Mr. CONNOLLY. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in support of S. 2201, the Supply Chain Security 
Training Act, led by Chairman Gary Peters of the Committee on Homeland 
Security and Governmental Affairs and Senator Ron Johnson of Wisconsin.
  I thank Representatives   Joe Neguse and Scott Franklin, who did 
excellent bipartisan work here to lead the House companion, H.R. 5962, 
which was reported by the Oversight and Reform Committee on February 4 
without opposition.
  This important bill to defend our Nation's information and 
communications technology supply chains cannot be enacted soon enough.
  In December 2020, a Government Accountability Office report revealed 
that Federal agencies had failed to fully implement supply chain and 
risk management standards for information and communications 
technology.
  That same month, the discovery of the SolarWinds breach made urgently 
clear how dangerous supply chain vulnerabilities can be. The networks 
of at least nine Federal agencies were compromised by Russian actors, 
allowing

[[Page H4759]]

them access to Federal systems for months before they were even 
discovered.
  To help address these concerns, the Supply Chain Security Training 
Act establishes a training program for agency employees with 
responsibilities related to supply chain risk management, better 
preparing them to identify and mitigate supply chain threats associated 
with the acquisition of products and services.
  The training requirements created by this bill will ensure that the 
acquisition workforce has the capability to identify items in the 
supply chain that could be used to exploit Federal information systems.
  As the largest purchaser of goods and services in the world, the 
Federal Government relies on a complex supply chain that spans 
continents and is continuously targeted by foreign adversaries and 
cybercriminals scheming to breach Federal information systems.
  To protect our national security interests and guard against these 
attacks, we must equip our Federal acquisition officials with the 
expertise and skills they need to reinforce our cybersecurity defenses 
through purchasing decisions.
  I encourage my colleagues to support this bill, and I reserve the 
balance of my time.
  Ms. MACE. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, recent cyberattacks on the U.S. Government continue to 
reveal weaknesses in our Federal information technology systems. One 
such weakness resides in the software products Federal agencies 
purchase from the private sector.
  IT and software products, like most goods and services, now rely on 
global supply chains for their development, and this means increased 
vulnerabilities to threats from malicious and criminal actors, as well 
as our foreign enemies, as my colleague, Mr. Connolly, just recognized.
  Congress must ensure Federal agencies proactively address supply 
chain security risks. The Supply Chain Security Training Act will 
ensure the Federal workforce properly understands these supply chain 
risks and the appropriate policies to implement to address the risks.
  Specifically, the bill tasks the General Services Administration with 
developing, and the Office of Management and Budget, OMB, with 
implementing a governmentwide supply chain security training program. 
This training will prepare the Federal workforce to better identify and 
mitigate the security risks throughout the acquisition lifecycle of 
information and communications technology products and services. For 
instance, Federal agency personnel would be better able to recognize 
and avoid purchasing software products with malware vulnerabilities.
  This is smart legislation that builds on existing congressional 
reforms. For instance, the bill requires coordination with the existing 
Federal Acquisition Security Council, an interagency effort established 
by Congress in 2018 to develop policies and procedures addressing 
supply chain risks.
  Despite these existing efforts, there are currently no Federal 
workforce training requirements in place to ensure supply chain 
security policies are properly and consistently implemented. The 
national security stakes are too high to leave such a strategic gap in 
our Federal defenses.
  S. 2201 represents a practical policy reform to a very real threat. I 
appreciate my colleagues Representatives Neguse and Franklin's 
leadership on championing the House companion bill, H.R. 5962.
  I look forward to seeing the Supply Chain Security Training Act pass 
the House and advance to the President's desk.
  Mr. Speaker, I reserve the balance of my time.
  Mr. CONNOLLY. Mr. Speaker, I have no further speakers on this side. I 
reserve the balance of my time.
  Ms. MACE. Mr. Speaker, I also want to again recognize my colleagues, 
Representatives Neguse and Franklin, who crafted the House companion 
legislation, H.R. 5962.
  I encourage my colleagues to support this bill, and I yield back the 
balance of my time.
  Mr. CONNOLLY. Mr. Speaker, I thank my friend from South Carolina for 
her leadership and support on this important piece of legislation, 
which will help guard Federal assets.

  I urge passage of the bill, and I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Virginia (Mr. Connolly) that the House suspend the rules 
and pass the bill, S. 2201.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill was passed.
  A motion to reconsider was laid on the table.

                          ____________________