[House Report 116-188]
[From the U.S. Government Publishing Office]


116th Congress   }                                            {    Report
                          HOUSE OF REPRESENTATIVES
 1st Session     }                                            {   116-188

======================================================================



 
        SECURING THE HOMELAND SECURITY SUPPLY CHAIN ACT OF 2019

                                _______
                                

August 27, 2019.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

 Mr. Thompson of Mississippi, from the Committee on Homeland Security, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 3320]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 3320) to amend the Homeland Security Act of 2002 
to authorize the Secretary of Homeland Security to implement 
certain requirements for information relating to supply chain 
risk, and for other purposes, having considered the same, 
report favorably thereon with an amendment and recommend that 
the bill as amended do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     4
Background and Need for Legislation..............................     5
Hearings.........................................................     5
Committee Consideration..........................................     6
Committee Votes..................................................     6
Committee Oversight Findings.....................................     6
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and 
  Tax Expenditures...............................................     6
Federal Mandates Statement.......................................     8
Statement of General Performance Goals and Objectives............     8
Duplicative Federal Programs.....................................     8
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits.......................................................     8
Advisory Committee Statement.....................................     8
Applicability to Legislative Branch..............................
Section-by-Section Analysis of the Legislation...................     8
Changes in Existing Law Made by the Bill, as Reported............    10

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Securing the Homeland Security Supply 
Chain Act of 2019''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY REQUIREMENTS FOR INFORMATION 
                    RELATING TO SUPPLY CHAIN RISK.

  (a) In General.--Subtitle D of title VIII of the Homeland Security 
Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the 
following new section:

``SEC. 836. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK.

  ``(a) Authority.--Subject to subsection (b), the Secretary may--
          ``(1) carry out a covered procurement action;
          ``(2) limit, notwithstanding any other provision of law, in 
        whole or in part, the disclosure of information, including 
        classified information, relating to the basis for carrying out 
        such an action; and
          ``(3) exclude, in whole or in part, a source carried out in 
        the course of such an action applicable to a covered 
        procurement of the Department.
  ``(b) Determination and Notification.--Except as authorized by 
subsection (c) to address an urgent national security interest, the 
Secretary may exercise the authority provided in subsection (a) only 
after--
          ``(1) obtaining a joint recommendation, in unclassified or 
        classified form, from the Chief Acquisition Officer and the 
        Chief Information Officer of the Department, including a review 
        of any risk assessment made available by an appropriate person 
        or entity, including the national risk management center at the 
        Cybersecurity and Infrastructure Security Agency, that there is 
        a significant supply chain risk in a covered procurement;
          ``(2) notifying any source named in the joint recommendation 
        described in paragraph (1) advising--
                  ``(A) that a recommendation has been obtained;
                  ``(B) to the extent consistent with the national 
                security and law enforcement interests, the basis for 
                such recommendation;
                  ``(C) that, within 30 days after receipt of notice, 
                such source may submit information and argument in 
                opposition to such recommendation; and
                  ``(D) of the procedures governing the consideration 
                of such submission and the possible exercise of the 
                authority provided in subsection (a);
          ``(3) notifying the relevant components of the Department 
        that such risk assessment has demonstrated significant supply 
        chain risk to a covered procurement;
          ``(4) making a determination in writing, in unclassified or 
        classified form, that after considering any information 
        submitted by a source under paragraph (2), and in consultation 
        with the Chief Information Officer of the Department, that--
                  ``(A) use of authority under subsection (a)(1) is 
                necessary to protect national security by reducing 
                supply chain risk;
                  ``(B) less intrusive measures are not reasonably 
                available to reduce such risk;
                  ``(C) a decision to limit disclosure of information 
                under subsection (a)(2) is necessary to protect 
                national security interest; and
                  ``(D) the use of such authorities will apply to a 
                single covered procurement or a class of covered 
                procurements, and otherwise specifies the scope of such 
                determination;
          ``(5) providing to the Committee on Homeland Security of the 
        House of Representatives and the Committee on Homeland Security 
        and Governmental Affairs of the Senate a classified or 
        unclassified notice of the determination made under paragraph 
        (4) that includes--
                  ``(A) the joint recommendation described in paragraph 
                (1);
                  ``(B) a summary of any risk assessment reviewed in 
                support of such joint recommendation; and
                  ``(C) a summary of the basis for such determination, 
                including a discussion of less intrusive measures that 
                were considered and why such measures were not 
                reasonably available to reduce supply chain risk;
          ``(6) notifying the Director of the Office of Management and 
        Budget, and the heads of other Federal agencies as appropriate, 
        in a manner and to the extent consistent with the requirements 
        of national security; and
          ``(7) taking steps to maintain the confidentiality of any 
        notifications under this subsection.
  ``(c) Procedures To Address Urgent National Security Interests.--In 
any case in which the Secretary determines that national security 
interests require the immediate exercise of the authorities under 
subsection (a), the Secretary--
          ``(1) may, to the extent necessary to address any such 
        national security interest, and subject to the conditions 
        specified in paragraph (2)--
                  ``(A) temporarily delay the notice required by 
                subsection (b)(2);
                  ``(B) make the determination required by subsection 
                (b)(4), regardless of whether the notice required by 
                subsection (b)(2) has been provided or whether the 
                notified source at issue has submitted any information 
                in response to such notice;
                  ``(C) temporarily delay the notice required by 
                subsections (b)(4) and (b)(5); and
                  ``(D) exercise the authority provided in subsection 
                (a) in accordance with such determination; and
          ``(2) shall take actions necessary to comply with all 
        requirements of subsection (b) as soon as practicable after 
        addressing the urgent national security interest that is the 
        subject of paragraph (1), including--
                  ``(A) providing the notice required by subsection 
                (b)(2);
                  ``(B) promptly considering any information submitted 
                by the source at issue in response to such notice, and 
                making any appropriate modifications to the 
                determination required by subsection (b)(4) based on 
                such information; and
                  ``(C) providing the notice required by subsections 
                (b)(5) and (b)(6), including a description of such 
                urgent national security, and any modifications to such 
                determination made in accordance with subparagraph (B).
  ``(d) Annual Review of Determinations.--The Secretary shall annually 
review all determinations made under subsection (b).
  ``(e) Delegation.--The Secretary may not delegate the authority 
provided in subsection (a) or the responsibility identified in 
subsection (d) to an official below the Deputy Secretary.
  ``(f) Limitation of Review.--Notwithstanding any other provision of 
law, no action taken by the Secretary under subsection (a) may be 
subject to review in a bid protest before the Government Accountability 
Office or in any Federal court.
  ``(g) Consultation.--In developing procedures and guidelines for the 
implementation of the authorities described in this section, the 
Secretary shall review the procedures and guidelines utilized by the 
Department of Defense to carry out similar authorities.
  ``(h) Definitions.--In this section:
          ``(1) Covered article.--The term `covered article' means:
                  ``(A) Information technology, including cloud 
                computing services of all types.
                  ``(B) Telecommunications equipment.
                  ``(C) Telecommunications services.
                  ``(D) The processing of information on a Federal or 
                non-Federal information system, subject to the 
                requirements of the Controlled Unclassified Information 
                program of the Department.
                  ``(E) Hardware, systems, devices, software, or 
                services that include embedded or incidental 
                information technology.
          ``(2) Covered procurement.--The term `covered procurement' 
        means--
                  ``(A) a source selection for a covered article 
                involving either a performance specification, as 
                provided in subsection (a)(3)(B) of section 3306 of 
                title 41, United States Code, or an evaluation factor, 
                as provided in subsection (c)(1)(A) of such section, 
                relating to supply chain risk, or with respect to which 
                supply chain risk considerations are included in the 
                Department's determination of whether a source is a 
                responsible source as defined in section 113 of such 
                title;
                  ``(B) the consideration of proposals for and issuance 
                of a task or delivery order for a covered article, as 
                provided in section 4106(d)(3) of title 41, United 
                States Code, with respect to which the task or delivery 
                order contract includes a contract clause establishing 
                a requirement relating to supply chain risk;
                  ``(C) any contract action involving a contract for a 
                covered article with respect to which such contract 
                includes a clause establishing requirements relating to 
                supply chain risk; or
                  ``(D) any procurement made via Government Purchase 
                Care for a covered article when supply chain risk has 
                been identified as a concern.
          ``(3) Covered procurement action.--The term `covered 
        procurement action' means any of the following actions, if such 
        action takes place in the course of conducting a covered 
        procurement:
                  ``(A) The exclusion of a source that fails to meet 
                qualification requirements established pursuant to 
                section 3311 of title 41, United States Code, for the 
                purpose of reducing supply chain risk in the 
                acquisition or use of a covered article.
                  ``(B) The exclusion of a source that fails to achieve 
                an acceptable rating with regard to an evaluation 
                factor providing for the consideration of supply chain 
                risk in the evaluation of proposals for the award of a 
                contract or the issuance of a task or delivery order.
                  ``(C) The determination that a source is not a 
                responsible source based on considerations of supply 
                chain risk.
                  ``(D) The decision to withhold consent for a 
                contractor to subcontract with a particular source or 
                to direct a contractor to exclude a particular source 
                from consideration for a subcontract.
          ``(4) Information system.--The term `information system' has 
        the meaning given such term in section 3502 of title 44, United 
        States Code.
          ``(5) Information technology.--The term `information 
        technology' has the meaning given such term in section 11101 of 
        title 40, United States Code.
          ``(6) Responsible source.--The term `responsible source' has 
        the meaning given such term in section 113 of title 41, United 
        States Code.
          ``(7) Supply chain risk.--The term `supply chain risk' means 
        the risk that a malicious actor may sabotage, maliciously 
        introduce an unwanted function, extract or modify data, or 
        otherwise manipulate the design, integrity, manufacturing, 
        production, distribution, installation, operation, or 
        maintenance of a covered article so as to surveil, deny, 
        disrupt, or otherwise manipulate the function, use, or 
        operation of the information technology or information stored 
        or transmitted on the covered articles.
          ``(8) Telecommunications equipment.--The term 
        `telecommunications equipment' has the meaning given such term 
        in section 3(52) of the Communications Act of 1934 (47 U.S.C. 
        153(52)).
          ``(9) Telecommunications service.--The term 
        `telecommunications service' has the meaning given such term in 
        section 3(53) of the Communications Act of 1934 (47 U.S.C. 
        153(53)).
  ``(i) Effective Date.--The requirements of this section shall take 
effect on the date that is 90 days after the date of the enactment of 
this Act and shall apply to--
          ``(1) contracts awarded on or after such date; and
          ``(2) task and delivery orders issued on or after such date 
        pursuant to contracts awarded before, on, or after such 
        date.''.
  (b) Rulemaking.--Section 553 of title 5, United States Code, and 
section 1707 of title 41, United States Code, shall not apply to the 
Secretary of Homeland Security when carrying out the authorities and 
responsibilities under section 836 of the Homeland Security Act of 
2002, as added by subsection (a).
  (c) Clerical Amendment.--The table of contents in section 1(b) of the 
Homeland Security Act of 2002 is amended by inserting after the item 
relating to section 835 the following new item:

``Sec. 836. Requirements for information relating to supply chain 
risk.''.

SEC. 3. REPORT ON THREATS POSED BY FOREIGN STATE-OWNED ENTITIES TO DHS 
                    INFORMATION TECHNOLOGY AND COMMUNICATIONS SYSTEMS.

  Not later than 180 days after the date of the enactment of this Act, 
the Under Secretary for Management of the Department of Homeland 
Security, in coordination with the national risk management center of 
the Cybersecurity and Infrastructure Security Agency of the Department, 
shall submit to the Committee on Homeland Security of the House of 
Representatives and the Committee on Homeland Security and Governmental 
Affairs of the Senate a report on cybersecurity threats posed by 
terrorist actors and foreign state-owned entities to the information 
technology and communications systems of Department of Homeland 
Security, including information relating to the following:
          (1) The use of foreign state-owned entities' information and 
        communications technology by the Department of Homeland 
        Security, listed by component.
          (2) The threats, in consultation with the Department's Office 
        of Intelligence and Analysis, of foreign state-owned entities' 
        information and communications technology equipment that could 
        impact the Department.

                          Purpose and Summary

    The purpose of H.R. 3320, the ``Securing the Homeland 
Security Supply Chain Act of 2019,'' is to provide the 
Secretary of Homeland Security with the authority to restrict 
certain procurements related to information technology and 
associated products if, following a risk assessment, it is 
determined the vendor poses a threat to the Department of 
Homeland Security supply chain. If such a determination is 
made, the Secretary is permitted to limit the amount of 
information disclosed about the decision-making process.

                  Background and Need for Legislation

    Federal agencies rely on vendors to provide them with 
products and services to carry out their missions and the 
Department of Homeland Security (DHS or Department) is no 
exception. This reliance could put DHS at risk if the products 
and services supplied are exploited to introduce 
vulnerabilities into the Department's supply chain. Recent 
reports about potential supply chain threats linked to foreign-
based firms, especially ones in China and Russia, highlight the 
pervasive and growing threats to the federal supply chain.
    Chinese companies, a number of whom are state-owned or have 
extensive ties to the Chinese state, are leaders in a number of 
advanced technology fields. For years, the Intelligence 
Community has warned that information and communication 
technology (ICT) produced by certain Chinese companies, most 
notably the two largest Chinese telecommunications equipment 
manufacturers, ZTE Corporation and Huawei, could be used to 
carry out cyber theft, spying, and espionage.\1\ Some companies 
with ties to the Russian government also pose national security 
risks. The U.S. government has particularly highlighted 
concerns about Kaspersky labs.\2\ According to DHS, Kaspersky 
anti-virus products could be exploited by malicious cyber 
actors to compromise information systems, and the Russian 
government could use Kaspersky to compromise federal 
information systems, directly implicating U.S. national 
security.\3\ In September 2017, DHS issued a Binding 
Operational Directive (BOD) requiring Federal agencies to 
remove all Kaspersky products from their networks due to 
Russia-related supply chain concerns.\4\
---------------------------------------------------------------------------
    \1\U.S. House of Representatives Permanent Select Committee on 
Intelligence, Investigative Report on the U.S. National Security Issues 
Posed by Chinese Telecommunications Companies Huawei and ZTE, 112th 
Cong. (Oct. 8, 2012), available at https://intelligence.house.gov/
sites/intelligence.house.gov/files/documents/huawei-
zte%20investigative%20report%20(final).pdf.
    \2\DHS Statement on the Issuance of Binding Operational Directive 
17-01, U.S. Department of Homeland Security, (Sept. 13, 2017), 
available at https://www.dhs.gov/news/2017/09/13/dhs-statement-
issuance-binding-operational-directive-17-01.
    \3\Ibid.
    \4\See 82 Fed. Reg. 42782.
---------------------------------------------------------------------------
    In response to these supply chain concerns, H.R. 3320 would 
provide the Secretary of Homeland Security with the authority 
to restrict certain procurements related to information 
technology and associated products if, following a risk 
assessment, it is determined the vendor poses a threat to the 
DHS supply chain.

                                Hearings

    For the purposes of section 103(i) of H. Res. 6 of the 
116th Congress, the following hearing was used to develop or 
consider H.R. 3320:
    On Thursday, July 12, 2018, the Subcommittee on 
Counterterrorism and Intelligence and the Subcommittee on 
Oversight and Management Efficiency of the Committee on 
Homeland Security held a hearing entitled ``Access Denied: 
Keeping Adversaries Away from the Homeland Security Supply 
Chain''. The Subcommittees received testimony from Ms. Soraya 
Correa, Chief Procurement Officer; Dr. John Zangardi, Chief 
Information Officer; Ms. Jeanette Manfra, Assistant Secretary 
in the Office of Cybersecurity and Communications, National 
Protection and Programs Directorate; Ms. Tina W. Gabbrielli, 
Acting Deputy Under Secretary for Intelligence Enterprise 
Operations; and Mr. Gregory Wilshusen, Director of Information 
Security Issues, Government Accountability Office.

                        Committee Consideration

    The Committee met on July 17, 2019, with a quorum being 
present, to consider H.R. 3320 and ordered the measure to be 
reported to the House with a favorable recommendation, with 
amendment, by unanimous consent.
    The following Amendments were offered and accepted by 
unanimous consent:
    An amendment offered by Ms. Jackson Lee.
    Page 3, line 2, insert ``including the national risk 
management center at the Cybersecurity and Infrastructure 
Security Agency,'' after ``tity''. Add at the end the 
following:

SEC. 3. REPORT ON THREATS POSED BY FOREIGN STATE-OWNED ENTITIES TO DHS 
                    INFORMATION TECHNOLOGY AND COMMUNICATIONS SYSTEMS.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during consideration of 
H.R. 3320.

                      Committee Oversight Findings

    In compliance with clause 3(c)(1) of rule XIII of the Rules 
of the House of Representatives, the Committee advises that the 
findings and recommendations of the Committee, based on 
oversight activities under clause 2(b)(1) of rule X of the 
Rules of the House of Representatives, are incorporated in the 
descriptive portions of this report.

Congressional Budget Office Estimate, New Budget Authority, Entitlement 
                    Authority, and Tax Expenditures

    With respect to the requirements of clause 3(c)(2) of rule 
XIII of the Rules of the House of Representatives and section 
308(a) of the Congressional Budget Act of 1974 and with respect 
to requirements of clause (3)(c)(3) of rule XIII of the Rules 
of the House of Representatives and section 402 of the 
Congressional Budget Act of 1974, The Committee adopts as its 
own the cost estimate prepared by the Director of the 
Congressional Budget Office.

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, July 30, 2019.
Hon. Bennie G. Thompson,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for Department of Homeland 
Security Legislation.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Mark 
Grabowicz.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.
    
    

    On July 17, 2019, the House Committee on Homeland Security 
ordered reported the following bills:
           H.R. 3320, the Securing the Homeland 
        Security Supply Chain Act of 2019, which would 
        authorize the Department of Homeland Security (DHS) to 
        take certain actions to improve the security of 
        information and telecommunications systems acquired by 
        the department;
           H.R. 3413, DHS Acquisition Reform Act of 
        2019, which would specify which offices in DHS 
        headquarters have responsibility for acquisition 
        programs;
           H.R. 3526, the Counter Terrorist Network 
        Act, which would authorize Customs and Border 
        Protection to assign personnel to other agencies to 
        support partnerships for sharing global information to 
        enhance border security; and
           H.R. 3722, the Joint Task Force to Combat 
        Opioid Trafficking Act of 2019, which would confirm the 
        authority of DHS to establish a task force to disrupt 
        drug trafficking.
    DHS is currently carrying out activities similar to those 
required by the bills listed above, and any new activities 
required under the legislation would not require substantial 
action by the department. Thus, CBO estimates that implementing 
each bill would not have a significant cost; any spending would 
be subject to the availability of appropriated funds.
    The CBO staff contact for this estimate is Mark Grabowicz. 
The estimate was reviewed by H. Samuel Papenfuss, Deputy 
Assistant Director for Budget Analysis.

                       Federal Mandates Statement

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 3320 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

                    Performance Goals and Objectives

    The Committee states that pursuant to clause 3(c)(4) of 
rule XIII of the Rules of the House of Representatives, H.R. 
3320 would amend the Homeland Security Act of 2002 to authorize 
the Secretary of Homeland Security to restrict certain 
procurements related to information technology and associated 
products if it is determined that the procurement poses a 
national security risk. The bill requires the Secretary to 
notify the appropriate Committees of the Senate and House of 
Representatives, as well as the Office of Management and Budget 
and the vendor of the risk determination. The bill also 
requires the Secretary to review existing procedures and 
guidelines used by the Department of Defense when developing 
the procedures and guidelines for the Department of Homeland 
Security. Lastly, the bill requires the Secretary to review any 
supply chain restrictions determined under the Act on an annual 
basis.

                          Advisory on Earmarks

    In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(d), 9(e), or 9(f) of the rule 
XXI.

             Section-by-Section Analysis of the Legislation


Section 1. Short title

    This section provides that this bill may be cited as the 
``Securing the Homeland Security Supply Chain Act of 2019''.

Sec. 2. Department of Homeland Security requirements for information 
        relating to supply chain risk

    This section establishes a new Section 836 in the Homeland 
Security Act as follows:
          Subsection (a) authorizes the Secretary of Homeland 
        Security to take the following actions related to the 
        procurement of a covered article, which includes 
        information technology, telecommunications equipment, 
        telecommunication services, and associated hardware, 
        software, and services: exclude a source from the 
        procurement process if the source fails to meet 
        established supply chain risk standards or is 
        determined not to be a responsible source; and direct a 
        contractor to exclude a particular source for a 
        subcontract; limit the information disclosed, including 
        classified information, about the basis for carrying 
        out a covered procurement action; and exclude a source, 
        if identified to be a threat, from procurements or 
        contracts across the Department.
          Subsection (b) authorizes the DHS Secretary to take 
        the action permitted in subsection (a) only after: 
        obtaining a joint recommendation from the Department's 
        Chief Acquisition Officer and Chief Information Officer 
        that there is a significant supply chain risk in a 
        covered procurement; providing notice of the 
        recommendation to any source named in such 
        recommendation and allowing that source 30 days to 
        submit information in response; notifying the relevant 
        Departmental components of the risk; documenting in 
        writing the determination that the use of the authority 
        is necessary; there are no less intrusive measures 
        available to reduce the risk; that disclosing 
        information about the risk and the procurement would 
        pose a greater risk to national security; and whether 
        the exclusion will apply to a single covered 
        procurement or a class of covered procurements; 
        providing notice of the determination to the Committee 
        on Homeland Security of the House and the Committee on 
        Homeland Security and Governmental Affairs of the 
        Senate; notifying the Director of the Office of 
        Management and Budget, and other appropriate Federal 
        agencies; and taking steps necessary to maintain the 
        confidentiality of any notifications made under this 
        subsection.
          Subsection (c) allows the Secretary to delay the 
        notification requirements in subsection (b) to the 
        source named in the recommendation, Congress, and the 
        Office of Management and Budget, and still make a 
        determination to exclude a source under subsection 
        (b)(4) if there is an urgent national security reason 
        for an immediate use of the authorities in subsection 
        (a). Once the national security issue has been 
        addressed, the DHS Secretary must take action to 
        complete the notification requirements.
          Subsection (d) requires the Secretary to review all 
        of the exclusion determinations made pursuant to 
        subsection (b) on an annual basis.
          Subsection (e) prohibits the Secretary from 
        delegating the authority in subsection (a) or 
        subsection (d) to any Departmental official below the 
        Deputy Secretary level.
          Subsection (f) exempts any action taken under 
        subsection (a) from review under a bid protest through 
        the Government Accountability Office or in Federal 
        court.
          Subsection (g) requires the Secretary to review 
        similar procedures and guidelines used by the 
        Department of Defense when developing the procedures 
        and guidelines for the Department of Homeland Security.
          Subsection (h) defines the following terms: ``covered 
        article,'' ``covered procurement,'' ``covered 
        procurement action,'' ``information technology,'' 
        ``responsible source,'' ``supply chain risk,'' 
        ``telecommunications equipment,'' and 
        ``telecommunications service.''
          Subsection (i) sets 90 days after enactment as the 
        effective date for the authorities described in this 
        section. In addition, this section exempts the 
        Secretary from public notice and meeting requirements 
        related to the Federal rulemaking procedures 
        established under section 553 of Title 5 and section 
        1707 of Title 41.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (new matter is 
printed in italic and existing law in which no change is 
proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002


SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Homeland 
Security Act of 2002''.
  (b) Table of Contents.--The table of contents for this Act is 
as follows:

Sec. 1. Short title; table of contents.
     * * * * * * *

 TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; 
      UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

     * * * * * * *

                        Subtitle D--Acquisitions

     * * * * * * *
Sec. 836. Requirements for information relating to supply chain risk.

           *       *       *       *       *       *       *


TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; 
UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

           *       *       *       *       *       *       *


Subtitle D--Acquisitions

           *       *       *       *       *       *       *


SEC. 836. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK.

  (a) Authority.--Subject to subsection (b), the Secretary 
may--
          (1) carry out a covered procurement action;
          (2) limit, notwithstanding any other provision of 
        law, in whole or in part, the disclosure of 
        information, including classified information, relating 
        to the basis for carrying out such an action; and
          (3) exclude, in whole or in part, a source carried 
        out in the course of such an action applicable to a 
        covered procurement of the Department.
  (b) Determination and Notification.--Except as authorized by 
subsection (c) to address an urgent national security interest, 
the Secretary may exercise the authority provided in subsection 
(a) only after--
          (1) obtaining a joint recommendation, in unclassified 
        or classified form, from the Chief Acquisition Officer 
        and the Chief Information Officer of the Department, 
        including a review of any risk assessment made 
        available by an appropriate person or entity, including 
        the national risk management center at the 
        Cybersecurity and Infrastructure Security Agency, that 
        there is a significant supply chain risk in a covered 
        procurement;
          (2) notifying any source named in the joint 
        recommendation described in paragraph (1) advising--
                  (A) that a recommendation has been obtained;
                  (B) to the extent consistent with the 
                national security and law enforcement 
                interests, the basis for such recommendation;
                  (C) that, within 30 days after receipt of 
                notice, such source may submit information and 
                argument in opposition to such recommendation; 
                and
                  (D) of the procedures governing the 
                consideration of such submission and the 
                possible exercise of the authority provided in 
                subsection (a);
          (3) notifying the relevant components of the 
        Department that such risk assessment has demonstrated 
        significant supply chain risk to a covered procurement;
          (4) making a determination in writing, in 
        unclassified or classified form, that after considering 
        any information submitted by a source under paragraph 
        (2), and in consultation with the Chief Information 
        Officer of the Department, that--
                  (A) use of authority under subsection (a)(1) 
                is necessary to protect national security by 
                reducing supply chain risk;
                  (B) less intrusive measures are not 
                reasonably available to reduce such risk;
                  (C) a decision to limit disclosure of 
                information under subsection (a)(2) is 
                necessary to protect national security 
                interest; and
                  (D) the use of such authorities will apply to 
                a single covered procurement or a class of 
                covered procurements, and otherwise specifies 
                the scope of such determination;
          (5) providing to the Committee on Homeland Security 
        of the House of Representatives and the Committee on 
        Homeland Security and Governmental Affairs of the 
        Senate a classified or unclassified notice of the 
        determination made under paragraph (4) that includes--
                  (A) the joint recommendation described in 
                paragraph (1);
                  (B) a summary of any risk assessment reviewed 
                in support of such joint recommendation; and
                  (C) a summary of the basis for such 
                determination, including a discussion of less 
                intrusive measures that were considered and why 
                such measures were not reasonably available to 
                reduce supply chain risk;
          (6) notifying the Director of the Office of 
        Management and Budget, and the heads of other Federal 
        agencies as appropriate, in a manner and to the extent 
        consistent with the requirements of national security; 
        and
          (7) taking steps to maintain the confidentiality of 
        any notifications under this subsection.
  (c) Procedures to Address Urgent National Security 
Interests.--In any case in which the Secretary determines that 
national security interests require the immediate exercise of 
the authorities under subsection (a), the Secretary--
          (1) may, to the extent necessary to address any such 
        national security interest, and subject to the 
        conditions specified in paragraph (2)--
                  (A) temporarily delay the notice required by 
                subsection (b)(2);
                  (B) make the determination required by 
                subsection (b)(4), regardless of whether the 
                notice required by subsection (b)(2) has been 
                provided or whether the notified source at 
                issue has submitted any information in response 
                to such notice;
                  (C) temporarily delay the notice required by 
                subsections (b)(4) and (b)(5); and
                  (D) exercise the authority provided in 
                subsection (a) in accordance with such 
                determination; and
          (2) shall take actions necessary to comply with all 
        requirements of subsection (b) as soon as practicable 
        after addressing the urgent national security interest 
        that is the subject of paragraph (1), including--
                  (A) providing the notice required by 
                subsection (b)(2);
                  (B) promptly considering any information 
                submitted by the source at issue in response to 
                such notice, and making any appropriate 
                modifications to the determination required by 
                subsection (b)(4) based on such information; 
                and
                  (C) providing the notice required by 
                subsections (b)(5) and (b)(6), including a 
                description of such urgent national security, 
                and any modifications to such determination 
                made in accordance with subparagraph (B).
  (d) Annual Review of Determinations.--The Secretary shall 
annually review all determinations made under subsection (b).
  (e) Delegation.--The Secretary may not delegate the authority 
provided in subsection (a) or the responsibility identified in 
subsection (d) to an official below the Deputy Secretary.
  (f) Limitation of Review.--Notwithstanding any other 
provision of law, no action taken by the Secretary under 
subsection (a) may be subject to review in a bid protest before 
the Government Accountability Office or in any Federal court.
  (g) Consultation.--In developing procedures and guidelines 
for the implementation of the authorities described in this 
section, the Secretary shall review the procedures and 
guidelines utilized by the Department of Defense to carry out 
similar authorities.
  (h) Definitions.--In this section:
          (1) Covered article.--The term ``covered article'' 
        means:
                  (A) Information technology, including cloud 
                computing services of all types.
                  (B) Telecommunications equipment.
                  (C) Telecommunications services.
                  (D) The processing of information on a 
                Federal or non-Federal information system, 
                subject to the requirements of the Controlled 
                Unclassified Information program of the 
                Department.
                  (E) Hardware, systems, devices, software, or 
                services that include embedded or incidental 
                information technology.
          (2) Covered procurement.--The term ``covered 
        procurement'' means--
                  (A) a source selection for a covered article 
                involving either a performance specification, 
                as provided in subsection (a)(3)(B) of section 
                3306 of title 41, United States Code, or an 
                evaluation factor, as provided in subsection 
                (c)(1)(A) of such section, relating to supply 
                chain risk, or with respect to which supply 
                chain risk considerations are included in the 
                Department's determination of whether a source 
                is a responsible source as defined in section 
                113 of such title;
                  (B) the consideration of proposals for and 
                issuance of a task or delivery order for a 
                covered article, as provided in section 
                4106(d)(3) of title 41, United States Code, 
                with respect to which the task or delivery 
                order contract includes a contract clause 
                establishing a requirement relating to supply 
                chain risk;
                  (C) any contract action involving a contract 
                for a covered article with respect to which 
                such contract includes a clause establishing 
                requirements relating to supply chain risk; or
                  (D) any procurement made via Government 
                Purchase Care for a covered article when supply 
                chain risk has been identified as a concern.
          (3) Covered procurement action.--The term ``covered 
        procurement action'' means any of the following 
        actions, if such action takes place in the course of 
        conducting a covered procurement:
                  (A) The exclusion of a source that fails to 
                meet qualification requirements established 
                pursuant to section 3311 of title 41, United 
                States Code, for the purpose of reducing supply 
                chain risk in the acquisition or use of a 
                covered article.
                  (B) The exclusion of a source that fails to 
                achieve an acceptable rating with regard to an 
                evaluation factor providing for the 
                consideration of supply chain risk in the 
                evaluation of proposals for the award of a 
                contract or the issuance of a task or delivery 
                order.
                  (C) The determination that a source is not a 
                responsible source based on considerations of 
                supply chain risk.
                  (D) The decision to withhold consent for a 
                contractor to subcontract with a particular 
                source or to direct a contractor to exclude a 
                particular source from consideration for a 
                subcontract.
          (4) Information system.--The term ``information 
        system'' has the meaning given such term in section 
        3502 of title 44, United States Code.
          (5) Information technology.--The term ``information 
        technology'' has the meaning given such term in section 
        11101 of title 40, United States Code.
          (6) Responsible source.--The term ``responsible 
        source'' has the meaning given such term in section 113 
        of title 41, United States Code.
          (7) Supply chain risk.--The term ``supply chain 
        risk'' means the risk that a malicious actor may 
        sabotage, maliciously introduce an unwanted function, 
        extract or modify data, or otherwise manipulate the 
        design, integrity, manufacturing, production, 
        distribution, installation, operation, or maintenance 
        of a covered article so as to surveil, deny, disrupt, 
        or otherwise manipulate the function, use, or operation 
        of the information technology or information stored or 
        transmitted on the covered articles.
          (8) Telecommunications equipment.--The term 
        ``telecommunications equipment'' has the meaning given 
        such term in section 3(52) of the Communications Act of 
        1934 (47 U.S.C. 153(52)).
          (9) Telecommunications service.--The term 
        ``telecommunications service'' has the meaning given 
        such term in section 3(53) of the Communications Act of 
        1934 (47 U.S.C. 153(53)).
  (i) Effective Date.--The requirements of this section shall 
take effect on the date that is 90 days after the date of the 
enactment of this Act and shall apply to--
          (1) contracts awarded on or after such date; and
          (2) task and delivery orders issued on or after such 
        date pursuant to contracts awarded before, on, or after 
        such date.

           *       *       *       *       *       *       *