[Senate Report 116-87]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 191

116th Congress  }                                            {  Report
                                  SENATE
 1st Session    }                                            {  116-87                                      
                                                                
_______________________________________________________________________

 
                   SUPPLY CHAIN COUNTERINTELLIGENCE 
                          TRAINING ACT OF 2019

                               __________

                               R E P O R T

                                 OF THE

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              TO ACCOMPANY

                                S. 1388

 TO MANAGE SUPPLY CHAIN RISK THROUGH COUNTERINTELLIGENCE TRAINING, AND 
                           FOR OTHER PURPOSES

                  


               September 10, 2019.--Ordered to be printed
               
                               _________
                               
                  U.S. GOVERNMENT PUBLISHING OFFICE
                            WASHINGTON: 2019
               
               


        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

                Gabrielle D'Adamo Singer, Staff Director
                   Joseph C. Folio III, Chief Counsel
       Patrick J. Bailey, Chief Counsel for Governmental Affairs
               David M. Weinberg, Minority Staff Director
               Zachary I. Schram, Minority Chief Counsel
                  Jeffrey D. Rothblum, Minority Fellow
                     Laura W. Kilbride, Chief Clerk
                     
                     
                     

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 1388]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 1388) to manage 
supply chain risk through counterintelligence training, and for 
other purposes, having considered the same, reports favorably 
thereon without amendment and recommends that the bill do pass.


                                CONTENTS

  I. Purpose and Summary
 II. Background and Need for the Legislation
III. Legislative History
 IV. Section-by-Section Analysis
  V. Evaluation of Regulatory Impact
 VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

                         I. PURPOSE AND SUMMARY

    S. 1388, the Supply Chain Counterintelligence Training Act 
of 2019, requires the Director of the Office of Management and 
Budget (OMB), in coordination with the Director of National 
Intelligence (DNI), the Secretary of the Department of Homeland 
Security (DHS), and the Administrator of the General Services 
Administration (GSA), to develop and implement a 
counterintelligence training program for Federal Government 
officials with supply chain risk management responsibilities at 
Federal agencies. The applicable officials include those with 
programmatic, information communications technology, and 
acquisition responsibilities.

              II. BACKGROUND AND THE NEED FOR LEGISLATION

    Foreign adversaries have a long history of hacking into 
Federal information technology systems to steal information and 
cause other disruptions.\1\ A growing area of concern is the 
infiltration by adversaries of the sprawling Federal supply 
chain, which could create a backdoor into Federal systems 
through means that are more difficult to detect.\2\ In response to this 
growing threat, this Committee approved S. 3085, the Federal 
Acquisition Supply Chain Security Act of 2018, which was later 
signed into law by President Trump as part of the SECURE 
Act.\3\ This law established the Federal Acquisition Security 
Council to coordinate Federal efforts related to supply chain 
security and to establish a process to exclude bad actors from 
the Federal supply chain.\4\
---------------------------------------------------------------------------
    \1\See, e.g., Ellen Nakashima, Chinese Breach Data of 4 Million 
Federal Workers, Wash. Post (June 4, 2015), https://
www.washingtonpost.com/world/national-security/chinese-hackers-breach-
federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-
95fd-d580f1c5d44e_story.html?noredirect=on&utm_term=.70a790564974.
    \2\Tara Benny et al., Interos Solutions, Inc., Supply Chain 
Vulnerabilities from China in U.S. Federal Information and 
Communications Technology, https://docs.house.gov/meetings/IF/IF16/
20180516/108301/HHRG-115-IF16-20180516-SD105-U105.pdf.
    \3\Strengthening and Enhancing Cyber-Capabilities by Utilizing Risk 
Exposure Technology Act, Pub. L. No. 115-39, 132 Stat. 5173 (2018).
    \4\Id.
---------------------------------------------------------------------------
    Meanwhile, there have been new concerns raised that Federal 
acquisition officials, while well-trained in aspects of the 
Federal Acquisition Regulation and the general process for 
acquiring information technology goods and services, have 
little to no training regarding the potential 
counterintelligence risks that could be posed by acquiring 
those same goods and services.\5\
---------------------------------------------------------------------------
    \5\Bridget Johnson, Evanina: Root Out Supply Chain's Weak Links in 
Private Sector, Procurement Departments, Homeland Sec. Today (Apr. 7, 
2019), https://www.hstoday.us/subject-matter-areas/cybersecurity/
evanina-root-out-supply-chains-weak-links-in-private-sector-
procurement-departments/.
---------------------------------------------------------------------------
    Recognizing this threat to Federal systems, S. 1388 
requires OMB, in coordination with DHS, DNI, and GSA, to 
establish a counterintelligence training program for officials 
with supply chain risk management responsibilities, including 
program staff, information communications technologists, and 
acquisition officials at Executive agencies. It provides broad 
authority regarding the development of this training program to 
provide flexibility to ensure it meets the needs of the 
agencies and can be adapted as threats change and emerge. The 
legislation also requires biannual reports to Congress for the 
three years following its enactment.

                        III. LEGISLATIVE HISTORY

    Ranking Member Gary Peters (D-MI) introduced S. 1388, the 
Supply Chain Counterintelligence Act of 2019, on May 9, 2019, 
with Chairman Ron Johnson (R-WI) and Senator Maggie Hassan (D-
NH). The bill was referred to the Committee on Homeland 
Security and Governmental Affairs.
    The Committee considered S. 1388 at a business meeting on 
May 15, 2019. The bill was ordered reported favorably en bloc 
by voice vote. Senators Johnson, Paul, Lankford, Scott, Peters, 
Carper, Hassan, and Rosen were present for the vote.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section provides the bill's short title, the ``Supply 
Chain Counterintelligence Training Act of 2019''.

Section 2. Counterintelligence Training Program to manage supply chain 
        risk

    This section tasks the Director of OMB, DNI, Secretary of 
DHS, and Administrator of GSA to create and implement a program 
centered on counterintelligence for officials with supply chain 
risk management policies at Executive agencies within 180 
days.\6\ The bill also dictates the program prepare personnel 
to identify and mitigate counterintelligence threats that arise 
from the use and acquisition of information and communication 
technology.
---------------------------------------------------------------------------
    \6\This includes ``programmatic, information communications 
technology, and acquisition officials''.
---------------------------------------------------------------------------

Section 3. Reports on Implementation of the Program

    This section requires the Director of the OMB, in 
consultation with the executive officials tasked in Section 2, 
to brief appropriate congressional leadership and committees on 
the implementation of the program no later than 18 days after 
enactment of this bill. The Director of the OMB is to continue 
these briefings every 180 days for the next three years.

Section 4. Definitions

    The first subsection gives ``appropriate Congressional 
Committees and leadership'' and ``information and 
communications technology'' the same meanings as those terms 
have in 41 U.S.C. Sec. 4713(k).
    The second subsection gives ``executive agency'' the same 
meaning as that used in 41 U.S.C. Sec. 133.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, June 28, 2019.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 1388, the Supply 
Chain Counterintelligence Training Act of 2019.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is William Ma.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.

         
    

    S. 1388 would require the Office of Management and Budget 
(OMB) to establish a program to train federal employees to 
identify and defend against counterintelligence threats to the 
federal supply chain. Acquisition officials at all federal 
agencies who are involved with managing the supply chain for 
information and communications technology programs would be 
required to attend that training. The bill also would require 
OMB to report to the Congress on the implementation of that 
training program. CBO estimates that implementing the bill 
would cost $27 million over the 2020-2024 period (see Table 1); 
that spending would be subject to the availability of 
appropriated funds.
    The Department of Defense (DoD) has about 150,000 employees 
in its acquisition workforce and DoD's contracts account for 
about 60 percent of all federal contracts. On that basis, CBO 
estimates that the acquisition workforce of the federal 
government totals about 250,000 people. CBO expects that 10 
percent of them would require training every two years under 
the bill and that training for the first group of employees 
would begin in 2021. Using information on the costs of other 
federal training programs, CBO estimates that delivering that 
training to an average of 12,500 individuals each year would 
cost $10 million over the 2020-2024 period.
    CBO expects that some of the information provided in that 
training would be classified; thus, trainees would be required 
to hold security clearances. The number of acquisition 
employees in the federal government who have security 
clearances is unknown. Given that lack of information, CBO 
assumes that 50 percent of the people who would receive 
training as a result of S. 1388 already possess clearances at 
the secret level or higher. Thus, 12,500 people would require 
new clearances initially and about 600 additional clearances 
would be processed each year beginning in 2022 as a result of 
personnel turnover. Background investigations for a secret 
clearance cost about $800. On that basis, CBO estimates that it 
would cost $12 million to conduct background investigations on 
those trainees over the 2020-2024 period.
    In addition to the above costs, CBO estimates that it would 
cost $1 million to develop the training curriculum and $1 
million annually thereafter to continually update it to 
incorporate information on the latest counterintelligence 
threats.
    Using information about the costs of similar reports, CBO 
estimates that satisfying the reporting requirements in S. 1388 
would cost less than $500,000.

                TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 1388
----------------------------------------------------------------------------------------------------------------
                                                           By fiscal year, millions of dollars--
                                          ----------------------------------------------------------------------
                                             2019      2020      2021      2022      2023      2024    2019-2024
----------------------------------------------------------------------------------------------------------------
Training:
    Estimated Authorization Level........         0         5         8         3         3         3         22
    Estimated Outlays....................         0         3         8         5         3         3         22
Course Development and Update:
    Estimated Authorization Level........         0         1         1         1         1         1          5
    Estimated Outlays....................         0         1         1         1         1         1          5
    Totals:
        Estimated Authorization Level....         0         6         9         4         4         4         27
        Estimated Outlays................         0         4         9         6         4         4         27
----------------------------------------------------------------------------------------------------------------

    Enacting S. 1388 also would increase expenses for agencies 
not funded through annual appropriations. Such spending is 
considered direct spending. However, because those agencies are 
able to increase the fees that provide their funding as 
necessary to cover their costs, CBO estimates that the net 
difference in spending from those agencies would be 
insignificant over the 2020-2029 period.
    This estimate is uncertain primarily because the bill would 
give OMB broad latitude in designing the training program. The 
frequency of the training, the number of acquisition employees 
who would be trained, and the number of personnel who would 
require new security clearances could differ significantly from 
CBO's estimate.
    The CBO staff contact for this estimate is William Ma. The 
estimate was reviewed by Leo Lex, Deputy Assistant Director for 
Budget Analysis.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    Because this legislation would not repeal or amend any 
provision of current law, it would not make changes in existing 
law within the meaning of clauses (a) and (b) of paragraph 12 
of rule XXVI of the Standing Rules of the Senate.