[115th Congress Public Law 390]
[From the U.S. Government Publishing Office]
[[Page 132 STAT. 5173]]
Public Law 115-390
115th Congress
An Act
To require the Secretary of Homeland Security to establish a security
vulnerability disclosure policy, to establish a bug bounty program for
the Department of Homeland Security, to amend title 41, United States
Code, to provide for Federal acquisition supply chain security, and for
other purposes. <<NOTE: Dec. 21, 2018 - [H.R. 7327]>>
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled, <<NOTE: Strengthening
and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology
Act.>>
SECTION 1. <<NOTE: 41 USC 101 note.>> SHORT TITLE; TABLE OF
CONTENTS.
(a) Short Title.--This Act may be cited as the ``Strengthening and
Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act''
or the ``SECURE Technology Act''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--DEPARTMENT OF HOMELAND SECURITY INFORMATION SECURITY AND OTHER
MATTERS
Sec. 101. Department of Homeland Security disclosure of security
vulnerabilities.
Sec. 102. Department of Homeland Security bug bounty pilot program.
Sec. 103. Congressional submittal of reports relating to certain special
access programs and similar programs.
TITLE II--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY
Sec. 201. Short title.
Sec. 202. Federal acquisition supply chain security.
Sec. 203. Authorities of executive agencies relating to mitigating
supply chain risks in the procurement of covered articles.
Sec. 204. Federal Information Security Modernization Act.
Sec. 205. Effective date.
TITLE I--DEPARTMENT OF HOMELAND SECURITY INFORMATION SECURITY AND OTHER
MATTERS
SEC. 101. <<NOTE: 6 USC 663 note.>> DEPARTMENT OF HOMELAND
SECURITY DISCLOSURE OF SECURITY
VULNERABILITIES.
(a) Vulnerability Disclosure Policy.--The Secretary of Homeland
Security shall establish a policy applicable to individuals,
organizations, and companies that report security vulnerabilities on
appropriate information systems of Department of Homeland Security. Such
policy shall include each of the following:
[[Page 132 STAT. 5174]]
(1) The appropriate information systems of the Department
that individuals, organizations, and companies may use to
discover and report security vulnerabilities on appropriate
information systems.
(2) <<NOTE: Criteria.>> The conditions and criteria under
which individuals, organizations, and companies may operate to
discover and report security vulnerabilities.
(3) How individuals, organizations, and companies may
disclose to the Department security vulnerabilities discovered
on appropriate information systems of the Department.
(4) The ways in which the Department may communicate with
individuals, organizations, and companies that report security
vulnerabilities.
(5) The process the Department shall use for public
disclosure of reported security vulnerabilities.
(b) Remediation Process.--The Secretary of Homeland Security shall
develop a process for the Department of Homeland Security to address the
mitigation or remediation of the security vulnerabilities reported
through the policy developed in subsection (a).
(c) Consultation.--
(1) In general.--In developing the security vulnerability
disclosure policy under subsection (a), the Secretary of
Homeland Security shall consult with each of the following:
(A) The Attorney General regarding how to ensure
that individuals, organizations, and companies that
comply with the requirements of the policy developed
under subsection (a) are protected from prosecution
under section 1030 of title 18, United States Code,
civil lawsuits, and similar provisions of law with
respect to specific activities authorized under the
policy.
(B) The Secretary of Defense and the Administrator
of General Services regarding lessons that may be
applied from existing vulnerability disclosure policies.
(C) Non-governmental security researchers.
(2) Nonapplicability of faca.--The Federal Advisory
Committee Act (5 U.S.C. App.) shall not apply to any
consultation under this section.
(d) Public Availability.--The Secretary of Homeland Security shall
make the policy developed under subsection (a) publicly available.
(e) Submission to Congress.--
(1) <<NOTE: Deadline. Records.>> Disclosure policy and
remediation process.--Not later than 90 days after the date of
the enactment of this Act, the Secretary of Homeland Security
shall submit to the appropriate congressional committees a copy
of the policy required under subsection (a) and the remediation
process required under subsection (b).
(2) Report and briefing.--
(A) Report.--Not later than one year after
establishing the policy required under subsection (a),
the Secretary of Homeland Security shall submit to the
appropriate congressional committees a report on such
policy and the remediation process required under
subsection (b).
(B) Annual briefings.--One year after the date of
the submission of the report under subparagraph (A), and
annually thereafter for each of the next three years,
the
[[Page 132 STAT. 5175]]
Secretary of Homeland Security shall provide to the
appropriate congressional committees a briefing on the
policy required under subsection (a) and the process
required under subsection (b).
(C) Matters for inclusion.--The report required
under subparagraph (A) and the briefings required under
subparagraph (B) shall include each of the following
with respect to the policy required under subsection (a)
and the process required under subsection (b) for the
period covered by the report or briefing, as the case
may be:
(i) The number of unique security
vulnerabilities reported.
(ii) The number of previously unknown security
vulnerabilities mitigated or remediated.
(iii) The number of unique individuals,
organizations, and companies that reported
security vulnerabilities.
(iv) The average length of time between the
reporting of security vulnerabilities and
mitigation or remediation of such vulnerabilities.
(f) Definitions.--In this section:
(1) The term ``security vulnerability'' has the meaning
given that term in section 102(17) of the Cybersecurity
Information Sharing Act of 2015 (6 U.S.C. 1501(17)), in
information technology.
(2) The term ``information system'' has the meaning given
that term by section 3502 of title 44, United States Code.
(3) The term ``appropriate information system'' means an
information system that the Secretary of Homeland Security
selects for inclusion under the vulnerability disclosure policy
required by subsection (a).
(4) The term ``appropriate congressional committees''
means--
(A) the Committee on Homeland Security, the
Committee on Armed Services, the Committee on Energy and
Commerce, and the Permanent Select Committee on
Intelligence of the House of Representatives; and
(B) the Committee on Homeland Security and
Governmental Affairs, the Committee on Armed Services,
the Committee on Commerce, Science, and Transportation,
and the Select Committee on Intelligence of the Senate.
SEC. 102. <<NOTE: 6 USC 663 note.>> DEPARTMENT OF HOMELAND
SECURITY BUG BOUNTY PILOT PROGRAM.
(a) Definitions.--In this section:
(1) The term ``appropriate congressional committees''
means--
(A) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(B) the Select Committee on Intelligence of the
Senate;
(C) the Committee on Homeland Security of the House
of Representatives; and
(D) Permanent Select Committee on Intelligence of
the House of Representatives.
(2) The term ``bug bounty program'' means a program under
which--
[[Page 132 STAT. 5176]]
(A) individuals, organizations, and companies are
temporarily authorized to identify and report
vulnerabilities of appropriate information systems of
the Department; and
(B) eligible individuals, organizations, and
companies receive compensation in exchange for such
reports.
(3) <<NOTE: 6 USC 651 note.>> The term ``Department'' means
the Department of Homeland Security.
(4) The term ``eligible individual, organization, or
company'' means an individual, organization, or company that
meets such criteria as the Secretary determines in order to
receive compensation in compliance with Federal laws.
(5) The term ``information system'' has the meaning given
the term in section 3502 of title 44, United States Code.
(6) The term ``pilot program'' means the bug bounty pilot
program required to be established under subsection (b)(1).
(7) The term ``Secretary'' means the Secretary of Homeland
Security.
(b) Bug Bounty Pilot Program.--
(1) <<NOTE: Deadline.>> Establishment.--Not later than 180
days after the date of enactment of this Act, the Secretary
shall establish, within the Office of the Chief Information
Officer, a bug bounty pilot program to minimize vulnerabilities
of appropriate information systems of the Department.
(2) Responsibilities of secretary.--In establishing and
conducting the pilot program, the Secretary shall--
(A) designate appropriate information systems to be
included in the pilot program;
(B) provide compensation to eligible individuals,
organizations, and companies for reports of previously
unidentified security vulnerabilities within the
information systems designated under subparagraph (A);
(C) <<NOTE: Criteria.>> establish criteria for
individuals, organizations, and companies to be
considered eligible for compensation under the pilot
program in compliance with Federal laws;
(D) <<NOTE: Consultation.>> consult with the
Attorney General on how to ensure that approved
individuals, organizations, or companies that comply
with the requirements of the pilot program are protected
from prosecution under section 1030 of title 18, United
States Code, and similar provisions of law, and civil
lawsuits for specific activities authorized under the
pilot program;
(E) <<NOTE: Consultation.>> consult with the
Secretary of Defense and the heads of other departments
and agencies that have implemented programs to provide
compensation for reports of previously undisclosed
vulnerabilities in information systems, regarding
lessons that may be applied from such programs; and
(F) develop an expeditious process by which an
individual, organization, or company can register with
the Department, submit to a background check as
determined by the Department, and receive a
determination as to eligibility; and
(G) engage qualified interested persons, including
non-government sector representatives, about the
structure of the pilot program as constructive and to
the extent practicable.
[[Page 132 STAT. 5177]]
(3) Contract authority.--In establishing the pilot program,
the Secretary, subject to the availability of appropriations,
may award 1 or more competitive contracts to an entity, as
necessary, to manage the pilot program.
(c) Report to Congress.--Not later than 180 days after the date on
which the pilot program is completed, the Secretary shall submit to the
appropriate congressional committees a report on the pilot program,
which shall include--
(1) the number of individuals, organizations, or companies
that participated in the pilot program, broken down by the
number of individuals, organizations, or companies that--
(A) registered;
(B) were determined eligible;
(C) submitted security vulnerabilities; and
(D) received compensation;
(2) the number and severity of vulnerabilities reported as
part of the pilot program;
(3) the number of previously unidentified security
vulnerabilities remediated as a result of the pilot program;
(4) the current number of outstanding previously
unidentified security vulnerabilities and Department remediation
plans;
(5) the average length of time between the reporting of
security vulnerabilities and remediation of the vulnerabilities;
(6) the types of compensation provided under the pilot
program; and
(7) the lessons learned from the pilot program.
(d) Authorization of Appropriations.--There is authorized to be
appropriated to the Department $250,000 for fiscal year 2019 to carry
out this section.
SEC. 103. CONGRESSIONAL SUBMITTAL OF REPORTS RELATING TO CERTAIN
SPECIAL ACCESS PROGRAMS AND SIMILAR
PROGRAMS.
The National Defense Authorization Act for Fiscal Year 1994 (50
U.S.C. 3348) is amended--
(1) by striking ``Congress'' each place it appears and
inserting ``the congressional oversight committees'';
(2) in subsection (f)(1), by striking ``appropriate
oversight committees'' and inserting ``congressional oversight
committees''; and
(3) in subsection (g)--
(A) by redesignating paragraphs (1) and (2) as
paragraphs (2) and (3), respectively; and
(B) by inserting before paragraph (2), as so
redesignated, the following:
``(1) Congressional oversight
committees <<NOTE: Definition.>> .--The term `congressional
oversight committees' means--
``(A) congressional leadership and authorizing and
appropriations congressional committees with
jurisdiction or shared jurisdiction over a department or
agency;
``(B) the Committee on Homeland Security and
Governmental Affairs of the Senate; and
``(C) the Committee on Oversight and Government
Reform of the House of Representatives.''.
[[Page 132 STAT. 5178]]
TITLE II <<NOTE: Federal Acquisition Supply Chain Security Act of
2018.>> --FEDERAL ACQUISITION SUPPLY CHAIN SECURITY
SEC. 201. <<NOTE: 41 USC 101 note.>> SHORT TITLE.
This title may be cited as the ``Federal Acquisition Supply Chain
Security Act of 2018''.
SEC. 202. FEDERAL ACQUISITION SUPPLY CHAIN SECURITY.
(a) In General.--Chapter 13 of title 41, United States Code, is
amended by adding <<NOTE: 41 USC 1321 prec.>> at the end the following
new subchapter:
``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY
``Sec. 1321. <<NOTE: 41 USC 1321.>> Definitions
``In this subchapter:
``(1) Appropriate congressional committees and leadership.--
The term `appropriate congressional committees and leadership'
means--
``(A) the Committee on Homeland Security and
Governmental Affairs, the Committee on the Judiciary,
the Committee on Appropriations, the Committee on Armed
Services, the Committee on Commerce, Science, and
Transportation, the Select Committee on Intelligence,
and the majority and minority leader of the Senate; and
``(B) the Committee on Oversight and Government
Reform, the Committee on the Judiciary, the Committee on
Appropriations, the Committee on Homeland Security, the
Committee on Armed Services, the Committee on Energy and
Commerce, the Permanent Select Committee on
Intelligence, and the Speaker and minority leader of the
House of Representatives.
``(2) Council.--The term `Council' means the Federal
Acquisition Security Council established under section 1322(a)
of this title.
``(3) Covered article.--The term `covered article' has the
meaning given that term in section 4713 of this title.
``(4) Covered procurement action.--The term `covered
procurement action' has the meaning given that term in section
4713 of this title.
``(5) Information and communications technology.--The term
`information and communications technology' has the meaning
given that term in section 4713 of this title.
``(6) Intelligence community.--The term `intelligence
community' has the meaning given that term in section 3(4) of
the National Security Act of 1947 (50 U.S.C. 3003(4)).
``(7) National security system.--The term `national security
system' has the meaning given that term in section 3552 of title
44.
``(8) Supply chain risk.--The term `supply chain risk' has
the meaning given that term in section 4713 of this title.
``Sec. 1322. <<NOTE: 41 USC 1322.>> Federal Acquisition Security
Council establishment and membership
``(a) Establishment.--There is established in the executive branch a
Federal Acquisition Security Council.
[[Page 132 STAT. 5179]]
``(b) Membership.--
``(1) In general.--The following agencies shall be
represented on the Council:
``(A) The Office of Management and Budget.
``(B) The General Services Administration.
``(C) The Department of Homeland Security, including
the Cybersecurity and Infrastructure Security Agency.
``(D) The Office of the Director of National
Intelligence, including the National Counterintelligence
and Security Center.
``(E) The Department of Justice, including the
Federal Bureau of Investigation.
``(F) The Department of Defense, including the
National Security Agency.
``(G) The Department of Commerce, including the
National Institute of Standards and Technology.
``(H) Such other executive agencies as determined by
the Chairperson of the Council.
``(2) Lead representatives.--
``(A) Designation.--
``(i) In general <<NOTE: Deadline.>> .--Not
later than 45 days after the date of the enactment
of the Federal Acquisition Supply Chain Security
Act of 2018, the head of each agency represented
on the Council shall designate a representative of
that agency as the lead representative of the
agency on the Council.
``(ii) Requirements.--The representative of an
agency designated under clause (i) shall have
expertise in supply chain risk management,
acquisitions, or information and communications
technology.
``(B) Functions.--The lead representative of an
agency designated under subparagraph (A) shall ensure
that appropriate personnel, including leadership and
subject matter experts of the agency, are aware of the
business of the Council.
``(c) Chairperson.--
``(1) Designation <<NOTE: Deadline.>> .--Not later than 45
days after the date of the enactment of the Federal Acquisition
Supply Chain Security Act of 2018, the Director of the Office of
Management and Budget shall designate a senior-level official
from the Office of Management and Budget to serve as the
Chairperson of the Council.
``(2) Functions.--The Chairperson shall perform functions
that include--
``(A) subject to subsection (d), developing a
schedule for meetings of the Council;
``(B) designating executive agencies to be
represented on the Council under subsection (b)(1)(H);
``(C) <<NOTE: Consultation.>> in consultation with
the lead representative of each agency represented on
the Council, developing a charter for the Council; and
``(D) <<NOTE: Deadline.>> not later than 7 days
after completion of the charter, submitting the charter
to the appropriate congressional committees and
leadership.
``(d) Meetings <<NOTE: Deadline.>> .--The Council shall meet not
later than 60 days after the date of the enactment of the Federal
Acquisition Supply
[[Page 132 STAT. 5180]]
Chain Security Act of 2018 and not less frequently than quarterly
thereafter.
``Sec. 1323. <<NOTE: 41 USC 1323.>> Functions and authorities
``(a) In General.--The Council shall perform functions that include
the following:
``(1) <<NOTE: Recommenda- tions.>> Identifying and
recommending development by the National Institute of Standards
and Technology of supply chain risk management standards,
guidelines, and practices for executive agencies to use when
assessing and developing mitigation strategies to address supply
chain risks, particularly in the acquisition and use of covered
articles under section 1326(a) of this title.
``(2) <<NOTE: Criteria.>> Identifying or developing
criteria for sharing information with executive agencies, other
Federal entities, and non-Federal entities with respect to
supply chain risk, including information related to the exercise
of authorities provided under this section and sections 1326 and
4713 of this title. At a minimum, such criteria shall address--
``(A) the content to be shared;
``(B) the circumstances under which sharing is
mandated or voluntary; and
``(C) the circumstances under which it is
appropriate for an executive agency to rely on
information made available through such sharing in
exercising the responsibilities and authorities provided
under this section and section 4713 of this title.
``(3) Identifying an appropriate executive agency to--
``(A) accept information submitted by executive
agencies based on the criteria established under
paragraph (2);
``(B) facilitate the sharing of information received
under subparagraph (A) to support supply chain risk
analyses under section 1326 of this title,
recommendations under this section, and covered
procurement actions under section 4713 of this title;
``(C) share with the Council information regarding
covered procurement actions by executive agencies taken
under section 4713 of this title; and
``(D) inform the Council of orders issued under this
section.
``(4) Identifying, as appropriate, executive agencies to
provide--
``(A) shared services, such as support for making
risk assessments, validation of products that may be
suitable for acquisition, and mitigation activities; and
``(B) common contract solutions to support supply
chain risk management activities, such as subscription
services or machine-learning-enhanced analysis
applications to support informed decision making.
``(5) <<NOTE: Guidance.>> Identifying and issuing guidance
on additional steps that may be necessary to address supply
chain risks arising in the course of executive agencies
providing shared services, common contract solutions,
acquisitions vehicles, or assisted acquisitions.
``(6) Engaging with the private sector and other
nongovernmental stakeholders in performing the functions
described in
[[Page 132 STAT. 5181]]
paragraphs (1) and (2) and on issues relating to the management
of supply chain risks posed by the acquisition of covered
articles.
``(7) Carrying out such other actions, as determined by the
Council, that are necessary to reduce the supply chain risks
posed by acquisitions and use of covered articles.
``(b) Program Office and Committees.--The Council may establish a
program office and any committees, working groups, or other constituent
bodies the Council deems appropriate, in its sole and unreviewable
discretion, to carry out its functions.
``(c) Authority for Exclusion or Removal Orders.--
``(1) Criteria <<NOTE: Procedures.>> .--To reduce supply
chain risk, the Council shall establish criteria and procedures
for--
``(A) recommending orders applicable to executive
agencies requiring the exclusion of sources or covered
articles from executive agency procurement actions (in
this section referred to as `exclusion orders');
``(B) recommending orders applicable to executive
agencies requiring the removal of covered articles from
executive agency information systems (in this section
referred to as `removal orders');
``(C) requesting and approving exceptions to an
issued exclusion or removal order when warranted by
circumstances, including alternative mitigation actions
or other findings relating to the national interest,
including national security reviews, national security
investigations, or national security agreements; and
``(D) ensuring that recommended orders do not
conflict with standards and guidelines issued under
section 11331 of title 40 and that the Council consults
with the Director of the National Institute of Standards
and Technology regarding any recommended orders that
would implement standards and guidelines developed by
the National Institute of Standards and Technology.
``(2) Recommendations.--The Council shall use the criteria
established under paragraph (1), information made available
under subsection (a)(3), and any other information the Council
determines appropriate to issue recommendations, for application
to executive agencies or any subset thereof, regarding the
exclusion of sources or covered articles from any executive
agency procurement action, including source selection and
consent for a contractor to subcontract, or the removal of
covered articles from executive agency information systems. Such
recommendations shall include--
``(A) information necessary to positively identify
the sources or covered articles recommended for
exclusion or removal;
``(B) information regarding the scope and
applicability of the recommended exclusion or removal
order;
``(C) <<NOTE: Summary.>> a summary of any risk
assessment reviewed or conducted in support of the
recommended exclusion or removal order;
``(D) <<NOTE: Summary.>> a summary of the basis for
the recommendation, including a discussion of less
intrusive measures that were considered and why such
measures were not reasonably available to reduce supply
chain risk;
[[Page 132 STAT. 5182]]
``(E) a description of the actions necessary to
implement the recommended exclusion or removal order;
and
``(F) where practicable, in the Council's sole and
unreviewable discretion, a description of mitigation
steps that could be taken by the source that may result
in the Council rescinding a recommendation.
``(3) Notice of recommendation and review.--A notice of the
Council's recommendation under paragraph (2) shall be issued to
any source named in the recommendation advising--
``(A) that a recommendation has been made;
``(B) of the criteria the Council relied upon under
paragraph (1) and, to the extent consistent with
national security and law enforcement interests, of
information that forms the basis for the recommendation;
``(C) <<NOTE: Deadline.>> that, within 30 days
after receipt of notice, the source may submit
information and argument in opposition to the
recommendation;
``(D) of the procedures governing the review and
possible issuance of an exclusion or removal order
pursuant to paragraph (5); and
``(E) where practicable, in the Council's sole and
unreviewable discretion, a description of mitigation
steps that could be taken by the source that may result
in the Council rescinding the recommendation.
``(4) Confidentiality.--Any notice issued to a source under
paragraph (3) shall be kept confidential until--
``(A) an exclusion or removal order is issued
pursuant to paragraph (5); and
``(B) the source has been notified pursuant to
paragraph (6).
``(5) Exclusion and removal orders.--
``(A) Order issuance.--Recommendations of the
Council under paragraph (2), together with any
information submitted by a source under paragraph (3)
related to such a recommendation, shall be reviewed by
the following officials, who may issue exclusion and
removal orders based upon such recommendations:
``(i) The Secretary of Homeland Security, for
exclusion and removal orders applicable to
civilian agencies, to the extent not covered by
clause (ii) or (iii).
``(ii) The Secretary of Defense, for exclusion
and removal orders applicable to the Department of
Defense and national security systems other than
sensitive compartmented information systems.
``(iii) The Director of National Intelligence,
for exclusion and removal orders applicable to the
intelligence community and sensitive compartmented
information systems, to the extent not covered by
clause (ii).
``(B) Delegation.--The officials identified in
subparagraph (A) may not delegate any authority under
this subparagraph to an official below the level one
level below the Deputy Secretary or Principal Deputy
Director, except that the Secretary of Defense may
delegate authority for removal orders to the Commander
of the United States Cyber Command, who may not
redelegate such authority
[[Page 132 STAT. 5183]]
to an official below the level one level below the
Deputy Commander.
``(C) Facilitation of exclusion orders.--If
officials identified under this paragraph from the
Department of Homeland Security, the Department of
Defense, and the Office of the Director of National
Intelligence issue orders collectively resulting in a
governmentwide exclusion, the Administrator for General
Services and officials at other executive agencies
responsible for management of the Federal Supply
Schedules, governmentwide acquisition contracts and
multi-agency contracts shall help facilitate
implementation of such orders by removing the covered
articles or sources identified in the orders from such
contracts.
``(D) Review of exclusion and removal orders.--The
officials identified under this paragraph shall review
all exclusion and removal orders issued under
subparagraph (A) not less frequently than annually
pursuant to procedures established by the Council.
``(E) Rescission.--Orders issued pursuant to
subparagraph (A) may be rescinded by an authorized
official from the relevant issuing agency.
``(6) Notifications.--Upon issuance of an exclusion or
removal order pursuant to paragraph (5)(A), the official
identified under that paragraph who issued the order shall--
``(A) notify any source named in the order of--
``(i) the exclusion or removal order; and
``(ii) to the extent consistent with national
security and law enforcement interests,
information that forms the basis for the order;
``(B) provide classified or unclassified notice of
the exclusion or removal order to the appropriate
congressional committees and leadership; and
``(C) provide the exclusion or removal order to the
agency identified in subsection (a)(3).
``(7) Compliance.--Executive agencies shall comply with
exclusion and removal orders issued pursuant to paragraph (5).
``(d) Authority To Request Information.--The Council may request
such information from executive agencies as is necessary for the Council
to carry out its functions.
``(e) Relationship to Other
Councils <<NOTE: Consultation. Coordination.>> .--The Council shall
consult and coordinate, as appropriate, with other relevant councils and
interagency committees, including the Chief Information Officers
Council, the Chief Acquisition Officers Council, the Federal Acquisition
Regulatory Council, and the Committee on Foreign Investment in the
United States, with respect to supply chain risks posed by the
acquisition and use of covered articles.
``(f) Rules of Construction.--Nothing in this section shall be
construed--
``(1) to limit the authority of the Office of Federal
Procurement Policy to carry out the responsibilities of that
Office under any other provision of law; or
``(2) to authorize the issuance of an exclusion or removal
order based solely on the fact of foreign ownership of a
potential procurement source that is otherwise qualified to
enter into procurement contracts with the Federal Government.
[[Page 132 STAT. 5184]]
``Sec. 1324. <<NOTE: 41 USC 1324.>> Strategic plan
``(a) In General.-- <<NOTE: Deadline.>> Not later than 180 days
after the date of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018, the Council shall develop a strategic plan for
addressing supply chain risks posed by the acquisition of covered
articles and for managing such risks that includes--
``(1) <<NOTE: Criteria.>> the criteria and processes
required under section 1323(a) of this title, including a
threshold and requirements for sharing relevant information
about such risks with all executive agencies and, as
appropriate, with other Federal entities and non-Federal
entities;
``(2) an identification of existing authorities for
addressing such risks;
``(3) an identification and promulgation of best practices
and procedures and available resources for executive agencies to
assess and mitigate such risks;
``(4) <<NOTE: Recommenda- tions.>> recommendations for any
legislative, regulatory, or other policy changes to improve
efforts to address such risks;
``(5) <<NOTE: Recommenda- tions.>> recommendations for any
legislative, regulatory, or other policy changes to incentivize
the adoption of best practices for supply chain risk management
by the private sector;
``(6) <<NOTE: Evaluation.>> an evaluation of the effect of
implementing new policies or procedures on existing contracts
and the procurement process;
``(7) a plan for engaging with executive agencies, the
private sector, and other nongovernmental stakeholders to
address such risks;
``(8) a plan for identification, assessment, mitigation, and
vetting of supply chain risks from existing and prospective
information and communications technology made available by
executive agencies to other executive agencies through common
contract solutions, shared services, acquisition vehicles, or
other assisted acquisition services; and
``(9) plans to strengthen the capacity of all executive
agencies to conduct assessments of--
``(A) the supply chain risk posed by the acquisition
of covered articles; and
``(B) compliance with the requirements of this
subchapter.
``(b) Submission to Congress <<NOTE: Deadline.>> .--Not later than 7
calendar days after completion of the strategic plan required by
subsection (a), the Chairperson of the Council shall submit the plan to
the appropriate congressional committees and leadership.
``Sec. 1325. <<NOTE: 41 USC 1325.>> Annual report
``Not later than December 31 of each year, the Chairperson of the
Council shall submit to the appropriate congressional committees and
leadership a report on the activities of the Council during the
preceding 12-month period.
``Sec. 1326. <<NOTE: 41 USC 1326.>> Requirements for executive
agencies
``(a) In General.--The head of each executive agency shall be
responsible for--
``(1) <<NOTE: Assessment.>> assessing the supply chain risk
posed by the acquisition and use of covered articles and
avoiding, mitigating, accepting, or transferring that risk, as
appropriate and consistent with
[[Page 132 STAT. 5185]]
the standards, guidelines, and practices identified by the
Council under section 1323(a)(1); and
``(2) prioritizing supply chain risk assessments conducted
under paragraph (1) based on the criticality of the mission,
system, component, service, or asset.
``(b) Inclusions.--The responsibility for assessing supply chain
risk described in subsection (a) includes--
``(1) <<NOTE: Strategy. Plan. Policy. Processes.>>
developing an overall supply chain risk management strategy and
implementation plan and policies and processes to guide and
govern supply chain risk management activities;
``(2) integrating supply chain risk management practices
throughout the life cycle of the system, component, service, or
asset;
``(3) limiting, avoiding, mitigating, accepting, or
transferring any identified risk;
``(4) sharing relevant information with other executive
agencies as determined appropriate by the Council in a manner
consistent with section 1323(a) of this title;
``(5) reporting on progress and effectiveness of the
agency's supply chain risk management consistent with guidance
issued by the Office of Management and Budget and the Council;
and
``(6) ensuring that all relevant information, including
classified information, with respect to acquisitions of covered
articles that may pose a supply chain risk, consistent with
section 1323(a) of this title, is incorporated into existing
processes of the agency for conducting assessments described in
subsection (a) and ongoing management of acquisition programs,
including any identification, investigation, mitigation, or
remediation needs.
``(c) Interagency Acquisitions.--
``(1) In general.--Except as provided in paragraph (2), in
the case of an interagency acquisition, subsection (a) shall be
carried out by the head of the executive agency whose funds are
being used to procure the covered article.
``(2) Assisted acquisitions <<NOTE: Determination.>> .--In
an assisted acquisition, the parties to the acquisition shall
determine, as part of the interagency agreement governing the
acquisition, which agency is responsible for carrying out
subsection (a).
``(3) Definitions.--In this subsection, the terms `assisted
acquisition' and `interagency acquisition' have the meanings
given those terms in section 2.101 of title 48, Code of Federal
Regulations (or any corresponding similar regulation or ruling).
``(d) Assistance.--The Secretary of Homeland Security may--
``(1) assist executive agencies in conducting risk
assessments described in subsection (a) and implementing
mitigation requirements for information and communications
technology; and
``(2) provide such additional guidance or tools as are
necessary to support actions taken by executive agencies.
``Sec. 1327. <<NOTE: 41 USC 1327.>> Judicial review procedures
``(a) In General.--Except as provided in subsection (b) and chapter
71 of this title, and notwithstanding any other provision of law, an
action taken under section 1323 or 4713 of this title, or any action
taken by an executive agency to implement such an action, shall not be
subject to administrative review or judicial
[[Page 132 STAT. 5186]]
review, including bid protests before the Government Accountability
Office or in any Federal court.
``(b) Petitions.--
``(1) <<NOTE: Deadline.>> In general.--Not later than 60
days after a party is notified of an exclusion or removal order
under section 1323(c)(6) of this title or a covered procurement
action under section 4713 of this title, the party may file a
petition for judicial review in the United States Court of
Appeals for the District of Columbia Circuit claiming that the
issuance of the exclusion or removal order or covered
procurement action is unlawful.
``(2) Standard of review.--The Court shall hold unlawful a
covered action taken under sections 1323 or 4713 of this title,
in response to a petition that the court finds to be--
``(A) arbitrary, capricious, an abuse of discretion,
or otherwise not in accordance with law;
``(B) contrary to constitutional right, power,
privilege, or immunity;
``(C) in excess of statutory jurisdiction,
authority, or limitation, or short of statutory right;
``(D) lacking substantial support in the
administrative record taken as a whole or in classified
information submitted to the court under paragraph (3);
or
``(E) not in accord with procedures required by law.
``(3) Exclusive jurisdiction.--The United States Court of
Appeals for the District of Columbia Circuit shall have
exclusive jurisdiction over claims arising under sections
1323(c)(5) or 4713 of this title against the United States, any
United States department or agency, or any component or official
of any such department or agency, subject to review by the
Supreme Court of the United States under section 1254 of title
28.
``(4) Administrative record and procedures.--
``(A) <<NOTE: Applicability.>> In general.--The
procedures described in this paragraph shall apply to
the review of a petition under this section.
``(B) Administrative record.--
``(i) Filing of record.--The United States
shall file with the court an administrative
record, which shall consist of the information
that the appropriate official relied upon in
issuing an exclusion or removal order under
section 1323(c)(5) or a covered procurement action
under section 4713 of this title.
``(ii) Unclassified, nonprivileged
information.--All unclassified information
contained in the administrative record that is not
otherwise privileged or subject to statutory
protections shall be provided to the petitioner
with appropriate protections for any privileged or
confidential trade secrets and commercial or
financial information.
``(iii) In camera and ex parte.--The following
information may be included in the administrative
record and shall be submitted only to the court ex
parte and in camera:
``(I) Classified information.
[[Page 132 STAT. 5187]]
``(II) Sensitive security
information, as defined by section
1520.5 of title 49, Code of Federal
Regulations.
``(III) Privileged law enforcement
information.
``(IV) Information obtained or
derived from any activity authorized
under the Foreign Intelligence
Surveillance Act of 1978 (50 U.S.C. 1801
et seq.), except that, with respect to
such information, subsections (c), (e),
(f), (g), and (h) of section 106 (50
U.S.C. 1806), subsections (d), (f), (g),
(h), and (i) of section 305 (50 U.S.C.
1825), subsections (c), (e), (f), (g),
and (h) of section 405 (50 U.S.C. 1845),
and section 706 (50 U.S.C. 1881e) of
that Act shall not apply.
``(V) Information subject to
privilege or protections under any other
provision of law.
``(iv) Under seal.--Any information that is
part of the administrative record filed ex parte
and in camera under clause (iii), or cited by the
court in any decision, shall be treated by the
court consistent with the provisions of this
subparagraph and shall remain under seal and
preserved in the records of the court to be made
available consistent with the above provisions in
the event of further proceedings. In no event
shall such information be released to the
petitioner or as part of the public record.
``(v) Return.--After the expiration of the
time to seek further review, or the conclusion of
further proceedings, the court shall return the
administrative record, including any and all
copies, to the United States.
``(C) Exclusive remedy <<NOTE: Determination.>> .--A
determination by the court under this subsection shall
be the exclusive judicial remedy for any claim described
in this section against the United States, any United
States department or agency, or any component or
official of any such department or agency.
``(D) Rule of construction.--Nothing in this section
shall be construed as limiting, superseding, or
preventing the invocation of, any privileges or defenses
that are otherwise available at law or in equity to
protect against the disclosure of information.
``(c) Definition.--In this section, the term `classified
information'--
``(1) has the meaning given that term in section 1(a) of the
Classified Information Procedures Act (18 U.S.C. App.); and
``(2) includes--
``(A) any information or material that has been
determined by the United States Government pursuant to
an Executive order, statute, or regulation to require
protection against unauthorized disclosure for reasons
of national security; and
``(B) any restricted data, as defined in section 11
of the Atomic Energy Act of 1954 (42 U.S.C. 2014).
[[Page 132 STAT. 5188]]
``Sec. 1328. <<NOTE: 41 USC 1328.>> Termination
``This subchapter shall terminate on the date that is 5 years after
the date of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018.''.
(b) Clerical Amendment.--The table of sections at the beginning of
chapter 13 of such title <<NOTE: 41 USC 1301 prec.>> is amended by
adding at the end the following new items:
``subchapter iii--federal acquisition supply chain security
``Sec.
``1321. Definitions.
``1322. Federal Acquisition Security Council establishment and
membership.
``1323. Functions and authorities.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Judicial review procedures.
``1328. Termination.''.
(c) Effective Date <<NOTE: Applicability. 41 USC 1321 note.>> .--The
amendments made by this section shall take effect on the date that is 90
days after the date of the enactment of this Act and shall apply to
contracts that are awarded before, on, or after that date.
(d) <<NOTE: Deadlines. 41 USC 1321 note.>> Implementation.--
(1) Interim final rule.--Not later than one year after the
date of the enactment of this Act, the Federal Acquisition
Security Council shall prescribe an interim final rule to
implement subchapter III of chapter 13 of title 41, United
States Code, as added by subsection (a).
(2) Final rule <<NOTE: Public comments.>> .--Not later than
one year after prescribing the interim final rule under
paragraph (1) and considering public comments with respect to
such interim final rule, the Council shall prescribe a final
rule to implement subchapter III of chapter 13 of title 41,
United States Code, as added by subsection (a).
(3) Failure to act.--
(A) In general <<NOTE: Reports. Estimate.>> .--If
the Council does not issue a final rule in accordance
with paragraph (2) on or before the last day of the one-
year period referred to in that paragraph, the Council
shall submit to the appropriate congressional committees
and leadership, not later than 10 days after such last
day and every 90 days thereafter until the final rule is
issued, a report explaining why the final rule was not
timely issued and providing an estimate of the earliest
date on which the final rule will be issued.
(B) Appropriate congressional committees and
leadership defined.--In this paragraph, the term
``appropriate congressional committees and leadership''
has the meaning given that term in section 1321 of title
41, United States Code, as added by subsection (a).
SEC. 203. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO MITIGATING
SUPPLY CHAIN RISKS IN THE PROCUREMENT OF
COVERED ARTICLES.
(a) In General.--Chapter 47 of title 41, United States Code, is
amended by adding at the end the following new section:
[[Page 132 STAT. 5189]]
``Sec. 4713. <<NOTE: 41 USC 4713.>> Authorities relating to
mitigating supply chain risks in the procurement
of covered articles
``(a) Authority.--Subject to subsection (b), the head of an
executive agency may carry out a covered procurement action.
``(b) Determination and Notification.--Except as authorized by
subsection (c) to address an urgent national security interest, the head
of an executive agency may exercise the authority provided in subsection
(a) only after--
``(1) <<NOTE: Recommenda- tions. Review.>> obtaining a
joint recommendation, in unclassified or classified form, from
the chief acquisition officer and the chief information officer
of the agency, or officials performing similar functions in the
case of executive agencies that do not have such officials,
which includes a review of any risk assessment made available by
the executive agency identified under section 1323(a)(3) of this
title, that there is a significant supply chain risk in a
covered procurement;
``(2) providing notice of the joint recommendation described
in paragraph (1) to any source named in the joint recommendation
advising--
``(A) that a recommendation is being considered or
has been obtained;
``(B) to the extent consistent with the national
security and law enforcement interests, of information
that forms the basis for the recommendation;
``(C) <<NOTE: Deadline.>> that, within 30 days
after receipt of the notice, the source may submit
information and argument in opposition to the
recommendation; and
``(D) of the procedures governing the consideration
of the submission and the possible exercise of the
authority provided in subsection (a);
``(3) <<NOTE: Consultation.>> making a determination in
writing, in unclassified or classified form, after considering
any information submitted by a source under paragraph (2) and in
consultation with the chief information security officer of the
agency, that--
``(A) use of the authority under subsection (a) is
necessary to protect national security by reducing
supply chain risk;
``(B) less intrusive measures are not reasonably
available to reduce such supply chain risk; and
``(C) the use of such authorities will apply to a
single covered procurement or a class of covered
procurements, and otherwise specifies the scope of the
determination; and
``(4) <<NOTE: Summaries.>> providing a classified or
unclassified notice of the determination made under paragraph
(3) to the appropriate congressional committees and leadership
that includes--
``(A) the joint recommendation described in
paragraph (1);
``(B) a summary of any risk assessment reviewed in
support of the joint recommendation required by
paragraph (1); and
``(C) a summary of the basis for the determination,
including a discussion of less intrusive measures that
were considered and why such measures were not
reasonably available to reduce supply chain risk.
``(c) Procedures To Address Urgent National Security Interests.--In
any case in which the head of an executive agency
[[Page 132 STAT. 5190]]
determines that an urgent national security interest requires the
immediate exercise of the authority provided in subsection (a), the head
of the agency--
``(1) may, to the extent necessary to address such national
security interest, and subject to the conditions in paragraph
(2)--
``(A) temporarily delay the notice required by
subsection (b)(2);
``(B) make the determination required by subsection
(b)(3), regardless of whether the notice required by
subsection (b)(2) has been provided or whether the
notified source has submitted any information in
response to such notice;
``(C) temporarily delay the notice required by
subsection (b)(4); and
``(D) <<NOTE: Deadline.>> exercise the authority
provided in subsection (a) in accordance with such
determination within 60 calendar days after the day the
determination is made; and
``(2) shall take actions necessary to comply with all
requirements of subsection (b) as soon as practicable after
addressing the urgent national security interest, including--
``(A) providing the notice required by subsection
(b)(2);
``(B) promptly considering any information submitted
by the source in response to such notice, and making any
appropriate modifications to the determination based on
such information;
``(C) providing the notice required by subsection
(b)(4), including a description of the urgent national
security interest, and any modifications to the
determination made in accordance with subparagraph (B);
and
``(D) <<NOTE: Notice. Deadline.>> providing notice
to the appropriate congressional committees and
leadership within 7 calendar days of the covered
procurement actions taken under this section.
``(d) Confidentiality.--The notice required by subsection (b)(2)
shall be kept confidential until a determination with respect to a
covered procurement action has been made pursuant to subsection (b)(3).
``(e) Delegation.--The head of an executive agency may not delegate
the authority provided in subsection (a) or the responsibility
identified in subsection (f) to an official below the level one level
below the Deputy Secretary or Principal Deputy Director.
``(f) Annual Review of Determinations.--The head of an executive
agency shall conduct an annual review of all determinations made by such
head under subsection (b) and promptly amend any covered procurement
action as appropriate.
``(g) Regulations.--The Federal Acquisition Regulatory Council shall
prescribe such regulations as may be necessary to carry out this
section.
``(h) Reports Required.--Not less frequently than annually, the head
of each executive agency that exercised the authority provided in
subsection (a) or (c) during the preceding 12-month period shall submit
to the appropriate congressional committees and leadership a report
summarizing the actions taken by the agency under this section during
that 12-month period.
``(i) Rule of Construction.--Nothing in this section shall be
construed to authorize the head of an executive agency to carry out a
covered procurement action based solely on the fact of foreign
[[Page 132 STAT. 5191]]
ownership of a potential procurement source that is otherwise qualified
to enter into procurement contracts with the Federal Government.
``(j) Termination.--The authority provided under subsection (a)
shall terminate on the date that is 5 years after the date of the
enactment of the Federal Acquisition Supply Chain Security Act of 2018.
``(k) Definitions.--In this section:
``(1) Appropriate congressional committees and leadership.--
The term `appropriate congressional committees and leadership'
means--
``(A) the Committee on Homeland Security and
Governmental Affairs, the Committee on the Judiciary,
the Committee on Appropriations, the Committee on Armed
Services, the Committee on Commerce, Science, and
Transportation, the Select Committee on Intelligence,
and the majority and minority leader of the Senate; and
``(B) the Committee on Oversight and Government
Reform, the Committee on the Judiciary, the Committee on
Appropriations, the Committee on Homeland Security, the
Committee on Armed Services, the Committee on Energy and
Commerce, the Permanent Select Committee on
Intelligence, and the Speaker and minority leader of the
House of Representatives.
``(2) Covered article.--The term `covered article' means--
``(A) information technology, as defined in section
11101 of title 40, including cloud computing services of
all types;
``(B) telecommunications equipment or
telecommunications service, as those terms are defined
in section 3 of the Communications Act of 1934 (47
U.S.C. 153);
``(C) the processing of information on a Federal or
non-Federal information system, subject to the
requirements of the Controlled Unclassified Information
program; or
``(D) hardware, systems, devices, software, or
services that include embedded or incidental information
technology.
``(3) Covered procurement.--The term `covered procurement'
means--
``(A) a source selection for a covered article
involving either a performance specification, as
provided in subsection (a)(3)(B) of section 3306 of this
title, or an evaluation factor, as provided in
subsection (b)(1)(A) of such section, relating to a
supply chain risk, or where supply chain risk
considerations are included in the agency's
determination of whether a source is a responsible
source as defined in section 113 of this title;
``(B) the consideration of proposals for and
issuance of a task or delivery order for a covered
article, as provided in section 4106(d)(3) of this
title, where the task or delivery order contract
includes a contract clause establishing a requirement
relating to a supply chain risk;
``(C) any contract action involving a contract for a
covered article where the contract includes a clause
establishing requirements relating to a supply chain
risk; or
``(D) any other procurement in a category of
procurements determined appropriate by the Federal
Acquisition
[[Page 132 STAT. 5192]]
Regulatory Council, with the advice of the Federal
Acquisition Security Council.
``(4) Covered procurement action.--The term `covered
procurement action' means any of the following actions, if the
action takes place in the course of conducting a covered
procurement:
``(A) The exclusion of a source that fails to meet
qualification requirements established under section
3311 of this title for the purpose of reducing supply
chain risk in the acquisition or use of covered
articles.
``(B) The exclusion of a source that fails to
achieve an acceptable rating with regard to an
evaluation factor providing for the consideration of
supply chain risk in the evaluation of proposals for the
award of a contract or the issuance of a task or
delivery order.
``(C) The determination that a source is not a
responsible source as defined in section 113 of this
title based on considerations of supply chain risk.
``(D) The decision to withhold consent for a
contractor to subcontract with a particular source or to
direct a contractor to exclude a particular source from
consideration for a subcontract under the contract.
``(5) Information and communications technology.--The term
`information and communications technology' means--
``(A) information technology, as defined in section
11101 of title 40;
``(B) information systems, as defined in section
3502 of title 44; and
``(C) telecommunications equipment and
telecommunications services, as those terms are defined
in section 3 of the Communications Act of 1934 (47
U.S.C. 153).
``(6) Supply chain risk.--The term `supply chain risk' means
the risk that any person may sabotage, maliciously introduce
unwanted function, extract data, or otherwise manipulate the
design, integrity, manufacturing, production, distribution,
installation, operation, maintenance, disposition, or retirement
of covered articles so as to surveil, deny, disrupt, or
otherwise manipulate the function, use, or operation of the
covered articles or information stored or transmitted on the
covered articles.
``(7) Executive agency.--Notwithstanding section 3101(c)(1),
this section applies to the Department of Defense, the Coast
Guard, and the National Aeronautics and Space Administration.''.
(b) Clerical Amendment.--The table of sections at the beginning of
chapter 47 of such title <<NOTE: 41 USC 4701 prec.>> is amended by
adding at the end the following new item:
``4713. Authorities relating to mitigating supply chain risks in the
procurement of covered articles.''.
(c) Effective Date <<NOTE: 41 USC 4713 note.>> .--The amendments
made by this section shall take effect on the date that is 90 days after
the date of the enactment of this Act and shall apply to contracts that
are awarded before, on, or after that date.
SEC. 204. FEDERAL INFORMATION SECURITY MODERNIZATION ACT.
(a) In General.--Title 44, United States Code, is amended--
[[Page 132 STAT. 5193]]
(1) in section 3553(a)(5), by inserting ``and section 1326
of title 41'' after ``compliance with the requirements of this
subchapter''; and
(2) in section 3554(a)(1)(B)--
(A) by inserting ``, subchapter III of chapter 13 of
title 41,'' after ``complying with the requirements of
this subchapter'';
(B) in clause (iv), by striking ``; and'' and
inserting a semicolon; and
(C) by adding at the end the following new clause:
``(vi) responsibilities relating to assessing
and avoiding, mitigating, transferring, or
accepting supply chain risks under section 1326 of
title 41, and complying with exclusion and removal
orders issued under section 1323 of such title;
and''.
(b) Rule of Construction <<NOTE: 44 USC 3553 note.>> .--Nothing in
this title shall be construed to alter or impede any authority or
responsibility under section 3553 of title 44, United States Code.
SEC. 205. <<NOTE: 41 USC 1321 note.>> EFFECTIVE DATE.
This title shall take effect on the date that is 90 days after the
date of the enactment of this Act.
Approved December 21, 2018.
LEGISLATIVE HISTORY--H.R. 7327:
---------------------------------------------------------------------------
CONGRESSIONAL RECORD, Vol. 164 (2018):
Dec. 19, considered and passed House and Senate.
<all>