41 U.S.C.
United States Code, 2022 Edition
Title 41 - PUBLIC CONTRACTS
Subtitle I - Federal Procurement Policy
Division C - Procurement
CHAPTER 47 - MISCELLANEOUS
Sec. 4713 - Authorities relating to mitigating supply chain risks in the procurement of covered articles
From the U.S. Government Publishing Office, www.gpo.gov

§4713. Authorities relating to mitigating supply chain risks in the procurement of covered articles

(a) Authority.—Subject to subsection (b), the head of an executive agency may carry out a covered procurement action.

(b) Determination and Notification.—Except as authorized by subsection (c) to address an urgent national security interest, the head of an executive agency may exercise the authority provided in subsection (a) only after—

(1) obtaining a joint recommendation, in unclassified or classified form, from the chief acquisition officer and the chief information officer of the agency, or officials performing similar functions in the case of executive agencies that do not have such officials, which includes a review of any risk assessment made available by the executive agency identified under section 1323(a)(3) of this title, that there is a significant supply chain risk in a covered procurement;

(2) providing notice of the joint recommendation described in paragraph (1) to any source named in the joint recommendation advising—

(A) that a recommendation is being considered or has been obtained;

(B) to the extent consistent with the national security and law enforcement interests, of information that forms the basis for the recommendation;

(C) that, within 30 days after receipt of the notice, the source may submit information and argument in opposition to the recommendation; and

(D) of the procedures governing the consideration of the submission and the possible exercise of the authority provided in subsection (a);


(3) making a determination in writing, in unclassified or classified form, after considering any information submitted by a source under paragraph (2) and in consultation with the chief information security officer of the agency, that—

(A) use of the authority under subsection (a) is necessary to protect national security by reducing supply chain risk;

(B) less intrusive measures are not reasonably available to reduce such supply chain risk; and

(C) the use of such authorities will apply to a single covered procurement or a class of covered procurements, and otherwise specifies the scope of the determination; and


(4) providing a classified or unclassified notice of the determination made under paragraph (3) to the appropriate congressional committees and leadership that includes—

(A) the joint recommendation described in paragraph (1);

(B) a summary of any risk assessment reviewed in support of the joint recommendation required by paragraph (1); and

(C) a summary of the basis for the determination, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk.


(c) Procedures To Address Urgent National Security Interests.—In any case in which the head of an executive agency determines that an urgent national security interest requires the immediate exercise of the authority provided in subsection (a), the head of the agency—

(1) may, to the extent necessary to address such national security interest, and subject to the conditions in paragraph (2)—

(A) temporarily delay the notice required by subsection (b)(2);

(B) make the determination required by subsection (b)(3), regardless of whether the notice required by subsection (b)(2) has been provided or whether the notified source has submitted any information in response to such notice;

(C) temporarily delay the notice required by subsection (b)(4); and

(D) exercise the authority provided in subsection (a) in accordance with such determination within 60 calendar days after the day the determination is made; and


(2) shall take actions necessary to comply with all requirements of subsection (b) as soon as practicable after addressing the urgent national security interest, including—

(A) providing the notice required by subsection (b)(2);

(B) promptly considering any information submitted by the source in response to such notice, and making any appropriate modifications to the determination based on such information;

(C) providing the notice required by subsection (b)(4), including a description of the urgent national security interest, and any modifications to the determination made in accordance with subparagraph (B); and

(D) providing notice to the appropriate congressional committees and leadership within 7 calendar days of the covered procurement actions taken under this section.


(d) Confidentiality.—The notice required by subsection (b)(2) shall be kept confidential until a determination with respect to a covered procurement action has been made pursuant to subsection (b)(3).

(e) Delegation.—The head of an executive agency may not delegate the authority provided in subsection (a) or the responsibility identified in subsection (f) to an official below the level one level below the Deputy Secretary or Principal Deputy Director.

(f) Annual Review of Determinations.—The head of an executive agency shall conduct an annual review of all determinations made by such head under subsection (b) and promptly amend any covered procurement action as appropriate.

(g) Regulations.—The Federal Acquisition Regulatory Council shall prescribe such regulations as may be necessary to carry out this section.

(h) Reports Required.—Not less frequently than annually, the head of each executive agency that exercised the authority provided in subsection (a) or (c) during the preceding 12-month period shall submit to the appropriate congressional committees and leadership a report summarizing the actions taken by the agency under this section during that 12-month period.

(i) Rule of Construction.—Nothing in this section shall be construed to authorize the head of an executive agency to carry out a covered procurement action based solely on the fact of foreign ownership of a potential procurement source that is otherwise qualified to enter into procurement contracts with the Federal Government.

(j) Termination.—The authority provided under subsection (a) shall terminate on December 31, 2033.

(k) Definitions.—In this section:

(1) Appropriate congressional committees and leadership.—The term "appropriate congressional committees and leadership" means—

(A) the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Armed Services, the Committee on Commerce, Science, and Transportation, the Select Committee on Intelligence, and the majority and minority leader of the Senate; and

(B) the Committee on Oversight and Government Reform, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, the Committee on Armed Services, the Committee on Energy and Commerce, the Permanent Select Committee on Intelligence, and the Speaker and minority leader of the House of Representatives.


(2) Covered article.—The term "covered article" means—

(A) information technology, as defined in section 11101 of title 40, including cloud computing services of all types;

(B) telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153);

(C) the processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program; or

(D) hardware, systems, devices, software, or services that include embedded or incidental information technology.


(3) Covered procurement.—The term "covered procurement" means—

(A) a source selection for a covered article involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of this title, or an evaluation factor, as provided in subsection (b)(1)(A) of such section, relating to a supply chain risk, or where supply chain risk considerations are included in the agency's determination of whether a source is a responsible source as defined in section 113 of this title;

(B) the consideration of proposals for and issuance of a task or delivery order for a covered article, as provided in section 4106(d)(3) of this title, where the task or delivery order contract includes a contract clause establishing a requirement relating to a supply chain risk;

(C) any contract action involving a contract for a covered article where the contract includes a clause establishing requirements relating to a supply chain risk; or

(D) any other procurement in a category of procurements determined appropriate by the Federal Acquisition Regulatory Council, with the advice of the Federal Acquisition Security Council.


(4) Covered procurement action.—The term "covered procurement action" means any of the following actions, if the action takes place in the course of conducting a covered procurement:

(A) The exclusion of a source that fails to meet qualification requirements established under section 3311 of this title for the purpose of reducing supply chain risk in the acquisition or use of covered articles.

(B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.

(C) The determination that a source is not a responsible source as defined in section 113 of this title based on considerations of supply chain risk.

(D) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract under the contract.


(5) Information and communications technology.—The term "information and communications technology" means—

(A) information technology, as defined in section 11101 of title 40;

(B) information systems, as defined in section 3502 of title 44; and

(C) telecommunications equipment and telecommunications services, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153).


(6) Supply chain risk.—The term "supply chain risk" means the risk that any person may sabotage, maliciously introduce unwanted function, extract data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, maintenance, disposition, or retirement of covered articles so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the covered articles or information stored or transmitted on the covered articles.

(7) Executive agency.—Notwithstanding section 3101(c)(1), this section applies to the Department of Defense, the Coast Guard, and the National Aeronautics and Space Administration.

(Added Pub. L. 115–390, title II, §203(a), Dec. 21, 2018, 132 Stat. 5189; amended Pub. L. 117–263, div. E, title LIX, §5949(k)(2), Dec. 23, 2022, 136 Stat. 3492.)


Editorial Notes

References in Text

Section 3101(c)(1), referred to in subsec. (k)(7), probably means section 3101(c)(1) of this title, which excepts the Department of Defense, the Coast Guard, and the National Aeronautics and Space Administration from applicability of the Procurement procedures and regulations of the Administrator of General Services.

Amendments

2022—Subsec. (j). Pub. L. 117–263 substituted "December 31, 2033" for "the date that is 5 years after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018".


Statutory Notes and Related Subsidiaries

Change of Name

Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019.

Effective Date

Pub. L. 115–390, title II, §203(c), Dec. 21, 2018, 132 Stat. 5192, provided that: "The amendments made by this section [enacting this section] shall take effect on the date that is 90 days after the date of the enactment of this Act [Dec. 21, 2018] and shall apply to contracts that are awarded before, on, or after that date."

Title II of Pub. L. 115–390 effective 90 days after Dec. 21, 2018, see section 205 of Pub. L. 115–390, set out as a note under section 1321 of this title.

Prohibition on Certain Semiconductor Products and Services

Pub. L. 117–263, div. E, title LIX, §5949, Dec. 23, 2022, 136 Stat. 3485, provided that:

"(a) Prohibition on Use or Procurement.—

"(1) In general.—The head of an executive agency may not—

"(A) procure or obtain, or extend or renew a contract to procure or obtain, any electronic parts, products, or services that include covered semiconductor products or services; or

"(B) enter into a contract (or extend or renew a contract) with an entity to procure or obtain electronic parts or products that use any electronic parts or products that include covered semiconductor products or services.

"(2) Rule of construction.—

"(A) In general.—Nothing in paragraph (1) shall be construed—

"(i) to require any covered semiconductor products or services resident in equipment, systems, or services as of the day before the applicable effective date specified in subsection (c) to be removed or replaced;

"(ii) to prohibit or limit the utilization of such covered semiconductor products or services throughout the lifecycle of such existing equipment;

"(iii) to require the recipient of a Federal contract, grant, loan, or loan guarantee to replace covered semiconductor products or services resident in equipment, systems, or services before the effective date specified in subsection (c); or

"(iv) to require the Federal Communications Commission to designate covered semiconductor products or services to its Covered Communications Equipment or Services List maintained under section 2 of the Secured and Trusted Communications Networks Act of 2019 (47 U.S.C. 1603) [probably should be "(47 U.S.C. 1601)"].

"(B) Contracting prohibition.—Nothing in paragraph (1)(B) shall be construed to cover products or services that include covered semiconductor products or services in a system that is not a critical system.

"(b) Waiver Authority.—

"(1) Secretary of defense.—The Secretary of Defense may provide a waiver on a date later than the effective date described in subsection (c) if the Secretary determines the waiver is in the critical national security interests of the United States.

"(2) Director of national intelligence.—The Director of National Intelligence may provide a waiver on a date later than the effective date described in subsection (c) if the Director determines the waiver is in the critical national security interests of the United States.

"(3) Secretary of commerce.—The Secretary of Commerce, in consultation with the Director of National Intelligence or the Secretary of Defense, may provide a waiver on a date later than the effective date described in subsection (c) if the Secretary determines the waiver is in the critical national security interests of the United States.

"(4) Secretary of homeland security.—The Secretary of Homeland Security, in consultation with the Director of National Intelligence or the Secretary of Defense, may provide a waiver on a date later than the effective date described in subsection (c) if the Secretary determines the waiver is in the critical national security interests of the United States.

"(5) Secretary of energy.—The Secretary of Energy, in consultation with the Director of National Intelligence or the Secretary of Defense, may provide a waiver on a date later than the effective date described in subsection (c) if the Secretary determines the waiver is in the critical national security interests of the United States.

"(6) Executive agencies.—The head of an executive agency may waive, for a renewable period of not more than two years per waiver, the prohibitions under subsection (a) if—

"(A) the head of the agency, in consultation with the Secretary of Commerce, determines that no compliant product or service is available to be procured as, and when, needed at United States market prices or a price that is not considered prohibitively expensive; and

"(B) the head of the agency, in consultation with the Secretary of Defense or the Director of National Intelligence, determines that such waiver could not reasonably be expected to compromise the critical national security interests of the United States.

"(7) Report to congress.—Not later than 30 days after granting a waiver under this subsection, the head of the executive agency granting such waiver shall submit to the appropriate committees of Congress and leadership a report with a notification of such waiver, including a justification for the waiver.

"(c) Effective Dates and Regulations.—

"(1) Effective date.—The prohibitions under subsection (a) shall take effect five years after the date of the enactment of this Act [Dec. 23, 2022].

"(2) Regulations.—Not later than three years after the date of the enactment of this Act, the Federal Acquisition Regulatory Council shall prescribe regulations implementing the prohibitions under subsection (a), including a requirement for prime contractors to incorporate the substance of such prohibitions and applicable implementing contract clauses into contracts for the supply of electronic parts or products.

"(d) Office of Management and Budget Report and Briefing.—Not later than 270 days after the effective date described in subsection (c)(1), the Director of the Office of Management and Budget, in coordination with the Director of National Intelligence and the National Cyber Director, shall provide to the appropriate committees of Congress and leadership a report and briefing on—

"(1) the implementation of the prohibitions under subsection (a), including any challenges in the implementation; and

"(2) the effectiveness and utility of the waiver authority under subsection (b).

"(e) Analysis, Assessment, and Strategy.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Commerce, in coordination with the Secretary of Defense, the Secretary of Homeland Security, the Director of National Intelligence, and the Secretary of Energy and, to the greatest extent practicable, leveraging relevant previous analyses and assessments, shall—

"(1) conduct an analysis of semiconductor design and production capacity domestically and by allied or partner countries required to meet the needs of the Federal Government, including analyses regarding—

"(A) semiconductors critical to national security, as determined by the Secretary of Commerce, in consultation with the Secretary of Defense and the Director of National Intelligence, in accordance with section 9902(a)(6)(A)(i) of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283) [15 U.S.C. 4652(a)(6)(A)(i)]; and

"(B) semiconductors classified as legacy semiconductors pursuant to section 9902(a)(6)(A)(i) of William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283);

"(2) assess the risk posed by the presence of covered semiconductor products or services in Federal systems;

"(3) assess the risk posed by the presence of covered semiconductor products or services in the supply chains of Federal contractors and subcontractors, including for non-Federal systems;

"(4) develop a strategy to—

"(A) improve the availability of domestic semiconductor design and production capacity required to meet the requirements of the Federal Government;

"(B) support semiconductor product and service suppliers seeking to contract with domestic, allied, or partner semiconductor producers and to improve supply chain traceability, including to meet the prohibitions under subsection (a); and

"(C) either certify the feasibility of implementing such prohibitions or exercising waiver authorities under subsection (b), to ensure uninterrupted Federal Government access to required semiconductor products and services; and

"(5) provide the results of the analysis, assessment, and strategy developed under paragraphs (1) through (4) to the Federal Acquisition Security Council.

"(f) Governmentwide Traceability and Diversification Initiative.—

"(1) In general.—Not later than two years after the date of the enactment of this Act [Dec. 23, 2022], the Secretary of Commerce, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Director of National Intelligence, the Director of the Office of Management and Budget, and the Director of the Office of Science and Technology Policy, and in consultation with industry, shall establish a microelectronics traceability and diversification initiative to coordinate analysis of and response to the Federal Government microelectronics supply chain vulnerabilities.

"(2) Elements.—The initiative established under paragraph (1) shall include the following elements:

"(A) Sharing best practices, refining microelectronics standards, such as those established pursuant to section 224 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116–92) [10 U.S.C. 4501 note prec.], and developing recommendations to identify and mitigate, through diversification efforts, microelectronics supply chain concerns.

"(B) Developing an assessment framework to inform Federal decisions on sourcing microelectronics, considering—

"(i) chain of custody and traceability, including origin and location of design, manufacturing, distribution, shipping, and quantities;

"(ii) confidentiality, including protection, verification, and validation of intellectual property included in microelectronics;

"(iii) integrity, including—

     "(I) security weaknesses and vulnerabilities that include potential supply chain attacks;

     "(II) risk analysis and consequence to system;

     "(III) risk of intentional or unintentional modification or tampering; and

     "(IV) risk of insider threats, including integrity of people and processes involved in the design and manufacturing of microelectronics; and

"(iv) availability, including—

     "(I) potential supply chain disruptions, including due to natural disasters or geopolitical events;

     "(II) prioritization of parts designed and manufactured in the United States and in allied or partner countries to support and sustain the defense and technology industrial base;

     "(III) risk associated with sourcing parts from suppliers outside of the United States and allied and partner countries, including long-term impacts on availability of microelectronics produced domestically or in allied or partner countries; and

     "(IV) obsolescence management and counterfeit avoidance and detection.

"(C) Developing a process for provenance and traceability from design to disposal of microelectronics components and intellectual property contained therein implementable across the Federal acquisition system to improve reporting, data analysis, and tracking.

"(D) Developing and implementing policies and plans to support the following:

"(i) Development of domestic design and manufacturing capabilities to replace covered semiconductor products or services.

"(ii) Utilization of the assessment framework developed under subparagraph (B).

"(iii) Implementation of the strategy required under subsection (e)(4) as applicable.

"(iv) Identification of and integration with existing information reporting and data visualization systems in the Federal Government, including modification to such systems to track the information.

"(v) A requirement to document microelectronics used in systems and subsystems, including origin and location of design and manufacturing, technologies used, and quantities procured.

"(vi) Elimination from Federal Government supply chains of microelectronics from entities included on the Consolidated Screening List maintained by the International Trade Administration of the Department of Commerce.

"(3) Coordination required.—In carrying out this subsection, the Secretary of Commerce shall coordinate, as necessary, with the following entities:

"(A) The National Science and Technology Council Subcommittee on Microelectronics Leadership.

"(B) The Department of Commerce semiconductor industrial advisory committee established under subsection 9906(b) of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283) [15 U.S.C. 4656(b)].

"(C) The White House Coordinator for CHIPS Implementation.

"(D) The Federal Acquisition Security Council (FASC).

"(E) The Government-Industry Working Group on Microelectronics.

"(F) The Joint Defense Manufacturing Technology Panel (JDMTP).

"(G) Standards development organizations.

"(g) Federal Acquisition Security Council.—Not later than two years after the date of the enactment of this Act [Dec. 23, 2022], the Federal Acquisition Security Council, in consultation with the Secretary of Commerce, the Secretary of Defense, the Secretary of Homeland Security, the Director of National Intelligence, and the Secretary of Energy, and after engagement with the private sector and other nongovernmental stakeholders in accordance with section 1323 of title 41, United States Code, shall—

"(1) issue recommendations to mitigate supply chain risks relevant to Federal Government acquisition of semiconductor products and services, considering—

"(A) the analysis, assessment, and strategy developed under subsection (e) and any related updates;

"(B) the standards provided under section 224 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116–92) [10 U.S.C. 4501 note prec.], including any tiers of trust, levels of security, or risk-based approaches established under such section;

"(C) the extent to which such recommendations would enhance the security of critical systems;

"(D) the extent to which such recommendations would impact Federal access to commercial technologies; and

"(E) any risks to the Federal Government from contracting with microelectronics suppliers that include covered semiconductor products or services in non-Federal supply chains; and

"(2) make recommendations to the Federal Acquisition Regulatory Council and the heads of executive agencies for any needed regulations to mitigate supply chain risks.

"(h) Applicability and Responsibilities of Covered Entities and Contractors.—The regulations prescribed pursuant to subsection (c)(2) shall—

"(1) provide that contractors who supply a Federal agency with electronic parts or products are responsible for—

"(A) certifying to the non-use of covered semiconductor products or services in such parts or products;

"(B) detecting and avoiding the use or inclusion of such covered semiconductor products or services in such parts or products; and

"(C) any rework or corrective action that may be required to remedy the use or inclusion of such covered semiconductor products or services in such parts or products;

"(2) require covered entities to disclose to direct customers the inclusion of a covered semiconductor product or service in electronic parts, products, or services included in electronic parts, products, or services subject to the contracting prohibition under subsection (a) as to whether such supplied parts, products, or services include covered semiconductors products or services;

"(3) provide that a covered entity that fails to disclose the inclusion to direct customers of a covered semiconductor product or service in electronic parts, products, or services procured or obtained by an executive agency in contravention of subsection (a) shall be responsible for any rework or corrective action that may be required to remedy the use or inclusion of such covered semiconductor product or service;

"(4) provide that the costs of covered semiconductor products or services, suspect semiconductor products, and any rework or corrective action that may be required to remedy the use or inclusion of such products are not allowable costs for Federal contracts;

"(5) provide that—

"(A) any covered entity or Federal contractor or subcontractor who becomes aware, or has reason to suspect, that any end item, component, or part of a critical system purchased by the Federal Government, or purchased by a Federal contractor or subcontractor for delivery to the Federal Government for any critical system, that contains covered semiconductor products or services shall notify appropriate Federal authorities in writing within 60 days; and

"(B) the Federal authorities shall report such information to the appropriate committees of Congress and leadership within 120 days;

"(6) provide that Federal bidders and contractors—

"(A) may reasonably rely on the certifications of compliance from covered entities and subcontractors who supply electronic parts, products, or services when providing proposals to the Federal Government; and

"(B) are not required to conduct independent third party audits or other formal reviews related to such certifications;

"(7) provide that a Federal contractor or subcontractor that provides a notification under paragraph (5) that does not regard electronic parts or products manufactured or assembled by such Federal contractor or subcontractor shall not be subject to civil liability nor determined to not be a presently responsible contractor on the basis of such notification; and

"(8) provide that a Federal contractor or subcontractor that provides a notification under paragraph (5) that regards electronic parts or products manufactured or assembled by such Federal contractor or subcontractor shall not be subject to civil liability nor determined to not be a presently responsible contractor on the basis of such notification if the Federal contractor or subcontractor makes a comprehensive and documentable effort to identify and remove covered semiconductor products or services from the Federal supply.

"(i) Reports.—

"(1) Secretary of commerce.—Not later than 60 days after completing the assessment required under subsection (e), the Secretary of Commerce shall submit to the appropriate committees of Congress and leadership—

"(A) a report of the findings and recommendations of the analyses, assessment, and strategy developed under such subsection; and

"(B) a report on development of the microelectronics traceability and diversification initiative under subsection (f)(1).

"(2) Federal acquisition security council.—Not later than one year after the date of the enactment of this Act [Dec. 23, 2022], and annually thereafter for ten years, the Federal Acquisition Security Council shall include in the annual report submitted under section 1325 of title 41, United States Code, a description of—

"(A) the development of recommendations under subsection (g), including the considerations described in paragraph (1) of such subsection; and

"(B) as applicable, the impact of any recommendations or regulations implemented.

"(j) Definitions.—In this section:

"(1) Appropriate committees of congress and leadership.—The term 'appropriate committees of Congress and leadership' means—

"(A) the Committee on Armed Services, the Committee on Commerce, Science, and Transportation, the Committee on Homeland Security and Governmental Affairs, the Committee on Energy and Natural Resources, the Committee on Foreign Relations, the Committee on Banking, Housing, and Urban Affairs, the Select Committee on Intelligence, and the majority and minority leaders of the Senate; and

"(B) the Committee on Armed Services, the Committee on Energy and Commerce, the Committee on Science, Space, and Technology, the Committee on Oversight and Reform, the Committee on Foreign Affairs, the Committee on Homeland Security, the Permanent Select Committee on Intelligence, and the Speaker, the majority leader, and the minority leader of the of the House of Representatives.

"(2) Covered entity.—The term 'covered entity' means an entity that—

"(A) develops, domestically or abroad, a design of a semiconductor that is the direct product of United States origin technology or software; and

"(B) purchases covered semiconductor products or services from an entity described in subparagraph (A) or (C) of paragraph (3).

"(3) Covered semiconductor product or services.—The term 'covered semiconductor product or services' means any of the following:

"(A) A semiconductor, a semiconductor product, a product that incorporates a semiconductor product, or a service that utilizes such a product, that is designed, produced or provided by, Semiconductor Manufacturing International Corporation (SMIC) (or any subsidiary, affiliate, or successor of such entity).

"(B) A semiconductor, a semiconductor product, a product that incorporates a semiconductor product, or a service that utilizes such a product, that is designed, produced, or provided by ChangXin Memory Technologies (CXMT) or Yangtze Memory Technologies Corp (YMTC) (or any subsidiary, affiliate, or successor of such entities).

"(C) A semiconductor, semiconductor product, or semiconductor service produced or provided by an entity that the Secretary of Defense or the Secretary of Commerce, in consultation with the Director of the National Intelligence or the Director of the Federal Bureau of Investigation, determines to be an entity owned or controlled by, or otherwise connected to, the government of a foreign country of concern, provided that the determination with respect to such entity is published in the Federal Register.

"(4) Critical system.—The term 'critical system'—

"(A) has the meaning given the term 'national security system' in section 11103(a)(1) of title 40, United States Code;

"(B) shall include additional systems identified by the Federal Acquisition Security Council;

"(C) shall include additional systems identified by the Department of Defense, consistent with guidance provided under section 224 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116–92) [10 U.S.C. 4501 note prec.]; and

"(D) shall not include a system to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).

"(5) Foreign country of concern.—The term 'foreign country of concern' has the meaning given the term in paragraph (7) of section 9901 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (15 U.S.C. 4651), as added by section 103(a)(4) of the CHIPS Act of 2022 (division A of Public Law 117–167).

"(k) Extension of Federal Acquisition Security Supply Chain Act of 2018.—

"(1) Subchapter iii of chapter 13 of title 41, united states code.—[Amended section 1328 of this title.]

"(2)—[Amended this section.]

"(l) Authorization of Appropriations for Federal Acquisition Security Council.—

"(1) In general.—There is authorized to be appropriated $3,000,000 for each of fiscal years 2023 through 2033 for the Office of Management and Budget to support the activities of the Federal Acquisition Security Council.

"(2) Transfer authority.—The Director of the Office of Management and Budget may transfer funds authorized to be appropriated under paragraph (1) to other Federal agencies for the performance of work for which the funds were authorized."