[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 3085 Introduced in Senate (IS)]

115th CONGRESS
2d Session
S. 3085

To establish a Federal Acquisition Security Council and to provide executive agencies with authorities relating to mitigating supply chain risks in the procurement of information technology, and for other purposes.

IN THE SENATE OF THE UNITED STATES

June 19, 2018

Mrs. McCaskill (for herself and Mr. Lankford) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs

A BILL

To establish a Federal Acquisition Security Council and to provide executive agencies with authorities relating to mitigating supply chain risks in the procurement of information technology, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Federal Acquisition Supply Chain Security Act of 2018''.

SEC. 2. FEDERAL ACQUISITION SECURITY COUNCIL.

(a) In General.--Chapter 13 of title 41, United States Code, is amended by adding at the end the following new subchapter:

``Subchapter III--Federal Acquisition Security Council

``Sec. 1321. Definitions

``In this subchapter:
  ``(1) Appropriate congressional committees.--The term `appropriate congressional committees' means--
    ``(A) the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, the Committee on Armed Services, the Committee on Appropriations, the Select Committee on Intelligence, and the majority and minority leader of the Senate; and
    ``(B) the Committee on Oversight and Government Reform, the Committee on the Judiciary, the Committee on Armed Services, the Committee on Appropriations, the Committee on Homeland Security, the Permanent Select Committee on Intelligence, and the Speaker and minority leader of the House of Representatives.
  ``(2) Council.--The term `Council' means the Federal Acquisition Security Council established under section 1322(a).
  ``(3) Information technology.--The term `information technology' has the meaning given that term in section 11101 of title 40.
  ``(4) Supply chain risk.--The term `supply chain risk' has the meaning given that term in section 4713.

``Sec. 1322. Establishment and membership

``(a) Establishment.--There is established in the executive branch a Federal Acquisition Security Council.
``(b) Membership.--
  ``(1) In general.--The following agencies shall be represented on the Council:
    ``(A) The Office of Management and Budget.
    ``(B) The General Services Administration.
    ``(C) The Department of Homeland Security.
    ``(D) The Office of the Director of National Intelligence.
    ``(E) The Federal Bureau of Investigation.
    ``(F) The Department of Defense.
    ``(G) The National Institute of Standards and Technology.
    ``(H) Such other executive agencies as determined by the Chairperson of the Council.
  ``(2) Lead representatives.--
    ``(A) Designation.--
      ``(i) In general.--The head of each agency represented on the Council shall designate a representative of that agency as the lead representative of the agency on the Council not later than 90 days after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018.
      ``(ii) Requirements.--The representative of an agency designated under clause (i) shall have expertise in supply chain risk management, acquisitions, or information technology.
    ``(B) Functions.--The lead representative of an agency designated under subparagraph (A) shall ensure that appropriate personnel, including leadership and subject matter experts of the agency, are aware of the business of the Council.
``(c) Chairperson.--
  ``(1) Designation.--The Director of the Office of Management and Budget shall designate a senior-level official from the Office of Management and Budget to serve as the Chairperson of the Council not later than 90 days after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018.
  ``(2) Functions.--The Chairperson shall perform functions that include--
    ``(A) subject to subsection (d), developing a schedule for meetings of the Council;
    ``(B) designating executive agencies to be represented on the Council under subsection (b)(1)(H);
    ``(C) in consultation with the lead representative of each agency represented on the Council, developing a charter for the Council; and
    ``(D) not later than 7 days after completion of the charter, submitting the charter to the appropriate congressional committees.
``(d) Meetings.--The Council shall meet not later than 180 days after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018 and not less frequently than quarterly thereafter.

``Sec. 1323. Functions

``(a) In General.--The Council shall perform functions that include the following:
  ``(1) Developing criteria and processes--
    ``(A) for assessing threats and vulnerabilities relating to supply chain risk posed by the acquisition of information technology to national security and the public interest; and
    ``(B) for sharing information among executive agencies, including the intelligence community, and the private sector where appropriate, with respect to assessments of that risk.
  ``(2) Defining the responsibilities of executive agencies, consistent with existing law, for management of such assessments.
  ``(3) Issuing guidance to executive agencies for incorporating information relating to supply chain risks and other relevant information into procurement decisions for the protection of national security and the public interest.
  ``(4) Developing standards and measures for supply chain risk management, including assessments, evaluations, mitigation, and response that take into consideration national security and other factors relevant to the public interest.
  ``(5) Consulting, as appropriate, with the private sector and other nongovernmental stakeholders on issues relating to the management of supply chain risks posed by the acquisition of information technology.
  ``(6) Determining whether the exclusion of a source made by one executive agency should apply to all executive agencies upon receiving a notification under section 4713 and carrying out such other actions as are agreed upon by the Council.
``(b) Authority To Request Information.--The Council may request such information from executive agencies as is necessary for the Council to carry out its functions under subsection (a).
``(c) Program Office.--The Council may establish a program office to assist the Council in carrying out its functions under subsection (a).
``(d) Relationship to Other Councils.--The Council shall consult and coordinate with other relevant councils to the maximum extent practicable.
``(e) Rule of Construction.--Nothing in this section shall limit the authority of the Office of Federal Procurement Policy to carry out the responsibilities of that Office under any other provision of law.

``Sec. 1324. Strategic plan

``(a) In General.--Not later than 180 days after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018, the Council shall develop a strategic plan for addressing supply chain risks posed by the acquisition of information technology and for managing such risks that includes--
  ``(1) the criteria and processes required under section 1323(a)(1), including a threshold and requirements for sharing relevant information about such risks with all executive agencies;
  ``(2) an identification of existing authorities for addressing such risks;
  ``(3) an identification and promulgation of best practices and procedures and available resources for executive agencies to assess and mitigate such risks;
  ``(4) recommendations for any legislative, regulatory, or other policy changes to improve efforts to address such risks;
  ``(5) an evaluation of the effect of implementing new policies or procedures on existing contracts and the procurement process;
  ``(6) a plan for engaging with executive agencies, the private sector, and other nongovernmental stakeholders to address such risks; and
  ``(7) plans to strengthen the capacity of all executive agencies to conduct assessments of--
    ``(A) the supply chain risk posed by the acquisition of information technology; and
    ``(B) compliance with the requirements of this subchapter.
``(b) Submission to Congress.--Not later than 7 days after completion of the strategic plan required by subsection (a), the Chairperson of the Council shall submit the plan to the appropriate congressional committees.

``Sec. 1325. Annual report

``Not later than December 31 of each year, the Chairperson of the Council shall submit to the appropriate congressional committees a report on the activities of the Council during the preceding 12-month period.

``Sec. 1326. Requirements for executive agencies

``(a) In General.--The head of each executive agency shall--
  ``(1) be responsible for conducting assessments of the supply chain risks posed by the acquisition of information technology by that agency, developing mitigation and response requirements, and ensuring ongoing management of such risks;
  ``(2) share relevant information with other executive agencies as determined appropriate by the Administrator in a manner consistent with section 1323; and
  ``(3) ensure that all relevant information, including classified information, with respect to acquisitions of information technology that may pose a supply chain risk, consistent with section 1323(a)(1), is incorporated into existing processes of the agency for conducting assessments described in paragraph (1) and ongoing management of acquisition programs, including any identification, investigation, mitigation, or remediation needs.
``(b) Interagency Acquisitions.--
  ``(1) In general.--Except as provided in paragraph (2), in the case of an interagency acquisition, subsection (a) shall be carried out by the head of the executive agency the funds of which are obligated or expended to conduct the acquisition.
  ``(2) Assisted acquisitions.--In an assisted acquisition, the parties to the acquisition shall determine, as part of the interagency agreement governing the acquisition, which agency is responsible for carrying out subsection (a).
  ``(3) Definitions.--In this subsection, the terms `assisted acquisition' and `interagency acquisition' have the meanings given those terms in section 2.101 of title 48, Code of Federal Regulations (or any corresponding similar regulation or ruling).

``Sec. 1327. Termination

``This subchapter shall terminate on the date that is 5 years after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018.''.

(b) Clerical Amendment.--The table of sections at the beginning of chapter 13 of such title is amended by adding at the end the following new items:

``subchapter iii--federal acquisition security council
``Sec.
``1321. Definitions.
``1322. Establishment and membership.
``1323. Functions.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Termination.''.

(c) Effective Date.--The amendments made by this section shall take effect on the date that is 90 days after the date of the enactment of this Act.

SEC. 3. RISK ASSESSMENTS FOR INFORMATION TECHNOLOGY MADE AVAILABLE TO OTHER AGENCIES.

(a) In General.--Not later than one year after the date of the enactment of this Act, the head of any executive agency that makes information technology available for procurement by other executive agencies shall--
  (1) identify information technology products made available to other agencies that pose the greatest risk to national security or the public interest;
  (2) complete a risk assessment of information technology products identified under paragraph (1);
  (3) in each case in which the head of the executive agency identifies a significant supply chain risk posed by information technology--
    (A) make the risk assessment with respect to that information technology available to all executive agencies through the Federal Acquisition Security Council established under subchapter III of chapter 13 of title 41, United States Code, as added by section 2; and
    (B) develop a plan to mitigate that risk; and
  (4) develop a vetting process for conducting supply chain risk assessments with respect to prospective providers of information technology and make the process available to all executive agencies.
(b) Assistance.--The Secretary of Homeland Security may--
  (1) assist executive agencies in conducting risk assessments described in subsection (a) and implementing mitigation requirements for information technology; and
  (2) provide such additional guidance or tools as are necessary to support actions taken by executive agencies under subsection (a).
(c) Definitions.--In this section:
  (1) Executive agency.--The term ``executive agency'' has the meaning given that term in section 133 of title 41, United States Code.
  (2) Information technology.--The term ``information technology'' has the meaning given that term in section 11101 of title 40, United States Code.
  (3) Supply chain risk.--The term ``supply chain risk'' has the meaning given that term in section 4713 of title 41, United States Code, as added by section 4.

SEC. 4. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO MITIGATING SUPPLY CHAIN RISKS IN THE PROCUREMENT OF INFORMATION TECHNOLOGY.

(a) In General.--Chapter 47 of title 41, United States Code, is amended by adding at the end the following new section:

``Sec. 4713. Authorities relating to mitigating supply chain risks in the procurement of information technology

``(a) Authority.--Subject to subsection (b), the head of an executive agency may--
  ``(1) carry out a covered procurement action; and
  ``(2) limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information relating to the basis for carrying out a covered procurement action.
``(b) Determination and Notification.--The head of an executive agency may exercise the authority provided in subsection (a) only after--
  ``(1) obtaining a joint recommendation by the senior procurement executive and chief information officer of the agency, or such other officials of the agency as the head of the agency considers appropriate, that there is a significant supply chain risk in a covered procurement;
  ``(2) making a determination in writing, in unclassified or classified form, that--
    ``(A) use of the authority under subsection (a)(1) is necessary to protect national security or the public interest by reducing supply chain risk; and
    ``(B) in a case where the head of the agency plans to limit disclosure of information under subsection (a)(2), the risk to national security due to the disclosure of such information outweighs the risk due to not disclosing such information; and
  ``(3) providing a classified or unclassified notice of the determination made under paragraph (2) not later than 30 days after making that determination to the Federal Acquisition Security Council that includes--
    ``(A) a summary of the information required for the purchase of property or services under this title and any other applicable law relating to procurement; and
    ``(B) a summary of the basis for the determination, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk.
``(c) Limitation on Disclosure.--If the head of an executive agency has exercised the authority provided in subsection (a)(2) to limit disclosure of information--
  ``(1) no procurement action undertaken by the head of the agency under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court; and
  ``(2) the head of the agency shall--
    ``(A) notify appropriate parties of a covered procurement action and the basis for the action only to the extent necessary to effectuate the covered procurement action;
    ``(B) notify and follow notification protocols as directed by the Federal Acquisition Security Council; and
    ``(C) ensure the confidentiality of any such notifications.
``(d) Regulations.--The Federal Acquisition Regulatory Council shall prescribe such regulations as may be necessary to carry out this section.
``(e) Reports Required.--Not less frequently than annually, the head of each executive agency shall submit to the appropriate congressional committees a report summarizing the actions taken by the agency under this section during the preceding 12-month period.
``(f) Termination.--The authority provided under subsection (a) shall terminate on the date that is 5 years after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018.
``(g) Definitions.--In this section:
  ``(1) Appropriate congressional committees.--The term `appropriate congressional committees' means--
    ``(A) the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, the Committee on Appropriations, the Select Committee on Intelligence, and the majority and minority leader of the Senate; and
    ``(B) the Committee on Oversight and Government Reform, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, the Permanent Select Committee on Intelligence, and the Speaker and minority leader of the House of Representatives.
  ``(2) Covered procurement.--The term `covered procurement' means--
    ``(A) a source selection for information technology involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of this title, or an evaluation factor, as provided in subsection (b)(1)(A) of that section, relating to a supply chain risk;
    ``(B) the consideration of proposals for and issuance of a task or delivery order for information technology, as provided in section 4106(d)(3) of this title, where the task or delivery order contract includes a contract clause establishing a requirement relating to a supply chain risk;
    ``(C) any contract action involving a contract for information technology where the contract includes a clause establishing requirements relating to a supply chain risk; or
    ``(D) any other procurement in a category of procurements determined appropriate by the Federal Acquisition Regulatory Council, with the advice of the Federal Acquisition Security Council.
  ``(3) Covered procurement action.--The term `covered procurement action' means any of the following actions, if the action takes place in the course of conducting a covered procurement:
    ``(A) The exclusion of a source that fails to meet qualification requirements established under section 3311 of this title for the purpose of reducing supply chain risk in the acquisition of information technology.
    ``(B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.
    ``(C) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract under the contract.
  ``(4) Information technology.--The term `information technology' has the meaning given that term in section 11101 of title 40.
  ``(5) Supply chain risk.--The term `supply chain risk' means the risk that any person may sabotage, maliciously introduce unwanted function, extract data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, maintenance, disposition, or retirement of information technology so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the information technology.''.

(b) Clerical Amendment.--The table of sections at the beginning of chapter 47 of such title is amended by adding at the end the following new item:

``4713. Authorities relating to mitigating supply chain risks in the procurement of information technology.''.

(c) Effective Date.--The amendments made by this section shall take effect on the date that is 180 days after the date of the enactment of this Act and shall apply to contracts that are awarded before, on, or after that date.