Federal Acquisition Supply Chain Security Act of 2018
This bill establishes in the executive branch a Federal Acquisition Security Council. The Office of Management and Budget shall designate a senior-level official to serve as the chairperson of the council. The council shall perform functions that include developing: (1) criteria and processes for assessing threats and vulnerabilities relating to supply chain risk posed by the acquisition of information technology to national security and the public interest, and (2) standards and measures for supply chain risk management.
The chairperson shall report annually to Congress on the council's activities.
Any agency that makes information technology available for procurement by other agencies shall:
The Department of Homeland Security may: (1) assist agencies in conducting risk assessments and implementing mitigation requirements for information technology, and (2) provide such additional guidance or tools as necessary to support actions taken by agencies.
[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 3085 Introduced in Senate (IS)]
115th CONGRESS
2d Session
S. 3085
To establish a Federal Acquisition Security Council and to provide
executive agencies with authorities relating to mitigating supply chain
risks in the procurement of information technology, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 19, 2018
Mrs. McCaskill (for herself and Mr. Lankford) introduced the following
bill; which was read twice and referred to the Committee on Homeland
Security and Governmental Affairs
_______________________________________________________________________
A BILL
To establish a Federal Acquisition Security Council and to provide
executive agencies with authorities relating to mitigating supply chain
risks in the procurement of information technology, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Acquisition Supply Chain
Security Act of 2018''.
SEC. 2. FEDERAL ACQUISITION SECURITY COUNCIL.
(a) In General.--Chapter 13 of title 41, United States Code, is
amended by adding at the end the following new subchapter:
``Subchapter III--Federal Acquisition Security Council
``Sec. 1321. Definitions
``In this subchapter:
``(1) Appropriate congressional committees.--The term
`appropriate congressional committees' means--
``(A) the Committee on Homeland Security and
Governmental Affairs, the Committee on the Judiciary,
the Committee on Armed Services, the Committee on
Appropriations, the Select Committee on Intelligence,
and the majority and minority leader of the Senate; and
``(B) the Committee on Oversight and Government
Reform, the Committee on the Judiciary, the Committee
on Armed Services, the Committee on Appropriations, the
Committee on Homeland Security, the Permanent Select
Committee on Intelligence, and the Speaker and minority
leader of the House of Representatives.
``(2) Council.--The term `Council' means the Federal
Acquisition Security Council established under section 1322(a).
``(3) Information technology.--The term `information
technology' has the meaning given that term in section 11101 of
title 40.
``(4) Supply chain risk.--The term `supply chain risk' has
the meaning given that term in section 4713.
``Sec. 1322. Establishment and membership
``(a) Establishment.--There is established in the executive branch
a Federal Acquisition Security Council.
``(b) Membership.--
``(1) In general.--The following agencies shall be
represented on the Council:
``(A) The Office of Management and Budget.
``(B) The General Services Administration.
``(C) The Department of Homeland Security.
``(D) The Office of the Director of National
Intelligence.
``(E) The Federal Bureau of Investigation.
``(F) The Department of Defense.
``(G) The National Institute of Standards and
Technology.
``(H) Such other executive agencies as determined
by the Chairperson of the Council.
``(2) Lead representatives.--
``(A) Designation.--
``(i) In general.--The head of each agency
represented on the Council shall designate a
representative of that agency as the lead
representative of the agency on the Council not
later than 90 days after the date of the
enactment of the Federal Acquisition Supply
Chain Security Act of 2018.
``(ii) Requirements.--The representative of
an agency designated under clause (i) shall
have expertise in supply chain risk management,
acquisitions, or information technology.
``(B) Functions.--The lead representative of an
agency designated under subparagraph (A) shall ensure
that appropriate personnel, including leadership and
subject matter experts of the agency, are aware of the
business of the Council.
``(c) Chairperson.--
``(1) Designation.--The Director of the Office of
Management and Budget shall designate a senior-level official
from the Office of Management and Budget to serve as the
Chairperson of the Council not later than 90 days after the
date of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018.
``(2) Functions.--The Chairperson shall perform functions
that include--
``(A) subject to subsection (d), developing a
schedule for meetings of the Council;
``(B) designating executive agencies to be
represented on the Council under subsection (b)(1)(H);
``(C) in consultation with the lead representative
of each agency represented on the Council, developing a
charter for the Council; and
``(D) not later than 7 days after completion of the
charter, submitting the charter to the appropriate
congressional committees.
``(d) Meetings.--The Council shall meet not later than 180 days
after the date of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018 and not less frequently than quarterly thereafter.
``Sec. 1323. Functions
``(a) In General.--The Council shall perform functions that include
the following:
``(1) Developing criteria and processes--
``(A) for assessing threats and vulnerabilities
relating to supply chain risk posed by the acquisition
of information technology to national security and the
public interest; and
``(B) for sharing information among executive
agencies, including the intelligence community, and the
private sector where appropriate, with respect to
assessments of that risk.
``(2) Defining the responsibilities of executive agencies,
consistent with existing law, for management of such
assessments.
``(3) Issuing guidance to executive agencies for
incorporating information relating to supply chain risks and
other relevant information into procurement decisions for the
protection of national security and the public interest.
``(4) Developing standards and measures for supply chain
risk management, including assessments, evaluations,
mitigation, and response that take into consideration national
security and other factors relevant to the public interest.
``(5) Consulting, as appropriate, with the private sector
and other nongovernmental stakeholders on issues relating to
the management of supply chain risks posed by the acquisition
of information technology.
``(6) Determining whether the exclusion of a source made by
one executive agency should apply to all executive agencies
upon receiving a notification under section 4713 and carrying
out such other actions as are agreed upon by the Council.
``(b) Authority To Request Information.--The Council may request
such information from executive agencies as is necessary for the
Council to carry out its functions under subsection (a).
``(c) Program Office.--The Council may establish a program office
to assist the Council in carrying out its functions under subsection
(a).
``(d) Relationship to Other Councils.--The Council shall consult
and coordinate with other relevant councils to the maximum extent
practicable.
``(e) Rule of Construction.--Nothing in this section shall limit
the authority of the Office of Federal Procurement Policy to carry out
the responsibilities of that Office under any other provision of law.
``Sec. 1324. Strategic plan
``(a) In General.--Not later than 180 days after the date of the
enactment of the Federal Acquisition Supply Chain Security Act of 2018,
the Council shall develop a strategic plan for addressing supply chain
risks posed by the acquisition of information technology and for
managing such risks that includes--
``(1) the criteria and processes required under section
1323(a)(1), including a threshold and requirements for sharing
relevant information about such risks with all executive
agencies;
``(2) an identification of existing authorities for
addressing such risks;
``(3) an identification and promulgation of best practices
and procedures and available resources for executive agencies
to assess and mitigate such risks;
``(4) recommendations for any legislative, regulatory, or
other policy changes to improve efforts to address such risks;
``(5) an evaluation of the effect of implementing new
policies or procedures on existing contracts and the
procurement process;
``(6) a plan for engaging with executive agencies, the
private sector, and other nongovernmental stakeholders to
address such risks; and
``(7) plans to strengthen the capacity of all executive
agencies to conduct assessments of--
``(A) the supply chain risk posed by the
acquisition of information technology; and
``(B) compliance with the requirements of this
subchapter.
``(b) Submission to Congress.--Not later than 7 days after
completion of the strategic plan required by subsection (a), the
Chairperson of the Council shall submit the plan to the appropriate
congressional committees.
``Sec. 1325. Annual report
``Not later than December 31 of each year, the Chairperson of the
Council shall submit to the appropriate congressional committees a
report on the activities of the Council during the preceding 12-month
period.
``Sec. 1326. Requirements for executive agencies
``(a) In General.--The head of each executive agency shall--
``(1) be responsible for conducting assessments of the
supply chain risks posed by the acquisition of information
technology by that agency, developing mitigation and response
requirements, and ensuring ongoing management of such risks;
``(2) share relevant information with other executive
agencies as determined appropriate by the Administrator in a
manner consistent with section 1323; and
``(3) ensure that all relevant information, including
classified information, with respect to acquisitions of
information technology that may pose a supply chain risk,
consistent with section 1323(a)(1), is incorporated into
existing processes of the agency for conducting assessments
described in paragraph (1) and ongoing management of
acquisition programs, including any identification,
investigation, mitigation, or remediation needs.
``(b) Interagency Acquisitions.--
``(1) In general.--Except as provided in paragraph (2), in
the case of an interagency acquisition, subsection (a) shall be
carried out by the head of the executive agency the funds of
which are obligated or expended to conduct the acquisition.
``(2) Assisted acquisitions.--In an assisted acquisition,
the parties to the acquisition shall determine, as part of the
interagency agreement governing the acquisition, which agency
is responsible for carrying out subsection (a).
``(3) Definitions.--In this subsection, the terms `assisted
acquisition' and `interagency acquisition' have the meanings
given those terms in section 2.101 of title 48, Code of Federal
Regulations (or any corresponding similar regulation or
ruling).
``Sec. 1327. Termination
``This subchapter shall terminate on the date that is 5 years after
the date of the enactment of the Federal Acquisition Supply Chain
Security Act of 2018.''.
(b) Clerical Amendment.--The table of sections at the beginning of
chapter 13 of such title is amended by adding at the end the following
new items:
``Subchapter III--Federal Acquisition Security Council
``Sec.
``1321. Definitions.
``1322. Establishment and membership.
``1323. Functions.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Termination.''.
(c) Effective Date.--The amendments made by this section shall take
effect on the date that is 90 days after the date of the enactment of
this Act.
SEC. 3. RISK ASSESSMENTS FOR INFORMATION TECHNOLOGY MADE AVAILABLE TO
OTHER AGENCIES.
(a) In General.--Not later than one year after the date of the
enactment of this Act, the head of any executive agency that makes
information technology available for procurement by other executive
agencies shall--
(1) identify information technology products made available
to other agencies that pose the greatest risk to national
security or the public interest;
(2) complete a risk assessment of information technology
products identified under paragraph (1);
(3) in each case in which the head of the executive agency
identifies a significant supply chain risk posed by information
technology--
(A) make the risk assessment with respect to that
information technology available to all executive
agencies through the Federal Acquisition Security
Council established under subchapter III of chapter 13
of title 41, United States Code, as added by section 2;
and
(B) develop a plan to mitigate that risk; and
(4) develop a vetting process for conducting supply chain
risk assessments with respect to prospective providers of
information technology and make the process available to all
executive agencies.
(b) Assistance.--The Secretary of Homeland Security may--
(1) assist executive agencies in conducting risk
assessments described in subsection (a) and implementing
mitigation requirements for information technology; and
(2) provide such additional guidance or tools as are
necessary to support actions taken by executive agencies under
subsection (a).
(c) Definitions.--In this section:
(1) Executive agency.--The term ``executive agency'' has
the meaning given that term in section 133 of title 41, United
States Code.
(2) Information technology.--The term ``information
technology'' has the meaning given that term in section 11101
of title 40, United States Code.
(3) Supply chain risk.--The term ``supply chain risk'' has
the meaning given that term in section 4713 of title 41, United
States Code, as added by section 4.
SEC. 4. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO MITIGATING SUPPLY
CHAIN RISKS IN THE PROCUREMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Chapter 47 of title 41, United States Code, is
amended by adding at the end the following new section:
``Sec. 4713. Authorities relating to mitigating supply chain risks in
the procurement of information technology
``(a) Authority.--Subject to subsection (b), the head of an
executive agency may--
``(1) carry out a covered procurement action; and
``(2) limit, notwithstanding any other provision of law, in
whole or in part, the disclosure of information relating to the
basis for carrying out a covered procurement action.
``(b) Determination and Notification.--The head of an executive
agency may exercise the authority provided in subsection (a) only
after--
``(1) obtaining a joint recommendation by the senior
procurement executive and chief information officer of the
agency, or such other officials of the agency as the head of
the agency considers appropriate, that there is a significant
supply chain risk in a covered procurement;
``(2) making a determination in writing, in unclassified or
classified form, that--
``(A) use of the authority under subsection (a)(1)
is necessary to protect national security or the public
interest by reducing supply chain risk; and
``(B) in a case where the head of the agency plans
to limit disclosure of information under subsection
(a)(2), the risk to national security due to the
disclosure of such information outweighs the risk due
to not disclosing such information; and
``(3) providing a classified or unclassified notice of the
determination made under paragraph (2) not later than 30 days
after making that determination to the Federal Acquisition
Security Council that includes--
``(A) a summary of the information required for the
purchase of property or services under this title and
any other applicable law relating to procurement; and
``(B) a summary of the basis for the determination,
including a discussion of less intrusive measures that
were considered and why such measures were not
reasonably available to reduce supply chain risk.
``(c) Limitation on Disclosure.--If the head of an executive agency
has exercised the authority provided in subsection (a)(2) to limit
disclosure of information--
``(1) no procurement action undertaken by the head of the
agency under such authority shall be subject to review in a bid
protest before the Government Accountability Office or in any
Federal court; and
``(2) the head of the agency shall--
``(A) notify appropriate parties of a covered
procurement action and the basis for the action only to
the extent necessary to effectuate the covered
procurement action;
``(B) notify and follow notification protocols as
directed by the Federal Acquisition Security Council;
and
``(C) ensure the confidentiality of any such
notifications.
``(d) Regulations.--The Federal Acquisition Regulatory Council
shall prescribe such regulations as may be necessary to carry out this
section.
``(e) Reports Required.--Not less frequently than annually, the
head of each executive agency shall submit to the appropriate
congressional committees a report summarizing the actions taken by the
agency under this section during the preceding 12-month period.
``(f) Termination.--The authority provided under subsection (a)
shall terminate on the date that is 5 years after the date of the
enactment of the Federal Acquisition Supply Chain Security Act of 2018.
``(g) Definitions.--In this section:
``(1) Appropriate congressional committees.--The term
`appropriate congressional committees' means--
``(A) the Committee on Homeland Security and
Governmental Affairs, the Committee on the Judiciary,
the Committee on Appropriations, the Select Committee
on Intelligence, and the majority and minority leader
of the Senate; and
``(B) the Committee on Oversight and Government
Reform, the Committee on the Judiciary, the Committee
on Appropriations, the Committee on Homeland Security,
the Permanent Select Committee on Intelligence, and the
Speaker and minority leader of the House of
Representatives.
``(2) Covered procurement.--The term `covered procurement'
means--
``(A) a source selection for information technology
involving either a performance specification, as
provided in subsection (a)(3)(B) of section 3306 of
this title, or an evaluation factor, as provided in
subsection (b)(1)(A) of that section, relating to a
supply chain risk;
``(B) the consideration of proposals for and
issuance of a task or delivery order for information
technology, as provided in section 4106(d)(3) of this
title, where the task or delivery order contract
includes a contract clause establishing a requirement
relating to a supply chain risk;
``(C) any contract action involving a contract for
information technology where the contract includes a
clause establishing requirements relating to a supply
chain risk; or
``(D) any other procurement in a category of
procurements determined appropriate by the Federal
Acquisition Regulatory Council, with the advice of the
Federal Acquisition Security Council.
``(3) Covered procurement action.--The term `covered
procurement action' means any of the following actions, if the
action takes place in the course of conducting a covered
procurement:
``(A) The exclusion of a source that fails to meet
qualification requirements established under section
3311 of this title for the purpose of reducing supply
chain risk in the acquisition of information
technology.
``(B) The exclusion of a source that fails to
achieve an acceptable rating with regard to an
evaluation factor providing for the consideration of
supply chain risk in the evaluation of proposals for
the award of a contract or the issuance of a task or
delivery order.
``(C) The decision to withhold consent for a
contractor to subcontract with a particular source or
to direct a contractor to exclude a particular source
from consideration for a subcontract under the
contract.
``(4) Information technology.--The term `information
technology' has the meaning given that term in section 11101 of
title 40.
``(5) Supply chain risk.--The term `supply chain risk'
means the risk that any person may sabotage, maliciously
introduce unwanted function, extract data, or otherwise
manipulate the design, integrity, manufacturing, production,
distribution, installation, operation, maintenance,
disposition, or retirement of information technology so as to
surveil, deny, disrupt, or otherwise manipulate the function,
use, or operation of the information technology.''.
(b) Clerical Amendment.--The table of sections at the beginning of
chapter 47 of such title is amended by adding at the end the following
new item:
``4713. Authorities relating to mitigating supply chain risks in the
procurement of information technology.''.
(c) Effective Date.--The amendments made by this section shall take
effect on the date that is 180 days after the date of the enactment of
this Act and shall apply to contracts that are awarded before, on, or
after that date.
Introduced in Senate
Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
Committee on Homeland Security and Governmental Affairs. Hearings held. Hearings printed: S.Hrg. 115-588.
Committee on Homeland Security and Governmental Affairs. Ordered to be reported with an amendment in the nature of a substitute favorably.
Committee on Homeland Security and Governmental Affairs. Reported by Senator Johnson with an amendment in the nature of a substitute. Without written report.
Placed on Senate Legislative Calendar under General Orders. Calendar No. 666.
By Senator Johnson from Committee on Homeland Security and Governmental Affairs filed written report. Report No. 115-408.
Measure laid before Senate by unanimous consent. (consideration: CR S7809-7817; text of measure as reported in Senate: CR S7809-7813)
The committee substitute withdrawn by Unanimous Consent.
Passed/agreed to in Senate: Passed Senate with an amendment by Unanimous Consent.
Passed Senate with an amendment by Unanimous Consent.
Message on Senate action sent to the House.
Received in the House.
Held at the desk.