Securing the Homeland Security Supply Chain Act of 2019
This bill authorizes the Department of Homeland Security (DHS) to restrict procurement of information technology, telecommunications equipment and services, and related products or services from a vendor that poses a risk to the DHS supply chain. A vendor poses a risk if a malicious actor may manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a vendor's covered article.
DHS must report to specified congressional committees on cybersecurity threats posed by terrorist actors and foreign state-owned entities to the information technology and communications systems of DHS.
[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3320 Introduced in House (IH)]
116th CONGRESS
1st Session
H. R. 3320
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to implement certain requirements for information
relating to supply chain risk, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 18, 2019
Mr. King of New York (for himself, Mr. Thompson of Mississippi, Miss
Rice of New York, Mr. Correa, Mr. Rogers of Alabama, Mr. Rose of New
York, and Mr. Payne) introduced the following bill; which was referred
to the Committee on Homeland Security
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to implement certain requirements for information
relating to supply chain risk, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Securing the Homeland Security
Supply Chain Act of 2019''.
SEC. 2. DEPARTMENT OF HOMELAND SECURITY REQUIREMENTS FOR INFORMATION
RELATING TO SUPPLY CHAIN RISK.
(a) In General.--Subtitle D of title VIII of the Homeland Security
Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the
following new section:
``SEC. 836. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK.
``(a) Authority.--Subject to subsection (b), the Secretary may--
``(1) carry out a covered procurement action;
``(2) limit, notwithstanding any other provision of law, in
whole or in part, the disclosure of information, including
classified information, relating to the basis for carrying out
such an action; and
``(3) exclude, in whole or in part, a source carried out in
the course of such an action applicable to a covered
procurement of the Department.
``(b) Determination and Notification.--Except as authorized by
subsection (c) to address an urgent national security interest, the
Secretary may exercise the authority provided in subsection (a) only
after--
``(1) obtaining a joint recommendation, in unclassified or
classified form, from the Chief Acquisition Officer and the
Chief Information Officer of the Department, including a review
of any risk assessment made available by an appropriate person
or entity, that there is a significant supply chain risk in a
covered procurement;
``(2) notifying any source named in the joint
recommendation described in paragraph (1) advising--
``(A) that a recommendation has been obtained;
``(B) to the extent consistent with the national
security and law enforcement interests, the basis for
such recommendation;
``(C) that, within 30 days after receipt of notice,
such source may submit information and argument in
opposition to such recommendation; and
``(D) of the procedures governing the consideration
of such submission and the possible exercise of the
authority provided in subsection (a);
``(3) notifying the relevant components of the Department
that such risk assessment has demonstrated significant supply
chain risk to a covered procurement;
``(4) making a determination in writing, in unclassified or
classified form, that after considering any information
submitted by a source under paragraph (2), and in consultation
with the Chief Information Officer of the Department, that--
``(A) use of authority under subsection (a)(1) is
necessary to protect national security by reducing
supply chain risk;
``(B) less intrusive measures are not reasonably
available to reduce such risk;
``(C) a decision to limit disclosure of information
under subsection (a)(2) is necessary to protect
national security interest; and
``(D) the use of such authorities will apply to a
single covered procurement or a class of covered
procurements, and otherwise specifies the scope of such
determination;
``(5) providing to the Committee on Homeland Security of
the House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a classified or
unclassified notice of the determination made under paragraph
(4) that includes--
``(A) the joint recommendation described in
paragraph (1);
``(B) a summary of any risk assessment reviewed in
support of such joint recommendation; and
``(C) a summary of the basis for such
determination, including a discussion of less intrusive
measures that were considered and why such measures
were not reasonably available to reduce supply chain
risk;
``(6) notifying the Director of the Office of Management
and Budget, and the heads of other Federal agencies as
appropriate, in a manner and to the extent consistent with the
requirements of national security; and
``(7) taking steps to maintain the confidentiality of any
notifications under this subsection.
``(c) Procedures To Address Urgent National Security Interests.--In
any case in which the Secretary determines that national security
interests require the immediate exercise of the authorities under
subsection (a), the Secretary--
``(1) may, to the extent necessary to address any such
national security interest, and subject to the conditions
specified in paragraph (2)--
``(A) temporarily delay the notice required by
subsection (b)(2);
``(B) make the determination required by subsection
(b)(4), regardless of whether the notice required by
subsection (b)(2) has been provided or whether the
notified source at issue has submitted any information
in response to such notice;
``(C) temporarily delay the notice required by
subsections (b)(4) and (b)(5); and
``(D) exercise the authority provided in subsection
(a) in accordance with such determination; and
``(2) shall take actions necessary to comply with all
requirements of subsection (b) as soon as practicable after
addressing the urgent national security interest that is the
subject of paragraph (1), including--
``(A) providing the notice required by subsection
(b)(2);
``(B) promptly considering any information
submitted by the source at issue in response to such
notice, and making any appropriate modifications to the
determination required by subsection (b)(4) based on
such information; and
``(C) providing the notice required by subsections
(b)(5) and (b)(6), including a description of such
urgent national security, and any modifications to such
determination made in accordance with subparagraph (B).
``(d) Annual Review of Determinations.--The Secretary shall
annually review all determinations made under subsection (b).
``(e) Delegation.--The Secretary may not delegate the authority
provided in subsection (a) or the responsibility identified in
subsection (d) to an official below the Deputy Secretary.
``(f) Limitation of Review.--Notwithstanding any other provision of
law, no action taken by the Secretary under subsection (a) may be
subject to review in a bid protest before the Government Accountability
Office or in any Federal court.
``(g) Consultation.--In developing procedures and guidelines for
the implementation of the authorities described in this section, the
Secretary shall review the procedures and guidelines utilized by the
Department of Defense to carry out similar authorities.
``(h) Definitions.--In this section:
``(1) Covered article.--The term `covered article' means:
``(A) Information technology, including cloud
computing services of all types.
``(B) Telecommunications equipment.
``(C) Telecommunications services.
``(D) The processing of information on a Federal or
non-Federal information system, subject to the
requirements of the Controlled Unclassified Information
program of the Department.
``(E) Hardware, systems, devices, software, or
services that include embedded or incidental
information technology.
``(2) Covered procurement.--The term `covered procurement'
means--
``(A) a source selection for a covered article
involving either a performance specification, as
provided in subsection (a)(3)(B) of section 3306 of
title 41, United States Code, or an evaluation factor,
as provided in subsection (c)(1)(A) of such section,
relating to supply chain risk, or with respect to which
supply chain risk considerations are included in the
Department's determination of whether a source is a
responsible source as defined in section 113 of such
title;
``(B) the consideration of proposals for and
issuance of a task or delivery order for a covered
article, as provided in section 4106(d)(3) of title 41,
United States Code, with respect to which the task or
delivery order contract includes a contract clause
establishing a requirement relating to supply chain
risk;
``(C) any contract action involving a contract for
a covered article with respect to which such contract
includes a clause establishing requirements relating to
supply chain risk; or
``(D) any procurement made via Government Purchase
Care for a covered article when supply chain risk has
been identified as a concern.
``(3) Covered procurement action.--The term `covered
procurement action' means any of the following actions, if such
action takes place in the course of conducting a covered
procurement:
``(A) The exclusion of a source that fails to meet
qualification requirements established pursuant to
section 3311 of title 41, United States Code, for the
purpose of reducing supply chain risk in the
acquisition or use of a covered article.
``(B) The exclusion of a source that fails to
achieve an acceptable rating with regard to an
evaluation factor providing for the consideration of
supply chain risk in the evaluation of proposals for
the award of a contract or the issuance of a task or
delivery order.
``(C) The determination that a source is not a
responsible source based on considerations of supply
chain risk.
``(D) The decision to withhold consent for a
contractor to subcontract with a particular source or
to direct a contractor to exclude a particular source
from consideration for a subcontract.
``(4) Information system.--The term `information system'
has the meaning given such term in section 3502 of title 44,
United States Code.
``(5) Information technology.--The term `information
technology' has the meaning given such term in section 11101 of
title 40, United States Code.
``(6) Responsible source.--The term `responsible source'
has the meaning given such term in section 113 of title 41,
United States Code.
``(7) Supply chain risk.--The term `supply chain risk'
means the risk that a malicious actor may sabotage, maliciously
introduce an unwanted function, extract or modify data, or
otherwise manipulate the design, integrity, manufacturing,
production, distribution, installation, operation, or
maintenance of a covered article so as to surveil, deny,
disrupt, or otherwise manipulate the function, use, or
operation of the information technology or information stored
or transmitted on the covered articles.
``(8) Telecommunications equipment.--The term
`telecommunications equipment' has the meaning given such term
in section 3(52) of the Communications Act of 1934 (47 U.S.C.
153(52)).
``(9) Telecommunications service.--The term
`telecommunications service' has the meaning given such term in
section 3(53) of the Communications Act of 1934 (47 U.S.C.
153(53)).
``(i) Effective Date.--The requirements of this section shall take
effect on the date that is 90 days after the date of the enactment of
this Act and shall apply to--
``(1) contracts awarded on or after such date; and
``(2) task and delivery orders issued on or after such date
pursuant to contracts awarded before, on, or after such
date.''.
(b) Rulemaking.--Section 553 of title 5, United States Code, and
section 1707 of title 41, United States Code, shall not apply to the
Secretary of Homeland Security when carrying out the authorities and
responsibilities under section 836 of the Homeland Security Act of
2002, as added by subsection (a).
(c) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 is amended by inserting after the
item relating to section 835 the following new item:
``Sec. 836. Requirements for information relating to supply chain
risk.''.
Introduced in House
Referred to the House Committee on Homeland Security.
Referred to the Subcommittee on Oversight, Management, and Accountability.
Subcommittee on Oversight, Management, and Accountability Discharged.
Committee Consideration and Mark-up Session Held.
Ordered to be Reported (Amended) by Unanimous Consent.
Reported (Amended) by the Committee on Homeland Security. H. Rept. 116-188.
Placed on the Union Calendar, Calendar No. 146.