Union Calendar No. 146
116th CONGRESS 1st Session |
[Report No. 116–188]
To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes.
June 18, 2019
Mr. King of New York (for himself, Mr. Thompson of Mississippi, Miss Rice of New York, Mr. Correa, Mr. Rogers of Alabama, Mr. Rose of New York, and Mr. Payne) introduced the following bill; which was referred to the Committee on Homeland Security
August 27, 2019
Additional sponsors: Mr. McCaul and Mr. Hagedorn
August 27, 2019
Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed in italic]
[For text of introduced bill, see copy of bill as introduced on June 18, 2019]
To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
This Act may be cited as the “Securing the Homeland Security Supply Chain Act of 2019”.
SEC. 2. Department of Homeland Security requirements for information relating to supply chain risk.
(a) In general.—Subtitle D of title VIII of the Homeland Security Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the following new section:
“SEC. 836. Requirements for information relating to supply chain risk.
“(a) Authority.—Subject to subsection (b), the Secretary may—
“(b) Determination and notification.—Except as authorized by subsection (c) to address an urgent national security interest, the Secretary may exercise the authority provided in subsection (a) only after—
“(1) obtaining a joint recommendation, in unclassified or classified form, from the Chief Acquisition Officer and the Chief Information Officer of the Department, including a review of any risk assessment made available by an appropriate person or entity, including the national risk management center at the Cybersecurity and Infrastructure Security Agency, that there is a significant supply chain risk in a covered procurement;
“(2) notifying any source named in the joint recommendation described in paragraph (1) advising—
“(B) to the extent consistent with the national security and law enforcement interests, the basis for such recommendation;
“(3) notifying the relevant components of the Department that such risk assessment has demonstrated significant supply chain risk to a covered procurement;
“(4) making a determination in writing, in unclassified or classified form, that after considering any information submitted by a source under paragraph (2), and in consultation with the Chief Information Officer of the Department, that—
“(A) use of authority under subsection (a)(1) is necessary to protect national security by reducing supply chain risk;
“(5) providing to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a classified or unclassified notice of the determination made under paragraph (4) that includes—
“(c) Procedures To address urgent national security interests.—In any case in which the Secretary determines that national security interests require the immediate exercise of the authorities under subsection (a), the Secretary—
“(1) may, to the extent necessary to address any such national security interest, and subject to the conditions specified in paragraph (2)—
“(2) shall take actions necessary to comply with all requirements of subsection (b) as soon as practicable after addressing the urgent national security interest that is the subject of paragraph (1), including—
“(d) Annual review of determinations.—The Secretary shall annually review all determinations made under subsection (b).
“(e) Delegation.—The Secretary may not delegate the authority provided in subsection (a) or the responsibility identified in subsection (d) to an official below the Deputy Secretary.
“(f) Limitation of review.—Notwithstanding any other provision of law, no action taken by the Secretary under subsection (a) may be subject to review in a bid protest before the Government Accountability Office or in any Federal court.
“(g) Consultation.—In developing procedures and guidelines for the implementation of the authorities described in this section, the Secretary shall review the procedures and guidelines utilized by the Department of Defense to carry out similar authorities.
“(h) Definitions.—In this section:
“(1) COVERED ARTICLE.—The term ‘covered article’ means:
“(2) COVERED PROCUREMENT.—The term ‘covered procurement’ means—
“(A) a source selection for a covered article involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of title 41, United States Code, or an evaluation factor, as provided in subsection (c)(1)(A) of such section, relating to supply chain risk, or with respect to which supply chain risk considerations are included in the Department’s determination of whether a source is a responsible source as defined in section 113 of such title;
“(B) the consideration of proposals for and issuance of a task or delivery order for a covered article, as provided in section 4106(d)(3) of title 41, United States Code, with respect to which the task or delivery order contract includes a contract clause establishing a requirement relating to supply chain risk;
“(3) COVERED PROCUREMENT ACTION.—The term ‘covered procurement action’ means any of the following actions, if such action takes place in the course of conducting a covered procurement:
“(A) The exclusion of a source that fails to meet qualification requirements established pursuant to section 3311 of title 41, United States Code, for the purpose of reducing supply chain risk in the acquisition or use of a covered article.
“(B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.
“(4) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given such term in section 3502 of title 44, United States Code.
“(5) INFORMATION TECHNOLOGY.—The term ‘information technology’ has the meaning given such term in section 11101 of title 40, United States Code.
“(6) RESPONSIBLE SOURCE.—The term ‘responsible source’ has the meaning given such term in section 113 of title 41, United States Code.
“(7) SUPPLY CHAIN RISK.—The term ‘supply chain risk’ means the risk that a malicious actor may sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the information technology or information stored or transmitted on the covered articles.
“(8) TELECOMMUNICATIONS EQUIPMENT.—The term ‘telecommunications equipment’ has the meaning given such term in section 3(52) of the Communications Act of 1934 (47 U.S.C. 153(52)).
“(9) TELECOMMUNICATIONS SERVICE.—The term ‘telecommunications service’ has the meaning given such term in section 3(53) of the Communications Act of 1934 (47 U.S.C. 153(53)).
(b) Rulemaking.—Section 553 of title 5, United States Code, and section 1707 of title 41, United States Code, shall not apply to the Secretary of Homeland Security when carrying out the authorities and responsibilities under section 836 of the Homeland Security Act of 2002, as added by subsection (a).
SEC. 3. Report on threats posed by foreign state-owned entities to DHS information technology and communications systems.
Not later than 180 days after the date of the enactment of this Act, the Under Secretary for Management of the Department of Homeland Security, in coordination with the national risk management center of the Cybersecurity and Infrastructure Security Agency of the Department, shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on cybersecurity threats posed by terrorist actors and foreign state-owned entities to the information technology and communications systems of Department of Homeland Security, including information relating to the following:
Union Calendar No. 146 | |||||
| |||||
[Report No. 116–188] | |||||
A BILL | |||||
To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes. | |||||
August 27, 2019 | |||||
Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed |