This Act may be cited as the “Federal Acquisition Security Council Improvement Act of 2024”.

(a) Definition of source of concern, covered source of concern, recommended order, and designated order.—Section 1321 of title 41, United States Code, is amended—

(1) by redesignating paragraphs (5) through (8) as paragraphs (7) through (10);

(2) by inserting after paragraph (4) the following:

“(5) COVERED SOURCE OF CONCERN.—The term ‘covered source of concern’ means a source of concern that is specifically designated as a ‘covered source of concern’ by a statute that states that such designation is for the purposes of this subchapter.

“(6) DESIGNATED ORDER.—The term ‘designated order’ means an order described under section 1323(c)(3).”; and

(3) by adding at the end the following:

“(11) RECOMMENDED ORDER.—The term ‘recommended order’ means an order recommended under section 1323(c)(2).

“(12) SOURCE OF CONCERN.—

“(A) IN GENERAL.—The term ‘source of concern’ means a source—

“(i) subject to the jurisdiction, direction, or control of the government of a foreign adversary, or operates on behalf of the government of a foreign adversary; or

“(ii) that poses a risk to the national security of the United States based on collaboration with, whole or partial ownership or control by, or being affiliated with a military, internal security force, or intelligence agency of a foreign adversary.

“(B) FOREIGN ADVERSARY DEFINED.—In this paragraph, the term ‘foreign adversary’ has the meaning given the term ‘covered nation’ in section 4872(d) of title 10.”.

(b) Establishment and members of council.—Section 1322 of title 41, United States Code, is amended—

(1) in subsection (a), by striking “executive branch” and inserting “Executive Office of the President”;

(2) in subsection (b)—

(A) by amending paragraph (1) to read as follows:

“(1) IN GENERAL.—The members of the Council shall be as follows:

“(A) The Administrator for Federal Procurement Policy.

“(B) The Deputy Director for Management of the Office of Management and Budget.

“(C) The following officials, each of whom shall occupy a position at the level of Assistant Secretary or Deputy Assistant Secretary (or equivalent):

“(i) Two officials from the Office of the Director of National Intelligence, one of which shall be from the National Counterintelligence and Security Center.

“(ii) Two officials from the Department of Defense, one of which shall be one from the National Security Agency.

“(iii) Two officials from the Department of Homeland Security, one of which shall be one from the Cybersecurity and Infrastructure Security Agency.

“(iv) An official from the General Services Administration.

“(v) An official from the Office of the National Cyber Director.

“(vi) Two officials from the Department of Justice, one of which shall be one from the Federal Bureau of Investigation.

“(vii) Two officials from the Department of Commerce, one of which shall be from the National Institute of Standards and Technology and one of which shall be from the Bureau of Industry and Security.

“(viii) An official from any executive agency not listed under clauses (i) through (vii) whose temporary or permanent participation is determined by the Chairperson of the Council to be necessary to carry out the functions of the Council while maintaining the intended balance in subject matter expertise.”; and

(B) in paragraph (2)—

(i) in the heading, by striking “Lead representatives” and inserting “Members”;

(ii) by amending subparagraph (A)(i) to read as follows:

“(i) IN GENERAL.—The head of each executive agency listed under paragraph (1)(C) shall designate the official or officials from that agency who shall serve on the Council in accordance with such paragraph.”;

(iii) by amending subparagraph (A)(ii) to read as follows:

“(ii) REQUIREMENTS.—To the extent feasible, any official designated under clause (i) shall have expertise in supply chain risk management, acquisitions, law, or information and communications technology.”;

(iv) by amending subparagraph (B) to read as follows:

“(B) FUNCTIONS.—A member of the Council shall—

“(i) regularly participate in the activities of the Council;

“(ii) ensure that any information requested by the Council from the agency represented by the member is provided to the Council; and

“(iii) ensure that the head of the agency represented by the member and other appropriate personnel of the agency are aware of the activities of the Council.”;

(3) in subsection (c)—

(A) by amending paragraph (1) to read as follows:

“(1) IN GENERAL.—The Chairperson of the Council shall be—

“(A) the National Cyber Director; or

“(B) another member of the Council designated by the National Cyber Director.”; and

(B) in paragraph (2)—

(i) in subparagraph (B), by striking “(b)(1)(H)” and inserting “(b)(1)(C)(viii)”; and

(ii) in subparagraph (C), by striking “lead representative of each agency represented on the Council” and inserting “members of the Council”; and

(4) in subsection (d)—

(A) by striking “The Council” and inserting the following:

“(1) COUNCIL MEETINGS.—The Council”; and

(B) by adding at the end the following:

“(2) OTHER MEETINGS.—The Chairperson of the Council shall meet, not less frequently than semiannually, with—

“(A) the Secretary of Homeland Security, Secretary of Defense, and Director of National Intelligence; or

“(B) in the case that any of the officials under subparagraph (A) delegated authority to an official under section 1323(c)(6)(C), with the delegated official.”.

(c) Functions and authorities.—Section 1323 of title 41, United States Code is amended—

(1) in subsection (a)—

(A) by striking “supply chain” each place it appears and inserting “acquisition security and supply chain”;

(B) in paragraph (1), as amended by subparagraph (A), by striking “, particularly” and inserting “that arise”;

(C) in paragraph (2), as amended by subparagraph (A), by inserting “associated with the acquisition and use of covered articles” after “risk”;

(D) in paragraph (6), as amended by subparagraph (A)—

(i) by striking “posed by” and inserting “associated with”; and

(ii) by inserting “and use” before “of covered articles”;

(E) in paragraph (7), by striking “posed by acquisitions” and inserting “associated with the acquisition”;

(F) by redesignating paragraph (7) as paragraph (12); and

(G) by inserting after paragraph (6) the following:

“(7) Implementing a prioritization scheme for evaluating the security risks associated with the acquisition and use of covered articles provided or produced by a covered source of concern.

“(8) Evaluating each covered source of concern to determine whether to issue a designated order with respect to the covered source of concern or a covered article produced or provided by the covered source of concern.

“(9) Evaluating sources of concern to determine whether to issue a recommended order with respect to the source of concern, or any covered article produced or provided by the source of concern.

“(10) Monitoring and evaluating compliance by the Secretary of Homeland Security, Secretary of Defense, and Director of National Intelligence with the requirement to issue designated orders under subsection (c)(6)(B).

“(11) Reporting to Congress annually on the security risks associated with the acquisition and use of covered articles produced or provided by sources of concern.”;

(2) in subsection (b)—

(A) by striking “The Council” and inserting the following:

“(1) IN GENERAL.—The Council”; and

(B) in paragraph (1), as so redesignated, by striking “a program office and”; and

(C) by adding at the end the following:

“(2) FEDERAL ACQUISITION SECURITY COUNCIL PROGRAM OFFICE.—

“(A) ESTABLISHMENT.—The Council shall establish a Federal Acquisition Security Council Program Office (referred to in this paragraph as the ‘Program Office’) within the Office of the National Cyber Director to carry out the functions of the Council duties described under subparagraph (B).

“(B) DUTIES.—The Program Office shall provide to the Council, including any committees, working groups, or other constituent bodies established by the Council under paragraph (1)—

“(i) administrative, legal, and policy support; and

“(ii) analysis and subject matter expertise on information communications technology, acquisition security, and supply chain risk.

“(C) STRUCTURE.—The head of the Program Office shall be a senior official from the Office of the National Cyber Director that occupies a position at the level of Assistant Secretary or Deputy Assistant Secretary (or equivalent).

“(D) PROHIBITION.—The Program Office may not provide administrative support to the Council for any activities of the Council carried out pursuant to a provision of law other than a provision of law under this subchapter.

“(E) FUNDING AND RESOURCES.—The Program Office may use the staff and resources of the Office of the National Cyber Director or maintain dedicated staff and resources, as appropriate, in the performance of the duties of the Office.

“(F) SHARED STAFFING AUTHORITY.—

“(i) IN GENERAL.—The Program Office may accept officers or employees of the United States or members of the Armed Forces on a detail from an element of the intelligence community (as such term is defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)) or from another element of the Federal Government on a nonreimbursable basis, as jointly agreed to by the heads of the receiving and detailing elements, for a period not to exceed three years.

“(ii) RULE OF CONSTRUCTION.—Nothing in this subparagraph may be construed as imposing any limitation on any other authority for reimbursable or nonreimbursable details.

“(iii) NONREIMBURSABLE DETAIL.—A nonreimbursable detail made under this subparagraph shall not be considered an augmentation of the appropriations of the receiving element of the Program Office or the Office of the National Cyber Director.

“(G) SUNSET.—The Program Office shall terminate on the date described under section 1328.”;

(3) in subsection (c)—

(A) in paragraph (1)—

(i) in the matter preceding subparagraph (A), by striking “supply chain risk” and inserting “acquisition security and supply chain risk associated with the acquisition of covered articles”;

(ii) in subparagraph (A), by inserting “recommended” before “exclusion orders”;

(iii) in subparagraph (B), by inserting “recommended” before “removal orders”;

(iv) in subparagraph (C), by striking “; and” and inserting a semicolon;

(v) in subparagraph (D), by striking the period at the end and inserting “; and”; and

(vi) by adding at the end the following:

“(E) issuing designated orders.”;

(B) in paragraph (2)—

(i) in the heading, by striking “Recommendations” and inserting “Recommended Orders”;

(ii) by striking “use” and inserting “, using”;

(iii) by striking “subsection (a)(3)” and inserting “subsection (a)(4)”;

(iv) by striking “to issue recommendations” and inserting “, recommend orders”;

(v) by striking “Such recommendations” and inserting “Any such order recommended”;

(vi) by inserting “to the officials described under clause (iii) of paragraph (6)(A) for issuance under such paragraph” after “thereof,”;

(vii) in subparagraph (D), by striking “supply chain risk” and inserting “acquisition security and supply chain risk associated with the acquisition of covered articles”; and

(viii) in subparagraph (E), by striking “exclusion or removal”;

(C) by redesignating paragraphs (3) through (7) as paragraphs (4) through (8);

(D) by inserting after paragraph (2) the following:

“(3) DESIGNATED ORDERS.—

“(A) EXCLUSION OR REMOVAL OF COVERED SOURCES OF CONCERN.—

“(i) IN GENERAL.—Not later than 270 days after a source of concern is designated as a covered source of concern, the Council—

“(I) shall provide to the officials described under clause (iii) of paragraph (6)(B) for issuance under such paragraph orders requiring—

“(aa) the exclusion of the covered source of concern from any executive agency procurement action, including source selection and consent for a contractor; or

“(bb) the removal of covered articles produced or provided by the covered source of concern from the information system of executive agencies; or

“(II) report to Congress why the Council has determined to not issue an order described under subclause (I) with respect to the covered source of concern or covered articles produced or provided by the covered source of concern.

“(ii) CONTENTS OF ORDER.—Any order provided under clause (i) shall include—

“(I) information regarding the scope and applicability of the order, including any information necessary to positively identify the covered source of concern or covered articles produced or provided by the covered source of concern required to be excluded or removed under the order;

“(II) a summary of any risk assessment reviewed or conducted in support of the order;

“(III) a summary of the basis for the order, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce security risk;

“(IV) a description of the actions necessary to implement the order; and

“(V) where practicable, in the Council’s sole and unreviewable discretion, a description of mitigation steps that could be taken by the covered source of concern that may result in the Council rescinding the order.

“(B) EXCLUSION OR REMOVAL OF SECOND ORDER SOURCES OR COVERED ARTICLES.—

“(i) ISSUANCE.—In the case that the Council provides an order under subparagraph (A), the Council may also provide an order to the officials described under paragraph (6)(A)(iii) requiring the exclusion of sources or covered articles from executive agency procurement actions or removal of covered articles from executive agency information systems if—

“(I) such covered articles or such sources use a covered source of concern in the performance of a contract with the executive agency; or

“(II) such sources enter into a contract, the performance of which such source knows or has reason to believe will require, in the performance of a contract with the executive agency, the use of a covered source of concern or the use of a covered article produced or provided by a covered source of concern.

“(ii) EFFECTIVE DATE CONSIDERATIONS.—Any effective date prescribed by the Council for an order issued pursuant to clause (i) shall take into account—

“(I) the risk posed by the covered source of concern or the covered article produced or provided by the covered source of concern to the national security of the United States;

“(II) the likelihood of the covered source of concern or the covered article produced or provided by the covered source of concern causing imminent threat to public health and safety;

“(III) the availability of an alternative source or covered article produced or provided by an alternative source; and

“(IV) an assessment of the potential direct or quantifiable costs that may be incurred by the Federal Government, a State, local, or Tribal government, or by the private sector, as a result of compliance by the head of an executive agency with such an exclusion or removal order.”;

(E) in paragraph (4), as so redesignated—

(i) in the heading, by striking “of recommendation and review” and inserting “and review of recommended and designated orders”;

(ii) by striking “ the recommendation” each place the term appears, and inserting “ the order”;

(iii) in the matter preceding subparagraph (A), by striking “A notice of the Council’s recommendation under paragraph (2)” and inserting “Before the Council recommends an order under paragraph (2) or issues an order under paragraph (3), a notice”;

(iv) in subparagraph (A), by striking “a recommendation has been made” and inserting “the order will be recommended or issued”;

(v) in subparagraph (D), by striking “paragraph (5)” and inserting “paragraph (6)”; and

(vi) by inserting a new subparagraph to read as follows:

“(F) Until an order is issued pursuant to paragraph (6), information collected under this paragraph shall be exempt from public disclosure and shall be exempt from disclosure under section 552(b)(3)(B) of title 5, United States Code (commonly referred to as the ‘Freedom of Information Act’).”;

(F) in paragraph (5), as so redesignated—

(i) by striking “paragraph (3)” and inserting “paragraph (4)”;

(ii) in subparagraph (A), by striking “paragraph (5)” and inserting “paragraph (6)”; and

(iii) in subparagraph (B), by striking “paragraph (6)” and inserting “paragraph (7)”;

(G) in paragraph (6), as so redesignated—

(i) by amending subparagraph (A) to read as follows:

“(A) ISSUANCE OF RECOMMENDED ORDERS.—

“(i) MODIFICATIONS TO ORDER.—After considering any response properly submitted by a source under paragraph (4) related to an order to be recommended under paragraph (2), the Council shall—

“(I) make such modifications to the order as the Council considers appropriate; and

“(II) provide the order (together with any information submitted by a source under paragraph (4) related to such order) to the officials described under clause (iii).

“(ii) ORDER.—Not later than 90 days after receiving a recommended order, the officials described under clause (iii) shall—

“(I) issue the order to the heads of the applicable agencies; or

“(II) submit a notification to the Council that the order will not be issued, that includes in the notification to the Council, all the reasons for why the order will not be issued.

“(iii) OFFICIALS.—The officials described in this clause are as follows:

“(I) The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by subclause (II) or (III).

“(II) The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems.

“(III) The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by subclause (II).”;

(ii) by redesignating subparagraphs (B) through (E) as subparagraphs (C) through (F), respectively;

(iii) by inserting after subparagraph (A) the following:

“(B) ISSUANCE OF DESIGNATED ORDER.—

“(i) MODIFICATIONS.—After considering any response properly submitted by a source under paragraph (4) related to a designated order, the Council shall—

“(I) (aa) make any such modifications to the order as the Council considers appropriate; or

“(bb) if the Council determines that the issuance of a designated order is not warranted, rescind the designated order and notify the source of the rescission; and

“(II) except in the case that the Council rescinds the designated order under subclause (I)(bb), provide the designated order (including any modifications made to such order by the Council) to the officials described in clause (iii).

“(ii) ISSUANCE.—The officials described in clause (iii) shall, not later than 90 days after receiving a designated order, issue the order to the heads of the applicable agencies.

“(iii) OFFICIALS.—The officials described in this clause are as follows:

“(I) The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by subclause (II) or (III).

“(II) The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems.

“(III) The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by subclause (II).

“(iv) WAIVER.—An official described under clause (iii) may waive for a period of not more than 365 days the application of an order issued by such official under clause (ii) with respect to a covered source of concern or a covered article produced or provided by a covered source of concern if the official submits, not later than 30 days after making such waiver, a written notification to the Council, appropriate congressional committees, and leadership that contains the justification for such waiver.

“(v) RENEWAL OF WAIVER.—An official described under clause (iii) may renew a waiver under clause (iv) for an additional period of not more than 180 days if—

“(I) the renewal of the waiver is in the national security interests of the United States; and

“(II) the official submits, not later than 30 days after renewing such waiver, a written notification to the Council, appropriate congressional committees, and leadership that includes the justification for renewing the wavier.

“(vi) NATIONAL SECURITY WAIVER.—An official described under clause (iii) may waive the application of an order issued by such official under clause (ii) with respect to a covered source of concern or a covered article produced or provided by a covered source of concern for any activity subject to the reporting requirements under title V of the National Security Act of 1947 (50 U.S.C. 3091 et seq.) or any authorized intelligence activities of the United States.

“(vii) RESCISSION OF ORDER.—An exclusion or removal order issued under this subparagraph by an official may be rescinded only by the Council.”.

(iv) in subparagraph (C), as so redesignated—

(I) by striking “subparagraph (A)” and inserting “subparagraph (A)(iii) or (B)(iii)”;

(II) by striking “this subparagraph” and inserting “subparagraph (A)(iii) or (B)(iii)”; and

(III) by striking “, except” and all that follows before the period at the end;

(v) in subparagraph (D), as so redesignated—

(I) by striking “this paragraph” and inserting “subparagraph (A)(iii) or (B)(iii)”; and

(II) by striking “help”;

(vi) in subparagraph (E), as so redesignated, by striking “this paragraph” and inserting “subparagraph (A)”; and

(vii) by adding after subparagraph (F), as so redesignated, the following:

“(G) EFFECTIVE DATE OF ORDERS.—The effective date of an order issued under this paragraph may not be more than 365 days after the order is issued.”;

(H) in paragraph (7), as so redesignated, by striking “paragraph (5)(A)” and inserting “subparagraph (A) or (B) of paragraph (6)”; and

(I) in paragraph (8), as so redesignated, by striking “paragraph (5)” and inserting “paragraph (6)”;

(4) in subsection (e), by inserting “the Chief Data Officers Council,” before “the Chief Acquisition”; and

(5) in subsection (f)(2), by striking the period at the end and inserting “unless such source is specifically designated by statute as a covered source of concern for the purposes of this subchapter.”.

(d) Strategic plan.—Section 1324(a) of title 41, United States Code, is amended—

(1) by inserting “, and periodically thereafter” after “2018”;

(2) in the matter preceding paragraph (1), by inserting “acquisition security and” before “supply chain risks”;

(3) in paragraph (8), by inserting “acquisition security and” before “supply chain risks”; and

(4) in paragraph (9)(A), by inserting “acquisition security and” before “supply chain risk”.

(e) Requirements for executive agencies.—Section 1326 of title 41, United States Code, is amended—

(1) in subsection (a)—

(A) in paragraph (1), by striking “; and” and inserting a semicolon;

(B) in paragraph (2), by striking the period at the end and inserting “; and”; and

(C) by adding at the end the following:

“(3) providing any information requested by the Chairperson of the Council for the purpose of carrying out activities of this subchapter, subject to applicable law or policy on the control and handling of classified, sensitive, or proprietary information.””;

(2) by striking “supply chain” each place such term appears and inserting “security and supply chain”; and

(3) in subsection (b)(6), by striking “supply chain” and inserting “security or supply chain”.

(f) Judicial procedure.—Section 1327(b) of title 41, United States Code, is amended—

(1) in paragraph (1), by striking “section 1323(c)(6)” and inserting “section 1323(c)(7)”;

(2) in paragraph (3), by striking “section 1323(c)(5)” and inserting “sections 1323(c)(6)”; and

(3) in paragraph (4), by amending subparagraph (B)(i) to read as follows:

“(i) FILING OF RECORD.—The United States shall file with the court an administrative record, which shall consist of—

“(I) the information the Council relied upon in issuing a designated order under 1323(c)(6); and

“(II) the information that the appropriate official relied upon in issuing an exclusion or removal order under section 1323(c)(6) or a covered procurement action under section 4713.”.

(g) Additional provisions.—Subchapter III of chapter 13 of title 41, United States Code, is amended by adding at the end the following:

(h) Technical and conforming changes.—Subchapter III of chapter 13 of title 41, United States Code, is amended—

(1) in the table of sections for the subchapter by adding after the item related to section 1328 the following:

“1329. Additional provisions.”;

(2) in section 1321(1)(B), by striking “Government Reform” and inserting “Accountability”; and

(3) by striking “of this title” each place the term appears.

Section 5949(l) of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (Public Law 117–263) is amended—