Authorities relating to mitigating supply chain risks in the procurement of covered articles
Determination and Notification.—
Except as authorized by subsection (c) to address an urgent national security interest, the head of an executive agency may exercise the authority provided in subsection (a) only after—
(1) obtaining a joint recommendation, in unclassified or classified form, from the chief acquisition officer and the chief information officer of the agency, or officials performing similar functions in the case of executive agencies that do not have such officials, which includes a review of any risk assessment made available by the executive agency identified under section 1323(a)(3) of this title, that there is a significant supply chain risk in a covered procurement;
providing notice of the joint recommendation described in paragraph (1) to any source named in the joint recommendation advising—
(A) that a recommendation is being considered or has been obtained;
(B) to the extent consistent with the national security and law enforcement interests, of information that forms the basis for the recommendation;
(C) that, within 30 days after receipt of the notice, the source may submit information and argument in opposition to the recommendation; and
(D) of the procedures governing the consideration of the submission and the possible exercise of the authority provided in subsection (a);
making a determination in writing, in unclassified or classified form, after considering any information submitted by a source under paragraph (2) and in consultation with the chief information security officer of the agency, that—
(A) use of the authority under subsection (a) is necessary to protect national security by reducing supply chain risk;
(B) less intrusive measures are not reasonably available to reduce such supply chain risk; and
(C) the use of such authorities will apply to a single covered procurement or a class of covered procurements, and otherwise specifies the scope of the determination; and
providing a classified or unclassified notice of the determination made under paragraph (3) to the appropriate congressional committees and leadership that includes—
(A) the joint recommendation described in paragraph (1);
(B) a summary of any risk assessment reviewed in support of the joint recommendation required by paragraph (1); and
(C) a summary of the basis for the determination, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk.
Procedures To Address Urgent National Security Interests.—
In any case in which the head of an executive agency determines that an urgent national security interest requires the immediate exercise of the authority provided in subsection (a), the head of the agency—
may, to the extent necessary to address such national security interest, and subject to the conditions in paragraph (2)—
(A) temporarily delay the notice required by subsection (b)(2);
(B) make the determination required by subsection (b)(3), regardless of whether the notice required by subsection (b)(2) has been provided or whether the notified source has submitted any information in response to such notice;
(C) temporarily delay the notice required by subsection (b)(4); and
(D) exercise the authority provided in subsection (a) in accordance with such determination within 60 calendar days after the day the determination is made; and
shall take actions necessary to comply with all requirements of subsection (b) as soon as practicable after addressing the urgent national security interest, including—
(A) providing the notice required by subsection (b)(2);
(B) promptly considering any information submitted by the source in response to such notice, and making any appropriate modifications to the determination based on such information;
(C) providing the notice required by subsection (b)(4), including a description of the urgent national security interest, and any modifications to the determination made in accordance with subparagraph (B); and
(D) providing notice to the appropriate congressional committees and leadership within 7 calendar days of the covered procurement actions taken under this section.
In this section:
Appropriate congressional committees and leadership.—
The term “appropriate congressional committees and leadership” means—
(A) the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Armed Services, the Committee on Commerce, Science, and Transportation, the Select Committee on Intelligence, and the majority and minority leader of the Senate; and
(B) the Committee on Oversight and Government Reform, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, the Committee on Armed Services, the Committee on Energy and Commerce, the Permanent Select Committee on Intelligence, and the Speaker and minority leader of the House of Representatives.
The term “covered article” means—
(A) information technology, as defined in section 11101 of title 40, including cloud computing services of all types;
(B) telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153);
(C) the processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program; or
(D) hardware, systems, devices, software, or services that include embedded or incidental information technology.
The term “covered procurement” means—
(A) a source selection for a covered article involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of this title, or an evaluation factor, as provided in subsection (b)(1)(A) of such section, relating to a supply chain risk, or where supply chain risk considerations are included in the agency’s determination of whether a source is a responsible source as defined in section 113 of this title;
(B) the consideration of proposals for and issuance of a task or delivery order for a covered article, as provided in section 4106(d)(3) of this title, where the task or delivery order contract includes a contract clause establishing a requirement relating to a supply chain risk;
(C) any contract action involving a contract for a covered article where the contract includes a clause establishing requirements relating to a supply chain risk; or
(D) any other procurement in a category of procurements determined appropriate by the Federal Acquisition Regulatory Council, with the advice of the Federal Acquisition Security Council.
Covered procurement action.—
The term “covered procurement action” means any of the following actions, if the action takes place in the course of conducting a covered procurement:
(A) The exclusion of a source that fails to meet qualification requirements established under section 3311 of this title for the purpose of reducing supply chain risk in the acquisition or use of covered articles.
(B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.
(C) The determination that a source is not a responsible source as defined in section 113 of this title based on considerations of supply chain risk.
(D) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract under the contract.
Information and communications technology.—
The term “information and communications technology” means—
(A) information technology, as defined in section 11101 of title 40;
(B) information systems, as defined in section 3502 of title 44; and
(C) telecommunications equipment and telecommunications services, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153). (6)
Supply chain risk.—The term “supply chain risk” means the risk that any person may sabotage, maliciously introduce unwanted function, extract data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, maintenance, disposition, or retirement of covered articles so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the covered articles or information stored or transmitted on the covered articles.
Executive agency.—Notwithstanding section 3101(c)(1), this section applies to the Department of Defense, the Coast Guard, and the National Aeronautics and Space Administration.
(Added Pub. L. 115–390, title II, § 203(a), Dec. 21, 2018, 132 Stat. 5189.)