§ 3252. Requirements for information relating to supply chain risk
(a) Authority.—Subject to subsection (b), the head of a covered agency may—
(1) carry out a covered procurement action; and
(2) limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information relating to the basis for carrying out a covered procurement action.
(b) Determination and Notification.—The head of a covered agency may exercise the authority provided in subsection (a) only after—
(1) obtaining a joint recommendation by the Under Secretary of Defense for Acquisition and Sustainment and the Chief Information Officer of the Department of Defense, on the basis of a risk assessment by the Under Secretary of Defense for Intelligence and Security, that there is a significant supply chain risk to a covered system;
(2) making a determination in writing, in unclassified or classified form, with the concurrence of the Under Secretary of Defense for Acquisition and Sustainment, that—
(A) use of the authority in subsection (a)(1) is necessary to protect national security by reducing supply chain risk;
(B) less intrusive measures are not reasonably available to reduce such supply chain risk; and
(C) in a case where the head of the covered agency plans to limit disclosure of information under subsection (a)(2), the risk to national security due to the disclosure of such information outweighs the risk due to not disclosing such information; and
(3) providing a classified or unclassified notice of the determination made under paragraph (2) to the appropriate congressional committees, which notice shall include—
(A) the information required by section 3204(e)(2) of this title;
(B) the joint recommendation by the Under Secretary of Defense for Acquisition and Sustainment and the Chief Information Officer of the Department of Defense as specified in paragraph (1);
(C) a summary of the risk assessment by the Under Secretary of Defense for Intelligence [1] that serves as the basis for the joint recommendation specified in paragraph (1); and
[1] See Change of Name note below.
(D) a summary of the basis for the determination, including a discussion of less intrusive measures that were considered and why they were not reasonably available to reduce supply chain risk.
(c) Delegation.—The head of a covered agency may not delegate the authority provided in subsection (a) or the responsibility to make a determination under subsection (b) to an official below the level of the service acquisition executive for the agency concerned.
(d) Limitation on Disclosure.—If the head of a covered agency has exercised the authority provided in subsection (a)(2) to limit disclosure of information—
(1) no action undertaken by the agency head under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court; and
(2) the agency head shall—
(A) notify appropriate parties of a covered procurement action and the basis for such action only to the extent necessary to effectuate the covered procurement action;
(B) notify other Department of Defense components or other Federal agencies responsible for procurements that may be subject to the same or similar supply chain risk, in a manner and to the extent consistent with the requirements of national security; and
(C) ensure the confidentiality of any such notifications.
(e) Definitions.—In this section:
(1) Head of a covered agency.—The term “head of a covered agency” means each of the following:
(A) The Secretary of Defense.
(B) The Secretary of the Army.
(C) The Secretary of the Navy.
(D) The Secretary of the Air Force.
(2) Covered procurement action.—The term “covered procurement action” means any of the following actions, if the action takes place in the course of conducting a covered procurement:
(A) The exclusion of a source that fails to meet qualification standards established in accordance with the requirements of section 3243 of this title for the purpose of reducing supply chain risk in the acquisition of covered systems.
(B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.
(C) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor for a covered system to exclude a particular source from consideration for a subcontract under the contract.
(3) Covered procurement.—The term “covered procurement” means—
(A) a source selection for a covered system or a covered item of supply involving either a performance specification, as provided in section 3206(a)(3)(B) of this title, or an evaluation factor, as provided in section 3206(b)(1) of this title, relating to supply chain risk;
(B) the consideration of proposals for and issuance of a task or delivery order for a covered system or a covered item of supply, as provided in section 3406(d)(3) of this title, where the task or delivery order contract concerned includes a contract clause establishing a requirement relating to supply chain risk; or
(C) any contract action involving a contract for a covered system or a covered item of supply where such contract includes a clause establishing requirements relating to supply chain risk.
(4) Supply chain risk.—The term “supply chain risk” means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.
(5) Covered system.—The term “covered system” means a national security system, as that term is defined in section 3552(b)(6) of title 44.
(6) Covered item of supply.—The term “covered item of supply” means an item of information technology (as that term is defined in section 11101 of title 40) that is purchased for inclusion in a covered system, and the loss of integrity of which could result in a supply chain risk for a covered system.
(7) Appropriate congressional committees.—The term “appropriate congressional committees” means—
(A) in the case of a covered system included in the National Intelligence Program or the Military Intelligence Program, the Select Committee on Intelligence of the Senate, the Permanent Select Committee on Intelligence of the House of Representatives, and the congressional defense committees; and
(B) in the case of a covered system not otherwise included in subparagraph (A), the congressional defense committees.
(Added Pub. L. 115–232, div. A, title VIII, § 881(a)(1), Aug. 13, 2018, 132 Stat. 1910, § 2339a; amended Pub. L. 116–92, div. A, title XVII, § 1731(a)(43), Dec. 20, 2019, 133 Stat. 1814; renumbered § 3252 and amended Pub. L. 116–283, div. A, title X, § 1081(a)(36), title XVIII, § 1813(g), Jan. 1, 2021, 134 Stat. 3872, 4181.)