H.R. 6430 - Securing the Homeland Security Supply Chain Act of 2018

Introduced: 2018-09-05
Bill Status: Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
 

Securing the Homeland Security Supply Chain Act of 2018

This bill amends the Homeland Security Act of 2002 to authorize the Department of Homeland Security (DHS) to restrict procurement of information technology, telecommunications equipment and services, and related products or services (covered articles), if it determines that a vendor of such products and services poses a risk to the DHS supply chain. After determining that such a risk exists, DHS may limit the disclosure of information relating to the basis for restricting a procurement and may exclude a vendor from the procurement process. The bill requires DHS to make certain security-related determinations and provide notifications before it can exercise the authority to restrict procurement of any covered article.

The bill defines "supply chain risk" as the risk that a malicious actor may sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article.

Full Text


115th CONGRESS
2d Session
H. R. 6430


IN THE SENATE OF THE UNITED STATES

September 5, 2018

    Received; read twice and referred to the Committee on Homeland Security and Governmental Affairs


AN ACT

    To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Securing the Homeland Security Supply Chain Act of 2018”.

SEC. 2. Department of Homeland Security requirements for information relating to supply chain risk.

(a) In general.—Subtitle D of title VIII of the Homeland Security Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the following new section:

“SEC. 836. Requirements for information relating to supply chain risk.

“(a) Authority.—Subject to subsection (b), the Secretary may—

“(1) carry out a covered procurement action;

“(2) limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information, including classified information, relating to the basis for carrying out such an action; and

“(3) exclude, in whole or in part, a source carried out in the course of such an action applicable to a covered procurement of the Department.

“(b) Determination and notification.—Except as authorized by subsection (c) to address an urgent national security interest, the Secretary may exercise the authority provided in subsection (a) only after—

“(1) obtaining a joint recommendation, in unclassified or classified form, from the Chief Acquisition Officer and the Chief Information Officer of Department, including a review of any risk assessment made available by an appropriate person or entity, that there is a significant supply chain risk in a covered procurement;

“(2) notifying any source named in the joint recommendation described in paragraph (1) advising—

“(A) that a recommendation has been obtained;

“(B) to the extent consistent with the national security and law enforcement interests, the basis for such recommendation;

“(C) that, within 30 days after receipt of notice, such source may submit information and argument in opposition to such recommendation; and

“(D) of the procedures governing the consideration of such submission and the possible exercise of the authority provided in subsection (a);

“(3) notifying the relevant components of the Department that such risk assessment has demonstrated significant supply chain risk to a covered procurement; and

“(4) making a determination in writing, in unclassified or classified form, that after considering any information submitted by a source under paragraph (2), and in consultation with the Chief Information Officer of the Department, that—

“(A) use of authority under subsection (a)(1) is necessary to protect national security by reducing supply chain risk;

“(B) less intrusive measures are not reasonably available to reduce such risk;

“(C) a decision to limit disclosure of information under subsection (a)(2) is necessary to protect national security interest; and

“(D) the use of such authorities will apply to a single covered procurement or a class of covered procurements, and otherwise specifies the scope of such determination;

“(5) providing to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a classified or unclassified notice of the determination made under paragraph (4) that includes—

“(A) the joint recommendation described in paragraph (1);

“(B) a summary of any risk assessment reviewed in support of such joint recommendation; and

“(C) a summary of the basis for such determination, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk;

“(6) notifying the Director of the Office of Management and Budget, and the heads of other Federal agencies as appropriate, in a manner and to the extent consistent with the requirements of national security; and

“(7) taking steps to maintain the confidentiality of any notifications under this subsection.

“(c) Procedures To address urgent national security interests.—In any case in which the Secretary determines that national security interests require the immediate exercise of the authorities under subsection (a), the Secretary—

“(1) may, to the extent necessary to address any such national security interest, and subject to the conditions specified in paragraph (2)—

“(A) temporarily delay the notice required by subsection (b)(2);

“(B) make the determination required by subsection (b)(4), regardless of whether the notice required by subsection (b)(2) has been provided or whether the notified source at issue has submitted any information in response to such notice;

“(C) temporarily delay the notice required by subsections (b)(4) and (b)(5); and

“(D) exercise the authority provided in subsection (a) in accordance with such determination; and

“(2) shall take actions necessary to comply with all requirements of subsection (b) as soon as practicable after addressing the urgent national security interest that is the subject of paragraph (1), including—

“(A) providing the notice required by subsection (b)(2);

“(B) promptly considering any information submitted by the source at issue in response to such notice, and making any appropriate modifications to the determination required by subsection (b)(4) based on such information; and

“(C) providing the notice required by subsections (b)(5) and (b)(6), including a description of such urgent national security, and any modifications to such determination made in accordance with subparagraph (B).

“(d) Annual review of determinations.—The Secretary shall annually review all determinations made under subsection (b).

“(e) Delegation.—The Secretary may not delegate the authority provided in subsection (a) or the responsibility identified in subsection (d) to an official below the Deputy Secretary.

“(f) Limitation of review.—Notwithstanding any other provision of law, no action taken by the Secretary under subsection (a) may be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

“(g) Consultation.—In developing procedures and guidelines for the implementation of the authorities described in this section, the Secretary shall review the procedures and guidelines utilized by the Department of Defense to carry out similar authorities.

“(h) Definitions.—In this section:

“(1) COVERED ARTICLE.—The term ‘covered article’ means:

“(A) Information technology, including cloud computing services of all types.

“(B) Telecommunications equipment.

“(C) Telecommunications services.

“(D) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program of the Department.

“(E) Hardware, systems, devices, software, or services that include embedded or incidental information technology.

“(2) COVERED PROCUREMENT.—The term ‘covered procurement’ means—

“(A) a source selection for a covered article involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of title 41, United States Code, or an evaluation factor, as provided in subsection (c)(1)(A) of such section, relating to supply chain risk, or with respect to which supply chain risk considerations are included in the Department’s determination of whether a source is a responsible source as defined in section 113 of such title;

“(B) the consideration of proposals for and issuance of a task or delivery order for a covered article, as provided in section 4106(d)(3) of title 41, United States Code, with respect to which the task or delivery order contract includes a contract clause establishing a requirement relating to supply chain risk;

“(C) any contract action involving a contract for a covered article with respect to which such contract includes a clause establishing requirements relating to supply chain risk; or

“(D) any procurement made via Government Purchase Care for a covered article when supply chain risk has been identified as a concern.

“(3) COVERED PROCUREMENT ACTION.—The term ‘covered procurement action’ means any of the following actions, if such action takes place in the course of conducting a covered procurement:

“(A) The exclusion of a source that fails to meet qualification requirements established pursuant to section 3311 of title 41, United States Code, for the purpose of reducing supply chain risk in the acquisition or use of a covered article.

“(B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.

“(C) The determination that a source is not a responsible source based on considerations of supply chain risk.

“(D) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.

“(4) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given such term in section 3502 of title 44, United States Code.

“(5) INFORMATION TECHNOLOGY.—The term ‘information technology’ has the meaning given such term in section 11101 of title 40, United States Code.

“(6) RESPONSIBLE SOURCE.—The term ‘responsible source’ has the meaning given such term in section 113 of title 41, United States Code.

“(7) SUPPLY CHAIN RISK.—The term ‘supply chain risk’ means the risk that a malicious actor may sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the information technology or information stored or transmitted on the covered articles.

“(8) TELECOMMUNICATIONS EQUIPMENT.—The term ‘telecommunications equipment’ has the meaning given such term in section 153(52) of title 47, United States Code.

“(9) TELECOMMUNICATIONS SERVICE.—The term ‘telecommunications service’ has the meaning given such term in section 153(53) of title 47, United States Code.

“(i) Effective date.—The requirements of this section shall take effect on the date that is 90 days after the date of the enactment of this Act and shall apply to—

“(1) contracts awarded on or after such date; and

“(2) task and delivery orders issued on or after such date pursuant to contracts awarded before, on, or after such date.”.

(b) Rulemaking.—Section 553 of title 5, United States Code, and section 1707 of title 41, United States Code, shall not apply to the Secretary of Homeland Security when carrying out the authorities and responsibilities under section 836 of the Homeland Security Act of 2002, as added by subsection (a).

(c) Clerical amendment.—The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 835 the following new item:

“Sec. 836. Requirements for information relating to supply chain risk.”.

Passed the House of Representatives September 4, 2018.

    Attest: Karen L. Haas,
    Clerk.
