Bill Summary
The "Securing the Homeland Security Supply Chain Act of 2019" is a bill that seeks to amend the Homeland Security Act of 2002 in order to give the Secretary of Homeland Security the authority to implement certain requirements for information related to supply chain risk. This legislation aims to protect national security by reducing the risk of malicious actors manipulating or disrupting the function of information technology or telecommunications equipment used by the Department of Homeland Security. The bill also requires the Secretary to annually review all determinations made in relation to supply chain risk and consult with the Department of Defense in developing procedures and guidelines for implementing these authorities. Additionally, the bill requires a report to be submitted to Congress on the cybersecurity threats posed by terrorist actors and foreign state-owned entities to the Department of Homeland Security's information technology and communications systems. The bill will take effect 90 days after its enactment and will apply to contracts awarded or task and delivery orders issued on or after that date.
Possible Impacts
1. The "Securing the Homeland Security Supply Chain Act of 2019" could affect businesses and organizations that provide information technology or telecommunications equipment to the Department of Homeland Security. These companies may face stricter requirements and regulations in order to secure their supply chains and prevent potential risks from foreign state-owned entities.
2. The legislation may also have an impact on the cost and availability of certain products or services for the Department of Homeland Security. Companies that are deemed to have a higher risk of supply chain vulnerability may face restrictions or be excluded from providing equipment or services to the Department, potentially leading to higher costs or limited options for the agency.
3. The legislation could also affect the national security of the United States by addressing concerns about potential cybersecurity threats from foreign state-owned entities. By implementing stricter requirements and procedures for the acquisition of certain equipment and services, the Department of Homeland Security may be better equipped to protect its information and communications systems from potential sabotage or manipulation by malicious actors. This could ultimately help safeguard sensitive government information and operations.
[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3320 Reported in House (RH)]
<DOC>
Union Calendar No. 146
116th CONGRESS
1st Session
H. R. 3320
[Report No. 116-188]
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to implement certain requirements for information
relating to supply chain risk, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 18, 2019
Mr. King of New York (for himself, Mr. Thompson of Mississippi, Miss
Rice of New York, Mr. Correa, Mr. Rogers of Alabama, Mr. Rose of New
York, and Mr. Payne) introduced the following bill; which was referred
to the Committee on Homeland Security
August 27, 2019
Additional sponsors: Mr. McCaul and Mr. Hagedorn
August 27, 2019
Reported with an amendment, committed to the Committee of the Whole
House on the State of the Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed
in italic]
[For text of introduced bill, see copy of bill as introduced on June
18, 2019]
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to implement certain requirements for information
relating to supply chain risk, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Securing the Homeland Security
Supply Chain Act of 2019''.
SEC. 2. DEPARTMENT OF HOMELAND SECURITY REQUIREMENTS FOR INFORMATION
RELATING TO SUPPLY CHAIN RISK.
(a) In General.--Subtitle D of title VIII of the Homeland Security
Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the
following new section:
``SEC. 836. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK.
``(a) Authority.--Subject to subsection (b), the Secretary may--
``(1) carry out a covered procurement action;
``(2) limit, notwithstanding any other provision of law, in
whole or in part, the disclosure of information, including
classified information, relating to the basis for carrying out
such an action; and
``(3) exclude, in whole or in part, a source carried out in
the course of such an action applicable to a covered
procurement of the Department.
``(b) Determination and Notification.--Except as authorized by
subsection (c) to address an urgent national security interest, the
Secretary may exercise the authority provided in subsection (a) only
after--
``(1) obtaining a joint recommendation, in unclassified or
classified form, from the Chief Acquisition Officer and the
Chief Information Officer of the Department, including a review
of any risk assessment made available by an appropriate person
or entity, including the national risk management center at the
Cybersecurity and Infrastructure Security Agency, that there is
a significant supply chain risk in a covered procurement;
``(2) notifying any source named in the joint
recommendation described in paragraph (1) advising--
``(A) that a recommendation has been obtained;
``(B) to the extent consistent with the national
security and law enforcement interests, the basis for
such recommendation;
``(C) that, within 30 days after receipt of notice,
such source may submit information and argument in
opposition to such recommendation; and
``(D) of the procedures governing the consideration
of such submission and the possible exercise of the
authority provided in subsection (a);
``(3) notifying the relevant components of the Department
that such risk assessment has demonstrated significant supply
chain risk to a covered procurement;
``(4) making a determination in writing, in unclassified or
classified form, that after considering any information
submitted by a source under paragraph (2), and in consultation
with the Chief Information Officer of the Department, that--
``(A) use of authority under subsection (a)(1) is
necessary to protect national security by reducing
supply chain risk;
``(B) less intrusive measures are not reasonably
available to reduce such risk;
``(C) a decision to limit disclosure of information
under subsection (a)(2) is necessary to protect
national security interest; and
``(D) the use of such authorities will apply to a
single covered procurement or a class of covered
procurements, and otherwise specifies the scope of such
determination;
``(5) providing to the Committee on Homeland Security of
the House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a classified or
unclassified notice of the determination made under paragraph
(4) that includes--
``(A) the joint recommendation described in
paragraph (1);
``(B) a summary of any risk assessment reviewed in
support of such joint recommendation; and
``(C) a summary of the basis for such
determination, including a discussion of less intrusive
measures that were considered and why such measures
were not reasonably available to reduce supply chain
risk;
``(6) notifying the Director of the Office of Management
and Budget, and the heads of other Federal agencies as
appropriate, in a manner and to the extent consistent with the
requirements of national security; and
``(7) taking steps to maintain the confidentiality of any
notifications under this subsection.
``(c) Procedures To Address Urgent National Security Interests.--In
any case in which the Secretary determines that national security
interests require the immediate exercise of the authorities under
subsection (a), the Secretary--
``(1) may, to the extent necessary to address any such
national security interest, and subject to the conditions
specified in paragraph (2)--
``(A) temporarily delay the notice required by
subsection (b)(2);
``(B) make the determination required by subsection
(b)(4), regardless of whether the notice required by
subsection (b)(2) has been provided or whether the
notified source at issue has submitted any information
in response to such notice;
``(C) temporarily delay the notice required by
subsections (b)(4) and (b)(5); and
``(D) exercise the authority provided in subsection
(a) in accordance with such determination; and
``(2) shall take actions necessary to comply with all
requirements of subsection (b) as soon as practicable after
addressing the urgent national security interest that is the
subject of paragraph (1), including--
``(A) providing the notice required by subsection
(b)(2);
``(B) promptly considering any information
submitted by the source at issue in response to such
notice, and making any appropriate modifications to the
determination required by subsection (b)(4) based on
such information; and
``(C) providing the notice required by subsections
(b)(5) and (b)(6), including a description of such
urgent national security, and any modifications to such
determination made in accordance with subparagraph (B).
``(d) Annual Review of Determinations.--The Secretary shall
annually review all determinations made under subsection (b).
``(e) Delegation.--The Secretary may not delegate the authority
provided in subsection (a) or the responsibility identified in
subsection (d) to an official below the Deputy Secretary.
``(f) Limitation of Review.--Notwithstanding any other provision of
law, no action taken by the Secretary under subsection (a) may be
subject to review in a bid protest before the Government Accountability
Office or in any Federal court.
``(g) Consultation.--In developing procedures and guidelines for
the implementation of the authorities described in this section, the
Secretary shall review the procedures and guidelines utilized by the
Department of Defense to carry out similar authorities.
``(h) Definitions.--In this section:
``(1) Covered article.--The term `covered article' means:
``(A) Information technology, including cloud
computing services of all types.
``(B) Telecommunications equipment.
``(C) Telecommunications services.
``(D) The processing of information on a Federal or
non-Federal information system, subject to the
requirements of the Controlled Unclassified Information
program of the Department.
``(E) Hardware, systems, devices, software, or
services that include embedded or incidental
information technology.
``(2) Covered procurement.--The term `covered procurement'
means--
``(A) a source selection for a covered article
involving either a performance specification, as
provided in subsection (a)(3)(B) of section 3306 of
title 41, United States Code, or an evaluation factor,
as provided in subsection (c)(1)(A) of such section,
relating to supply chain risk, or with respect to which
supply chain risk considerations are included in the
Department's determination of whether a source is a
responsible source as defined in section 113 of such
title;
``(B) the consideration of proposals for and
issuance of a task or delivery order for a covered
article, as provided in section 4106(d)(3) of title 41,
United States Code, with respect to which the task or
delivery order contract includes a contract clause
establishing a requirement relating to supply chain
risk;
``(C) any contract action involving a contract for
a covered article with respect to which such contract
includes a clause establishing requirements relating to
supply chain risk; or
``(D) any procurement made via Government Purchase
Care for a covered article when supply chain risk has
been identified as a concern.
``(3) Covered procurement action.--The term `covered
procurement action' means any of the following actions, if such
action takes place in the course of conducting a covered
procurement:
``(A) The exclusion of a source that fails to meet
qualification requirements established pursuant to
section 3311 of title 41, United States Code, for the
purpose of reducing supply chain risk in the
acquisition or use of a covered article.
``(B) The exclusion of a source that fails to
achieve an acceptable rating with regard to an
evaluation factor providing for the consideration of
supply chain risk in the evaluation of proposals for
the award of a contract or the issuance of a task or
delivery order.
``(C) The determination that a source is not a
responsible source based on considerations of supply
chain risk.
``(D) The decision to withhold consent for a
contractor to subcontract with a particular source or
to direct a contractor to exclude a particular source
from consideration for a subcontract.
``(4) Information system.--The term `information system'
has the meaning given such term in section 3502 of title 44,
United States Code.
``(5) Information technology.--The term `information
technology' has the meaning given such term in section 11101 of
title 40, United States Code.
``(6) Responsible source.--The term `responsible source'
has the meaning given such term in section 113 of title 41,
United States Code.
``(7) Supply chain risk.--The term `supply chain risk'
means the risk that a malicious actor may sabotage, maliciously
introduce an unwanted function, extract or modify data, or
otherwise manipulate the design, integrity, manufacturing,
production, distribution, installation, operation, or
maintenance of a covered article so as to surveil, deny,
disrupt, or otherwise manipulate the function, use, or
operation of the information technology or information stored
or transmitted on the covered articles.
``(8) Telecommunications equipment.--The term
`telecommunications equipment' has the meaning given such term
in section 3(52) of the Communications Act of 1934 (47 U.S.C.
153(52)).
``(9) Telecommunications service.--The term
`telecommunications service' has the meaning given such term in
section 3(53) of the Communications Act of 1934 (47 U.S.C.
153(53)).
``(i) Effective Date.--The requirements of this section shall take
effect on the date that is 90 days after the date of the enactment of
this Act and shall apply to--
``(1) contracts awarded on or after such date; and
``(2) task and delivery orders issued on or after such date
pursuant to contracts awarded before, on, or after such
date.''.
(b) Rulemaking.--Section 553 of title 5, United States Code, and
section 1707 of title 41, United States Code, shall not apply to the
Secretary of Homeland Security when carrying out the authorities and
responsibilities under section 836 of the Homeland Security Act of
2002, as added by subsection (a).
(c) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 is amended by inserting after the
item relating to section 835 the following new item:
``Sec. 836. Requirements for information relating to supply chain
risk.''.
SEC. 3. REPORT ON THREATS POSED BY FOREIGN STATE-OWNED ENTITIES TO DHS
INFORMATION TECHNOLOGY AND COMMUNICATIONS SYSTEMS.
Not later than 180 days after the date of the enactment of this
Act, the Under Secretary for Management of the Department of Homeland
Security, in coordination with the national risk management center of
the Cybersecurity and Infrastructure Security Agency of the Department,
shall submit to the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and Governmental
Affairs of the Senate a report on cybersecurity threats posed by
terrorist actors and foreign state-owned entities to the information
technology and communications systems of Department of Homeland
Security, including information relating to the following:
(1) The use of foreign state-owned entities' information
and communications technology by the Department of Homeland
Security, listed by component.
(2) The threats, in consultation with the Department's
Office of Intelligence and Analysis, of foreign state-owned
entities' information and communications technology equipment
that could impact the Department.
Union Calendar No. 146
116th CONGRESS
1st Session
H. R. 3320
[Report No. 116-188]
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to implement certain requirements for information
relating to supply chain risk, and for other purposes.
_______________________________________________________________________
August 27, 2019
Reported with an amendment, committed to the Committee of the Whole
House on the State of the Union, and ordered to be printed