[House Report 117-120]
[From the U.S. Government Publishing Office]
117th Congress } { Report
HOUSE OF REPRESENTATIVES
1st Session } { 117-120
======================================================================
DHS SOFTWARE SUPPLY CHAIN RISK MANAGEMENT ACT OF 2021
_______
September 14, 2021.--Committed to the Committee of the Whole House on
the State of the Union and ordered to be printed
_______
Mr. Thompson of Mississippi, from the Committee on Homeland Security,
submitted the following
R E P O R T
[To accompany H.R. 4611]
The Committee on Homeland Security, to whom was referred
the bill (H.R. 4611) to direct the Secretary of Homeland
Security to issue guidance with respect to certain information
and communications technology or services contracts, and for
other purposes, having considered the same, reports favorably
thereon with an amendment and recommends that the bill as
amended do pass.
CONTENTS
Page
Purpose and Summary.............................................. 3
Background and Need for Legislation.............................. 3
Hearings......................................................... 4
Committee Consideration.......................................... 4
Committee Votes.................................................. 5
Committee Oversight Findings..................................... 5
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and
Tax Expenditures............................................... 5
Federal Mandates Statement....................................... 5
Duplicative Federal Programs..................................... 5
Statement of General Performance Goals and Objectives............ 5
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits Advisory Committee Statement.......................... 5
Applicability to Legislative Branch.............................. 6
Section-by-Section Analysis of the Legislation................... 6
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``DHS Software Supply Chain Risk
Management Act of 2021''.
SEC. 2. DEPARTMENT OF HOMELAND SECURITY GUIDANCE WITH RESPECT TO
CERTAIN INFORMATION AND COMMUNICATIONS TECHNOLOGY
OR SERVICES CONTRACTS.
(a) Guidance.--The Secretary of Homeland Security, acting through the
Under Secretary, shall issue guidance with respect to new and existing
covered contracts.
(b) New Covered Contracts.--In developing guidance under subsection
(a), with respect to each new covered contract, as a condition on the
award of such a contract, each contractor responding to a solicitation
for such a contract shall submit to the covered officer--
(1) a planned bill of materials when submitting a bid
proposal; and
(2) the certification and notifications described in
subsection (e).
(c) Existing Covered Contracts.--In developing guidance under
subsection (a), with respect to each existing covered contract, each
contractor with an existing covered contract shall submit to the
covered officer--
(1) the bill of materials used for such contract, upon the
request of such officer; and
(2) the certification and notifications described in
subsection (e).
(d) Updating Bill of Materials.--With respect to a covered contract,
in the case of a change to the information included in a bill of
materials submitted pursuant to subsections (b)(1) and (c)(1), each
contractor shall submit to the covered officer the update to such bill
of materials, in a timely manner.
(e) Certification and Notifications.--The certification and
notifications referred to in subsections (b)(2) and (c)(2), with
respect to a covered contract, are the following:
(1) A certification that each item listed on the submitted
bill of materials is free from all known vulnerabilities or
defects affecting the security of the end product or service
identified in--
(A) the National Institute of Standards and
Technology National Vulnerability Database; and
(B) any database designated by the Under Secretary,
in coordination with the Director of the Cybersecurity
and Infrastructure Security Agency, that tracks
security vulnerabilities and defects in open source or
third-party developed software.
(2) A notification of each vulnerability or defect affecting
the security of the end product or service, if identified,
through--
(A) the certification of such submitted bill of
materials required under paragraph (1); or
(B) any other manner of identification.
(3) A notification relating to the plan to mitigate, repair,
or resolve each security vulnerability or defect listed in the
notification required under paragraph (2).
(f) Enforcement.--In developing guidance under subsection (a), the
Secretary shall instruct covered officers with respect to--
(1) the processes available to such officers enforcing
subsections (b) and (c); and
(2) when such processes should be used.
(g) Effective Date.--The guidance required under subsection (a) shall
take effect on the date that is 180 days after the date of the
enactment of this section.
(h) GAO Report.--Not later than 1 year after the date of the
enactment of this Act, the Comptroller General of the United States
shall submit to the Secretary, the Committee on Homeland Security of
the House of Representatives, and the Committee on Homeland Security
and Governmental Affairs of the Senate a report that includes--
(1) a review of the implementation of this section;
(2) information relating to the engagement of the Department
of Homeland Security with industry;
(3) an assessment of how the guidance issued pursuant to
subsection (a) complies with Executive Order 14208 (86 Fed.
Reg. 26633; relating to improving the nation's cybersecurity);
and
(4) any recommendations relating to improving the supply
chain with respect to covered contracts.
(i) Definitions.--In this section:
(1) Bill of materials.--The term ``bill of materials'' means
a list of the parts and components (whether new or reused) of
an end product or service, including, with respect to each part
and component, information relating to the origin, composition,
integrity, and any other information as determined appropriate
by the Under Secretary.
(2) Covered contract.--The term ``covered contract'' means a
contract relating to the procurement of covered information and
communications technology or services for the Department of
Homeland Security.
(3) Covered information and communications technology or
services.--The term ``covered information and communications
technology or services'' means the terms--
(A) ``information technology'' (as such term is
defined in section 11101(6) of title 40, United States
Code);
(B) ``information system'' (as such term is defined
in section 3502(8) of title 44, United States Code);
(C) ``telecommunications equipment'' (as such term is
defined in section 3(52) of the Communications Act of
1934 (47 U.S.C. 153(52))); and
(D) ``telecommunications service'' (as such term is
defined in section 3(53) of the Communications Act of
1934 (47 U.S.C. 153(53))).
(4) Covered officer.--The term ``covered officer'' means--
(A) a contracting officer of the Department; and
(B) any other official of the Department as
determined appropriate by the Under Secretary.
(5) Software.--The term ``software'' means computer programs
and associated data that may be dynamically written or modified
during execution.
(6) Under secretary.--The term ``Under Secretary'' means the
Under Secretary for Management of the Department of Homeland
Security.
PURPOSE AND SUMMARY
H.R. 4611, the ``DHS Software Supply Chain Risk Management
Act of 2021,'' seeks to enhance the Department of Homeland
Security's (DHS) ability to protect its networks from malicious
cyberattacks by modernizing how the Department procures
information and communications technology or services (ICT(S)).
The bill would require the Under Secretary for Management (USM)
to issue Department-wide guidance to improve DHS's insight into
the software it purchases from new and existing ICT(S)
contractors. Specifically, contractors are to provide DHS with
a software bill of materials that identifies key information,
such as the origin of each part or component of new or reused
software supplied to the Department. Contractors are also
required to certify that each item listed on the software bill
of materials is free from all known vulnerabilities or defects
that affect the security of supplied ICT(S) capabilities and to
notify DHS of any identified issues and plans for addressing
them. The Comptroller General, in turn, is required to report
to Congress on DHS's implementation of the guidance required by
this Act, engagement with industry, and compliance with
Executive Order 14208 related to improving the Nation's
cybersecurity, among other things.
BACKGROUND AND NEED FOR LEGISLATION
Cyberattacks against the United States are becoming
increasingly more frequent and sophisticated, posing a
significant threat to homeland security and the U.S. economy.
The SolarWinds cyber espionage campaign discovered in 2020
demonstrated that the Federal Government is not immune to such
attacks. During this campaign, hackers were able to add
malicious code to a commercial software product that was
downloaded by several Federal agencies, including DHS, and gain
unfettered access inside Federal information systems.
Unfortunately, the SolarWinds cyber espionage campaign was
not the first to compromise sensitive software supply chains.
The Atlantic Council identified 115 instances, since 2010, of
publicly reported attacks on the software supply chain or
disclosure of high-impact vulnerabilities likely to be
exploited in such attacks.\1\
---------------------------------------------------------------------------
\1\Dr. Trey Herr, William Loomis, Stewart Scott, and June Lee,
Breaking Trust: Shades of Crisis across an Insecure Software Supply
Chain, Atlantic Council, (July 26, 2020), Available at https://
www.atlanticcouncil.org/in-depth-research-reports/report/breaking-
trust-shades-of-crisis-across-an-insecure-software-supply-chain/.
---------------------------------------------------------------------------
As the lead Federal agency for cybersecurity, DHS's
Cybersecurity and Infrastructure Security Agency (CISA) has
taken steps to increase awareness of the top vulnerabilities
routinely exploited by malicious cyber actors.\2\ To identify
and manage these types of vulnerabilities on its own networks,
DHS needs visibility into the supply chains of the ICT(S)
capabilities it procures in support of the Department's many
missions. The guidance required by the ``DHS Software Supply
Chain Risk Management Act of 2021'' would assure such
visibility.
---------------------------------------------------------------------------
\2\Cybersecurity and Infrastructure Security Agency, ``Top
Routinely Exploited Vulnerabilities,'' Alert (AA21-209A), (July 28,
2020), Available at https://us-cert.cisa.gov/ncas/alerts/aa21-209a.
---------------------------------------------------------------------------
The Committee recognizes H.R. 4611 places new requirements
on industry. As DHS develops the guidance, the Department may
consider phasing-in the requirements for small businesses and
prioritizing existing ICT(S) contracts that are high-risk or
high-value. Ultimately, full implementation of the requirements
regardless of contractor type or size is necessary for DHS to
effectively manage potential cyber threats facing the
Department.
HEARINGS
For the purposes of clause 3(c)(6) of rule XIII of the
Rules of the House of Representatives, the following hearings
were used to develop H.R. 4611:
On February 10, 2021, the Committee held a hearing entitled
``Homeland Cybersecurity: Assessing Cyber Threats and Building
Resilience.'' The Committee received testimony from Mr. Chris
Krebs, former Director of the Cybersecurity and Infrastructure
Security Agency, DHS; Ms. Sue Gordon, former Principal Deputy
Director of National Intelligence, Office of the Director of
National Intelligence; Mr. Michael Daniel, President and Chief
Executive Officer, Cyber Threat Alliance; and Mr. Dmitri
Alperovitch, Executive Chairman, Silverado Policy Accelerator.
On February 26, 2021, the Committee held a hearing entitled
``Weathering the Storm: The Role of Private Tech in the
SolarWinds Breach and the Ongoing Campaign.'' The Committee
received testimony from Mr. Sudhakar Ramakrishna, President and
Chief Executive Officer, SolarWinds Corporation; Mr. Kevin B.
Thompson, former Chief Executive Officer, SolarWinds
Corporation; Mr. Kevin Mandia, Chief Executive Officer,
FireEye, Inc.; Mr. Bradford L. Smith, President and Chief Legal
Officer, Microsoft Corporation.
COMMITTEE CONSIDERATION
The Committee met on July 28, 2021, a quorum being present,
to consider H.R. 4611 and ordered the measure to be favorably
reported to the House, as amended, by voice vote.
COMMITTEE VOTES
Clause 3(b) of rule XIII requires the Committee to list the
recorded votes on the motion to report legislation and
amendments thereto.
No recorded votes were requested during consideration of
H.R. 4611.
COMMITTEE OVERSIGHT FINDINGS
In compliance with clause 3(c)(1) of rule XIII, the
Committee advises that the findings and recommendations of the
Committee, based on oversight activities under clause 2(b)(1)
of rule X, are incorporated in the descriptive portions of this
report.
CONGRESSIONAL BUDGET OFFICE ESTIMATE, NEW BUDGET AUTHORITY, ENTITLEMENT
AUTHORITY, AND TAX EXPENDITURES
With respect to the requirements of clause 3(c)(2) of rule
XIII and section 308(a) of the Congressional Budget Act of
1974, and with respect to the requirements of clause 3(c)(3) of
rule XIII and section 402 of the Congressional Budget Act of
1974, the Committee has requested but not received from the
Director of the Congressional Budget Office a statement as to
whether this bill contains any new budget authority, spending
authority, credit authority, or an increase or decrease in
revenues or tax expenditures.
FEDERAL MANDATES STATEMENT
An estimate of Federal mandates prepared by the Director of
the Congressional Budget Office pursuant to section 423 of the
Unfunded Mandates Reform Act was not made available to the
Committee in time for the filing of this report. The Chairman
of the Committee shall cause such estimate to be printed in the
Congressional Record upon its receipt by the Committee.
DUPLICATIVE FEDERAL PROGRAMS
Pursuant to clause 3(c) of rule XIII, the Committee finds
that H.R. 4611 does not contain any provision that establishes
or reauthorizes a program known to be duplicative of another
Federal program.
STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
Pursuant to clause 3(c)(4) of rule XIII, the objective of
H.R. 4611 is to enhance DHS's ability to protect its networks
from malicious cyberattacks by improving the Department's
insight into the software purchased for ICT(S) in support of
its management and operational functions.
CONGRESSIONAL EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF
BENEFITS ADVISORY COMMITTEE STATEMENT
In compliance with rule XXI, this bill, as reported,
contains no congressional earmarks, limited tax benefits, or
limited tariff benefits as defined in clause 9(d), 9(e), or
9(f) of rule XXI.
APPLICABILITY TO LEGISLATIVE BRANCH
The Committee finds that H.R. 4611 does not relate to the
terms and conditions of employment or access to public services
or accommodations within the meaning of section 102(b)(3) of
the Congressional Accountability Act.
SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short Title.
This section states that the Act may be cited as the ``DHS
Software Supply Chain Risk Management Act of 2021''.
Sec. 2. Department of Homeland Security Guidance with Respect to
Certain Information and Communications Technology or Services
Contracts.
Subsection 2(a) directs the Secretary of Homeland Security,
acting through the USM, to issue guidance with respect to new
and existing covered ICT(S) contracts.
Subsection 2(b) outlines what content the USM's guidance is
to include related to new covered contracts. Specifically, the
guidance requires that, as a condition for the award of a new
ICT(S) contract, each contractor submits a planned bill of
materials as a part of its bid proposal and the certifications
and notifications described in subsection 2(e).
Subsection 2(c) outlines what content the guidance is to
include related to existing covered contracts. Specifically,
the guidance requires that, at the request of the Department,
an existing ICT(S) contractor submit a bill of materials and
the certifications and notifications described in subsection
2(e).
Subsection 2(d) directs new or existing contractors to
provide the Department with an updated bill of materials in a
timely manner if any changes are made subsequent to a bill of
materials having already been submitted to the Department.
Subsection 2(e) outlines the certification and notification
requirements new and existing contractors are to make with
respect to covered ICT(S) contracts. Specifically, contractors
are required to provide a certification to the Department that
each item listed on a submitted bill of materials is free from
all known vulnerabilities or defects affecting the security of
the end product or service supplied to DHS. In doing so,
contractors are required to consult the National Institute of
Standards and Technology National Vulnerability Database and
any other database identified by the USM, in coordination with
the Director of CISA, that tracks security vulnerabilities and
defects in open source or third-party developed software.
Contractors are required to provide a notification to the
Department of each vulnerability or defect affecting the
security of the end product or service supplied to DHS
identified through the certification process or any other
manner. Additionally, contractors are to provide a notification
to the Department outlining how they will mitigate, repair, or
resolve each identified vulnerability or defect.
Subsection 2(f) directs the Secretary to include
instructions in the guidance related to how and when Department
officials are to enforce the requirements outlined in the
guidance for new and existing covered contracts.
Subsection 2(g) establishes that the guidance is to take
effect 180 days after the enactment of the section.
Subsection 2(h) directs the Comptroller General of the
United States to submit a report to Congress no later than 1
year after the enactment of the Act. The report is to include a
review of DHS's implementation of the requirements outlined in
the Act; information related to DHS's engagement with industry;
an assessment of how the Department's guidance complies with
Executive Order 14208 related to improving the Nation's
cybersecurity; and any recommendations related to improving the
supply chain with respect to covered ICT(S) contracts.
Subsection 2(i) defines key terms, including ``bill of
materials,'' ``covered contract,'' ``covered information and
communications technology or services,'' and ``software.''
[all]