[115th Congress Public Law 390]
[From the U.S. Government Publishing Office]



[[Page 132 STAT. 5173]]

Public Law 115-390
115th Congress

                                 An Act


 
 To require the Secretary of Homeland Security to establish a security 
 vulnerability disclosure policy, to establish a bug bounty program for 
 the Department of Homeland Security, to amend title 41, United States 
Code, to provide for Federal acquisition supply chain security, and for 
         other purposes. <<NOTE: Dec. 21, 2018 -  [H.R. 7327]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled, <<NOTE: Strengthening 
and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology 
Act.>> 
SECTION 1. <<NOTE: 41 USC 101 note.>>  SHORT TITLE; TABLE OF 
                              CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Strengthening and 
Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act'' 
or the ``SECURE Technology Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.

TITLE I--DEPARTMENT OF HOMELAND SECURITY INFORMATION SECURITY AND OTHER 
                                 MATTERS

Sec. 101. Department of Homeland Security disclosure of security 
           vulnerabilities.
Sec. 102. Department of Homeland Security bug bounty pilot program.
Sec. 103. Congressional submittal of reports relating to certain special 
           access programs and similar programs.

           TITLE II--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY

Sec. 201. Short title.
Sec. 202. Federal acquisition supply chain security.
Sec. 203. Authorities of executive agencies relating to mitigating 
           supply chain risks in the procurement of covered articles.
Sec. 204. Federal Information Security Modernization Act.
Sec. 205. Effective date.

TITLE I--DEPARTMENT OF HOMELAND SECURITY INFORMATION SECURITY AND OTHER 
                                 MATTERS

SEC. 101. <<NOTE: 6 USC 663 note.>>  DEPARTMENT OF HOMELAND 
                        SECURITY DISCLOSURE OF SECURITY 
                        VULNERABILITIES.

    (a) Vulnerability Disclosure Policy.--The Secretary of Homeland 
Security shall establish a policy applicable to individuals, 
organizations, and companies that report security vulnerabilities on 
appropriate information systems of Department of Homeland Security. Such 
policy shall include each of the following:

[[Page 132 STAT. 5174]]

            (1) The appropriate information systems of the Department 
        that individuals, organizations, and companies may use to 
        discover and report security vulnerabilities on appropriate 
        information systems.
            (2) <<NOTE: Criteria.>>  The conditions and criteria under 
        which individuals, organizations, and companies may operate to 
        discover and report security vulnerabilities.
            (3) How individuals, organizations, and companies may 
        disclose to the Department security vulnerabilities discovered 
        on appropriate information systems of the Department.
            (4) The ways in which the Department may communicate with 
        individuals, organizations, and companies that report security 
        vulnerabilities.
            (5) The process the Department shall use for public 
        disclosure of reported security vulnerabilities.

    (b) Remediation Process.--The Secretary of Homeland Security shall 
develop a process for the Department of Homeland Security to address the 
mitigation or remediation of the security vulnerabilities reported 
through the policy developed in subsection (a).
    (c) Consultation.--
            (1) In general.--In developing the security vulnerability 
        disclosure policy under subsection (a), the Secretary of 
        Homeland Security shall consult with each of the following:
                    (A) The Attorney General regarding how to ensure 
                that individuals, organizations, and companies that 
                comply with the requirements of the policy developed 
                under subsection (a) are protected from prosecution 
                under section 1030 of title 18, United States Code, 
                civil lawsuits, and similar provisions of law with 
                respect to specific activities authorized under the 
                policy.
                    (B) The Secretary of Defense and the Administrator 
                of General Services regarding lessons that may be 
                applied from existing vulnerability disclosure policies.
                    (C) Non-governmental security researchers.
            (2) Nonapplicability of faca.--The Federal Advisory 
        Committee Act (5 U.S.C. App.) shall not apply to any 
        consultation under this section.

    (d) Public Availability.--The Secretary of Homeland Security shall 
make the policy developed under subsection (a) publicly available.
    (e) Submission to Congress.--
            (1) <<NOTE: Deadline. Records.>>  Disclosure policy and 
        remediation process.--Not later than 90 days after the date of 
        the enactment of this Act, the Secretary of Homeland Security 
        shall submit to the appropriate congressional committees a copy 
        of the policy required under subsection (a) and the remediation 
        process required under subsection (b).
            (2) Report and briefing.--
                    (A) Report.--Not later than one year after 
                establishing the policy required under subsection (a), 
                the Secretary of Homeland Security shall submit to the 
                appropriate congressional committees a report on such 
                policy and the remediation process required under 
                subsection (b).
                    (B) Annual briefings.--One year after the date of 
                the submission of the report under subparagraph (A), and 
                annually thereafter for each of the next three years, 
                the

[[Page 132 STAT. 5175]]

                Secretary of Homeland Security shall provide to the 
                appropriate congressional committees a briefing on the 
                policy required under subsection (a) and the process 
                required under subsection (b).
                    (C) Matters for inclusion.--The report required 
                under subparagraph (A) and the briefings required under 
                subparagraph (B) shall include each of the following 
                with respect to the policy required under subsection (a) 
                and the process required under subsection (b) for the 
                period covered by the report or briefing, as the case 
                may be:
                          (i) The number of unique security 
                      vulnerabilities reported.
                          (ii) The number of previously unknown security 
                      vulnerabilities mitigated or remediated.
                          (iii) The number of unique individuals, 
                      organizations, and companies that reported 
                      security vulnerabilities.
                          (iv) The average length of time between the 
                      reporting of security vulnerabilities and 
                      mitigation or remediation of such vulnerabilities.

    (f) Definitions.--In this section:
            (1) The term ``security vulnerability'' has the meaning 
        given that term in section 102(17) of the Cybersecurity 
        Information Sharing Act of 2015 (6 U.S.C. 1501(17)), in 
        information technology.
            (2) The term ``information system'' has the meaning given 
        that term by section 3502 of title 44, United States Code.
            (3) The term ``appropriate information system'' means an 
        information system that the Secretary of Homeland Security 
        selects for inclusion under the vulnerability disclosure policy 
        required by subsection (a).
            (4) The term ``appropriate congressional committees'' 
        means--
                    (A) the Committee on Homeland Security, the 
                Committee on Armed Services, the Committee on Energy and 
                Commerce, and the Permanent Select Committee on 
                Intelligence of the House of Representatives; and
                    (B) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on Armed Services, 
                the Committee on Commerce, Science, and Transportation, 
                and the Select Committee on Intelligence of the Senate.
SEC. 102. <<NOTE: 6 USC 663 note.>>  DEPARTMENT OF HOMELAND 
                        SECURITY BUG BOUNTY PILOT PROGRAM.

    (a) Definitions.--In this section:
            (1) The term ``appropriate congressional committees'' 
        means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Select Committee on Intelligence of the 
                Senate;
                    (C) the Committee on Homeland Security of the House 
                of Representatives; and
                    (D) Permanent Select Committee on Intelligence of 
                the House of Representatives.
            (2) The term ``bug bounty program'' means a program under 
        which--

[[Page 132 STAT. 5176]]

                    (A) individuals, organizations, and companies are 
                temporarily authorized to identify and report 
                vulnerabilities of appropriate information systems of 
                the Department; and
                    (B) eligible individuals, organizations, and 
                companies receive compensation in exchange for such 
                reports.
            (3) <<NOTE: 6 USC 651 note.>>  The term ``Department'' means 
        the Department of Homeland Security.
            (4) The term ``eligible individual, organization, or 
        company'' means an individual, organization, or company that 
        meets such criteria as the Secretary determines in order to 
        receive compensation in compliance with Federal laws.
            (5) The term ``information system'' has the meaning given 
        the term in section 3502 of title 44, United States Code.
            (6) The term ``pilot program'' means the bug bounty pilot 
        program required to be established under subsection (b)(1).
            (7) The term ``Secretary'' means the Secretary of Homeland 
        Security.

    (b) Bug Bounty Pilot Program.--
            (1) <<NOTE: Deadline.>>  Establishment.--Not later than 180 
        days after the date of enactment of this Act, the Secretary 
        shall establish, within the Office of the Chief Information 
        Officer, a bug bounty pilot program to minimize vulnerabilities 
        of appropriate information systems of the Department.
            (2) Responsibilities of secretary.--In establishing and 
        conducting the pilot program, the Secretary shall--
                    (A) designate appropriate information systems to be 
                included in the pilot program;
                    (B) provide compensation to eligible individuals, 
                organizations, and companies for reports of previously 
                unidentified security vulnerabilities within the 
                information systems designated under subparagraph (A);
                    (C) <<NOTE: Criteria.>>  establish criteria for 
                individuals, organizations, and companies to be 
                considered eligible for compensation under the pilot 
                program in compliance with Federal laws;
                    (D) <<NOTE: Consultation.>>  consult with the 
                Attorney General on how to ensure that approved 
                individuals, organizations, or companies that comply 
                with the requirements of the pilot program are protected 
                from prosecution under section 1030 of title 18, United 
                States Code, and similar provisions of law, and civil 
                lawsuits for specific activities authorized under the 
                pilot program;
                    (E) <<NOTE: Consultation.>>  consult with the 
                Secretary of Defense and the heads of other departments 
                and agencies that have implemented programs to provide 
                compensation for reports of previously undisclosed 
                vulnerabilities in information systems, regarding 
                lessons that may be applied from such programs; and
                    (F) develop an expeditious process by which an 
                individual, organization, or company can register with 
                the Department, submit to a background check as 
                determined by the Department, and receive a 
                determination as to eligibility; and
                    (G) engage qualified interested persons, including 
                non-government sector representatives, about the 
                structure of the pilot program as constructive and to 
                the extent practicable.

[[Page 132 STAT. 5177]]

            (3) Contract authority.--In establishing the pilot program, 
        the Secretary, subject to the availability of appropriations, 
        may award 1 or more competitive contracts to an entity, as 
        necessary, to manage the pilot program.

    (c) Report to Congress.--Not later than 180 days after the date on 
which the pilot program is completed, the Secretary shall submit to the 
appropriate congressional committees a report on the pilot program, 
which shall include--
            (1) the number of individuals, organizations, or companies 
        that participated in the pilot program, broken down by the 
        number of individuals, organizations, or companies that--
                    (A) registered;
                    (B) were determined eligible;
                    (C) submitted security vulnerabilities; and
                    (D) received compensation;
            (2) the number and severity of vulnerabilities reported as 
        part of the pilot program;
            (3) the number of previously unidentified security 
        vulnerabilities remediated as a result of the pilot program;
            (4) the current number of outstanding previously 
        unidentified security vulnerabilities and Department remediation 
        plans;
            (5) the average length of time between the reporting of 
        security vulnerabilities and remediation of the vulnerabilities;
            (6) the types of compensation provided under the pilot 
        program; and
            (7) the lessons learned from the pilot program.

    (d) Authorization of Appropriations.--There is authorized to be 
appropriated to the Department $250,000 for fiscal year 2019 to carry 
out this section.
SEC. 103. CONGRESSIONAL SUBMITTAL OF REPORTS RELATING TO CERTAIN 
                        SPECIAL ACCESS PROGRAMS AND SIMILAR 
                        PROGRAMS.

    The National Defense Authorization Act for Fiscal Year 1994 (50 
U.S.C. 3348) is amended--
            (1) by striking ``Congress'' each place it appears and 
        inserting ``the congressional oversight committees'';
            (2) in subsection (f)(1), by striking ``appropriate 
        oversight committees'' and inserting ``congressional oversight 
        committees''; and
            (3) in subsection (g)--
                    (A) by redesignating paragraphs (1) and (2) as 
                paragraphs (2) and (3), respectively; and
                    (B) by inserting before paragraph (2), as so 
                redesignated, the following:
            ``(1) Congressional oversight 
        committees <<NOTE: Definition.>> .--The term `congressional 
        oversight committees' means--
                    ``(A) congressional leadership and authorizing and 
                appropriations congressional committees with 
                jurisdiction or shared jurisdiction over a department or 
                agency;
                    ``(B) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                    ``(C) the Committee on Oversight and Government 
                Reform of the House of Representatives.''.

[[Page 132 STAT. 5178]]

   TITLE II <<NOTE: Federal Acquisition Supply Chain Security Act of 
2018.>> --FEDERAL ACQUISITION SUPPLY CHAIN SECURITY
SEC. 201. <<NOTE: 41 USC 101 note.>>  SHORT TITLE.

    This title may be cited as the ``Federal Acquisition Supply Chain 
Security Act of 2018''.
SEC. 202. FEDERAL ACQUISITION SUPPLY CHAIN SECURITY.

    (a) In General.--Chapter 13 of title 41, United States Code, is 
amended by adding <<NOTE: 41 USC 1321 prec.>>  at the end the following 
new subchapter:

       ``SUBCHAPTER III--FEDERAL ACQUISITION SUPPLY CHAIN SECURITY

``Sec. 1321. <<NOTE: 41 USC 1321.>>  Definitions

    ``In this subchapter:
            ``(1) Appropriate congressional committees and leadership.--
        The term `appropriate congressional committees and leadership' 
        means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on the Judiciary, 
                the Committee on Appropriations, the Committee on Armed 
                Services, the Committee on Commerce, Science, and 
                Transportation, the Select Committee on Intelligence, 
                and the majority and minority leader of the Senate; and
                    ``(B) the Committee on Oversight and Government 
                Reform, the Committee on the Judiciary, the Committee on 
                Appropriations, the Committee on Homeland Security, the 
                Committee on Armed Services, the Committee on Energy and 
                Commerce, the Permanent Select Committee on 
                Intelligence, and the Speaker and minority leader of the 
                House of Representatives.
            ``(2) Council.--The term `Council' means the Federal 
        Acquisition Security Council established under section 1322(a) 
        of this title.
            ``(3) Covered article.--The term `covered article' has the 
        meaning given that term in section 4713 of this title.
            ``(4) Covered procurement action.--The term `covered 
        procurement action' has the meaning given that term in section 
        4713 of this title.
            ``(5) Information and communications technology.--The term 
        `information and communications technology' has the meaning 
        given that term in section 4713 of this title.
            ``(6) Intelligence community.--The term `intelligence 
        community' has the meaning given that term in section 3(4) of 
        the National Security Act of 1947 (50 U.S.C. 3003(4)).
            ``(7) National security system.--The term `national security 
        system' has the meaning given that term in section 3552 of title 
        44.
            ``(8) Supply chain risk.--The term `supply chain risk' has 
        the meaning given that term in section 4713 of this title.
``Sec. 1322. <<NOTE: 41 USC 1322.>>  Federal Acquisition Security 
                  Council establishment and membership

    ``(a) Establishment.--There is established in the executive branch a 
Federal Acquisition Security Council.

[[Page 132 STAT. 5179]]

    ``(b) Membership.--
            ``(1) In general.--The following agencies shall be 
        represented on the Council:
                    ``(A) The Office of Management and Budget.
                    ``(B) The General Services Administration.
                    ``(C) The Department of Homeland Security, including 
                the Cybersecurity and Infrastructure Security Agency.
                    ``(D) The Office of the Director of National 
                Intelligence, including the National Counterintelligence 
                and Security Center.
                    ``(E) The Department of Justice, including the 
                Federal Bureau of Investigation.
                    ``(F) The Department of Defense, including the 
                National Security Agency.
                    ``(G) The Department of Commerce, including the 
                National Institute of Standards and Technology.
                    ``(H) Such other executive agencies as determined by 
                the Chairperson of the Council.
            ``(2) Lead representatives.--
                    ``(A) Designation.--
                          ``(i) In general <<NOTE: Deadline.>> .--Not 
                      later than 45 days after the date of the enactment 
                      of the Federal Acquisition Supply Chain Security 
                      Act of 2018, the head of each agency represented 
                      on the Council shall designate a representative of 
                      that agency as the lead representative of the 
                      agency on the Council.
                          ``(ii) Requirements.--The representative of an 
                      agency designated under clause (i) shall have 
                      expertise in supply chain risk management, 
                      acquisitions, or information and communications 
                      technology.
                    ``(B) Functions.--The lead representative of an 
                agency designated under subparagraph (A) shall ensure 
                that appropriate personnel, including leadership and 
                subject matter experts of the agency, are aware of the 
                business of the Council.

    ``(c) Chairperson.--
            ``(1) Designation <<NOTE: Deadline.>> .--Not later than 45 
        days after the date of the enactment of the Federal Acquisition 
        Supply Chain Security Act of 2018, the Director of the Office of 
        Management and Budget shall designate a senior-level official 
        from the Office of Management and Budget to serve as the 
        Chairperson of the Council.
            ``(2) Functions.--The Chairperson shall perform functions 
        that include--
                    ``(A) subject to subsection (d), developing a 
                schedule for meetings of the Council;
                    ``(B) designating executive agencies to be 
                represented on the Council under subsection (b)(1)(H);
                    ``(C) <<NOTE: Consultation.>>  in consultation with 
                the lead representative of each agency represented on 
                the Council, developing a charter for the Council; and
                    ``(D) <<NOTE: Deadline.>>  not later than 7 days 
                after completion of the charter, submitting the charter 
                to the appropriate congressional committees and 
                leadership.

    ``(d) Meetings <<NOTE: Deadline.>> .--The Council shall meet not 
later than 60 days after the date of the enactment of the Federal 
Acquisition Supply

[[Page 132 STAT. 5180]]

Chain Security Act of 2018 and not less frequently than quarterly 
thereafter.
``Sec. 1323. <<NOTE: 41 USC 1323.>>  Functions and authorities

    ``(a) In General.--The Council shall perform functions that include 
the following:
            ``(1) <<NOTE: Recommenda- tions.>>  Identifying and 
        recommending development by the National Institute of Standards 
        and Technology of supply chain risk management standards, 
        guidelines, and practices for executive agencies to use when 
        assessing and developing mitigation strategies to address supply 
        chain risks, particularly in the acquisition and use of covered 
        articles under section 1326(a) of this title.
            ``(2) <<NOTE: Criteria.>>  Identifying or developing 
        criteria for sharing information with executive agencies, other 
        Federal entities, and non-Federal entities with respect to 
        supply chain risk, including information related to the exercise 
        of authorities provided under this section and sections 1326 and 
        4713 of this title. At a minimum, such criteria shall address--
                    ``(A) the content to be shared;
                    ``(B) the circumstances under which sharing is 
                mandated or voluntary; and
                    ``(C) the circumstances under which it is 
                appropriate for an executive agency to rely on 
                information made available through such sharing in 
                exercising the responsibilities and authorities provided 
                under this section and section 4713 of this title.
            ``(3) Identifying an appropriate executive agency to--
                    ``(A) accept information submitted by executive 
                agencies based on the criteria established under 
                paragraph (2);
                    ``(B) facilitate the sharing of information received 
                under subparagraph (A) to support supply chain risk 
                analyses under section 1326 of this title, 
                recommendations under this section, and covered 
                procurement actions under section 4713 of this title;
                    ``(C) share with the Council information regarding 
                covered procurement actions by executive agencies taken 
                under section 4713 of this title; and
                    ``(D) inform the Council of orders issued under this 
                section.
            ``(4) Identifying, as appropriate, executive agencies to 
        provide--
                    ``(A) shared services, such as support for making 
                risk assessments, validation of products that may be 
                suitable for acquisition, and mitigation activities; and
                    ``(B) common contract solutions to support supply 
                chain risk management activities, such as subscription 
                services or machine-learning-enhanced analysis 
                applications to support informed decision making.
            ``(5) <<NOTE: Guidance.>>  Identifying and issuing guidance 
        on additional steps that may be necessary to address supply 
        chain risks arising in the course of executive agencies 
        providing shared services, common contract solutions, 
        acquisitions vehicles, or assisted acquisitions.
            ``(6) Engaging with the private sector and other 
        nongovernmental stakeholders in performing the functions 
        described in

[[Page 132 STAT. 5181]]

        paragraphs (1) and (2) and on issues relating to the management 
        of supply chain risks posed by the acquisition of covered 
        articles.
            ``(7) Carrying out such other actions, as determined by the 
        Council, that are necessary to reduce the supply chain risks 
        posed by acquisitions and use of covered articles.

    ``(b) Program Office and Committees.--The Council may establish a 
program office and any committees, working groups, or other constituent 
bodies the Council deems appropriate, in its sole and unreviewable 
discretion, to carry out its functions.
    ``(c) Authority for Exclusion or Removal Orders.--
            ``(1) Criteria <<NOTE: Procedures.>> .--To reduce supply 
        chain risk, the Council shall establish criteria and procedures 
        for--
                    ``(A) recommending orders applicable to executive 
                agencies requiring the exclusion of sources or covered 
                articles from executive agency procurement actions (in 
                this section referred to as `exclusion orders');
                    ``(B) recommending orders applicable to executive 
                agencies requiring the removal of covered articles from 
                executive agency information systems (in this section 
                referred to as `removal orders');
                    ``(C) requesting and approving exceptions to an 
                issued exclusion or removal order when warranted by 
                circumstances, including alternative mitigation actions 
                or other findings relating to the national interest, 
                including national security reviews, national security 
                investigations, or national security agreements; and
                    ``(D) ensuring that recommended orders do not 
                conflict with standards and guidelines issued under 
                section 11331 of title 40 and that the Council consults 
                with the Director of the National Institute of Standards 
                and Technology regarding any recommended orders that 
                would implement standards and guidelines developed by 
                the National Institute of Standards and Technology.
            ``(2) Recommendations.--The Council shall use the criteria 
        established under paragraph (1), information made available 
        under subsection (a)(3), and any other information the Council 
        determines appropriate to issue recommendations, for application 
        to executive agencies or any subset thereof, regarding the 
        exclusion of sources or covered articles from any executive 
        agency procurement action, including source selection and 
        consent for a contractor to subcontract, or the removal of 
        covered articles from executive agency information systems. Such 
        recommendations shall include--
                    ``(A) information necessary to positively identify 
                the sources or covered articles recommended for 
                exclusion or removal;
                    ``(B) information regarding the scope and 
                applicability of the recommended exclusion or removal 
                order;
                    ``(C) <<NOTE: Summary.>>  a summary of any risk 
                assessment reviewed or conducted in support of the 
                recommended exclusion or removal order;
                    ``(D) <<NOTE: Summary.>>  a summary of the basis for 
                the recommendation, including a discussion of less 
                intrusive measures that were considered and why such 
                measures were not reasonably available to reduce supply 
                chain risk;

[[Page 132 STAT. 5182]]

                    ``(E) a description of the actions necessary to 
                implement the recommended exclusion or removal order; 
                and
                    ``(F) where practicable, in the Council's sole and 
                unreviewable discretion, a description of mitigation 
                steps that could be taken by the source that may result 
                in the Council rescinding a recommendation.
            ``(3) Notice of recommendation and review.--A notice of the 
        Council's recommendation under paragraph (2) shall be issued to 
        any source named in the recommendation advising--
                    ``(A) that a recommendation has been made;
                    ``(B) of the criteria the Council relied upon under 
                paragraph (1) and, to the extent consistent with 
                national security and law enforcement interests, of 
                information that forms the basis for the recommendation;
                    ``(C) <<NOTE: Deadline.>>  that, within 30 days 
                after receipt of notice, the source may submit 
                information and argument in opposition to the 
                recommendation;
                    ``(D) of the procedures governing the review and 
                possible issuance of an exclusion or removal order 
                pursuant to paragraph (5); and
                    ``(E) where practicable, in the Council's sole and 
                unreviewable discretion, a description of mitigation 
                steps that could be taken by the source that may result 
                in the Council rescinding the recommendation.
            ``(4) Confidentiality.--Any notice issued to a source under 
        paragraph (3) shall be kept confidential until--
                    ``(A) an exclusion or removal order is issued 
                pursuant to paragraph (5); and
                    ``(B) the source has been notified pursuant to 
                paragraph (6).
            ``(5) Exclusion and removal orders.--
                    ``(A) Order issuance.--Recommendations of the 
                Council under paragraph (2), together with any 
                information submitted by a source under paragraph (3) 
                related to such a recommendation, shall be reviewed by 
                the following officials, who may issue exclusion and 
                removal orders based upon such recommendations:
                          ``(i) The Secretary of Homeland Security, for 
                      exclusion and removal orders applicable to 
                      civilian agencies, to the extent not covered by 
                      clause (ii) or (iii).
                          ``(ii) The Secretary of Defense, for exclusion 
                      and removal orders applicable to the Department of 
                      Defense and national security systems other than 
                      sensitive compartmented information systems.
                          ``(iii) The Director of National Intelligence, 
                      for exclusion and removal orders applicable to the 
                      intelligence community and sensitive compartmented 
                      information systems, to the extent not covered by 
                      clause (ii).
                    ``(B) Delegation.--The officials identified in 
                subparagraph (A) may not delegate any authority under 
                this subparagraph to an official below the level one 
                level below the Deputy Secretary or Principal Deputy 
                Director, except that the Secretary of Defense may 
                delegate authority for removal orders to the Commander 
                of the United States Cyber Command, who may not 
                redelegate such authority

[[Page 132 STAT. 5183]]

                to an official below the level one level below the 
                Deputy Commander.
                    ``(C) Facilitation of exclusion orders.--If 
                officials identified under this paragraph from the 
                Department of Homeland Security, the Department of 
                Defense, and the Office of the Director of National 
                Intelligence issue orders collectively resulting in a 
                governmentwide exclusion, the Administrator for General 
                Services and officials at other executive agencies 
                responsible for management of the Federal Supply 
                Schedules, governmentwide acquisition contracts and 
                multi-agency contracts shall help facilitate 
                implementation of such orders by removing the covered 
                articles or sources identified in the orders from such 
                contracts.
                    ``(D) Review of exclusion and removal orders.--The 
                officials identified under this paragraph shall review 
                all exclusion and removal orders issued under 
                subparagraph (A) not less frequently than annually 
                pursuant to procedures established by the Council.
                    ``(E) Rescission.--Orders issued pursuant to 
                subparagraph (A) may be rescinded by an authorized 
                official from the relevant issuing agency.
            ``(6) Notifications.--Upon issuance of an exclusion or 
        removal order pursuant to paragraph (5)(A), the official 
        identified under that paragraph who issued the order shall--
                    ``(A) notify any source named in the order of--
                          ``(i) the exclusion or removal order; and
                          ``(ii) to the extent consistent with national 
                      security and law enforcement interests, 
                      information that forms the basis for the order;
                    ``(B) provide classified or unclassified notice of 
                the exclusion or removal order to the appropriate 
                congressional committees and leadership; and
                    ``(C) provide the exclusion or removal order to the 
                agency identified in subsection (a)(3).
            ``(7) Compliance.--Executive agencies shall comply with 
        exclusion and removal orders issued pursuant to paragraph (5).

    ``(d) Authority To Request Information.--The Council may request 
such information from executive agencies as is necessary for the Council 
to carry out its functions.
    ``(e) Relationship to Other 
Councils <<NOTE: Consultation. Coordination.>> .--The Council shall 
consult and coordinate, as appropriate, with other relevant councils and 
interagency committees, including the Chief Information Officers 
Council, the Chief Acquisition Officers Council, the Federal Acquisition 
Regulatory Council, and the Committee on Foreign Investment in the 
United States, with respect to supply chain risks posed by the 
acquisition and use of covered articles.

    ``(f) Rules of Construction.--Nothing in this section shall be 
construed--
            ``(1) to limit the authority of the Office of Federal 
        Procurement Policy to carry out the responsibilities of that 
        Office under any other provision of law; or
            ``(2) to authorize the issuance of an exclusion or removal 
        order based solely on the fact of foreign ownership of a 
        potential procurement source that is otherwise qualified to 
        enter into procurement contracts with the Federal Government.

[[Page 132 STAT. 5184]]

``Sec. 1324. <<NOTE: 41 USC 1324.>>  Strategic plan

    ``(a) In General.-- <<NOTE: Deadline.>> Not later than 180 days 
after the date of the enactment of the Federal Acquisition Supply Chain 
Security Act of 2018, the Council shall develop a strategic plan for 
addressing supply chain risks posed by the acquisition of covered 
articles and for managing such risks that includes--
            ``(1) <<NOTE: Criteria.>>  the criteria and processes 
        required under section 1323(a) of this title, including a 
        threshold and requirements for sharing relevant information 
        about such risks with all executive agencies and, as 
        appropriate, with other Federal entities and non-Federal 
        entities;
            ``(2) an identification of existing authorities for 
        addressing such risks;
            ``(3) an identification and promulgation of best practices 
        and procedures and available resources for executive agencies to 
        assess and mitigate such risks;
            ``(4) <<NOTE: Recommenda- tions.>>  recommendations for any 
        legislative, regulatory, or other policy changes to improve 
        efforts to address such risks;
            ``(5) <<NOTE: Recommenda- tions.>>  recommendations for any 
        legislative, regulatory, or other policy changes to incentivize 
        the adoption of best practices for supply chain risk management 
        by the private sector;
            ``(6) <<NOTE: Evaluation.>>  an evaluation of the effect of 
        implementing new policies or procedures on existing contracts 
        and the procurement process;
            ``(7) a plan for engaging with executive agencies, the 
        private sector, and other nongovernmental stakeholders to 
        address such risks;
            ``(8) a plan for identification, assessment, mitigation, and 
        vetting of supply chain risks from existing and prospective 
        information and communications technology made available by 
        executive agencies to other executive agencies through common 
        contract solutions, shared services, acquisition vehicles, or 
        other assisted acquisition services; and
            ``(9) plans to strengthen the capacity of all executive 
        agencies to conduct assessments of--
                    ``(A) the supply chain risk posed by the acquisition 
                of covered articles; and
                    ``(B) compliance with the requirements of this 
                subchapter.

    ``(b) Submission to Congress <<NOTE: Deadline.>> .--Not later than 7 
calendar days after completion of the strategic plan required by 
subsection (a), the Chairperson of the Council shall submit the plan to 
the appropriate congressional committees and leadership.
``Sec. 1325. <<NOTE: 41 USC 1325.>>  Annual report

    ``Not later than December 31 of each year, the Chairperson of the 
Council shall submit to the appropriate congressional committees and 
leadership a report on the activities of the Council during the 
preceding 12-month period.
``Sec. 1326. <<NOTE: 41 USC 1326.>>  Requirements for executive 
                  agencies

    ``(a) In General.--The head of each executive agency shall be 
responsible for--
            ``(1) <<NOTE: Assessment.>>  assessing the supply chain risk 
        posed by the acquisition and use of covered articles and 
        avoiding, mitigating, accepting, or transferring that risk, as 
        appropriate and consistent with

[[Page 132 STAT. 5185]]

        the standards, guidelines, and practices identified by the 
        Council under section 1323(a)(1); and
            ``(2) prioritizing supply chain risk assessments conducted 
        under paragraph (1) based on the criticality of the mission, 
        system, component, service, or asset.

    ``(b) Inclusions.--The responsibility for assessing supply chain 
risk described in subsection (a) includes--
            ``(1) <<NOTE: Strategy. Plan. Policy. Processes.>>  
        developing an overall supply chain risk management strategy and 
        implementation plan and policies and processes to guide and 
        govern supply chain risk management activities;
            ``(2) integrating supply chain risk management practices 
        throughout the life cycle of the system, component, service, or 
        asset;
            ``(3) limiting, avoiding, mitigating, accepting, or 
        transferring any identified risk;
            ``(4) sharing relevant information with other executive 
        agencies as determined appropriate by the Council in a manner 
        consistent with section 1323(a) of this title;
            ``(5) reporting on progress and effectiveness of the 
        agency's supply chain risk management consistent with guidance 
        issued by the Office of Management and Budget and the Council; 
        and
            ``(6) ensuring that all relevant information, including 
        classified information, with respect to acquisitions of covered 
        articles that may pose a supply chain risk, consistent with 
        section 1323(a) of this title, is incorporated into existing 
        processes of the agency for conducting assessments described in 
        subsection (a) and ongoing management of acquisition programs, 
        including any identification, investigation, mitigation, or 
        remediation needs.

    ``(c) Interagency Acquisitions.--
            ``(1) In general.--Except as provided in paragraph (2), in 
        the case of an interagency acquisition, subsection (a) shall be 
        carried out by the head of the executive agency whose funds are 
        being used to procure the covered article.
            ``(2) Assisted acquisitions <<NOTE: Determination.>> .--In 
        an assisted acquisition, the parties to the acquisition shall 
        determine, as part of the interagency agreement governing the 
        acquisition, which agency is responsible for carrying out 
        subsection (a).
            ``(3) Definitions.--In this subsection, the terms `assisted 
        acquisition' and `interagency acquisition' have the meanings 
        given those terms in section 2.101 of title 48, Code of Federal 
        Regulations (or any corresponding similar regulation or ruling).

    ``(d) Assistance.--The Secretary of Homeland Security may--
            ``(1) assist executive agencies in conducting risk 
        assessments described in subsection (a) and implementing 
        mitigation requirements for information and communications 
        technology; and
            ``(2) provide such additional guidance or tools as are 
        necessary to support actions taken by executive agencies.
``Sec. 1327. <<NOTE: 41 USC 1327.>>  Judicial review procedures

    ``(a) In General.--Except as provided in subsection (b) and chapter 
71 of this title, and notwithstanding any other provision of law, an 
action taken under section 1323 or 4713 of this title, or any action 
taken by an executive agency to implement such an action, shall not be 
subject to administrative review or judicial

[[Page 132 STAT. 5186]]

review, including bid protests before the Government Accountability 
Office or in any Federal court.
    ``(b) Petitions.--
            ``(1) <<NOTE: Deadline.>>  In general.--Not later than 60 
        days after a party is notified of an exclusion or removal order 
        under section 1323(c)(6) of this title or a covered procurement 
        action under section 4713 of this title, the party may file a 
        petition for judicial review in the United States Court of 
        Appeals for the District of Columbia Circuit claiming that the 
        issuance of the exclusion or removal order or covered 
        procurement action is unlawful.
            ``(2) Standard of review.--The Court shall hold unlawful a 
        covered action taken under sections 1323 or 4713 of this title, 
        in response to a petition that the court finds to be--
                    ``(A) arbitrary, capricious, an abuse of discretion, 
                or otherwise not in accordance with law;
                    ``(B) contrary to constitutional right, power, 
                privilege, or immunity;
                    ``(C) in excess of statutory jurisdiction, 
                authority, or limitation, or short of statutory right;
                    ``(D) lacking substantial support in the 
                administrative record taken as a whole or in classified 
                information submitted to the court under paragraph (3); 
                or
                    ``(E) not in accord with procedures required by law.
            ``(3) Exclusive jurisdiction.--The United States Court of 
        Appeals for the District of Columbia Circuit shall have 
        exclusive jurisdiction over claims arising under sections 
        1323(c)(5) or 4713 of this title against the United States, any 
        United States department or agency, or any component or official 
        of any such department or agency, subject to review by the 
        Supreme Court of the United States under section 1254 of title 
        28.
            ``(4) Administrative record and procedures.--
                    ``(A) <<NOTE: Applicability.>>  In general.--The 
                procedures described in this paragraph shall apply to 
                the review of a petition under this section.
                    ``(B) Administrative record.--
                          ``(i) Filing of record.--The United States 
                      shall file with the court an administrative 
                      record, which shall consist of the information 
                      that the appropriate official relied upon in 
                      issuing an exclusion or removal order under 
                      section 1323(c)(5) or a covered procurement action 
                      under section 4713 of this title.
                          ``(ii) Unclassified, nonprivileged 
                      information.--All unclassified information 
                      contained in the administrative record that is not 
                      otherwise privileged or subject to statutory 
                      protections shall be provided to the petitioner 
                      with appropriate protections for any privileged or 
                      confidential trade secrets and commercial or 
                      financial information.
                          ``(iii) In camera and ex parte.--The following 
                      information may be included in the administrative 
                      record and shall be submitted only to the court ex 
                      parte and in camera:
                                    ``(I) Classified information.

[[Page 132 STAT. 5187]]

                                    ``(II) Sensitive security 
                                information, as defined by section 
                                1520.5 of title 49, Code of Federal 
                                Regulations.
                                    ``(III) Privileged law enforcement 
                                information.
                                    ``(IV) Information obtained or 
                                derived from any activity authorized 
                                under the Foreign Intelligence 
                                Surveillance Act of 1978 (50 U.S.C. 1801 
                                et seq.), except that, with respect to 
                                such information, subsections (c), (e), 
                                (f), (g), and (h) of section 106 (50 
                                U.S.C. 1806), subsections (d), (f), (g), 
                                (h), and (i) of section 305 (50 U.S.C. 
                                1825), subsections (c), (e), (f), (g), 
                                and (h) of section 405 (50 U.S.C. 1845), 
                                and section 706 (50 U.S.C. 1881e) of 
                                that Act shall not apply.
                                    ``(V) Information subject to 
                                privilege or protections under any other 
                                provision of law.
                          ``(iv) Under seal.--Any information that is 
                      part of the administrative record filed ex parte 
                      and in camera under clause (iii), or cited by the 
                      court in any decision, shall be treated by the 
                      court consistent with the provisions of this 
                      subparagraph and shall remain under seal and 
                      preserved in the records of the court to be made 
                      available consistent with the above provisions in 
                      the event of further proceedings. In no event 
                      shall such information be released to the 
                      petitioner or as part of the public record.
                          ``(v) Return.--After the expiration of the 
                      time to seek further review, or the conclusion of 
                      further proceedings, the court shall return the 
                      administrative record, including any and all 
                      copies, to the United States.
                    ``(C) Exclusive remedy <<NOTE: Determination.>> .--A 
                determination by the court under this subsection shall 
                be the exclusive judicial remedy for any claim described 
                in this section against the United States, any United 
                States department or agency, or any component or 
                official of any such department or agency.
                    ``(D) Rule of construction.--Nothing in this section 
                shall be construed as limiting, superseding, or 
                preventing the invocation of, any privileges or defenses 
                that are otherwise available at law or in equity to 
                protect against the disclosure of information.

    ``(c) Definition.--In this section, the term `classified 
information'--
            ``(1) has the meaning given that term in section 1(a) of the 
        Classified Information Procedures Act (18 U.S.C. App.); and
            ``(2) includes--
                    ``(A) any information or material that has been 
                determined by the United States Government pursuant to 
                an Executive order, statute, or regulation to require 
                protection against unauthorized disclosure for reasons 
                of national security; and
                    ``(B) any restricted data, as defined in section 11 
                of the Atomic Energy Act of 1954 (42 U.S.C. 2014).

[[Page 132 STAT. 5188]]

``Sec. 1328. <<NOTE: 41 USC 1328.>>  Termination

    ``This subchapter shall terminate on the date that is 5 years after 
the date of the enactment of the Federal Acquisition Supply Chain 
Security Act of 2018.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 13 of such title <<NOTE: 41 USC 1301 prec.>>  is amended by 
adding at the end the following new items:

       ``subchapter iii--federal acquisition supply chain security

``Sec.
``1321. Definitions.
``1322. Federal Acquisition Security Council establishment and 
           membership.
``1323. Functions and authorities.
``1324. Strategic plan.
``1325. Annual report.
``1326. Requirements for executive agencies.
``1327. Judicial review procedures.
``1328. Termination.''.

    (c) Effective Date <<NOTE: Applicability. 41 USC 1321 note.>> .--The 
amendments made by this section shall take effect on the date that is 90 
days after the date of the enactment of this Act and shall apply to 
contracts that are awarded before, on, or after that date.

    (d) <<NOTE: Deadlines. 41 USC 1321 note.>>  Implementation.--
            (1) Interim final rule.--Not later than one year after the 
        date of the enactment of this Act, the Federal Acquisition 
        Security Council shall prescribe an interim final rule to 
        implement subchapter III of chapter 13 of title 41, United 
        States Code, as added by subsection (a).
            (2) Final rule <<NOTE: Public comments.>> .--Not later than 
        one year after prescribing the interim final rule under 
        paragraph (1) and considering public comments with respect to 
        such interim final rule, the Council shall prescribe a final 
        rule to implement subchapter III of chapter 13 of title 41, 
        United States Code, as added by subsection (a).
            (3) Failure to act.--
                    (A) In general <<NOTE: Reports. Estimate.>> .--If 
                the Council does not issue a final rule in accordance 
                with paragraph (2) on or before the last day of the one-
                year period referred to in that paragraph, the Council 
                shall submit to the appropriate congressional committees 
                and leadership, not later than 10 days after such last 
                day and every 90 days thereafter until the final rule is 
                issued, a report explaining why the final rule was not 
                timely issued and providing an estimate of the earliest 
                date on which the final rule will be issued.
                    (B) Appropriate congressional committees and 
                leadership defined.--In this paragraph, the term 
                ``appropriate congressional committees and leadership'' 
                has the meaning given that term in section 1321 of title 
                41, United States Code, as added by subsection (a).
SEC. 203. AUTHORITIES OF EXECUTIVE AGENCIES RELATING TO MITIGATING 
                        SUPPLY CHAIN RISKS IN THE PROCUREMENT OF 
                        COVERED ARTICLES.

    (a) In General.--Chapter 47 of title 41, United States Code, is 
amended by adding at the end the following new section:

[[Page 132 STAT. 5189]]

``Sec. 4713. <<NOTE: 41 USC 4713.>>  Authorities relating to 
                  mitigating supply chain risks in the procurement 
                  of covered articles

    ``(a) Authority.--Subject to subsection (b), the head of an 
executive agency may carry out a covered procurement action.
    ``(b) Determination and Notification.--Except as authorized by 
subsection (c) to address an urgent national security interest, the head 
of an executive agency may exercise the authority provided in subsection 
(a) only after--
            ``(1) <<NOTE: Recommenda- tions. Review.>>  obtaining a 
        joint recommendation, in unclassified or classified form, from 
        the chief acquisition officer and the chief information officer 
        of the agency, or officials performing similar functions in the 
        case of executive agencies that do not have such officials, 
        which includes a review of any risk assessment made available by 
        the executive agency identified under section 1323(a)(3) of this 
        title, that there is a significant supply chain risk in a 
        covered procurement;
            ``(2) providing notice of the joint recommendation described 
        in paragraph (1) to any source named in the joint recommendation 
        advising--
                    ``(A) that a recommendation is being considered or 
                has been obtained;
                    ``(B) to the extent consistent with the national 
                security and law enforcement interests, of information 
                that forms the basis for the recommendation;
                    ``(C) <<NOTE: Deadline.>>  that, within 30 days 
                after receipt of the notice, the source may submit 
                information and argument in opposition to the 
                recommendation; and
                    ``(D) of the procedures governing the consideration 
                of the submission and the possible exercise of the 
                authority provided in subsection (a);
            ``(3) <<NOTE: Consultation.>>  making a determination in 
        writing, in unclassified or classified form, after considering 
        any information submitted by a source under paragraph (2) and in 
        consultation with the chief information security officer of the 
        agency, that--
                    ``(A) use of the authority under subsection (a) is 
                necessary to protect national security by reducing 
                supply chain risk;
                    ``(B) less intrusive measures are not reasonably 
                available to reduce such supply chain risk; and
                    ``(C) the use of such authorities will apply to a 
                single covered procurement or a class of covered 
                procurements, and otherwise specifies the scope of the 
                determination; and
            ``(4) <<NOTE: Summaries.>>  providing a classified or 
        unclassified notice of the determination made under paragraph 
        (3) to the appropriate congressional committees and leadership 
        that includes--
                    ``(A) the joint recommendation described in 
                paragraph (1);
                    ``(B) a summary of any risk assessment reviewed in 
                support of the joint recommendation required by 
                paragraph (1); and
                    ``(C) a summary of the basis for the determination, 
                including a discussion of less intrusive measures that 
                were considered and why such measures were not 
                reasonably available to reduce supply chain risk.

    ``(c) Procedures To Address Urgent National Security Interests.--In 
any case in which the head of an executive agency

[[Page 132 STAT. 5190]]

determines that an urgent national security interest requires the 
immediate exercise of the authority provided in subsection (a), the head 
of the agency--
            ``(1) may, to the extent necessary to address such national 
        security interest, and subject to the conditions in paragraph 
        (2)--
                    ``(A) temporarily delay the notice required by 
                subsection (b)(2);
                    ``(B) make the determination required by subsection 
                (b)(3), regardless of whether the notice required by 
                subsection (b)(2) has been provided or whether the 
                notified source has submitted any information in 
                response to such notice;
                    ``(C) temporarily delay the notice required by 
                subsection (b)(4); and
                    ``(D) <<NOTE: Deadline.>>  exercise the authority 
                provided in subsection (a) in accordance with such 
                determination within 60 calendar days after the day the 
                determination is made; and
            ``(2) shall take actions necessary to comply with all 
        requirements of subsection (b) as soon as practicable after 
        addressing the urgent national security interest, including--
                    ``(A) providing the notice required by subsection 
                (b)(2);
                    ``(B) promptly considering any information submitted 
                by the source in response to such notice, and making any 
                appropriate modifications to the determination based on 
                such information;
                    ``(C) providing the notice required by subsection 
                (b)(4), including a description of the urgent national 
                security interest, and any modifications to the 
                determination made in accordance with subparagraph (B); 
                and
                    ``(D) <<NOTE: Notice. Deadline.>>  providing notice 
                to the appropriate congressional committees and 
                leadership within 7 calendar days of the covered 
                procurement actions taken under this section.

    ``(d) Confidentiality.--The notice required by subsection (b)(2) 
shall be kept confidential until a determination with respect to a 
covered procurement action has been made pursuant to subsection (b)(3).
    ``(e) Delegation.--The head of an executive agency may not delegate 
the authority provided in subsection (a) or the responsibility 
identified in subsection (f) to an official below the level one level 
below the Deputy Secretary or Principal Deputy Director.
    ``(f) Annual Review of Determinations.--The head of an executive 
agency shall conduct an annual review of all determinations made by such 
head under subsection (b) and promptly amend any covered procurement 
action as appropriate.
    ``(g) Regulations.--The Federal Acquisition Regulatory Council shall 
prescribe such regulations as may be necessary to carry out this 
section.
    ``(h) Reports Required.--Not less frequently than annually, the head 
of each executive agency that exercised the authority provided in 
subsection (a) or (c) during the preceding 12-month period shall submit 
to the appropriate congressional committees and leadership a report 
summarizing the actions taken by the agency under this section during 
that 12-month period.
    ``(i) Rule of Construction.--Nothing in this section shall be 
construed to authorize the head of an executive agency to carry out a 
covered procurement action based solely on the fact of foreign

[[Page 132 STAT. 5191]]

ownership of a potential procurement source that is otherwise qualified 
to enter into procurement contracts with the Federal Government.
    ``(j) Termination.--The authority provided under subsection (a) 
shall terminate on the date that is 5 years after the date of the 
enactment of the Federal Acquisition Supply Chain Security Act of 2018.
    ``(k) Definitions.--In this section:
            ``(1) Appropriate congressional committees and leadership.--
        The term `appropriate congressional committees and leadership' 
        means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs, the Committee on the Judiciary, 
                the Committee on Appropriations, the Committee on Armed 
                Services, the Committee on Commerce, Science, and 
                Transportation, the Select Committee on Intelligence, 
                and the majority and minority leader of the Senate; and
                    ``(B) the Committee on Oversight and Government 
                Reform, the Committee on the Judiciary, the Committee on 
                Appropriations, the Committee on Homeland Security, the 
                Committee on Armed Services, the Committee on Energy and 
                Commerce, the Permanent Select Committee on 
                Intelligence, and the Speaker and minority leader of the 
                House of Representatives.
            ``(2) Covered article.--The term `covered article' means--
                    ``(A) information technology, as defined in section 
                11101 of title 40, including cloud computing services of 
                all types;
                    ``(B) telecommunications equipment or 
                telecommunications service, as those terms are defined 
                in section 3 of the Communications Act of 1934 (47 
                U.S.C. 153);
                    ``(C) the processing of information on a Federal or 
                non-Federal information system, subject to the 
                requirements of the Controlled Unclassified Information 
                program; or
                    ``(D) hardware, systems, devices, software, or 
                services that include embedded or incidental information 
                technology.
            ``(3) Covered procurement.--The term `covered procurement' 
        means--
                    ``(A) a source selection for a covered article 
                involving either a performance specification, as 
                provided in subsection (a)(3)(B) of section 3306 of this 
                title, or an evaluation factor, as provided in 
                subsection (b)(1)(A) of such section, relating to a 
                supply chain risk, or where supply chain risk 
                considerations are included in the agency's 
                determination of whether a source is a responsible 
                source as defined in section 113 of this title;
                    ``(B) the consideration of proposals for and 
                issuance of a task or delivery order for a covered 
                article, as provided in section 4106(d)(3) of this 
                title, where the task or delivery order contract 
                includes a contract clause establishing a requirement 
                relating to a supply chain risk;
                    ``(C) any contract action involving a contract for a 
                covered article where the contract includes a clause 
                establishing requirements relating to a supply chain 
                risk; or
                    ``(D) any other procurement in a category of 
                procurements determined appropriate by the Federal 
                Acquisition

[[Page 132 STAT. 5192]]

                Regulatory Council, with the advice of the Federal 
                Acquisition Security Council.
            ``(4) Covered procurement action.--The term `covered 
        procurement action' means any of the following actions, if the 
        action takes place in the course of conducting a covered 
        procurement:
                    ``(A) The exclusion of a source that fails to meet 
                qualification requirements established under section 
                3311 of this title for the purpose of reducing supply 
                chain risk in the acquisition or use of covered 
                articles.
                    ``(B) The exclusion of a source that fails to 
                achieve an acceptable rating with regard to an 
                evaluation factor providing for the consideration of 
                supply chain risk in the evaluation of proposals for the 
                award of a contract or the issuance of a task or 
                delivery order.
                    ``(C) The determination that a source is not a 
                responsible source as defined in section 113 of this 
                title based on considerations of supply chain risk.
                    ``(D) The decision to withhold consent for a 
                contractor to subcontract with a particular source or to 
                direct a contractor to exclude a particular source from 
                consideration for a subcontract under the contract.
            ``(5) Information and communications technology.--The term 
        `information and communications technology' means--
                    ``(A) information technology, as defined in section 
                11101 of title 40;
                    ``(B) information systems, as defined in section 
                3502 of title 44; and
                    ``(C) telecommunications equipment and 
                telecommunications services, as those terms are defined 
                in section 3 of the Communications Act of 1934 (47 
                U.S.C. 153).
            ``(6) Supply chain risk.--The term `supply chain risk' means 
        the risk that any person may sabotage, maliciously introduce 
        unwanted function, extract data, or otherwise manipulate the 
        design, integrity, manufacturing, production, distribution, 
        installation, operation, maintenance, disposition, or retirement 
        of covered articles so as to surveil, deny, disrupt, or 
        otherwise manipulate the function, use, or operation of the 
        covered articles or information stored or transmitted on the 
        covered articles.
            ``(7) Executive agency.--Notwithstanding section 3101(c)(1), 
        this section applies to the Department of Defense, the Coast 
        Guard, and the National Aeronautics and Space Administration.''.

    (b) Clerical Amendment.--The table of sections at the beginning of 
chapter 47 of such title <<NOTE: 41 USC 4701 prec.>>  is amended by 
adding at the end the following new item:

``4713. Authorities relating to mitigating supply chain risks in the 
           procurement of covered articles.''.

    (c) Effective Date <<NOTE: 41 USC 4713 note.>> .--The amendments 
made by this section shall take effect on the date that is 90 days after 
the date of the enactment of this Act and shall apply to contracts that 
are awarded before, on, or after that date.
SEC. 204. FEDERAL INFORMATION SECURITY MODERNIZATION ACT.

    (a) In General.--Title 44, United States Code, is amended--

[[Page 132 STAT. 5193]]

            (1) in section 3553(a)(5), by inserting ``and section 1326 
        of title 41'' after ``compliance with the requirements of this 
        subchapter''; and
            (2) in section 3554(a)(1)(B)--
                    (A) by inserting ``, subchapter III of chapter 13 of 
                title 41,'' after ``complying with the requirements of 
                this subchapter'';
                    (B) in clause (iv), by striking ``; and'' and 
                inserting a semicolon; and
                    (C) by adding at the end the following new clause:
                          ``(vi) responsibilities relating to assessing 
                      and avoiding, mitigating, transferring, or 
                      accepting supply chain risks under section 1326 of 
                      title 41, and complying with exclusion and removal 
                      orders issued under section 1323 of such title; 
                      and''.

    (b) Rule of Construction <<NOTE: 44 USC 3553 note.>> .--Nothing in 
this title shall be construed to alter or impede any authority or 
responsibility under section 3553 of title 44, United States Code.
SEC. 205. <<NOTE: 41 USC 1321 note.>>  EFFECTIVE DATE.

    This title shall take effect on the date that is 90 days after the 
date of the enactment of this Act.

    Approved December 21, 2018.

LEGISLATIVE HISTORY--H.R. 7327:
---------------------------------------------------------------------------

CONGRESSIONAL RECORD, Vol. 164 (2018):
            Dec. 19, considered and passed House and Senate.

                                  <all>