How To Use the ISNDAA Pages

Back to ISNDAA Contents

TITLE VIII--ACQUISITION POLICY, ACQUISITION MANAGEMENT, AND RELATED MATTERS

Subtitle A--Acquisition Policy and Management

P. L. 111-

Joint Explanatory Statement of the Committees on Armed Services of the U. S. Senate and House of Representatives on H. R. 6523

From H. R. 6523

SEC. 806. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK.

(a) Authority- Subject to subsection (b), the head of a covered agency may--

(1) carry out a covered procurement action; and

(2) limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information relating to the basis for carrying out a covered procurement action.

(b) Determination and Notification- The head of a covered agency may exercise the authority provided in subsection (a) only after--

(1) obtaining a joint recommendation by the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Chief Information Officer of the Department of Defense, on the basis of a risk assessment by the Under Secretary of Defense for Intelligence, that there is a significant supply chain risk to a covered system;

(2) making a determination in writing, in unclassified or classified form, with the concurrence of the Under Secretary of Defense for Acquisition, Technology, and Logistics, that--

(A) use of the authority in subsection (a)(1) is necessary to protect national security by reducing supply chain risk;

(B) less intrusive measures are not reasonably available to reduce such supply chain risk; and

(C) in a case where the head of the covered agency plans to limit disclosure of information under subsection (a)(2), the risk to national security due to the disclosure of such information outweighs the risk due to not disclosing such information; and

(3) providing a classified or unclassified notice of the determination made under paragraph (2) to the appropriate congressional committees, which notice shall include--

(A) the information required by section 2304(f)(3) of title 10, United States Code;

(B) the joint recommendation by the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Chief Information Officer of the Department of Defense as specified in paragraph (1);

(C) a summary of the risk assessment by the Under Secretary of Defense for Intelligence that serves as the basis for the joint recommendation specified in paragraph (1); and

(D) a summary of the basis for the determination, including a discussion of less intrusive measures that were considered and why they were not reasonably available to reduce supply chain risk.

(c) Delegation- The head of a covered agency may not delegate the authority provided in subsection (a) or the responsibility to make a determination under subsection (b) to an official below the level of the service acquisition executive for the agency concerned.

(d) Limitation on Disclosure- If the head of a covered agency has exercised the authority provided in subsection (a)(2) to limit disclosure of information--

(1) no action undertaken by the agency head under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court; and

(2) the agency head shall--

(A) notify appropriate parties of a covered procurement action and the basis for such action only to the extent necessary to effectuate the covered procurement action;

(B) notify other Department of Defense components or other Federal agencies responsible for procurements that may be subject to the same or similar supply chain risk, in a manner and to the extent consistent with the requirements of national security; and

(C) ensure the confidentiality of any such notifications.

(e) Definitions- In this section:

(1) HEAD OF A COVERED AGENCY- The term `head of a covered agency' means each of the following:

(A) The Secretary of Defense.

(B) The Secretary of the Army.

(C) The Secretary of the Navy.

(D) The Secretary of the Air Force.

(2) COVERED PROCUREMENT ACTION- The term `covered procurement action' means any of the following actions, if the action takes place in the course of conducting a covered procurement:

(A) The exclusion of a source that fails to meet qualification standards established in accordance with the requirements of section 2319 of title 10, United States Code, for the purpose of reducing supply chain risk in the acquisition of covered systems.

(B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.

(C) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor for a covered system to exclude a particular source from consideration for a subcontract under the contract.

(3) COVERED PROCUREMENT- The term `covered procurement' means--

(A) a source selection for a covered system or a covered item of supply involving either a performance specification, as provided in section 2305(a)(1)(C)(ii) of title 10, United States Code, or an evaluation factor, as provided in section 2305(a)(2)(A) of such title, relating to supply chain risk;

(B) the consideration of proposals for and issuance of a task or delivery order for a covered system or a covered item of supply, as provided in section 2304c(d)(3) of title 10, United States Code, where the task or delivery order contract concerned includes a contract clause establishing a requirement relating to supply chain risk; or

(C) any contract action involving a contract for a covered system or a covered item of supply where such contract includes a clause establishing requirements relating to supply chain risk.

(4) SUPPLY CHAIN RISK- The term `supply chain risk' means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

(5) COVERED SYSTEM- The term `covered system' means a national security system, as that term is defined in section 3542(b) of title 44, United States Code.

(6) COVERED ITEM OF SUPPLY- The term `covered item of supply' means an item of information technology (as that term is defined in section 11101 of title 40, United States Code) that is purchased for inclusion in a covered system, and the loss of integrity of which could result in a supply chain risk for a covered system.

(7) APPROPRIATE CONGRESSIONAL COMMITTEES- The term `appropriate congressional committees' means--

(A) in the case of a covered system included in the National Intelligence Program or the Military Intelligence Program, the Select Committee on Intelligence of the Senate, the Permanent Select Committee on Intelligence of the House of Representatives, and the congressional defense committees; and

(B) in the case of a covered system not otherwise included in subparagraph (A), the congressional defense committees.

(f) Effective Date- The requirements of this section shall take effect on the date that is 180 days after the date of the enactment of this Act and shall apply to--

(1) contracts that are awarded on or after such date; and

(2) task and delivery orders that are issued on or after such date pursuant to contracts that awarded before, on, or after such date.

(g) Sunset- The authority provided in this section shall expire on the date that is three years after the date of the enactment of this Act.

From S. 3454, National Defense Authorization Act for Fiscal Year 2011

SEC. 815. REDUCTION OF SUPPLY CHAIN RISK IN THE ACQUISITION OF NATIONAL SECURITY SYSTEMS.

(a) Use of Qualification Requirements to Reduce Supply Chain Risk- The head of an agency may, on the basis of a joint recommendation by the Director of the Defense Intelligence Agency and the Assistant Secretary of Defense for Networks and Information Integration--

(1) establish qualification requirements, in accordance with the requirements of section 2319 of title 10, United States Code, for the purpose of reducing supply chain risk in the acquisition of covered systems or covered items of supply; and

(2) restrict the procurement of a covered system or a covered item of supply to sources that meet qualification requirements established pursuant to paragraph (1).

(b) Use of Evaluation Factors to Reduce Supply Chain Risk- The head of an agency may--

(1) provide for the consideration of supply chain risk as a significant factor in the evaluation of proposals for the procurement of a covered system or a covered item of supply; and

(2) utilize the assistance of the Director of the Defense Intelligence Agency and the Assistant Secretary of Defense for Networks and Information Integration in evaluating proposals with regard to such factor.

(c) Exclusion of Certain Sources to Reduce Supply Chain Risk- If the head of an agency determines, on the basis of a joint recommendation by the Director of the Defense Intelligence Agency and the Assistant Secretary of Defense for Networks and Information Integration, that the exclusion of a particular source is necessary to avoid an unacceptable supply chain risk, the head of an agency may--

(1) notwithstanding the requirements of section 2304(a) of title 10, United States Code, provide for the procurement of a covered system or a covered item of supply using competitive procedures, but excluding the particular source;

(2) notwithstanding the requirements of section 2304c(b) of title 10, United States Code, provide for the award of a task or delivery order for a covered system or a covered item of supply under a multiple task or delivery order contract on the basis of a fair opportunity for all contractors to be considered, after excluding the particular source;

(3) withhold consent for a contractor for a covered system or a covered item of supply to subcontract with the particular source; or

(4) direct a contractor for a covered system or a covered item of supply to exclude the particular source from consideration for subcontracts under the contract.

(d) Determinations- A determination under subsection (c) that the exclusion of a particular source is necessary to avoid an unacceptable supply chain risk--

(1) shall be made in writing;

(2) shall include--

(A) the information required by section 2304(f)(3) of title 10, United States Code; and

(B) the joint recommendation by the Director of the Defense Intelligence Agency and the Assistant Secretary of Defense for Networks and Information Integration as specified in subsection (c);

(3) may not be delegated--

(A) in the case of a procurement with an estimated value of $50,000,000 or more (including all options), below the level of head of an agency;

(B) in the case of any other procurement, below the level of senior procurement executive for an agency;

(4) shall not be subject to disclosure under section 552 of title 5, United States Code;

(5) shall be made in the sole discretion of the head of an agency or senior procurement executive of an agency, as the case may be; and

(6) shall not be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

(e) Reports-

(1) IN GENERAL- Not later than 60 days after the end of each fiscal year in which the authority under this section is in effect, the Secretary of Defense shall submit to the congressional defense committees a report on the use of the authority during the previous fiscal year.

(2) ELEMENTS- Each report under this subsection shall include, at a minimum, for the fiscal year covered by such report the following:

(A) A statistical summary of the contracts subject to qualification requirements under subsection (a), including information on numbers of contracts, contract award amounts, and categories of systems or items of supply addressed.

(B) A statistical summary of the contracts subject to determinations under subsection (b), including information on numbers of contracts, contract award amounts, and categories of systems or items of supply addressed.

(C) A statistical summary of the contracts subject to determinations under subsection (c), including information on numbers of contracts, contract award amounts, and categories of systems or items of supply addressed.

(D) A description of each determination under subsection (c), including a summary of the information required by subsection (d)(2).

(f) Definitions- In this section:

(1) The term `covered item of supply' means an item of information technology (as that term is defined in section 11101 of title 40, United States Code), or any other supply item, the loss of integrity of which could result in a supply chain risk for a covered system.

(2) The term `covered system' means a national security system, as that term is defined in section 3542(b) of title 44, United States Code.

(3) The term `head of an agency' has the meaning given that term in section 2302(1) of title 10, United States Code.

(4) The term `supply chain risk' means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system or a covered item of supply so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of the system or item.

(g) Sunset of Authority to Exclude Sources- The authority to exclude sources as provided in subsection (c) shall expire on the date that is five years after the date of the enactment of this Act.

The Senate committee-reported bill contained a provision (sec. 815) that would authorize the head of an agency to take certain actions to address supply chain risk in the acquisition of national security systems.

The House bill contained no similar provision.

The agreement includes the Senate provision with an amendment to clarify the determinations required before the head of an agency may act, the circumstances in which such determinations may be made, and the scope of the actions that may be taken pursuant to such determinations.

From S. Rpt. 111-201, to accompany S. 3454, NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2011

Reduction of supply chain risk in the acquisition of national security systems (sec. 815)

The committee recommends a provision that would authorize the Secretary of Defense to take certain steps in the procurement process to reduce supply chain risk in the acquisition of sensitive information technology systems that are used for intelligence or cryptologic activities; used for command and control of military forces; or form an integral part of a weapons system. In particular, the Secretary would be authorized to: (1) reduce supply risk by establishing qualification requirements in accordance with the requirements of section 2319 of title 10, United States Code; (2) provide for the consideration of supply chain risk as a significant evaluation factor in certain solicitations; and (3) exclude a particular source from consideration where necessary to avoid an unacceptable supply chain risk. The term `supply chain risk' would be defined, as recommended by the Department of Defense, to mean the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of the system.

On December 22, 2009, the Secretary of Defense submitted a report on trusted defense systems, as required by section 254 of the Duncan Hunter National Defense Authorization Act for Fiscal Year 2009 (Public Law 110-417). In that report, the Secretary found that the globalization of the information technology industry has increased the vulnerability of the Department of Defense (DOD) to attacks on its systems and networks. The report found an increasing risk that systems and networks critical to DOD could be exploited through the introduction of counterfeit or malicious code and other defects introduced by suppliers of systems or components. The committee concludes that the Secretary should have the authority needed to address this risk.