How To Use the NDAA Pages

Back to NDAA Contents

TITLE VIII--ACQUISITION POLICY, ACQUISITION MANAGEMENT, AND RELATED MATTERS

Subtitle E—Provisions Relating to Supply Chain Security

P. L. 117-81

Joint Explanatory Statement

Section 2509 of title 10, United States Code is amended--

(1) in subsection (a)--

(A) by striking ``existing''; and

(B) by striking ``across the acquisition process'' and all that follows through ``in the Department'';

(2) by striking subsections (f) and (g);

(3) by redesignating subsections (b) through (e) as subsections (c) through (f), respectively;

(4) by inserting after subsection (a) the following new subsection:

``(b) Objective.--The objective of subsection (a) shall be to employ digital tools, technologies, and approaches to ensure the accessibility of relevant defense industrial base data to key decision-makers in the Department.'';

(5) in subsection (c), as so redesignated--

(A) in paragraph (1), by adding ``in implementing subsections (a) and (b)'' before the period at the end; and

(B) in paragraph (2)--(i) in subparagraph (A)(viii), by inserting ``by the
Secretary of Defense'' before the period at the end; and
(ii) in subparagraph (B)--(I) in the text preceding clause (i), by striking ``constitute'' and inserting ``constitutes or may constitute'' ; and
(II) in clause (vii), by inserting ``by the Secretary of Defense'' before the period at the end;

(6) in subsection (d)(11), as so redesignated, by adding ``as deemed appropriate by the Secretary'' before the period at the end; and

(7) in subsection (e), as so redesignated--

(A) in paragraph (1)--

(i) in subparagraph (A), by striking ``timely''; and

(ii) in subparagraph (B)--(I) by striking clause (ii) and inserting the
following new clause:

``(ii) A description of modern data infrastructure, tools, and applications and an assessment of the extent to which new capabilities would improve the effectiveness and efficiency of mitigating the risks described in subsection (c)(2).''; and (II) in clause (iii), by inserting ``, including the following'' after ``provides data''; and (B) by striking paragraph (2) and inserting the following new paragraph:

``(2)(A) Based on the findings pursuant to paragraph (1), the Secretary of Defense shall develop a unified set of activities to modernize the systems of record, data sources and collection methods, and data exposure mechanisms. The unified set of activities should include--

``(i) the ability to continuously collect data on, assess, and mitigate risks;

``(ii) data analytics and business intelligence tools and methods; and

``(iii) continuous development and continuous delivery of secure software to implement the activities.

``(B) In connection with the assessments described in this section, the Secretary shall develop capabilities to map supply chains and to assess risks to the supply chain for major end items by business sector, vendor, program, part, and other metrics as determined by the Secretary.''.

The House bill contained a provision (sec. 832) that would require the Department of Defense to develop a supply chain risk assessment framework leveraging of supply chain illumination tools.

The Senate amendment contained no similar provision.

The agreement includes the House provision with an amendment that would amend section 2509 of title 10, United States Code, and require the Department to report on the assessment required in the section.

We note that the assessment required under section 2509 of title 10, United States Code, should address potential options for data infrastructure, tools, and applications in which the Department of Defense may invest to develop information systems and data analytics capabilities to support the reduction of risks to the defense supply chain.

We expect the assessment to include the extent to which technologies can provide for a map of supply chains that supports analysis, monitoring, and reporting with respect to high-risk subcontractors and risks to such supply chains; and technologies could assist in the assessment of risks to the supply chains by business sector, vendor, program, part, service, or technology. The assessment should also identify the organizations responsible for implementation of and overall operation of the system and for data collection, management, and analyses; a schedule and milestones for procurement and deployment of technologies; resources required for procurement and deployment of technologies, including personnel and funding; implementation risks for procurement and deployment of
technologies and plans to mitigate risks to the defense industrial base; and identification of any required updates to policy, guidance, or legislation to support efficient and effective execution of activities under this section.

We note the potential for advanced and commercial data  analytics systems and technologies to provide new capabilities to assess and analyze defense supply chains. For example, advances in decision science, commercial data analytics systems, and machine learning techniques may be applied to such an effort.

We recommend that the Secretary of Defense consider the development of a database to integrate the current disparate data systems that contain defense supply chain information, and to help provide for consistent availability, interoperability, and centralized reporting of data to support efficient mitigation and remediation of identified supply chain vulnerabilities. We note that the Secretary should ensure that the systems are scalable so as to support multiple users, include robust cybersecurity capabilities, and are optimized for information-sharing and collaboration.

We support Department efforts to develop the implementation plan and report on implementation of the framework as required by section 845 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116–92). We continue to await receipt of the plan and report, which were due March 20, 2020, and March 20, 2021, respectively. We direct the Secretary of Defense to provide a briefing, not later than June 1, 2022, to the congressional defense committees with an update on the framework  implementation as required by section 2509 of title 10, United States Code, and the assessment identified in subsection (e)(B)(ii) of this section.

We further direct the Comptroller General of the United States to submit to the congressional defense committees the two remaining periodic assessments of the Department’s progress in implementing the framework required under subsection (c) of this section, to be provided not later than March 15, 2022, and March 15, 2024, as originally required.

H. R. 4350--House Report 117-118

Section 832--Defense Supply Chain Risk Assessment Framework

This section would require the Department of Defense to develop a supply chain risk assessment framework leveraging of supply chain illumination tools.