SEC. 881. PERMANENT SUPPLY CHAIN RISK MANAGEMENT AUTHORITY.
(a) Permanent Extension Of Authority.—
(1) IN GENERAL.—Chapter 137 of title 10, United States Code, is
amended by adding at the end the following new section:
“§ 2339a. Requirements for information relating to supply chain
risk
“(a) Authority.—Subject to subsection (b), the head of a covered
agency may—
“(1) carry out a covered procurement action; and
“(2) limit, notwithstanding any other provision of law, in whole
or in part, the disclosure of information relating to the basis
for carrying out a covered procurement action.
“(b) Determination And Notification.—The head of a covered
agency may exercise the authority provided in subsection (a)
only after—
“(1) obtaining a joint recommendation by the Under Secretary of
Defense for Acquisition and Sustainment and the Chief
Information Officer of the Department of Defense, on the basis
of a risk assessment by the Under Secretary of Defense for
Intelligence, that there is a significant supply chain risk to a
covered system;
“(2) making a determination in writing, in unclassified or
classified form, with the concurrence of the Under Secretary of
Defense for Acquisition and Sustainment, that—
“(A) use of the authority in subsection (a)(1) is necessary to
protect national security by reducing supply chain risk;
“(B) less intrusive measures are not reasonably available to
reduce such supply chain risk; and
“(C) in a case where the head of the covered agency plans to
limit disclosure of information under subsection (a)(2), the
risk to national security due to the disclosure of such
information outweighs the risk due to not disclosing such
information; and
“(3) providing a classified or unclassified notice of the
determination made under paragraph (2) to the appropriate
congressional committees, which notice shall include—
“(A) the information required by section 2304(f)(3) of this
title;
“(B) the joint recommendation by the Under Secretary of Defense
for Acquisition and Sustainment and the Chief Information
Officer of the Department of Defense as specified in paragraph
(1);
“(C) a summary of the risk assessment by the Under Secretary of
Defense for Intelligence that serves as the basis for the joint
recommendation specified in paragraph (1); and
“(D) a summary of the basis for the determination, including a
discussion of less intrusive measures that were considered and
why they were not reasonably available to reduce supply chain
risk.
“(c) Delegation.—The head of a covered agency may not delegate
the authority provided in subsection (a) or the responsibility
to make a determination under subsection (b) to an official
below the level of the service acquisition executive for the
agency concerned.
“(d) Limitation On Disclosure.—If the head of a covered agency
has exercised the authority provided in subsection (a)(2) to
limit disclosure of information—
“(1) no action undertaken by the agency head under such
authority shall be subject to review in a bid protest before the
Government Accountability Office or in any Federal court; and
“(2) the agency head shall—
“(A) notify appropriate parties of a covered procurement action
and the basis for such action only to the extent necessary to
effectuate the covered procurement action;
“(B) notify other Department of Defense components or other
Federal agencies responsible for procurements that may be
subject to the same or similar supply chain risk, in a manner
and to the extent consistent with the requirements of national
security; and
“(C) ensure the confidentiality of any such notifications.
“(e) Definitions.—In this section:
“(1) HEAD OF A COVERED AGENCY.—The term ‘head of a covered
agency’ means each of the following:
“(A) The Secretary of Defense.
“(B) The Secretary of the Army.
“(C) The Secretary of the Navy.
“(D) The Secretary of the Air Force.
“(2) COVERED PROCUREMENT ACTION.—The term ‘covered procurement
action’ means any of the following actions, if the action takes
place in the course of conducting a covered procurement:
“(A) The exclusion of a source that fails to meet qualification
standards established in accordance with the requirements of
section 2319 of this title for the purpose of reducing supply
chain risk in the acquisition of covered systems.
“(B) The exclusion of a source that fails to achieve an
acceptable rating with regard to an evaluation factor providing
for the consideration of supply chain risk in the evaluation of
proposals for the award of a contract or the issuance of a task
or delivery order.
“(C) The decision to withhold consent for a contractor to
subcontract with a particular source or to direct a contractor
for a covered system to exclude a particular source from
consideration for a subcontract under the contract.
“(3) COVERED PROCUREMENT.—The term ‘covered procurement’ means—
“(A) a source selection for a covered system or a covered item
of supply involving either a performance specification, as
provided in section 2305(a)(1)(C)(ii) of this title, or an
evaluation factor, as provided in section 2305(a)(2)(A) of this
title, relating to supply chain risk;
“(B) the consideration of proposals for and issuance of a task
or delivery order for a covered system or a covered item of
supply, as provided in section 2304c(d)(3) of this title, where
the task or delivery order contract concerned includes a
contract clause establishing a requirement relating to supply
chain risk; or
“(C) any contract action involving a contract for a covered
system or a covered item of supply where such contract includes
a clause establishing requirements relating to supply chain
risk.
“(4) SUPPLY CHAIN RISK.—The term ‘supply chain risk’ means the
risk that an adversary may sabotage, maliciously introduce
unwanted function, or otherwise subvert the design, integrity,
manufacturing, production, distribution, installation,
operation, or maintenance of a covered system so as to surveil,
deny, disrupt, or otherwise degrade the function, use, or
operation of such system.
“(5) COVERED SYSTEM.—The term ‘covered system’ means a national
security system, as that term is defined in section 3542(b) of
title 44.
“(6) COVERED ITEM OF SUPPLY.—The term ‘covered item of supply’
means an item of information technology (as that term is defined
in section 11101 of title 40) that is purchased for inclusion in
a covered system, and the loss of integrity of which could
result in a supply chain risk for a covered system.
“(7) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term ‘appropriate
congressional committees’ means—
“(A) in the case of a covered system included in the National
Intelligence Program or the Military Intelligence Program, the
Select Committee on Intelligence of the Senate, the Permanent
Select Committee on Intelligence of the House of
Representatives, and the congressional defense committees; and
“(B) in the case of a covered system not otherwise included in
subparagraph (A), the congressional defense committees.”.
(2) CLERICAL AMENDMENT.—The table of sections at the beginning
of such chapter is amended by inserting after the item relating
to section 2339 the following new item:
“2339a. Requirements for information relating to supply chain
risk.”.
(b) Repeal Of Obsolete Authority.—Section 806(g) of the Ike
Skelton National Defense Authorization Act for Fiscal Year 2011
(Public Law 111–383; 10 U.S.C. 2304 note) is hereby repealed.
Permanent Supply Chain Risk Management
Authority (sec. 881)
The Senate amendment contained a
provision (sec. 801) that would permanently extend the authority
provided in section 806 of the Ike Skelton National Defense
Authorization Act for Fiscal Year 2011 (Public Law 111–383)
regarding the management of supply chain risk and would clarify
the Secretary of Defense’s ability to make determinations under
the authority to apply throughout the Department of Defense.
The House bill contained no similar
provision.
The House recedes.