How To Use the NDAA Pages

Back to NDAA Contents

TITLE VIII--ACQUISITION POLICY, ACQUISITION MANAGEMENT, AND RELATED MATTERS

Subtitle E--Industrial Base Matters

P. L. 116-92

House Conference Report 116-333

(a) In General.--Subchapter II of chapter 148 of title 10, United States Code, is amended by adding at the end the following new section: ``Sec. 2509. Modernization of acquisition processes to ensure integrity of industrial base

``(a) Digitization and Modernization.--The Secretary of Defense shall streamline and digitize the existing Department of Defense approach for identifying and mitigating risks to the defense industrial base across the acquisition process, creating a continuous model that uses digital tools, technologies, and approaches designed to ensure the accessibility of data to key decision-makers in the Department.

``(b) Analytical Framework.--(1) The Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Director of the Defense Counterintelligence and Security Agency and the heads of other elements of the Department of Defense as appropriate, shall develop an analytical framework for risk mitigation across the acquisition process.

``(2) The analytical framework required under paragraph (1) shall include the following elements:

``(A) Characterization and monitoring of supply chain risks,
including--

``(i) material sources and fragility, including the extent to which sources, items, materials, and articles are mined, produced, or manufactured within or outside the United States;

``(ii) telecommunications services or equipment (other than optical transmission components);

``(iii) counterfeit parts;

``(iv) cybersecurity of contractors;

``(v) video surveillance services or equipment;

``(vi) vendor vetting in contingency or operational environments;

``(vii) other electronic or information technology products and services; and

``(viii) other risk areas as determined appropriate.

``(B) Characterization and monitoring of risks posed by contractor behavior that constitute violations of laws or regulations, including those relating to--

``(i) fraud;

``(ii) ownership structures;

``(iii) trafficking in persons;

``(iv) workers' health and safety;

``(v) affiliation with the enemy;

``(vi) foreign influence; and

``(vii) other risk areas as deemed appropriate.

``(C) Characterization and assessment of the acquisition processes and procedures of the Department of Defense, including--

``(i) market research;

``(ii) responsibility determinations, including consideration of the need for special standards of responsibility to address the risks described in subparagraphs (A) and (B);

``(iii) facilities clearances;

``(iv) the development of contract requirements;

``(v) the technical evaluation of offers and contract awards;

``(vi) contractor mobilization, including hiring, training, and establishing facilities;

``(vii) contract administration, contract management, and oversight;

``(viii) contract audit for closeout;

``(ix) suspension and debarment activities and administrative appeals activities;

``(x) contractor business system reviews; and

``(xi) other relevant processes and procedures.

``(D) Characterization and monitoring of the health and activities of the defense industrial base, including those relating to--

``(i) balance sheets, revenues, profitability, and debt;

``(ii) investment, innovation, and technological and manufacturing sophistication;

``(iii) finances, access to capital markets, and cost of
raising capital within those markets;

``(iv) corporate governance, leadership, and culture of performance; and

``(v) history of performance on past Department of Defense and government contracts.

``(c) Roles and Responsibilities.--The Secretary of Defense shall designate the roles and responsibilities of organizations and individuals to execute activities under this section, including--

``(1) the Under Secretary of Defense for Acquisition and Sustainment, including the Office of Defense Pricing and Contracting and the Office of Industrial Policy;

``(2) service acquisition executives;

``(3) program offices and procuring contracting officers;

``(4) administrative contracting officers within the Defense Contract Management Agency and the Supervisor of Shipbuilding;

``(5) the Defense Counterintelligence and Security Agency;

``(6) the Defense Contract Audit Agency;

``(7) each element of the Department of Defense which own or operate systems containing data relevant to contractors of the Department;

``(8) the Under Secretary of Defense for Research and Engineering;

``(9) the suspension and debarment official of the Department;

``(10) the Chief Information Officer; and

``(11) other relevant organizations and individuals.

``(d) Enabling Data, Tools, and Systems.--(1)(A) The Under Secretary of Defense for Acquisition and Sustainment, in consultation with the Chief Data Officer of the Department of Defense and the Director of the Defense Counterintelligence and Security Agency, shall assess the extent to which existing systems of record relevant to risk assessments and contracting are producing, exposing, and timely maintaining valid and reliable data for the purposes of the Department's continuous assessment and mitigation of risks in the defense industrial base.

``(B) The assessment required under subparagraph (A) shall include the following elements:

``(i) Identification of the necessary source data, to include data from contractors, intelligence and security activities, program offices, and commercial research entities.

``(ii) A description of the modern data infrastructure, tools, and applications and what changes would improve the effectiveness and efficiency of mitigating the risks described in subsection (b)(2).

``(iii) An assessment of the following systems owned or operated outside of the Department of Defense that the Department depends upon or to which it provides data:

``(I) The Federal Awardee Performance and Integrity Information System (FAPIIS).

``(II) The System for Award Management (SAM).

``(III) The Federal Procurement Data System-Next Generation (FPDS-NG).

``(IV) The Electronic Data Management Information System.

``(V) Other systems the Secretary of Defense determines appropriate.

``(iv) An assessment of systems owned or operated by the
Department of Defense, including the Defense Counterintelligence and Security Agency and other defense agencies and field activities used to capture and analyze the status and performance (including past performance) of vendors and contractors.

``(2) Based on the findings pursuant to paragraph (1), the
Secretary of Defense shall develop a unified set of activities to
modernize the systems of record, data sources and collection methods,
and data exposure mechanisms. The unified set of activities should
feature--

``(A) the ability to continuously collect data on, assess, and mitigate risks;

``(B) data analytics and business intelligence tools and methods; and

``(C) continuous development and continuous delivery of secure software to implement the activities.

``(e) Rule of Construction.--Nothing in this section shall be construed to limit or modify any other procurement policy, procedure, requirement, or restriction provided by law.

``(f) Implementation and Reporting Requirements.--The Secretary of Defense shall carry out the implementation phases set forth in, and submit to the congressional defense committees the items of information required by, the following paragraphs:

``(1) Phase 1: implementation plan.--Not later than 90 days after the date of the enactment of this section, an implementation plan and schedule for carrying out the framework established pursuant to subsection (b), including--

``(A) a discussion and recommendations for any changes to, or exemptions from, laws necessary for effective implementation, including updating the definitions in section 2339a(e) of this title relating to covered procurement, covered system, and covered item of supply, and any similar terms defined in other law or regulation; and

``(B) a process for an entity to contact the Department
after the entity has taken steps to remediate, mitigate, or
otherwise address the risks identified by the Department in
conducting activities under subsection (b).

``(2) Phase 2: implementation of framework.--Not later than one
year after the date of the submission of the implementation plan
and schedule required under paragraph (1), a report on the actions
taken to implement the framework established pursuant to subsection
(b).

``(g) Comptroller General Reviews.--

``(1) Briefing.--Not later than February 15, 2020, the Comptroller General of the United States shall brief the congressional defense committees on Department of Defense efforts over the previous 5 years to continuously assess and mitigate risks to the defense industrial base across the acquisition process, and a summary of current and planned efforts.

``(2) Periodic assessments.--The Comptroller General shall submit to the congressional defense committees three periodic assessments of Department of Defense progress in implementing the framework required under subsection (b), to be provided not later than October 15, 2020, March 15, 2022, and March 15, 2024.''.

(b) Clerical Amendment.--The table of sections at the beginning of subchapter II of chapter 148 of such title is amended by inserting after the item relating to section 2508 the following new item:

``2509. Modernization of acquisition processes to ensure integrity of
industrial base.''.

The Senate bill contained a provision (sec. 831) that would require the Secretary of Defense to modernize mitigation of risks to the integrity of the supply chain, to include those cited in recent studies on the defense industrial base.

The House amendment contained similar provisions (secs. 853, 855, and 892).

The House recedes with amendments that would establish the requirement for the framework in statute under section 2506 of title 10, United States Code; add certain systems to a list of those being assessed; and provide further detail on phased implementation and reporting on the framework.

The conferees note that contracting is the mechanism by which the Department of Defense operationalizes its relationship with the defense industrial base/national security innovation base. The conferees further note that the Department's ability to maintain awareness of the sources of procured items or materials, including the degree to which the sources are foreign or domestic, are critical elements for understanding supply chain risks. This is particularly the case for items used in critical programs such as major defense acquisition programs. The conferees believe that certain risks to the defense industrial base are not being appropriately considered. These include but are not limited to risks associated with: insufficient insight into ownership structures, fragile sources of supply, and cybersecurity concerns, as well as contractors' violations of law pertaining to fraud, human trafficking, and worker health and safety. The conferees further note that, even where risks may be a high priority, the existing acquisition processes and procedures are not effective or timely in mitigating such risks. As such, the provision would require the Department to rigorously optimize the policy, processes, and procedures throughout the contracting life cycle, beginning with market research, responsibility determination, technical evaluation/award, mobilization, contract administration, contract management and oversight (to include contractor business systems reviews), and contract audit for closeout. It is critical that this optimization incorporate modern sources of data and methods to conduct appropriate and continuous risk assessment for contractors doing business with DOD. The provision would also require the Comptroller General of the United States to coordinate individual reviews in these risk areas, report on them collectively, and begin annual reviews of the Department's progress in this area.

Senate Report 116-48

Modernization of acquisition processes to ensure integrity of industrial base (sec. 831)

The committee recommends a provision that would require the Secretary of Defense to modernize mitigation of risks to the integrity of the supply chain, to include those cited in recent studies on the defense industrial base.

The committee observes that contracting is the mechanism by which the Department of Defense operationalizes its relationship with the defense industrial base/national security innovation base.

The committee notes that certain risks to the defense industrial base are not being appropriately considered. These include but are not limited to risks associated with:
insufficient insight into ownership structures, fragile sources of supply, and cybersecurity concerns, as well as contractors' violations of law pertaining to fraud, human trafficking, and worker health and safety.

The committee further notes that, even where risks may be a high priority, the existing acquisition processes and procedures are not effective or timely in mitigating such risks. As such, the provision would require the Department to rigorously optimize the policy, processes, and procedures throughout the contracting life cycle, beginning with market research, responsibility determination, technical evaluation/award, mobilization, contract administration, contract management and oversight (to include contractor business systems reviews), and contract audit for closeout. It is critical that this optimization incorporate modern sources of data and methods to conduct appropriate and continuous risk assessment for contractors doing business with DOD.

The provision would also require the Comptroller General of the United States to coordinate individual reviews in these risk areas, report on them collectively, and begin annual reviews of the Department's progress in this area.