|
SEC. 847. MITIGATING RISKS RELATED TO
FOREIGN OWNERSHIP, CONTROL, OR INFLUENCE OF DEPARTMENT OF
DEFENSE CONTRACTORS OR SUBCONTRACTORS.
(a) Definitions.--In this section:
(1) Beneficial owner; beneficial
ownership.--The terms ``beneficial owner'' and ``beneficial
ownership'' shall be determined in a manner that is not less
stringent than the manner set forth in section 240.13d-3 of
title 17, Code of Federal Regulations (as in effect on the
date of the enactment of this
Act).
(2) Company.--The term ``company''
means any corporation, company, limited liability company,
limited partnership, business trust, business association, or
other similar entity.
(3) Covered contractor or
subcontractor.--The term ``covered contractor or
subcontractor'' means a company that is an existing or
prospective contractor or subcontractor of the Department of
Defense on a contract or subcontract with a value in excess of
$5,000,000, except as provided in subsection (c).
(4) Foreign ownership, control, or
influence; foci.--The terms ``foreign ownership, control, or
influence'' and ``FOCI'' have the meanings given those terms
in the National Industrial Security Program Operating Manual
(DOD 5220.22-M), or a successor document.
(b) Improved Assessment and Mitigation
of Risks Related to Foreign Ownership, Control, or Influence.--
(1) In general.--In developing and
implementing the analytical framework for mitigating risk
relating to ownership structures, as required by section 2509
of title 10, United States Code, as added by section 845 of
this Act, the Secretary of Defense shall improve the process
and procedures for the assessment and mitigation of risks
related to foreign ownership, control, or influence (FOCI) of
contractors and subcontractors doing business with the
Department of Defense.
(2) Elements.--The process and
procedures for the assessment and mitigation of risk relating
to ownership structures referred to in paragraph (1) shall
include the following elements:
(A) Assessment of foci.--
(i) A requirement for covered
contractors and subcontractors to disclose to the Defense
Counterintelligence and Security Agency, or its successor
organization, their beneficial ownership and whether they
are under FOCI.
(ii) A requirement to update such
disclosures when changes occur to information previously
provided, consistent with or similar to the procedures for
updating FOCI information under the National Industrial
Security Program Operating Manual (DOD 5220.22-M), or a
successor document.
(iii) A requirement for covered
contractors and subcontractors determined to be under FOCI
to disclose contact information for each of its foreign
owners that is a beneficial owner.
(iv) A requirement that, at a
minimum, the disclosures required by this paragraph be
provided at the time the contract or subcontract is
awarded, amended, or renewed, but in no case
later than one year after the Secretary prescribes
regulations
to carry out this subsection.
(B) Responsibility
determination.--Consistent with section 2509 of title 10,
United States Code, as added by section 845 of this Act,
consideration of FOCI risks as part of responsibility
determinations, including--
(i) whether to establish a special
standard of responsibility relating to FOCI risks for
covered contractors or subcontractors, and the extent to
which the policies and procedures consistent with or
similar to those relating to FOCI under the National
Industrial Security Program shall be applied to covered
contractors or subcontractors;
(ii) procedures for contracting
officers making responsibility determinations regarding
whether covered contractors and subcontractors may be
under foreign ownership, control, or influence and for
determining whether there is reason to believe that such
foreign ownership, control, or influence would pose a risk
or potential risk to national security or potential
compromise because of sensitive data, systems, or
processes, such as personally identifiable information,
cybersecurity, or national security systems involved with
the contract or subcontract; and
(iii) modification of policies,
directives, and practices to provide that an assessment
that a covered contractor or subcontractor is under FOCI
may be a sufficient basis for a contracting officer to
determine
that a contractor or subcontractor is not responsible.
(C) Contract requirements,
administration, and oversight
relating to foci.--
(i) Requirements for contract
clauses providing for and enforcing disclosures related to
changes in FOCI or beneficial ownership during performance
of the contract or subcontract, consistent with
subparagraph (A), and necessitating the effective
mitigation of risks related to FOCI throughout the
duration of the contract or subcontract.
(ii) Pursuant to section 831(c),
designation of the appropriate Department of Defense
official responsible to approve and to take actions
relating to award, modification, termination of a
contract, or direction to modify or terminate a
subcontract due to an assessment by the Defense
Counterintelligence and Security Agency, or its successor
organization, that a covered contractor or subcontractor
under FOCI poses a risk to national security or potential
risk of compromise.
(iii) A requirement for the
provision of additional information regarding beneficial
ownership and control of any covered contractor or
subcontractor on the contract or subcontract.
(iv) Other measures as necessary
to be consistent with other relevant practices, policies,
regulations, and actions, including those under the
National Industrial Security Program.
(c) Applicability to Contracts and
Subcontracts for Commercial Products and Services and Other
Forms of Acquisition Agreements.--
(1) Commercial products and
services.--The requirements under subsection (b)(2)(A) and
(b)(2)(C) shall not apply to a contract or subcontract for
commercial products or services, unless a designated senior
Department of Defense official specifically requires the
applicability of subsections (b)(2)(A) and (b)(2)(C) based on
a determination by the designated senior official that the
contract or subcontract involves a risk or potential risk to
national security or potential compromise because of sensitive
data, systems, or processes, such as personally identifiable
information, cybersecurity, or national security systems.
(2) Research and development and
procurement activities.--The Secretary of Defense shall ensure
that the requirements of this section are applied to research
and development and procurement activities, including for the
delivery of services, established through any means including
those under section 2358(b) of title 10, United States Code.
(d) Availability of Resources.--The
Secretary shall ensure that sufficient resources, including
subject matter expertise, are allocated to execute the functions
necessary to carry out this section, including the assessment,
mitigation, contract administration, and oversight functions.
(e) Rule of Construction.--Nothing in
this section shall be construed to limit or modify any other
procurement policy, procedure, requirement, or restriction
provided by law, including section 721 of the Defense Production
Act of 1950 (50 U.S.C. 4565), as amended by the Foreign
Interference Risk Review Modernization Act of 2018 (subtitle A
of title XVII of Public Law 115-232).
(f) Availability of Beneficial Ownership
Data.--
(1) In general.--Not later than 180
days after the date of the enactment of this Act, the
Secretary of Defense shall establish a process to update
systems of record to improve the assessment and mitigation of
risks associated with FOCI through the inclusion and updating
of all appropriate associated uniquely identifying information
about the contracts and contractors and subcontracts and
subcontractors in the Federal Awardee Performance and
Integrity Information System (FAPIIS), administered by the
General Services Administration, and the Commercial and
Government Entity (CAGE) database, administered by the Defense
Logistics Agency.
(2) Limited availability of
information.--The Secretary of Defense shall ensure that the
information required to be disclosed pursuant to this section
is--
(A) not made public;
(B) made available via the FAPIIS
and CAGE databases; and
(C) made available to appropriate
government departments or agencies.
|
Mitigating risks related to foreign
ownership, control, or influence of Department of Defense
contractors or subcontractors (sec. 847)
The Senate bill contained a provision (sec.
833) that would require the Secretary of Defense to amend policy
and regulation to take steps to enhance the process for
assessing and mitigating risks related to foreign ownership,
control, or influence (FOCI).
The House amendment contained no similar
provision.
The House recedes with technical and
clarifying amendments.
The conferees are concerned by the
growing threat to the integrity of the defense industrial base
from strategic competitors, like the Russian Federation, the
People's Republic of China, and their proxies, seeking to gain
access to sensitive defense information or technology through
contractors or subcontractors. The conferees recognize that
there are existing efforts underway to understand and mitigate
some of
these risks as directed by several pilot programs including
section 1048 of the National Defense Authorization Act for
Fiscal Year 2019 and section 1969 of the National Defense
Authorization Act for Fiscal Year 2018. The conferees also
recognize that the Defense Counterintelligence and Security
Agency (DCSA) has transitioned to a new mission and has taken on
additional responsibilities despite resource constraints.
However, the acquisition community must
have greater visibility into all cleared and uncleared potential
contractors and subcontractors seeking to do business with the
Department. The Department must ensure that contractors and
subcontractors do not pose a risk to the security of sensitive
data, systems, or processes such as personally identifiable
information, cybersecurity, or national security systems.
Senate Report
116-48
Mitigating risks related to foreign
ownership, control, or influence of Department of Defense
contractors or subcontractors (sec. 833)
The committee recommends a provision that would require the
Secretary of Defense to amend policy and regulation to take
steps to enhance the process for assessing and mitigating risks
related to foreign ownership, control, or influence (FOCI).
The committee is concerned by the
growing threat to the integrity of the defense industrial base
from strategic competitors, like the Russian Federation, the
People's Republic of China, and their proxies, seeking to gain
access to sensitive defense information or technology through
contractors or subcontractors. The committee recognizes the need
for the Department's acquisition community to have greater
visibility into the potential FOCI of contractors and
subcontractors seeking to do business with the Department to
ensure that they do not pose a risk to the security of sensitive
data, systems, or processes such as personally identifiable
information, cybersecurity systems, or national security
systems.
In order to aid in identifying the
actual individual or individuals owning or controlling each
contractor or subcontractor, the provision would require the
companies to make certain disclosures. Such disclosures would
then be considered in determining the responsibility of the
contractor being considered for a contract or subcontract and
standards under which a contract or subcontract could be
terminated due to unmitigable risks. |
