[House Report 115-907]
[From the U.S. Government Publishing Office]

115th Congress, 2d Session -- HOUSE OF REPRESENTATIVES -- Report 115-907

SECURING THE HOMELAND SECURITY SUPPLY CHAIN ACT OF 2018

August 28, 2018.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

Mr. McCaul, from the Committee on Homeland Security, submitted the following

REPORT

[To accompany H.R. 6430]

[Including cost estimate of the Congressional Budget Office]

The Committee on Homeland Security, to whom was referred the bill (H.R. 6430) to amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes, having considered the same, report favorably thereon without amendment and recommend that the bill do pass.

CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Federal Mandates Statement
Preemption Clarification
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

Purpose and Summary

The purpose of H.R. 6430 is to provide the Secretary of Homeland Security with the authority to restrict certain procurements related to information technology and associated products if, following a risk assessment, it is determined the vendor poses a threat to the DHS supply chain. If such a restriction is made, the Secretary is permitted to limit the amount of information disclosed about the decision-making process.

Background and Need for Legislation

Federal agencies rely on contractors to provide them with products and services to carry out their missions, and the Department of Homeland Security (DHS) is no exception. This could put an agency, such as DHS, at risk if the products and services supplied are exploited to introduce vulnerabilities into the Department's supply chain. The legislation provides the Secretary of Homeland Security with authority to restrict certain procurements related to information technology and associated products if, following a risk assessment, it is determined the vendor poses a threat to the DHS supply chain. If such a restriction is made, the Secretary is permitted to limit the amount of information disclosed about the decision-making process.

The complexity of the global supply chain can make identifying threats accurately a challenge. In the words of the Government Accountability Office (GAO), the complicated global economy means that ". . . agencies may have little visibility into, understanding of, or control over how the technology that they acquire is developed, integrated, and deployed . . ."\1\ Recent public reports about potential supply chain threats linked to foreign-based firms such as Kaspersky, ZTE, and Huawei highlight the pervasive and growing threats to the federal supply chain.

    \1\ "State Department Telecommunications: Information on Vendors and Cyber-Threat Nations," The Government Accountability Office, July 27, 2017. Accessed at: https://www.gao.gov/assets/690/686197.pdf.

During a July 2018 hearing, DHS witnesses testified about their lack of authority to assess and mitigate risks to the supply chain during the procurement process and the need for more authority. One witness stated, "Gaps exist in the Department's authority to use intelligence to support its procurement decisions when a significant supply chain risk cannot be mitigated. . . . [I]n those exceptional cases where mitigation is not possible the Department needs the capability to react swiftly while appropriately restricting the disclosure of other national security sensitive information."\2\

    \2\ Oral testimony of Dr. John Zangardi, "Access Denied: Keeping Adversaries Away from the Homeland Security Supply Chain," Joint Subcommittee on Counterterrorism and Intelligence and the Subcommittee on Oversight, Management, and Efficiency Hearing, July 12, 2018.

In 2011, Congress granted the Department of Defense (DOD) special authorities to protect its procurement process. Section 806 of the National Defense Authorization Act (P.L. 111-383) gave DOD the authority to proactively prevent an entity or source from being selected during a procurement process if the Secretary of Defense determines, after a risk assessment, that the use of the source presents a risk to the supply chain. The Intelligence Community has a similar exclusion power.\3\ On June 19, 2018, the Senate Homeland Security and Governmental Affairs Committee released the bipartisan "Federal Acquisition Supply Chain Security Act (FASCSA) of 2018" to develop a government-wide SCRM policy. On July 10, 2018, the White House released a draft legislative proposal, similar to the Federal Acquisition Supply Chain Security Act. The authority in H.R. 6430 is based on DOD's Section 806 authority and includes important components from the OMB proposal.

    \3\ See Section 309 of the Intelligence Authorization Act for FY 2012 (Pub. L. 112-87), entitled "Enhanced Procurement Authority to Manage Supply Chain Risk" and codified at 50 U.S.C. Sec. 3329, note.

Hearings

No hearings were specifically held on H.R. 6430. However, the Committee held an investigative hearing on protecting the Department of Homeland Security's vendor processes. On Thursday, July 12, 2018, the Subcommittee on Counterterrorism and Intelligence and the Subcommittee on Oversight and Management Efficiency of the Committee on Homeland Security held a hearing entitled "Access Denied: Keeping Adversaries Away from the Homeland Security Supply Chain". The Subcommittees received testimony from Ms. Soraya Correa, Chief Procurement Officer; Dr. John Zangardi, Chief Information Officer; Ms. Jeanette Manfra, Assistant Secretary in the Office of Cybersecurity and Communications, National Protection and Programs Directorate; Ms. Tina W. Gabbrielli, Acting Deputy Under Secretary for Intelligence Enterprise Operations; and Mr. Gregory Wilshusen, Director of Information Security Issues, Government Accountability Office.

Committee Consideration

The Committee met on July 24, 2018, to consider H.R. 6430, and ordered the measure to be reported to the House with a favorable recommendation, without amendment, by unanimous consent.

Committee Votes

Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during consideration of H.R. 6430.

Committee Oversight Findings

Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report.

New Budget Authority, Entitlement Authority, and Tax Expenditures

In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 6430, the Securing the Homeland Security Supply Chain Act of 2018, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues.

Congressional Budget Office Estimate

The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974.

U.S. Congress,
Congressional Budget Office,
Washington, DC, August 6, 2018.

Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for Department of Homeland Security legislation ordered reported by the Committee on Homeland Security on July 24, 2018.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Mark Grabowicz.

Sincerely,
Keith Hall, Director.

Enclosure.
Department of Homeland Security Legislation

On July 24, the House Committee on Homeland Security ordered three bills to be reported. The bills are: H.R. 6400, the United States Ports of Entry Threat and Operational Review Act; H.R. 6430, the Securing the Homeland Security Supply Chain Act of 2018; and H.R. 6438, the DHS Countering Unmanned Aircraft Systems Coordinator Act.

H.R. 6400 would require the Department of Homeland Security (DHS) to prepare an analysis of security issues at U.S. ports of entry and a plan to mitigate threats to ports. H.R. 6430 would authorize DHS to take certain actions to improve the security of information and telecommunications systems acquired by the department. H.R. 6438 would direct DHS to designate one of its officials to coordinate the department's efforts to combat threats from unmanned aircraft systems (or drones).

CBO estimates that enacting those bills would not significantly affect spending by DHS in any fiscal year because the department could implement each bill with minimal additional personnel. Enacting the bills would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.

CBO estimates that enacting the bills would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.

None of the bills contain intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.

The CBO staff contact for this estimate is Mark Grabowicz. The estimate was reviewed by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

Statement of General Performance Goals and Objectives

Pursuant to clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, H.R. 6430 contains the following general performance goals and objectives, including outcome-related goals and objectives authorized.

H.R. 6430 authorizes the Secretary of Homeland Security to restrict certain procurements related to information technology and associated products if it is determined that the procurement poses a national security risk. The bill requires the Secretary to notify the appropriate Committees of the Senate and House of Representatives, as well as the Office of Management and Budget and the vendor, of the risk determination. The bill also requires the Secretary to review existing procedures and guidelines used by the Department of Defense when developing the procedures and guidelines for the Department of Homeland Security. Lastly, the bill requires the Secretary to review any supply chain restrictions determined under the Act on an annual basis.

Duplicative Federal Programs

Pursuant to clause 3(c) of rule XIII, the Committee finds that H.R. 6430 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program.

Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits

In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of rule XXI.

Federal Mandates Statement

The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act.

Preemption Clarification

In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 6430 does not preempt any State, local, or Tribal law.

Disclosure of Directed Rule Makings

The Committee estimates that H.R. 6430 would require no directed rule makings.
Advisory Committee Statement

No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.

Applicability to Legislative Branch

The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act.

Section-by-Section Analysis of the Legislation

Section 1. Short title

This section provides that this bill may be cited as the "Securing the Homeland Security Supply Chain Act of 2018".

Sec. 2. Department of Homeland Security requirements for information relating to supply chain risk

This section establishes a new Section 836 in the Homeland Security Act as follows:

Subsection (a) authorizes the Secretary of Homeland Security to take the following actions related to the procurement of a covered article, which includes information technology, telecommunications items, databases, and associated hardware and services:

1. exclude a source from the procurement process if the source fails to meet established supply chain risk standards or is determined not to be a responsible source, and direct a contractor to exclude a particular source for a subcontract;
2. limit the information disclosed, including classified information, about the basis for carrying out a covered procurement action; and
3. exclude a source, if identified to be a threat, from procurements or contracts across the Department.

Subsection (b) authorizes the Secretary to take the action permitted in subsection (a) only after:

1. obtaining a joint recommendation from the Department's Chief Acquisition Officer and Chief Information Officer that there is a significant supply chain risk in a covered procurement;
2. providing notice of the recommendation to any source named in such recommendation and allowing that source 30 days to submit information in response;
3. notifying the relevant Departmental components of the risk;
4. documenting in writing the determination that the use of the authority is necessary; that there are no less intrusive measures available to reduce the risk; that disclosing information about the risk and the procurement would pose a greater risk to national security; and whether the exclusion will apply to a single covered procurement or a class of covered procurements;
5. providing notice of the determination to the Committee on Homeland Security of the House and the Committee on Homeland Security and Governmental Affairs of the Senate;
6. notifying the Director of the Office of Management and Budget, and other appropriate Federal agencies; and
7. taking steps necessary to maintain the confidentiality of any notifications made under this subsection.

Subsection (c) allows the Secretary to delay the notification requirements in subsection (b) to the source named in the recommendation, Congress, and the Office of Management and Budget, and still make a determination to exclude a source under subsection (b)(4), if there is an urgent national security reason for an immediate use of the authorities in subsection (a). Once the national security issue has been addressed, the Secretary must take action to complete the notification requirements.

Subsection (d) requires the Secretary to review all of the exclusion determinations made pursuant to subsection (b) on an annual basis.

Subsection (e) prohibits the Secretary from delegating the authority in subsection (a) or subsection (d) to any Departmental official below the Deputy Secretary level.

Subsection (f) exempts any action taken under subsection (a) from review under a bid protest through the Government Accountability Office or in Federal Court.

Subsection (g) requires the Secretary to review similar procedures and guidelines used by the Department of Defense when developing the procedures and guidelines for the Department of Homeland Security.
Subsection (h) defines the following terms: "covered article," "covered procurement," "covered procurement action," "information technology," "responsible source," "supply chain risk," "telecommunications equipment," and "telecommunications service."

Subsection (i) sets 90 days after enactment as the effective date for the authorities described in this section. In addition, this section exempts the Secretary from public notice and meeting requirements related to the Federal rulemaking procedures established under section 553 of Title 5 and section 1707 of Title 41.

Changes in Existing Law Made by the Bill, as Reported

In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (new matter is printed in italic and existing law in which no change is proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) Short Title.--This Act may be cited as the "Homeland Security Act of 2002".

(b) Table of Contents.--The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

* * * * * * *

TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

* * * * * * *

Subtitle D--Acquisitions

* * * * * * *

Sec. 836. Requirements for information relating to supply chain risk.

* * * * * * *

TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

* * * * * * *

Subtitle D--Acquisitions

* * * * * * *

SEC. 836. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK.
(a) Authority.--Subject to subsection (b), the Secretary may--
    (1) carry out a covered procurement action;
    (2) limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information, including classified information, relating to the basis for carrying out such an action; and
    (3) exclude, in whole or in part, a source carried out in the course of such an action applicable to a covered procurement of the Department.

(b) Determination and Notification.--Except as authorized by subsection (c) to address an urgent national security interest, the Secretary may exercise the authority provided in subsection (a) only after--
    (1) obtaining a joint recommendation, in unclassified or classified form, from the Chief Acquisition Officer and the Chief Information Officer of the Department, including a review of any risk assessment made available by an appropriate person or entity, that there is a significant supply chain risk in a covered procurement;
    (2) notifying any source named in the joint recommendation described in paragraph (1) advising--
        (A) that a recommendation has been obtained;
        (B) to the extent consistent with the national security and law enforcement interests, the basis for such recommendation;
        (C) that, within 30 days after receipt of notice, such source may submit information and argument in opposition to such recommendation; and
        (D) of the procedures governing the consideration of such submission and the possible exercise of the authority provided in subsection (a);
    (3) notifying the relevant components of the Department that such risk assessment has demonstrated significant supply chain risk to a covered procurement; and
    (4) making a determination in writing, in unclassified or classified form, that after considering any information submitted by a source under paragraph (2), and in consultation with the Chief Information Officer of the Department, that--
        (A) use of authority under subsection (a)(1) is necessary to protect national security by reducing supply chain risk;
        (B) less intrusive measures are not reasonably available to reduce such risk;
        (C) a decision to limit disclosure of information under subsection (a)(2) is necessary to protect national security interest; and
        (D) the use of such authorities will apply to a single covered procurement or a class of covered procurements, and otherwise specifies the scope of such determination;
    (5) providing to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a classified or unclassified notice of the determination made under paragraph (4) that includes--
        (A) the joint recommendation described in paragraph (1);
        (B) a summary of any risk assessment reviewed in support of such joint recommendation; and
        (C) a summary of the basis for such determination, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk;
    (6) notifying the Director of the Office of Management and Budget, and the heads of other Federal agencies as appropriate, in a manner and to the extent consistent with the requirements of national security; and
    (7) taking steps to maintain the confidentiality of any notifications under this subsection.
(c) Procedures to Address Urgent National Security Interests.--In any case in which the Secretary determines that national security interests require the immediate exercise of the authorities under subsection (a), the Secretary--
    (1) may, to the extent necessary to address any such national security interest, and subject to the conditions specified in paragraph (2)--
        (A) temporarily delay the notice required by subsection (b)(2);
        (B) make the determination required by subsection (b)(4), regardless of whether the notice required by subsection (b)(2) has been provided or whether the notified source at issue has submitted any information in response to such notice;
        (C) temporarily delay the notice required by subsections (b)(4) and (b)(5); and
        (D) exercise the authority provided in subsection (a) in accordance with such determination; and
    (2) shall take actions necessary to comply with all requirements of subsection (b) as soon as practicable after addressing the urgent national security interest that is the subject of paragraph (1), including--
        (A) providing the notice required by subsection (b)(2);
        (B) promptly considering any information submitted by the source at issue in response to such notice, and making any appropriate modifications to the determination required by subsection (b)(4) based on such information; and
        (C) providing the notice required by subsections (b)(5) and (b)(6), including a description of such urgent national security, and any modifications to such determination made in accordance with subparagraph (B).

(d) Annual Review of Determinations.--The Secretary shall annually review all determinations made under subsection (b).

(e) Delegation.--The Secretary may not delegate the authority provided in subsection (a) or the responsibility identified in subsection (d) to an official below the Deputy Secretary.
(f) Limitation of Review.--Notwithstanding any other provision of law, no action taken by the Secretary under subsection (a) may be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

(g) Consultation.--In developing procedures and guidelines for the implementation of the authorities described in this section, the Secretary shall review the procedures and guidelines utilized by the Department of Defense to carry out similar authorities.

(h) Definitions.--In this section:
    (1) Covered article.--The term "covered article" means:
        (A) Information technology, including cloud computing services of all types.
        (B) Telecommunications equipment.
        (C) Telecommunications services.
        (D) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program of the Department.
        (E) Hardware, systems, devices, software, or services that include embedded or incidental information technology.
    (2) Covered procurement.--The term "covered procurement" means--
        (A) a source selection for a covered article involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of title 41, United States Code, or an evaluation factor, as provided in subsection (c)(1)(A) of such section, relating to supply chain risk, or with respect to which supply chain risk considerations are included in the Department's determination of whether a source is a responsible source as defined in section 113 of such title;
        (B) the consideration of proposals for and issuance of a task or delivery order for a covered article, as provided in section 4106(d)(3) of title 41, United States Code, with respect to which the task or delivery order contract includes a contract clause establishing a requirement relating to supply chain risk;
        (C) any contract action involving a contract for a covered article with respect to which such contract includes a clause establishing requirements relating to supply chain risk; or
        (D) any procurement made via Government Purchase Card for a covered article when supply chain risk has been identified as a concern.
    (3) Covered procurement action.--The term "covered procurement action" means any of the following actions, if such action takes place in the course of conducting a covered procurement:
        (A) The exclusion of a source that fails to meet qualification requirements established pursuant to section 3311 of title 41, United States Code, for the purpose of reducing supply chain risk in the acquisition or use of a covered article.
        (B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.
        (C) The determination that a source is not a responsible source based on considerations of supply chain risk.
        (D) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.
    (4) Information system.--The term "information system" has the meaning given such term in section 3502 of title 44, United States Code.
    (5) Information technology.--The term "information technology" has the meaning given such term in section 11101 of title 40, United States Code.
    (6) Responsible source.--The term "responsible source" has the meaning given such term in section 113 of title 41, United States Code.
    (7) Supply chain risk.--The term "supply chain risk" means the risk that a malicious actor may sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the information technology or information stored or transmitted on the covered articles.
    (8) Telecommunications equipment.--The term "telecommunications equipment" has the meaning given such term in section 153(52) of title 47, United States Code.
    (9) Telecommunications service.--The term "telecommunications service" has the meaning given such term in section 153(53) of title 47, United States Code.

(i) Effective Date.--The requirements of this section shall take effect on the date that is 90 days after the date of the enactment of this Act and shall apply to--
    (1) contracts awarded on or after such date; and
    (2) task and delivery orders issued on or after such date pursuant to contracts awarded before, on, or after such date.

* * * * * * *