[House Report 115-907]
[From the U.S. Government Publishing Office]
115th Congress } { Report
HOUSE OF REPRESENTATIVES
2d Session } { 115-907
======================================================================
SECURING THE HOMELAND SECURITY SUPPLY CHAIN ACT OF 2018
_______
August 28, 2018.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. McCaul, from the Committee on Homeland Security, submitted the
following
R E P O R T
[To accompany H.R. 6430]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security, to whom was referred
the bill (H.R. 6430) to amend the Homeland Security Act of 2002
to authorize the Secretary of Homeland Security to implement
certain requirements for information relating to supply chain
risk, and for other purposes, having considered the same,
report favorably thereon without amendment and recommend that
the bill do pass.
CONTENTS
Page
Purpose and Summary.............................................. 2
Background and Need for Legislation.............................. 2
Hearings......................................................... 3
Committee Consideration.......................................... 3
Committee Votes.................................................. 3
Committee Oversight Findings..................................... 3
New Budget Authority, Entitlement Authority, and Tax Expenditures 3
Congressional Budget Office Estimate............................. 4
Statement of General Performance Goals and Objectives............ 5
Duplicative Federal Programs..................................... 5
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits....................................................... 5
Federal Mandates Statement....................................... 5
Preemption Clarification......................................... 5
Disclosure of Directed Rule Makings.............................. 5
Advisory Committee Statement..................................... 6
Applicability to Legislative Branch.............................. 6
Section-by-Section Analysis of the Legislation................... 6
Changes in Existing Law Made by the Bill, as Reported............ 7
Purpose and Summary
The purpose of H.R. 6430 is to provide the Secretary of
Homeland Security with the authority to restrict certain
procurements related to information technology and associated
products if, following a risk assessment, it is determined the
vendor poses a threat to the DHS supply chain. If such a
restriction is made, the Secretary is permitted to limit the
amount of information disclosed about the decision-making
process.
Background and Need for Legislation
Federal agencies rely on contractors to provide them with
products and services to carry out their missions and the
Department of Homeland Security (DHS) is no exception. This
could put an agency, such as DHS, at risk if the products and
services supplied are exploited to introduce vulnerabilities
into the Department's supply chain.
The legislation provides the Secretary of Homeland Security
with authority to restrict certain procurements related to
information technology and associated products if, following a
risk assessment, it is determined the vendor poses a threat to
the DHS supply chain. If such a restriction is made, the
Secretary is permitted to limit the amount of information
disclosed about the decision-making process.
The complexity of the global supply chain can make
identifying threats accurately a challenge. In the words of the
Government Accountability Office (GAO), the complicated global
economy means that ``. . . agencies may have little visibility
into, understanding of, or control over how the technology that
they acquire is developed, integrated, and deployed . . .''\1\
Recent public reports about potential supply chain threats
linked to foreign-based firms such as Kaspersky, ZTE, and
Huawei highlight the pervasive and growing threats to the
federal supply chain.
---------------------------------------------------------------------------
\1\``State Department Telecommunications: Information on Vendors
and Cyber-Threat Nations,'' The Government Accountability Office, July
27, 2017. Accessed at: https://www.gao.gov/assets/690/686197.pdf.
---------------------------------------------------------------------------
During a July 2018 hearing, DHS witnesses testified about
their lack of authority to assess and mitigate risks to the
supply chain during the procurement process and the need for
more authority. One witness stated, ``Gaps exist in the
Department's authority to use intelligence to support its
procurement decisions when a significant supply chain risk
cannot be mitigated. . . . [I]n those exceptional cases where
mitigation is not possible the Department needs the capability
to react swiftly while appropriately restricting the disclosure
of other national security sensitive information.''\2\
---------------------------------------------------------------------------
\2\Oral testimony of Dr. John Zangardi, ``Access Denied: Keeping
Adversaries Away from the Homeland Security Supply Chain,'' Joint
Subcommittee on Counterterrorism and Intelligence and the Subcommittee
on Oversight, Management, and Efficiency Hearing, July 12, 2018.
---------------------------------------------------------------------------
In 2011, Congress granted the Department of Defense (DOD)
special authorities to protect their procurement process.
Section 806 of the National Defense Authorization Act (P.L.
111-383) gave DOD the authority to proactively prevent an
entity or source from being selected during a procurement
process if the Secretary of Defense determines, after a risk
assessment, that the use of the source presents a risk to the
supply chain. The Intelligence Community has a similar
exclusion power.\3\ On June 19, 2018, the Senate Homeland
Security and Governmental Affairs Committee released the
bipartisan ``Federal Acquisition Supply Chain Security Act
(FASCSA) of 2018'' to develop a government-wide SCRM policy. On
July 10, 2018, the White House released a draft legislative
proposal, similar to the Federal Acquisition Supply Chain
Security Act. The authority in H.R. 6430, is based on DOD's
Section 806 authority and includes important components from
the OMB proposal.
---------------------------------------------------------------------------
\3\See Section 309 of the Intelligence Authorization Act for FY
2012 (Pub. L. 112-87), entitled ``Enhanced Procurement Authority to
Manage Supply Chain Risk'' and codified at 50 U.S.C. Sec. 3329, note.
---------------------------------------------------------------------------
Hearings
No hearings were specifically held on H.R. 6430. However,
the Committee held an investigative hearing on protecting the
Department of Homeland Security's vendor processes. On
Thursday, July 12, 2018, the Subcommittee on Counterterrorism
and Intelligence and the Subcommittee on Oversight and
Management Efficiency of the Committee on Homeland Security
held a hearing entitled ``Access Denied: Keeping Adversaries
Away from the Homeland Security Supply Chain''. The
Subcommittees received testimony from Ms. Soraya Correa, Chief
Procurement Officer; Dr. John Zangardi, Chief Information
Officer; Ms. Jeanette Manfra, Assistant Secretary in the Office
of Cybersecurity and Communications, National Protection and
Programs Directorate; Ms. Tina W. Gabbrielli, Acting Deputy
Under Secretary for Intelligence Enterprise Operations; and Mr.
Gregory Wilshusen, Director of Information Security Issues,
Government Accountability Office.
Committee Consideration
The Committee met on July 24, 2018, to consider H.R. 6430,
and ordered the measure to be reported to the House with a
favorable recommendation, without amendment, by unanimous
consent.
Committee Votes
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires the Committee to list the recorded
votes on the motion to report legislation and amendments
thereto.
No recorded votes were requested during consideration of
H.R. 6430.
Committee Oversight Findings
Pursuant to clause 3(c)(1) of rule XIII of the Rules of the
House of Representatives, the Committee has held oversight
hearings and made findings that are reflected in this report.
New Budget Authority, Entitlement Authority, and Tax Expenditures
In compliance with clause 3(c)(2) of rule XIII of the Rules
of the House of Representatives, the Committee finds that H.R.
6430, the Securing the Homeland Security Supply Chain Act of
2018, would result in no new or increased budget authority,
entitlement authority, or tax expenditures or revenues.
Congressional Budget Office Estimate
The Committee adopts as its own the cost estimate prepared
by the Director of the Congressional Budget Office pursuant to
section 402 of the Congressional Budget Act of 1974.
U.S. Congress,
Congressional Budget Office,
Washington, DC, August 6, 2018.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for Department of Homeland
Security legislation ordered reported by the Committee on
Homeland Security on July 24, 2018.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Mark
Grabowicz.
Sincerely,
Keith Hall,
Director.
Enclosure.
Department of Homeland Security Legislation
On July 24, the House Committee on Homeland Security
ordered three bills to be reported. The bills are:
H.R. 6400, the United States Ports of Entry
Threat and Operational Review Act;
H.R. 6430, the Securing the Homeland
Security Supply Chain Act of 2018; and
H.R. 6438, the DHS Countering Unmanned
Aircraft Systems Coordinator Act.
H.R. 6400 would require the Department of Homeland Security
(DHS) to prepare an analysis of security issues at U.S. ports
of entry and a plan to mitigate threats to ports. H.R. 6430
would authorize DHS to take certain actions to improve the
security of information and telecommunications systems acquired
by the department. H.R. 6438 would direct DHS to designate one
of its officials to coordinate the department's efforts to
combat threats from unmanned aircraft systems (or drones).
CBO estimates that enacting those bills would not
significantly affect spending by DHS in any fiscal year because
the department could implement each bill with minimal
additional personnel.
Enacting the bills would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting the bills would not increase
net direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
None of the bills contain intergovernmental or private-
sector mandates as defined in the Unfunded Mandates Reform Act.
The CBO staff contact for this estimate is Mark Grabowicz.
The estimate was reviewed by H. Samuel Papenfuss, Deputy
Assistant Director for Budget Analysis.
Statement of General Performance Goals and Objectives
Pursuant to clause 3(c)(4) of rule XIII of the Rules of the
House of Representatives, H.R. 6430 contains the following
general performance goals and objectives, including outcome
related goals and objectives authorized. H.R. 6430 authorizes
the Secretary of Homeland Security to restrict certain
procurements related to information technology and associated
products if it is determined that the procurement poses a
national security risk. The bill requires the Secretary to
notify the appropriate Committees of the Senate and House of
Representatives, as well as the Office of Management and Budget
and the vendor of the risk determination. The bill also
requires the Secretary to review existing procedures and
guidelines used by the Department of Defense when developing
the procedures and guidelines for the Department of Homeland
Security. Lastly, the bill requires the Secretary to review any
supply chain restrictions determined under the Act on an annual
basis.
Duplicative Federal Programs
Pursuant to clause 3(c) of rule XIII, the Committee finds
that H.R. 6430 does not contain any provision that establishes
or reauthorizes a program known to be duplicative of another
Federal program.
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits
In compliance with rule XXI of the Rules of the House of
Representatives, this bill, as reported, contains no
congressional earmarks, limited tax benefits, or limited tariff
benefits as defined in clause 9(e), 9(f), or 9(g) of the rule
XXI.
Federal Mandates Statement
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
Preemption Clarification
In compliance with section 423 of the Congressional Budget
Act of 1974, requiring the report of any Committee on a bill or
joint resolution to include a statement on the extent to which
the bill or joint resolution is intended to preempt State,
local, or Tribal law, the Committee finds that H.R. 6430 does
not preempt any State, local, or Tribal law.
Disclosure of Directed Rule Makings
The Committee estimates that H.R. 6430 would require no
directed rule makings.
Advisory Committee Statement
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
Applicability to Legislative Branch
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
Section-by-Section Analysis of the Legislation
Section 1. Short title
This section provides that this bill may be cited as the
``Securing the Homeland Security Supply Chain Act of 2018''.
Sec. 2. Department Of Homeland Security requirements for information
relating to supply chain risk
This section establishes a new Section 836 in the Homeland
Security Act as follows:
Subsection (a) authorizes the Secretary of Homeland
Security to take the following actions related to the
procurement of a covered article, which includes information
technology, telecommunications items, databases, and associated
hardware and services:
1. exclude a source from the procurement process if
the source fails to meet established supply chain risk
standards or is determined not to be a responsible
source; and direct a contractor to exclude a particular
source for a subcontract;
2. limit the information disclosed, including
classified information, about the basis for carrying
out a covered procurement action; and
3. exclude a source, if identified to be a threat,
from procurements or contracts across the Department.
Subsection (b) authorizes the Secretary to take the action
permitted in subsection (a) only after:
1. obtaining a joint recommendation from the
Department's Chief Acquisition Officer and Chief
Information Officer that there is a significant supply
chain risk in a covered procurement;
2. providing notice of the recommendation to any
source named in such recommendation and allowing that
source 30 days to submit information in response;
3. notifying the relevant Departmental components of
the risk;
4. documenting in writing the determination that the
use of the authority is necessary; there are no less
intrusive measures available to reduce the risk; that
disclosing information about the risk and the
procurement would pose a greater risk to national
security; and whether the exclusion will apply to a
single covered procurement or a class of covered
procurements;
5. providing notice of the determination to the
Committee on Homeland Security of the House and the
Committee on Homeland Security and Governmental Affairs
of the Senate;
6. notifying the Director of the Office of Management
and Budget, and other appropriate Federal agencies; and
7. taking steps necessary to maintain the
confidentiality of any notifications made under this
subsection.
Subsection (c) allows the Secretary to delay the
notification requirements in subsection (b) to the source named
in the recommendation, Congress, and the Office of Management
and Budget, and still make a determination to exclude a source
under subsection (b)(4) if there is an urgent national security
reason for an immediate use of the authorities in subsection
(a). Once the national security issue has been addressed, the
Secretary must take action to complete the notification
requirements.
Subsection (d) requires the Secretary to review all of the
exclusion determinations made pursuant to subsection (b) on an
annual basis.
Subsection (e) prohibits the Secretary from delegating the
authority in subsection (a) or subsection (d) to any
Departmental official below the Deputy Secretary level.
Subsection (f) exempts any action taken under subsection
(a) from review under a bid protest through the Government
Accountability Office or in Federal Court.
Subsection (g) requires the Secretary to review similar
procedures and guidelines used by the Department of Defense
when developing the procedures and guidelines for the
Department of Homeland Security.
Subsection (h) defines the following terms: ``covered
article,'' ``covered procurement,'' ``covered procurement
action,'' ``information technology,'' ``responsible source,''
``supply chain risk,'' ``telecommunications equipment,'' and
``telecommunications service.''
Subsection (i) sets 90 days after enactment as the
effective date for the authorities described in this section.
In addition, this section exempts the Secretary from public
notice and meeting requirements related to the Federal
rulemaking procedures established under section 553 of Title 5
and section 1707 of Title 41.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (new matter is
printed in italic and existing law in which no change is
proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Homeland
Security Act of 2002''.
(b) Table of Contents.--The table of contents for this Act is
as follows:
Sec. 1. Short title; table of contents.
* * * * * * *
TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL;
UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS
* * * * * * *
Subtitle D--Acquisitions
* * * * * * *
Sec. 836. Requirements for information relating to supply chain risk.
* * * * * * *
TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL;
UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS
* * * * * * *
Subtitle D--Acquisitions
* * * * * * *
SEC. 836. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK.
(a) Authority.--Subject to subsection (b), the Secretary
may--
(1) carry out a covered procurement action;
(2) limit, notwithstanding any other provision of
law, in whole or in part, the disclosure of
information, including classified information, relating
to the basis for carrying out such an action; and
(3) exclude, in whole or in part, a source carried
out in the course of such an action applicable to a
covered procurement of the Department.
(b) Determination and Notification.--Except as authorized by
subsection (c) to address an urgent national security interest,
the Secretary may exercise the authority provided in subsection
(a) only after--
(1) obtaining a joint recommendation, in unclassified
or classified form, from the Chief Acquisition Officer
and the Chief Information Officer of Department,
including a review of any risk assessment made
available by an appropriate person or entity, that
there is a significant supply chain risk in a covered
procurement;
(2) notifying any source named in the joint
recommendation described in paragraph (1) advising--
(A) that a recommendation has been obtained;
(B) to the extent consistent with the
national security and law enforcement
interests, the basis for such recommendation;
(C) that, within 30 days after receipt of
notice, such source may submit information and
argument in opposition to such recommendation;
and
(D) of the procedures governing the
consideration of such submission and the
possible exercise of the authority provided in
subsection (a);
(3) notifying the relevant components of the
Department that such risk assessment has demonstrated
significant supply chain risk to a covered procurement;
and
(4) making a determination in writing, in
unclassified or classified form, that after considering
any information submitted by a source under paragraph
(2), and in consultation with the Chief Information
Officer of the Department, that--
(A) use of authority under subsection (a)(1)
is necessary to protect national security by
reducing supply chain risk;
(B) less intrusive measures are not
reasonably available to reduce such risk;
(C) a decision to limit disclosure of
information under subsection (a)(2) is
necessary to protect national security
interest; and
(D) the use of such authorities will apply to
a single covered procurement or a class of
covered procurements, and otherwise specifies
the scope of such determination;
(5) providing to the Committee on Homeland Security
of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the
Senate a classified or unclassified notice of the
determination made under paragraph (4) that includes--
(A) the joint recommendation described in
paragraph (1);
(B) a summary of any risk assessment reviewed
in support of such joint recommendation; and
(C) a summary of the basis for such
determination, including a discussion of less
intrusive measures that were considered and why
such measures were not reasonably available to
reduce supply chain risk;
(6) notifying the Director of the Office of
Management and Budget, and the heads of other Federal
agencies as appropriate, in a manner and to the extent
consistent with the requirements of national security;
and
(7) taking steps to maintain the confidentiality of
any notifications under this subsection.
(c) Procedures to Address Urgent National Security
Interests.--In any case in which the Secretary determines that
national security interests require the immediate exercise of
the authorities under subsection (a), the Secretary--
(1) may, to the extent necessary to address any such
national security interest, and subject to the
conditions specified in paragraph (2)--
(A) temporarily delay the notice required by
subsection (b)(2);
(B) make the determination required by
subsection (b)(4), regardless of whether the
notice required by subsection (b)(2) has been
provided or whether the notified source at
issue has submitted any information in response
to such notice;
(C) temporarily delay the notice required by
subsections (b)(4) and (b)(5); and
(D) exercise the authority provided in
subsection (a) in accordance with such
determination; and
(2) shall take actions necessary to comply with all
requirements of subsection (b) as soon as practicable
after addressing the urgent national security interest
that is the subject of paragraph (1), including--
(A) providing the notice required by
subsection (b)(2);
(B) promptly considering any information
submitted by the source at issue in response to
such notice, and making any appropriate
modifications to the determination required by
subsection (b)(4) based on such information;
and
(C) providing the notice required by
subsections (b)(5) and (b)(6), including a
description of such urgent national security,
and any modifications to such determination
made in accordance with subparagraph (B).
(d) Annual Review of Determinations.--The Secretary shall
annually review all determinations made under subsection (b).
(e) Delegation.--The Secretary may not delegate the authority
provided in subsection (a) or the responsibility identified in
subsection (d) to an official below the Deputy Secretary.
(f) Limitation of Review.--Notwithstanding any other
provision of law, no action taken by the Secretary under
subsection (a) may be subject to review in a bid protest before
the Government Accountability Office or in any Federal court.
(g) Consultation.--In developing procedures and guidelines
for the implementation of the authorities described in this
section, the Secretary shall review the procedures and
guidelines utilized by the Department of Defense to carry out
similar authorities.
(h) Definitions.--In this section:
(1) Covered article.--The term ``covered article''
means:
(A) Information technology, including cloud
computing services of all types.
(B) Telecommunications equipment.
(C) Telecommunications services.
(D) The processing of information on a
Federal or non-Federal information system,
subject to the requirements of the Controlled
Unclassified Information program of the
Department.
(E) Hardware, systems, devices, software, or
services that include embedded or incidental
information technology.
(2) Covered procurement.--The term ``covered
procurement'' means--
(A) a source selection for a covered article
involving either a performance specification,
as provided in subsection (a)(3)(B) of section
3306 of title 41, United States Code, or an
evaluation factor, as provided in subsection
(c)(1)(A) of such section, relating to supply
chain risk, or with respect to which supply
chain risk considerations are included in the
Department's determination of whether a source
is a responsible source as defined in section
113 of such title;
(B) the consideration of proposals for and
issuance of a task or delivery order for a
covered article, as provided in section
4106(d)(3) of title 41, United States Code,
with respect to which the task or delivery
order contract includes a contract clause
establishing a requirement relating to supply
chain risk;
(C) any contract action involving a contract
for a covered article with respect to which
such contract includes a clause establishing
requirements relating to supply chain risk; or
(D) any procurement made via Government
Purchase Care for a covered article when supply
chain risk has been identified as a concern.
(3) Covered procurement action.--The term ``covered
procurement action'' means any of the following
actions, if such action takes place in the course of
conducting a covered procurement:
(A) The exclusion of a source that fails to
meet qualification requirements established
pursuant to section 3311 of title 41, United
States Code, for the purpose of reducing supply
chain risk in the acquisition or use of a
covered article.
(B) The exclusion of a source that fails to
achieve an acceptable rating with regard to an
evaluation factor providing for the
consideration of supply chain risk in the
evaluation of proposals for the award of a
contract or the issuance of a task or delivery
order.
(C) The determination that a source is not a
responsible source based on considerations of
supply chain risk.
(D) The decision to withhold consent for a
contractor to subcontract with a particular
source or to direct a contractor to exclude a
particular source from consideration for a
subcontract.
(4) Information system.--The term ``information
system'' has the meaning given such term in section
3502 of title 44, United States Code.
(5) Information technology.--The term ``information
technology'' has the meaning given such term in section
11101 of title 40, United States Code.
(6) Responsible source.--The term ``responsible
source'' has the meaning given such term in section 113
of title 41, United States Code.
(7) Supply chain risk.--The term ``supply chain
risk'' means the risk that a malicious actor may
sabotage, maliciously introduce an unwanted function,
extract or modify data, or otherwise manipulate the
design, integrity, manufacturing, production,
distribution, installation, operation, or maintenance
of a covered article so as to surveil, deny, disrupt,
or otherwise manipulate the function, use, or operation
of the information technology or information stored or
transmitted on the covered articles.
(8) Telecommunications equipment.--The term
``telecommunications equipment'' has the meaning given
such term in section 153(52) of title 47, United States
Code.
(9) Telecommunications service.--The term
``telecommunications service'' has the meaning given
such term in section 153(53) of title 47, United States
Code.
(i) Effective Date.--The requirements of this section shall
take effect on the date that is 90 days after the date of the
enactment of this Act and shall apply to--
(1) contracts awarded on or after such date; and
(2) task and delivery orders issued on or after such
date pursuant to contracts awarded before, on, or after
such date.
* * * * * * *
[all]