Federal Acquisition Security Council Improvement Act of 2024

Section 1321 of title 41, United States Code, is amended—

(1) by redesignating paragraphs (5) through (8) as paragraphs (7) through (10);

(2) by inserting after paragraph (4) the following:

The term covered source of concern means a source of concern that is specifically designated as a covered source of concern by a statute that states that such designation is for the purposes of this subchapter.

The term designated order means an order described under section 1323(c)(3).

(2) ; and

(3) by adding at the end the following:

The term recommended order means an order recommended under section 1323(c)(2).

The term source of concern means a source—

(i) subject to the jurisdiction, direction, or control of the government of a foreign adversary, or operates on behalf of the government of a foreign adversary; or

(ii) that poses a risk to the national security of the United States based on collaboration with, whole or partial ownership or control by, or being affiliated with a military, internal security force, or intelligence agency of a foreign adversary.

In this paragraph, the term foreign adversary has the meaning given the term covered nation in section 4872(d) of title 10.

Section 1322 of title 41, United States Code, is amended—

(1) in subsection (a), by striking executive branch and inserting Executive Office of the President;

(2) in subsection (b)—

(A) by amending paragraph (1) to read as follows:

The members of the Council shall be as follows:

(A) The Administrator for Federal Procurement Policy.

(B) The Deputy Director for Management of the Office of Management and Budget.

(C) The following officials, each of whom shall occupy a position at the level of Assistant Secretary or Deputy Assistant Secretary (or equivalent):

(i) Two officials from the Office of the Director of National Intelligence, one of which shall be from the National Counterintelligence and Security Center.

(ii) Two officials from the Department of Defense, one of which shall be one from the National Security Agency.

(iii) Two officials from the Department of Homeland Security, one of which shall be one from the Cybersecurity and Infrastructure Security Agency.

(iv) An official from the General Services Administration.

(v) An official from the Office of the National Cyber Director.

(vi) Two officials from the Department of Justice, one of which shall be one from the Federal Bureau of Investigation.

(vii) Two officials from the Department of Commerce, one of which shall be from the National Institute of Standards and Technology and one of which shall be from the Bureau of Industry and Security.

(viii) An official from any executive agency not listed under clauses (i) through (vii) whose temporary or permanent participation is determined by the Chairperson of the Council to be necessary to carry out the functions of the Council while maintaining the intended balance in subject matter expertise.

(A) ; and

(B) in paragraph (2)—

(i) in the heading, by striking Lead representatives and inserting Members;

(ii) by amending subparagraph (A)(i) to read as follows:

The head of each executive agency listed under paragraph (1)(C) shall designate the official or officials from that agency who shall serve on the Council in accordance with such paragraph.

(iii) by amending subparagraph (A)(ii) to read as follows:

To the extent feasible, any official designated under clause (i) shall have expertise in supply chain risk management, acquisitions, law, or information and communications technology.

(iv) by amending subparagraph (B) to read as follows:

A member of the Council shall—

(i) regularly participate in the activities of the Council;

(ii) ensure that any information requested by the Council from the agency represented by the member is provided to the Council; and

(iii) ensure that the head of the agency represented by the member and other appropriate personnel of the agency are aware of the activities of the Council.

(3) in subsection (c)—

(A) by amending paragraph (1) to read as follows:

The Chairperson of the Council shall be—

(A) the National Cyber Director; or

(B) another member of the Council designated by the National Cyber Director.

(A) ; and

(B) in paragraph (2)—

(i) in subparagraph (B), by striking (b)(1)(H) and inserting (b)(1)(C)(viii); and

(ii) in subparagraph (C), by striking lead representative of each agency represented on the Council and inserting members of the Council; and

(4) in subsection (d)—

(A) by striking The Council and inserting the following:

The Council

(A) ; and

(B) by adding at the end the following:

The Chairperson of the Council shall meet, not less frequently than semiannually, with—

(A) the Secretary of Homeland Security, Secretary of Defense, and Director of National Intelligence; or

(B) in the case that any of the officials under subparagraph (A) delegated authority to an official under section 1323(c)(6)(C), with the delegated official.

Section 1323 of title 41, United States Code is amended—

(1) in subsection (a)—

(A) by striking supply chain each place it appears and inserting acquisition security and supply chain;

(B) in paragraph (1), as amended by subparagraph (A), by striking, particularly and inserting that arise;

(C) in paragraph (2), as amended by subparagraph (A), by inserting associated with the acquisition and use of covered articles after risk;

(D) in paragraph (6), as amended by subparagraph (A)—

(i) by striking posed by and inserting associated with; and

(ii) by inserting and use before of covered articles;

(E) in paragraph (7), by striking posed by acquisitions and inserting associated with the acquisition;

(F) by redesignating paragraph (7) as paragraph (12); and

(G) by inserting after paragraph (6) the following:

(7) Implementing a prioritization scheme for evaluating the security risks associated with the acquisition and use of covered articles provided or produced by a covered source of concern.

(8) Evaluating each covered source of concern to determine whether to issue a designated order with respect to the covered source of concern or a covered article produced or provided by the covered source of concern.

(9) Evaluating sources of concern to determine whether to issue a recommended order with respect to the source of concern, or any covered article produced or provided by the source of concern.

(10) Monitoring and evaluating compliance by the Secretary of Homeland Security, Secretary of Defense, and Director of National Intelligence with the requirement to issue designated orders under subsection (c)(6)(B).

(11) Reporting to Congress annually on the security risks associated with the acquisition and use of covered articles produced or provided by sources of concern.

(2) in subsection (b)—

(A) by striking The Council and inserting the following:

The Council

(A) ; and

(B) in paragraph (1), as so redesignated, by striking a program office and; and

(C) by adding at the end the following:

The Council shall establish a Federal Acquisition Security Council Program Office (referred to in this paragraph as the Program Office) within the Office of the National Cyber Director to carry out the functions of the Council duties described under subparagraph (B).

The Program Office shall provide to the Council, including any committees, working groups, or other constituent bodies established by the Council under paragraph (1)—

(i) administrative, legal, and policy support; and

(ii) analysis and subject matter expertise on information communications technology, acquisition security, and supply chain risk.

The head of the Program Office shall be a senior official from the Office of the National Cyber Director that occupies a position at the level of Assistant Secretary or Deputy Assistant Secretary (or equivalent).

The Program Office may not provide administrative support to the Council for any activities of the Council carried out pursuant to a provision of law other than a provision of law under this subchapter.

The Program Office may use the staff and resources of the Office of the National Cyber Director or maintain dedicated staff and resources, as appropriate, in the performance of the duties of the Office.

The Program Office may accept officers or employees of the United States or members of the Armed Forces on a detail from an element of the intelligence community (as such term is defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)) or from another element of the Federal Government on a nonreimbursable basis, as jointly agreed to by the heads of the receiving and detailing elements, for a period not to exceed three years.

Nothing in this subparagraph may be construed as imposing any limitation on any other authority for reimbursable or nonreimbursable details.

A nonreimbursable detail made under this subparagraph shall not be considered an augmentation of the appropriations of the receiving element of the Program Office or the Office of the National Cyber Director.

The Program Office shall terminate on the date described under section 1328.

(3) in subsection (c)—

(A) in paragraph (1)—

(i) in the matter preceding subparagraph (A), by striking supply chain risk and inserting acquisition security and supply chain risk associated with the acquisition of covered articles;

(ii) in subparagraph (A), by inserting recommended before exclusion orders;

(iii) in subparagraph (B), by inserting recommended before removal orders;

(iv) in subparagraph (C), by striking; and and inserting a semicolon;

(v) in subparagraph (D), by striking the period at the end and inserting; and; and

(vi) by adding at the end the following:

(E) issuing designated orders.

(B) in paragraph (2)—

(i) in the heading, by striking Recommendations and inserting Recommended Orders;

(ii) by striking use and inserting, using;

(iii) by striking subsection (a)(3) and inserting subsection (a)(4);

(iv) by striking to issue recommendations and inserting, recommend orders;

(v) by striking Such recommendations and inserting Any such order recommended;

(vi) by inserting to the officials described under clause (iii) of paragraph (6)(A) for issuance under such paragraph after thereof,;

(vii) in subparagraph (D), by striking supply chain risk and inserting acquisition security and supply chain risk associated with the acquisition of covered articles; and

(viii) in subparagraph (E), by striking exclusion or removal;

(C) by redesignating paragraphs (3) through (7) as paragraphs (4) through (8);

(D) by inserting after paragraph (2) the following:

Not later than 270 days after a source of concern is designated as a covered source of concern, the Council—

(I) shall provide to the officials described under clause (iii) of paragraph (6)(B) for issuance under such paragraph orders requiring—

(aa) the exclusion of the covered source of concern from any executive agency procurement action, including source selection and consent for a contractor; or

(bb) the removal of covered articles produced or provided by the covered source of concern from the information system of executive agencies; or

(II) report to Congress why the Council has determined to not issue an order described under subclause (I) with respect to the covered source of concern or covered articles produced or provided by the covered source of concern.

Any order provided under clause (i) shall include—

(I) information regarding the scope and applicability of the order, including any information necessary to positively identify the covered source of concern or covered articles produced or provided by the covered source of concern required to be excluded or removed under the order;

(II) a summary of any risk assessment reviewed or conducted in support of the order;

(III) a summary of the basis for the order, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce security risk;

(IV) a description of the actions necessary to implement the order; and

(V) where practicable, in the Council’s sole and unreviewable discretion, a description of mitigation steps that could be taken by the covered source of concern that may result in the Council rescinding the order.

In the case that the Council provides an order under subparagraph (A), the Council may also provide an order to the officials described under paragraph (6)(A)(iii) requiring the exclusion of sources or covered articles from executive agency procurement actions or removal of covered articles from executive agency information systems if—

(I) such covered articles or such sources use a covered source of concern in the performance of a contract with the executive agency; or

(II) such sources enter into a contract, the performance of which such source knows or has reason to believe will require, in the performance of a contract with the executive agency, the use of a covered source of concern or the use of a covered article produced or provided by a covered source of concern.

Any effective date prescribed by the Council for an order issued pursuant to clause (i) shall take into account—

(I) the risk posed by the covered source of concern or the covered article produced or provided by the covered source of concern to the national security of the United States;

(II) the likelihood of the covered source of concern or the covered article produced or provided by the covered source of concern causing imminent threat to public health and safety;

(III) the availability of an alternative source or covered article produced or provided by an alternative source; and

(IV) an assessment of the potential direct or quantifiable costs that may be incurred by the Federal Government, a State, local, or Tribal government, or by the private sector, as a result of compliance by the head of an executive agency with such an exclusion or removal order.

(E) in paragraph (4), as so redesignated—

(i) in the heading, by striking of recommendation and review and inserting and review of recommended and designated orders;

(ii) by striking the recommendation each place the term appears, and inserting the order;

(iii) in the matter preceding subparagraph (A), by striking A notice of the Council’s recommendation under paragraph (2) and inserting Before the Council recommends an order under paragraph (2) or issues an order under paragraph (3), a notice;

(iv) in subparagraph (A), by striking a recommendation has been made and inserting the order will be recommended or issued;

(v) in subparagraph (D), by striking paragraph (5) and inserting paragraph (6); and

(vi) by inserting a new subparagraph to read as follows:

(F) Until an order is issued pursuant to paragraph (6), information collected under this paragraph shall be exempt from public disclosure and shall be exempt from disclosure under section 552(b)(3)(B) of title 5, United States Code (commonly referred to as the Freedom of Information Act).

(F) in paragraph (5), as so redesignated—

(i) by striking paragraph (3) and inserting paragraph (4);

(ii) in subparagraph (A), by striking paragraph (5) and inserting paragraph (6); and

(iii) in subparagraph (B), by striking paragraph (6) and inserting paragraph (7);

(G) in paragraph (6), as so redesignated—

(i) by amending subparagraph (A) to read as follows:

After considering any response properly submitted by a source under paragraph (4) related to an order to be recommended under paragraph (2), the Council shall—

(I) make such modifications to the order as the Council considers appropriate; and

(II) provide the order (together with any information submitted by a source under paragraph (4) related to such order) to the officials described under clause (iii).

Not later than 90 days after receiving a recommended order, the officials described under clause (iii) shall—

(I) issue the order to the heads of the applicable agencies; or

(II) submit a notification to the Council that the order will not be issued, that includes in the notification to the Council, all the reasons for why the order will not be issued.

The officials described in this clause are as follows:

(I) The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by subclause (II) or (III).

(II) The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems.

(III) The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by subclause (II).

(ii) by redesignating subparagraphs (B) through (E) as subparagraphs (C) through (F), respectively;

(iii) by inserting after subparagraph (A) the following:

After considering any response properly submitted by a source under paragraph (4) related to a designated order, the Council shall—

(aa) make any such modifications to the order as the Council considers appropriate; or

(bb) if the Council determines that the issuance of a designated order is not warranted, rescind the designated order and notify the source of the rescission; and

(II) except in the case that the Council rescinds the designated order under subclause (I)(bb), provide the designated order (including any modifications made to such order by the Council) to the officials described in clause (iii).

The officials described in clause (iii) shall, not later than 90 days after receiving a designated order, issue the order to the heads of the applicable agencies.

The officials described in this clause are as follows:

(I) The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by subclause (II) or (III).

(II) The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems.

(III) The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by subclause (II).

An official described under clause (iii) may waive for a period of not more than 365 days the application of an order issued by such official under clause (ii) with respect to a covered source of concern or a covered article produced or provided by a covered source of concern if the official submits, not later than 30 days after making such waiver, a written notification to the Council, appropriate congressional committees, and leadership that contains the justification for such waiver.

An official described under clause (iii) may renew a waiver under clause (iv) for an additional period of not more than 180 days if—

(I) the renewal of the waiver is in the national security interests of the United States; and

(II) the official submits, not later than 30 days after renewing such waiver, a written notification to the Council, appropriate congressional committees, and leadership that includes the justification for renewing the wavier.

An official described under clause (iii) may waive the application of an order issued by such official under clause (ii) with respect to a covered source of concern or a covered article produced or provided by a covered source of concern for any activity subject to the reporting requirements under title V of the National Security Act of 1947 (50 U.S.C. 3091 et seq.) or any authorized intelligence activities of the United States.

An exclusion or removal order issued under this subparagraph by an official may be rescinded only by the Council.

(iv) in subparagraph (C), as so redesignated—

(I) by striking subparagraph (A) and inserting subparagraph (A)(iii) or (B)(iii);

(II) by striking this subparagraph and inserting subparagraph (A)(iii) or (B)(iii); and

(III) by striking, except and all that follows before the period at the end;

(v) in subparagraph (D), as so redesignated—

(I) by striking this paragraph and inserting subparagraph (A)(iii) or (B)(iii); and

(II) by striking help;

(vi) in subparagraph (E), as so redesignated, by striking this paragraph and inserting subparagraph (A); and

(vii) by adding after subparagraph (F), as so redesignated, the following:

The effective date of an order issued under this paragraph may not be more than 365 days after the order is issued.

(H) in paragraph (7), as so redesignated, by striking paragraph (5)(A) and inserting subparagraph (A) or (B) of paragraph (6); and

(I) in paragraph (8), as so redesignated, by striking paragraph (5) and inserting paragraph (6);

(4) in subsection (e), by inserting the Chief Data Officers Council, before the Chief Acquisition; and

(5) in subsection (f)(2), by striking the period at the end and inserting unless such source is specifically designated by statute as a covered source of concern for the purposes of this subchapter..

Section 1324(a) of title 41, United States Code, is amended—

(1) by inserting, and periodically thereafter after 2018;

(2) in the matter preceding paragraph (1), by inserting acquisition security and before supply chain risks;

(3) in paragraph (8), by inserting acquisition security and before supply chain risks; and

(4) in paragraph (9)(A), by inserting acquisition security and before supply chain risk.

Section 1326 of title 41, United States Code, is amended—

(1) in subsection (a)—

(A) in paragraph (1), by striking; and and inserting a semicolon;

(B) in paragraph (2), by striking the period at the end and inserting; and; and

(C) by adding at the end the following:

(3) providing any information requested by the Chairperson of the Council for the purpose of carrying out activities of this subchapter, subject to applicable law or policy on the control and handling of classified, sensitive, or proprietary information.”

(2) by striking supply chain each place such term appears and inserting security and supply chain; and

(3) in subsection (b)(6), by striking supply chain and inserting security or supply chain.

Section 1327(b) of title 41, United States Code, is amended—

(1) in paragraph (1), by striking section 1323(c)(6) and inserting section 1323(c)(7);

(2) in paragraph (3), by striking section 1323(c)(5) and inserting sections 1323(c)(6); and

(3) in paragraph (4), by amending subparagraph (B)(i) to read as follows:

The United States shall file with the court an administrative record, which shall consist of—

(I) the information the Council relied upon in issuing a designated order under 1323(c)(6); and

(II) the information that the appropriate official relied upon in issuing an exclusion or removal order under section 1323(c)(6) or a covered procurement action under section 4713.

Subchapter III of chapter 13 of title 41, United States Code, is amended by adding at the end the following:

In implementing this subchapter, the Council shall coordinate, as applicable and practicable, with the head of an agency to assist with compliance by the agency with—

(1) section 889 of the John S. McCain National Defense Authorization Act of 2019 (Public Law 115–232; 41 U.S.C. 3901 note);

(2) section 5949 of the James M. Inhofe National Defense Authorization Act of 2023 (Public Law 117–263; 41 U.S.C. 4713 note); and

(3) sections 1821 through 1833 of the American Security Drone Act of 2023 (Public Law 118–31).

The Federal Acquisition Security Council shall update, within two years after the date of the enactment of this section, any regulations of the Council as necessary.

Subchapter III of chapter 13 of title 41, United States Code, is amended—

(1) in the table of sections for the subchapter by adding after the item related to section 1328 the following:

(2) in section 1321(1)(B), by striking Government Reform and inserting Accountability; and

(3) by striking of this title each place the term appears.

(1) in paragraph (1), by striking Office of Management and Budget and inserting Office of the National Cyber Director; and

(2) in paragraph (2), by striking Office of Management and Budget and inserting Office of the National Cyber Director.