Last month Sen. McCaskill (D,MO) introduced S 3085 [oops, added link 08:57 EDT 7-3-18], the Federal
Acquisition Supply Chain Security Act of 2018. The bill would amend 41 USC to
add a third Acquisition Council to the Office of Federal Procurement Policy.
The new Federal Acquisition Security Council (FASC) would be responsible for assessing
threats and vulnerabilities relating to supply chain risk posed by the
acquisition of information technology.
The Council
The FASC would be led by a representative of the Office of
Management and Budget and would consist of representatives from {new §1322(a)}:
• The General Services Administration;
• The Department of Homeland Security;
• The Office of the Director of National Intelligence;
• The Federal Bureau of Investigation;
• The Department of Defense; and
• The National Institute of Standards and Technology.
The FASC would be responsible for developing criteria and
processes for {new §1323(a)(1)}:
• Assessing threats and vulnerabilities relating to supply chain risk posed by
the acquisition of information technology to national security and the public
interest; and
• Sharing information among executive agencies, including the intelligence
community, and the private sector where appropriate, with respect to
assessments of that risk.
FASC would also be tasked with {new §1323(a)}:
• Defining the responsibilities of executive agencies, consistent with existing
law, for management of such assessments;
• Issuing guidance to executive agencies for incorporating information relating
to supply chain risks and other relevant information into procurement decisions
for the protection of national security and the public interest;
• Developing standards and measures for supply chain risk management, including
assessments, evaluations, mitigation, and response that take into consideration
national security and other factors relevant to the public interest;
• Consulting, as appropriate, with the private sector and other nongovernmental
stakeholders on issues relating to the management of supply chain risks posed by
the acquisition of information technology;
• Determining whether the exclusion of a source made by one executive agency
should apply to all executive agencies; and
• Carrying out such other actions as are agreed upon by the Council.
Moving Forward
McCaskill is the Ranking Member of the Senate Homeland
Security and Governmental Affairs Committee to which this bill was assigned for
consideration. Additionally, her cosponsor, Sen. Lankford (R,OK), is the Chair
of the Subcommittee on Regulatory Affairs and Federal Management of that
Committee. There is certainly enough influence available between the two of
them to have this bill considered in Committee. Whether that influence is
sufficient to see the bill make it to the floor of the Senate in the last 180
days of the session remains to be seen.
I do not see anything in the bill that would draw any
serious objections to the bill in Committee or on the floor of the Senate.
Commentary
The one major problem with this bill, from my point of view,
is that it relies on the IT-restrictive definition of ‘information technology’
from 44 USC 3502 (via 40 USC 11101). Thus, none of the control system
technology acquisitions of the Federal government would be covered by the
workings of the FASC. This is especially important considering that the Federal
government is an important player in setting acquisition standards for
electronic equipment, especially commercial off-the-shelf equipment.
Unfortunately, there is no current industrial control system
inclusive definition of ‘information technology’ in the US Code. The closest
that we see is the definition of ‘information system’ in 6 USC 1501. It would
not be difficult to change each instance of ‘information technology’ in the
bill to ‘information system’ and then use the §1501 definition.