Federal Acquisition Supply Chain Security Act of 2018
This bill establishes in the executive branch a Federal Acquisition Security Council. The Office of Management and Budget shall designate a senior-level official to serve as the chairperson of the council. The council shall perform functions that include developing: (1) criteria and processes for assessing threats and vulnerabilities relating to supply chain risk posed by the acquisition of information technology to national security and the public interest, and (2) standards and measures for supply chain risk management.
The chairperson shall report annually to Congress on the council's activities.
Any agency that makes information technology available for procurement by other agencies shall:
- identify information technology products made available to other agencies that pose the greatest risk to national security or the public interest;
- complete a risk assessment of such products;
- in each case in which the agency identifies a significant supply chain risk posed by information technology, make the risk assessment available to all agencies through the council and develop a plan to mitigate that risk; and
- develop a vetting process for conducting supply chain risk assessments regarding prospective providers of information technology and make the process available to all agencies.
The Department of Homeland Security may: (1) assist agencies in conducting risk assessments and implementing mitigation requirements for information technology, and (2) provide such additional guidance or tools as necessary to support actions taken by agencies.