“SEC. 836. Requirements for information relating to supply chain risk.

“(a) Authority.—Subject to subsection (b), the Secretary may—

“(1) carry out a covered procurement action;

“(2) limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information, including classified information, relating to the basis for carrying out such an action; and

“(3) exclude, in whole or in part, a source carried out in the course of such an action applicable to a covered procurement of the Department.

“(b) Determination and notification.—Except as authorized by subsection (c) to address an urgent national security interest, the Secretary may exercise the authority provided in subsection (a) only after—

“(1) obtaining a joint recommendation, in unclassified or classified form, from the Chief Acquisition Officer and the Chief Information Officer of Department, including a review of any risk assessment made available by an appropriate person or entity, that there is a significant supply chain risk in a covered procurement;

“(2) notifying any source named in the joint recommendation described in paragraph (1) advising—

“(A) that a recommendation has been obtained;

“(B) to the extent consistent with the national security and law enforcement interests, the basis for such recommendation;

“(C) that, within 30 days after receipt of notice, such source may submit information and argument in opposition to such recommendation; and

“(D) of the procedures governing the consideration of such submission and the possible exercise of the authority provided in subsection (a);

“(3) notifying the relevant components of the Department that such risk assessment has demonstrated significant supply chain risk to a covered procurement; and

“(4) making a determination in writing, in unclassified or classified form, that after considering any information submitted by a source under paragraph (2), and in consultation with the Chief Information Officer of the Department, that—

“(A) use of authority under subsection (a)(1) is necessary to protect national security by reducing supply chain risk;

“(B) less intrusive measures are not reasonably available to reduce such risk;

“(C) a decision to limit disclosure of information under subsection (a)(2) is necessary to protect national security interest; and

“(D) the use of such authorities will apply to a single covered procurement or a class of covered procurements, and otherwise specifies the scope of such determination;

“(5) providing to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a classified or unclassified notice of the determination made under paragraph (4) that includes—

“(A) the joint recommendation described in paragraph (1);

“(B) a summary of any risk assessment reviewed in support of such joint recommendation; and

“(C) a summary of the basis for such determination, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk;

“(6) notifying the Director of the Office of Management and Budget, and the heads of other Federal agencies as appropriate, in a manner and to the extent consistent with the requirements of national security; and

“(7) taking steps to maintain the confidentiality of any notifications under this subsection.

“(c) Procedures To address urgent national security interests.—In any case in which the Secretary determines that national security interests require the immediate exercise of the authorities under subsection (a), the Secretary—

“(1) may, to the extent necessary to address any such national security interest, and subject to the conditions specified in paragraph (2)—

“(A) temporarily delay the notice required by subsection (b)(2);

“(B) make the determination required by subsection (b)(4), regardless of whether the notice required by subsection (b)(2) has been provided or whether the notified source at issue has submitted any information in response to such notice;

“(C) temporarily delay the notice required by subsections (b)(4) and (b)(5); and

“(D) exercise the authority provided in subsection (a) in accordance with such determination; and

“(2) shall take actions necessary to comply with all requirements of subsection (b) as soon as practicable after addressing the urgent national security interest that is the subject of paragraph (1), including—

“(A) providing the notice required by subsection (b)(2);

“(B) promptly considering any information submitted by the source at issue in response to such notice, and making any appropriate modifications to the determination required by subsection (b)(4) based on such information; and

“(C) providing the notice required by subsections (b)(5) and (b)(6), including a description of such urgent national security, and any modifications to such determination made in accordance with subparagraph (B).

“(d) Annual review of determinations.—The Secretary shall annually review all determinations made under subsection (b).

“(e) Delegation.—The Secretary may not delegate the authority provided in subsection (a) or the responsibility identified in subsection (d) to an official below the Deputy Secretary.

“(f) Limitation of review.—Notwithstanding any other provision of law, no action taken by the Secretary under subsection (a) may be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

“(g) Consultation.—In developing procedures and guidelines for the implementation of the authorities described in this section, the Secretary shall review the procedures and guidelines utilized by the Department of Defense to carry out similar authorities.

“(h) Definitions.—In this section:

“(1) COVERED ARTICLE.—The term ‘covered article’ means:

“(A) Information technology, including cloud computing services of all types.

“(B) Telecommunications equipment.

“(C) Telecommunications services.

“(D) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program of the Department.

“(E) Hardware, systems, devices, software, or services that include embedded or incidental information technology.

“(2) COVERED PROCUREMENT.—The term ‘covered procurement’ means—

“(A) a source selection for a covered article involving either a performance specification, as provided in subsection (a)(3)(B) of section 3306 of title 41, United States Code, or an evaluation factor, as provided in subsection (c)(1)(A) of such section, relating to supply chain risk, or with respect to which supply chain risk considerations are included in the Department’s determination of whether a source is a responsible source as defined in section 113 of such title;

“(B) the consideration of proposals for and issuance of a task or delivery order for a covered article, as provided in section 4106(d)(3) of title 41, United States Code, with respect to which the task or delivery order contract includes a contract clause establishing a requirement relating to supply chain risk;

“(C) any contract action involving a contract for a covered article with respect to which such contract includes a clause establishing requirements relating to supply chain risk; or

“(D) any procurement made via Government Purchase Care for a covered article when supply chain risk has been identified as a concern.

“(3) COVERED PROCUREMENT ACTION.—The term ‘covered procurement action’ means any of the following actions, if such action takes place in the course of conducting a covered procurement:

“(A) The exclusion of a source that fails to meet qualification requirements established pursuant to section 3311 of title 41, United States Code, for the purpose of reducing supply chain risk in the acquisition or use of a covered article.

“(B) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.

“(C) The determination that a source is not a responsible source based on considerations of supply chain risk.

“(D) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.

“(4) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given such term in section 3502 of title 44, United States Code.

“(5) INFORMATION TECHNOLOGY.—The term ‘information technology’ has the meaning given such term in section 11101 of title 40, United States Code.

“(6) RESPONSIBLE SOURCE.—The term ‘responsible source’ has the meaning given such term in section 113 of title 41, United States Code.

“(7) SUPPLY CHAIN RISK.—The term ‘supply chain risk’ means the risk that a malicious actor may sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the information technology or information stored or transmitted on the covered articles.

“(8) TELECOMMUNICATIONS EQUIPMENT.—The term ‘telecommunications equipment’ has the meaning given such term in section 153(52) of title 47, United States Code.

“(9) TELECOMMUNICATIONS SERVICE.—The term ‘telecommunications service’ has the meaning given such term in section 153(53) of title 47, United States Code.

“(i) Effective date.—The requirements of this section shall take effect on the date that is 90 days after the date of the enactment of this Act and shall apply to—

“(1) contracts awarded on or after such date; and

“(2) task and delivery orders issued on or after such date pursuant to contracts awarded before, on, or after such date.”.