
§ 1321. Definitions
In this subchapter:
(1)Appropriate congressional committees and leadership.—The term “appropriate congressional committees and leadership” means—
(A) the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Armed Services, the Committee on Commerce, Science, and Transportation, the Select Committee on Intelligence, and the majority and minority leader of the Senate; and
(B) the Committee on Oversight and Government Reform, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, the Committee on Armed Services, the Committee on Energy and Commerce, the Permanent Select Committee on Intelligence, and the Speaker and minority leader of the House of Representatives.
(2)Council.—The term “Council” means the Federal Acquisition Security Council established under section 1322(a) of this title.
(3)Covered article.—The term “covered article” has the meaning given that term in section 4713 of this title.
(4)Covered procurement action.—The term “covered procurement action” has the meaning given that term in section 4713 of this title.
(5)Information and communications technology.—The term “information and communications technology” has the meaning given that term in
(6)Intelligence community.—The term “intelligence community” has the meaning given that term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)).
(7)National security system.—The term “national security system” has the meaning given that term in section 3552 of title 44.
(8)Supply chain risk.—The term “supply chain risk” has the meaning given that term in section 4713 of this title.
(Added Pub. L. 115–390, title II, § 202(a), Dec. 21, 2018, 132 Stat. 5178.)
§ 1322. Federal Acquisition Security Council establishment and membership
(a)Establishment.—There is established in the executive branch a Federal Acquisition Security Council.
(b)Membership.—
(1)In general.—The following agencies shall be represented on the Council:
(A) The Office of Management and Budget.
(B) The General Services Administration.
(C) The Department of Homeland Security, including the Cybersecurity and Infrastructure Security Agency.
(D) The Office of the Director of National Intelligence, including the National Counterintelligence and Security Center.
(E) The Department of Justice, including the Federal Bureau of Investigation.
(F) The Department of Defense, including the National Security Agency.
(G) The Department of Commerce, including the National Institute of Standards and Technology.
(H) Such other executive agencies as determined by the Chairperson of the Council.
(2)Lead representatives.—
(A)Designation.—
(i)In general.—Not later than 45 days after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018, the head of each agency represented on the Council shall designate a representative of that agency as the lead representative of the agency on the Council.
(ii)Requirements.—The representative of an agency designated under clause (i) shall have expertise in supply chain risk management, acquisitions, or information and communications technology.
(B)Functions.—The lead representative of an agency designated under subparagraph (A) shall ensure that appropriate personnel, including leadership and subject matter experts of the agency, are aware of the business of the Council.
(c)Chairperson.—
(1)Designation.—Not later than 45 days after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018, the Director of the Office of Management and Budget shall designate a senior-level official from the Office of Management and Budget to serve as the Chairperson of the Council.
(2)Functions.—The Chairperson shall perform functions that include—
(A) subject to subsection (d), developing a schedule for meetings of the Council;
(B) designating executive agencies to be represented on the Council under subsection (b)(1)(H);
(C) in consultation with the lead representative of each agency represented on the Council, developing a charter for the Council; and
(D) not later than 7 days after completion of the charter, submitting the charter to the appropriate congressional committees and leadership.
(d)Meetings.—The Council shall meet not later than 60 days after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018 and not less frequently than quarterly thereafter.
(Added Pub. L. 115–390, title II, § 202(a), Dec. 21, 2018, 132 Stat. 5178.)
§ 1323. Functions and authorities
(a)In General.—The Council shall perform functions that include the following:
(1) Identifying and recommending development by the National Institute of Standards and Technology of supply chain risk management standards, guidelines, and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks, particularly in the acquisition and use of covered articles under section 1326(a) of this title.
(2) Identifying or developing criteria for sharing information with executive agencies, other Federal entities, and non-Federal entities with respect to supply chain risk, including information related to the exercise of authorities provided under this section and sections 1326 and 4713 of this title. At a minimum, such criteria shall address—
(A) the content to be shared;
(B) the circumstances under which sharing is mandated or voluntary; and
(C) the circumstances under which it is appropriate for an executive agency to rely on information made available through such sharing in exercising the responsibilities and authorities provided under this section and section 4713 of this title.
(3) Identifying an appropriate executive agency to—
(A) accept information submitted by executive agencies based on the criteria established under paragraph (2);
(B) facilitate the sharing of information received under subparagraph (A) to support supply chain risk analyses under section 1326 of this title, recommendations under this section, and covered procurement actions under section 4713 of this title;
(C) share with the Council information regarding covered procurement actions by executive agencies taken under section 4713 of this title; and
(D) inform the Council of orders issued under this section.
(4) Identifying, as appropriate, executive agencies to provide—
(A) shared services, such as support for making risk assessments, validation of products that may be suitable for acquisition, and mitigation activities; and
(B) common contract solutions to support supply chain risk management activities, such as subscription services or machine-learning-enhanced analysis applications to support informed decision making.
(5) Identifying and issuing guidance on additional steps that may be necessary to address supply chain risks arising in the course of executive agencies providing shared services, common contract solutions, acquisitions vehicles, or assisted acquisitions.
(6) Engaging with the private sector and other nongovernmental stakeholders in performing the functions described in paragraphs (1) and (2) and on issues relating to the management of supply chain risks posed by the acquisition of covered articles.
(7) Carrying out such other actions, as determined by the Council, that are necessary to reduce the supply chain risks posed by acquisitions and use of covered articles.
(b)Program Office and Committees.—The Council may establish a program office and any committees, working groups, or other constituent bodies the Council deems appropriate, in its sole and unreviewable discretion, to carry out its functions.
(c)Authority for Exclusion or Removal Orders.—
(1)Criteria.—To reduce supply chain risk, the Council shall establish criteria and procedures for—
(A) recommending orders applicable to executive agencies requiring the exclusion of sources or covered articles from executive agency procurement actions (in this section referred to as “exclusion orders”);
(B) recommending orders applicable to executive agencies requiring the removal of covered articles from executive agency information systems (in this section referred to as “removal orders”);
(C) requesting and approving exceptions to an issued exclusion or removal order when warranted by circumstances, including alternative mitigation actions or other findings relating to the national interest, including national security reviews, national security investigations, or national security agreements; and
(D) ensuring that recommended orders do not conflict with standards and guidelines issued under section 11331 of title 40 and that the Council consults with the Director of the National Institute of Standards and Technology regarding any recommended orders that would implement standards and guidelines developed by the National Institute of Standards and Technology.
(2)Recommendations.—The Council shall use the criteria established under paragraph (1), information made available under subsection (a)(3), and any other information the Council determines appropriate to issue recommendations, for application to executive agencies or any subset thereof, regarding the exclusion of sources or covered articles from any executive agency procurement action, including source selection and consent for a contractor to subcontract, or the removal of covered articles from executive agency information systems. Such recommendations shall include—
(A) information necessary to positively identify the sources or covered articles recommended for exclusion or removal;
(B) information regarding the scope and applicability of the recommended exclusion or removal order;
(C) a summary of any risk assessment reviewed or conducted in support of the recommended exclusion or removal order;
(D) a summary of the basis for the recommendation, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce supply chain risk;
(E) a description of the actions necessary to implement the recommended exclusion or removal order; and
(F) where practicable, in the Council’s sole and unreviewable discretion, a description of mitigation steps that could be taken by the source that may result in the Council rescinding a recommendation.
(3)Notice of recommendation and review.—A notice of the Council’s recommendation under paragraph (2) shall be issued to any source named in the recommendation advising—
(A) that a recommendation has been made;
(B) of the criteria the Council relied upon under paragraph (1) and, to the extent consistent with national security and law enforcement interests, of information that forms the basis for the recommendation;
(C) that, within 30 days after receipt of notice, the source may submit information and argument in opposition to the recommendation;
(D) of the procedures governing the review and possible issuance of an exclusion or removal order pursuant to paragraph (5); and
(E) where practicable, in the Council’s sole and unreviewable discretion, a description of mitigation steps that could be taken by the source that may result in the Council rescinding the recommendation.
(4)Confidentiality.—Any notice issued to a source under paragraph (3) shall be kept confidential until—
(A) an exclusion or removal order is issued pursuant to paragraph (5); and
(B) the source has been notified pursuant to paragraph (6).
(5)Exclusion and removal orders.—
(A)Order issuance.—Recommendations of the Council under paragraph (2), together with any information submitted by a source under paragraph (3) related to such a recommendation, shall be reviewed by the following officials, who may issue exclusion and removal orders based upon such recommendations:
(i) The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by clause (ii) or (iii).
(ii) The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems.
(iii) The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by clause (ii).
(B)Delegation.—The officials identified in subparagraph (A) may not delegate any authority under this subparagraph to an official below the level one level below the Deputy Secretary or Principal Deputy Director, except that the Secretary of Defense may delegate authority for removal orders to the Commander of the United States Cyber Command, who may not redelegate such authority to an official below the level one level below the Deputy Commander.
(C)Facilitation of exclusion orders.—If officials identified under this paragraph from the Department of Homeland Security, the Department of Defense, and the Office of the Director of National Intelligence issue orders collectively resulting in a governmentwide exclusion, the Administrator for General Services and officials at other executive agencies responsible for management of the Federal Supply Schedules, governmentwide acquisition contracts and multi-agency contracts shall help facilitate implementation of such orders by removing the covered articles or sources identified in the orders from such contracts.
(D)Review of exclusion and removal orders.—The officials identified under this paragraph shall review all exclusion and removal orders issued under subparagraph (A) not less frequently than annually pursuant to procedures established by the Council.
(E)Rescission.—Orders issued pursuant to subparagraph (A) may be rescinded by an authorized official from the relevant issuing agency.
(6)Notifications.—Upon issuance of an exclusion or removal order pursuant to paragraph (5)(A), the official identified under that paragraph who issued the order shall—
(A) notify any source named in the order of—
(i) the exclusion or removal order; and
(ii) to the extent consistent with national security and law enforcement interests, information that forms the basis for the order;
(B) provide classified or unclassified notice of the exclusion or removal order to the appropriate congressional committees and leadership; and
(C) provide the exclusion or removal order to the agency identified in subsection (a)(3).
(7)Compliance.—Executive agencies shall comply with exclusion and removal orders issued pursuant to paragraph (5).
(d)Authority To Request Information.—The Council may request such information from executive agencies as is necessary for the Council to carry out its functions.
(e)Relationship to Other Councils.—The Council shall consult and coordinate, as appropriate, with other relevant councils and interagency committees, including the Chief Information Officers Council, the Chief Acquisition Officers Council, the Federal Acquisition Regulatory Council, and the Committee on Foreign Investment in the United States, with respect to supply chain risks posed by the acquisition and use of covered articles.
(f)Rules of Construction.—Nothing in this section shall be construed—
(1) to limit the authority of the Office of Federal Procurement Policy to carry out the responsibilities of that Office under any other provision of law; or
(2) to authorize the issuance of an exclusion or removal order based solely on the fact of foreign ownership of a potential procurement source that is otherwise qualified to enter into procurement contracts with the Federal Government.
(Added Pub. L. 115–390, title II, § 202(a), Dec. 21, 2018, 132 Stat. 5180.)
§ 1324. Strategic plan
(a)In General.—Not later than 180 days after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018, the Council shall develop a strategic plan for addressing supply chain risks posed by the acquisition of covered articles and for managing such risks that includes—
(1) the criteria and processes required under section 1323(a) of this title, including a threshold and requirements for sharing relevant information about such risks with all executive agencies and, as appropriate, with other Federal entities and non-Federal entities;
(2) an identification of existing authorities for addressing such risks;
(3) an identification and promulgation of best practices and procedures and available resources for executive agencies to assess and mitigate such risks;
(4) recommendations for any legislative, regulatory, or other policy changes to improve efforts to address such risks;
(5) recommendations for any legislative, regulatory, or other policy changes to incentivize the adoption of best practices for supply chain risk management by the private sector;
(6) an evaluation of the effect of implementing new policies or procedures on existing contracts and the procurement process;
(7) a plan for engaging with executive agencies, the private sector, and other nongovernmental stakeholders to address such risks;
(8) a plan for identification, assessment, mitigation, and vetting of supply chain risks from existing and prospective information and communications technology made available by executive agencies to other executive agencies through common contract solutions, shared services, acquisition vehicles, or other assisted acquisition services; and
(9) plans to strengthen the capacity of all executive agencies to conduct assessments of—
(A) the supply chain risk posed by the acquisition of covered articles; and
(B) compliance with the requirements of this subchapter.
(b)Submission to Congress.—Not later than 7 calendar days after completion of the strategic plan required by subsection (a), the Chairperson of the Council shall submit the plan to the appropriate congressional committees and leadership.
(Added Pub. L. 115–390, title II, § 202(a), Dec. 21, 2018, 132 Stat. 5184.)
§ 1325. Annual report

Not later than December 31 of each year, the Chairperson of the Council shall submit to the appropriate congressional committees and leadership a report on the activities of the Council during the preceding 12-month period.

(Added Pub. L. 115–390, title II, § 202(a), Dec. 21, 2018, 132 Stat. 5184.)
§ 1326. Requirements for executive agencies
(a)In General.—The head of each executive agency shall be responsible for—
(1) assessing the supply chain risk posed by the acquisition and use of covered articles and avoiding, mitigating, accepting, or transferring that risk, as appropriate and consistent with the standards, guidelines, and practices identified by the Council under section 1323(a)(1); and
(2) prioritizing supply chain risk assessments conducted under paragraph (1) based on the criticality of the mission, system, component, service, or asset.
(b)Inclusions.—The responsibility for assessing supply chain risk described in subsection (a) includes—
(1) developing an overall supply chain risk management strategy and implementation plan and policies and processes to guide and govern supply chain risk management activities;
(2) integrating supply chain risk management practices throughout the life cycle of the system, component, service, or asset;
(3) limiting, avoiding, mitigating, accepting, or transferring any identified risk;
(4) sharing relevant information with other executive agencies as determined appropriate by the Council in a manner consistent with section 1323(a) of this title;
(5) reporting on progress and effectiveness of the agency’s supply chain risk management consistent with guidance issued by the Office of Management and Budget and the Council; and
(6) ensuring that all relevant information, including classified information, with respect to acquisitions of covered articles that may pose a supply chain risk, consistent with section 1323(a) of this title, is incorporated into existing processes of the agency for conducting assessments described in subsection (a) and ongoing management of acquisition programs, including any identification, investigation, mitigation, or remediation needs.
(c)Interagency Acquisitions.—
(1)In general.—Except as provided in paragraph (2), in the case of an interagency acquisition, subsection (a) shall be carried out by the head of the executive agency whose funds are being used to procure the covered article.
(2)Assisted acquisitions.—In an assisted acquisition, the parties to the acquisition shall determine, as part of the interagency agreement governing the acquisition, which agency is responsible for carrying out subsection (a).
(3)Definitions.—In this subsection, the terms “assisted acquisition” and “interagency acquisition” have the meanings given those terms in section 2.101 of title 48, Code of Federal Regulations (or any corresponding similar regulation or ruling).
(d)Assistance.—The Secretary of Homeland Security may—
(1) assist executive agencies in conducting risk assessments described in subsection (a) and implementing mitigation requirements for information and communications technology; and
(2) provide such additional guidance or tools as are necessary to support actions taken by executive agencies.
(Added Pub. L. 115–390, title II, § 202(a), Dec. 21, 2018, 132 Stat. 5184.)
§ 1327. Judicial review procedures
(a)In General.—Except as provided in subsection (b) and chapter 71 of this title, and notwithstanding any other provision of law, an action taken under section 1323 or 4713 of this title, or any action taken by an executive agency to implement such an action, shall not be subject to administrative review or judicial review, including bid protests before the Government Accountability Office or in any Federal court.
(b)Petitions.—
(1)In general.—Not later than 60 days after a party is notified of an exclusion or removal order under section 1323(c)(6) of this title or a covered procurement action under section 4713 of this title, the party may file a petition for judicial review in the United States Court of Appeals for the District of Columbia Circuit claiming that the issuance of the exclusion or removal order or covered procurement action is unlawful.
(2)Standard of review.—The Court shall hold unlawful a covered action taken under sections 1323 or 4713 of this title, in response to a petition that the court finds to be—
(A) arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law;
(B) contrary to constitutional right, power, privilege, or immunity;
(C) in excess of statutory jurisdiction, authority, or limitation, or short of statutory right;
(D) lacking substantial support in the administrative record taken as a whole or in classified information submitted to the court under paragraph (3); or
(E) not in accord with procedures required by law.
(3)Exclusive jurisdiction.—The United States Court of Appeals for the District of Columbia Circuit shall have exclusive jurisdiction over claims arising under sections 1323(c)(5) or 4713 of this title against the United States, any United States department or agency, or any component or official of any such department or agency, subject to review by the Supreme Court of the United States under section 1254 of title 28.
(4)Administrative record and procedures.—
(A)In general.—The procedures described in this paragraph shall apply to the review of a petition under this section.
(B)Administrative record.—
(i)Filing of record.—The United States shall file with the court an administrative record, which shall consist of the information that the appropriate official relied upon in issuing an exclusion or removal order under section 1323(c)(5) or a covered procurement action under section 4713 of this title.
(ii)Unclassified, nonprivileged information.—All unclassified information contained in the administrative record that is not otherwise privileged or subject to statutory protections shall be provided to the petitioner with appropriate protections for any privileged or confidential trade secrets and commercial or financial information.
(iii)In camera and ex parte.—The following information may be included in the administrative record and shall be submitted only to the court ex parte and in camera:
(I) Classified information.
(II) Sensitive security information, as defined by section 1520.5 of title 49, Code of Federal Regulations.
(III) Privileged law enforcement information.
(IV) Information obtained or derived from any activity authorized under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), except that, with respect to such information, subsections (c), (e), (f), (g), and (h) of section 106 (50 U.S.C. 1806), subsections (d), (f), (g), (h), and (i) of section 305 (50 U.S.C. 1825), subsections (c), (e), (f), (g), and (h) of section 405 (50 U.S.C. 1845), and section 706 (50 U.S.C. 1881e) of that Act shall not apply.
(V) Information subject to privilege or protections under any other provision of law.
(iv)Under seal.—Any information that is part of the administrative record filed ex parte and in camera under clause (iii), or cited by the court in any decision, shall be treated by the court consistent with the provisions of this subparagraph and shall remain under seal and preserved in the records of the court to be made available consistent with the above provisions in the event of further proceedings. In no event shall such information be released to the petitioner or as part of the public record.
(v)Return.—After the expiration of the time to seek further review, or the conclusion of further proceedings, the court shall return the administrative record, including any and all copies, to the United States.
(C)Exclusive remedy.—A determination by the court under this subsection shall be the exclusive judicial remedy for any claim described in this section against the United States, any United States department or agency, or any component or official of any such department or agency.
(D)Rule of construction.—Nothing in this section shall be construed as limiting, superseding, or preventing the invocation of, any privileges or defenses that are otherwise available at law or in equity to protect against the disclosure of information.
(c)Definition.—In this section, the term “classified information”—
(1) has the meaning given that term in section 1(a) of the Classified Information Procedures Act (18 U.S.C. App.); and
(2) includes—
(A) any information or material that has been determined by the United States Government pursuant to an Executive order, statute, or regulation to require protection against unauthorized disclosure for reasons of national security; and
(B) any restricted data, as defined in section 11 of the Atomic Energy Act of 1954 (42 U.S.C. 2014).
(Added Pub. L. 115–390, title II, § 202(a), Dec. 21, 2018, 132 Stat. 5185.)
§ 1328. Termination

This subchapter shall terminate on December 31, 2033.

(Added Pub. L. 115–390, title II, § 202(a), Dec. 21, 2018, 132 Stat. 5188; amended Pub. L. 117–263, div. E, title LIX, § 5949(k)(1), Dec. 23, 2022, 136 Stat. 3492.)