S5310-118

1. Short title This Act may be cited as the Federal Acquisition Security Council Improvement Act of 2024.

2. Changes with respect to the Federal Acquisition Security Council Section 1321 of title 41, United States Code, is amended— by redesignating paragraphs (5) through (8) as paragraphs (7) through (10); by inserting after paragraph (4) the following new paragraph: The term covered source of concern means a source of concern that is specifically designated as a covered source of concern by a statute that states that such designation is for the purposes of this subchapter. The term designated order means an order described under section 1323(c)(3). by adding at the end the following new paragraph: The term recommended order means an order recommended under section 1323(c)(2). The term source of concern means a source— subject to the jurisdiction, direction, or control of the government of a foreign adversary, or operates on behalf of the government of a foreign adversary; or that poses a risk to the national security of the United States based on collaboration with, whole or partial ownership or control by, or being affiliated with a military, internal security force, or intelligence agency of a foreign adversary. In this paragraph, the term foreign adversary has the meaning given the term covered nation in section 4872(d) of title 10. Section 1322 of title 41, United States Code, is amended— in subsection (a), by striking executive branch and inserting Executive Office of the President; in subsection (b)— by amending paragraph (1) to read as follows: The members of the Council shall be as follows: The Administrator for Federal Procurement Policy. The Deputy Director for Management of the Office of Management and Budget. The following officials, each of whom shall occupy a position at the level of Assistant Secretary or Deputy Assistant Secretary (or equivalent): Two officials from the Office of the Director of National Intelligence, one of which shall be from the National Counterintelligence and Security Center. Two officials from the Department of Defense, one of which shall be from the National Security Agency. Two officials from the Department of Homeland Security, one of which shall be from the Cybersecurity and Infrastructure Security Agency. One official from the General Services Administration. One official from the Office of the National Cyber Director. Two officials from the Department of Justice, one of which shall be from the Federal Bureau of Investigation. Two officials from the Department of Commerce, one of which shall be from the National Institute of Standards and Technology and one of which shall be from the Bureau of Industry and Security. An official from any executive agency not listed under clauses (i) through (vii) whose temporary or permanent participation is determined by the Chairperson of the Council to be necessary to carry out the functions of the Council while maintaining the intended balance in subject matter expertise. in paragraph (2)— in the heading, by striking Lead representatives and inserting Members; by amending subparagraph (A)(i) to read as follows: The head of each executive agency listed under paragraph (1)(C) shall designate the official or officials from that agency who shall serve on the Council in accordance with such paragraph. by amending subparagraph (A)(ii) to read as follows: To the extent feasible, any official designated under clause (i) shall have expertise in supply chain risk management, acquisitions, law, or information and communications technology. by amending subparagraph (B) to read as follows: A member of the Council shall— regularly participate in the activities of the Council; ensure that any information requested by the Council from the agency represented by the member is provided to the Council; and ensure that the head of the agency represented by the member and other appropriate personnel of the agency are aware of the activities of the Council. in subsection (c)— by amending paragraph (1) to read as follows: The Chairperson of the Council shall be— the National Cyber Director; or another member of the Council designated by the National Cyber Director. in paragraph (2)— in subparagraph (B), by striking (b)(1)(H) and inserting (b)(1)(C)(vii); and in subparagraph (C), by striking lead representative of each agency represented on the Council and inserting members of the Council; and in subsection (d)— by striking The Council and inserting the following: The Council by adding at the end the following: The Chairperson of the Council shall meet, not less frequently than semiannually, with— the Secretary of Homeland Security, the Secretary of Defense, and the Director of National Intelligence; or in the case that any of the officials under subparagraph (A) delegated authority to an official under section 1323(c)(6)(C), with the delegated official. Section 1323 of title 41, United States Code, is amended— in subsection (a)— by striking supply chain each place it appears and inserting acquisition security and supply chain; in paragraph (1), as amended by subparagraph (A), by striking , particularly and inserting that arise; in paragraph (2), as amended by subparagraph (A), by inserting associated with the acquisition and use of covered articles after risk; in paragraph (6)— by striking posed by and inserting associated with; and by inserting and use before of covered articles; by redesignating paragraph (7) as paragraph (12); in paragraph (12), as redesignated by subparagraph (E), by striking posed by acquisitions and inserting associated with the acquisition; and by inserting after paragraph (6) the following new paragraphs: Implementing a prioritization scheme for evaluating the security risks associated with the acquisition and use of covered articles provided or produced by a covered source of concern. Evaluating each covered source of concern to determine whether to issue a designated order with respect to the covered source of concern or a covered article produced or provided by the covered source of concern. Evaluating sources of concern to determine whether to issue a recommended order with respect to the source of concern, or any covered article produced or provided by the source of concern. Monitoring the issuance of designated orders under subsection (c)(6)(B), as required, by the Secretary of Homeland Security, the Secretary of Defense, and the Director of National Intelligence with the requirement to issue designated orders under subsection (c)(6)(B) and providing technical assistance to those agencies on compliance matters. Reporting to Congress annually on the security risks associated with the acquisition and use of covered articles produced or provided by sources of concern. in subsection (b)— by striking The Council and inserting the following: The Council in paragraph (1), as so redesignated, by striking a program office and; and by adding at the end the following new paragraph: The Council shall establish a Federal Acquisition Security Council Program Office (referred to in this paragraph as the Program Office) within the Office of the National Cyber Director to carry out the functions of the Council duties described under subparagraph (B). The Program Office shall provide to the Council and any committees, working groups, or other constituent bodies established by the Council under paragraph (1)— administrative, legal, and policy support; and analysis and subject matter expertise on information communications technology, acquisition security, and supply chain risk. The head of the Program Office shall be a senior official from the Office of the National Cyber Director that occupies a position at the level of Assistant Secretary or Deputy Assistant Secretary (or equivalent). The Program Office may not provide administrative support to the Council for any activities of the Council carried out pursuant to a provision of law other than a provision of law under this subchapter. The Program Office may use the staff and resources of the Office of the National Cyber Director or maintain dedicated staff and resources, as appropriate, in the performance of the duties of the Office. The Program Office may accept officers or employees of the United States or members of the Armed Forces on a detail from an element of the intelligence community (as such term is defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)) or from another element of the Federal Government on a nonreimbursable basis, as jointly agreed to by the heads of the receiving and detailing elements, for a period not to exceed three years. Nothing in this subparagraph may be construed as imposing any limitation on any other authority for reimbursable or nonreimbursable details. A nonreimbursable detail made under this subparagraph shall not be considered an augmentation of the appropriations of the receiving element of the Program Office or the Office of the National Cyber Director. The Program Office shall terminate on the date described under section 1328. in subsection (c)— in paragraph (1)— in the matter preceding subparagraph (A), by striking supply chain risk and inserting acquisition security and supply chain risk associated with the acquisition of covered articles; in subparagraph (A), by inserting recommended before exclusion orders; in subparagraph (B), by inserting recommended before removal orders; in subparagraph (C), by striking ; and and inserting a semicolon; in subparagraph (D), by striking the period at the end and inserting ; and; and by adding at the end the following new subparagraph: issuing designated orders. in paragraph (2)— in the heading, by striking Recommendations and inserting Recommended Orders; by striking use and inserting , using; by striking subsection (a)(3) and inserting subsection (a)(4); by striking recommendations and inserting recommend orders; by inserting to the officials described under clause (iii) of paragraph (6)(A) for issuance under such paragraph after thereof,; by striking Such recommendations and inserting Any such order recommended; in subparagraph (D), by striking supply chain risk and inserting acquisition security and supply chain risk associated with the acquisition of covered articles; and in subparagraph (E), by striking exclusion or removal; by redesignating paragraphs (3) through (7) as paragraphs (4) through (8); by inserting after paragraph (2) the following new paragraph: Not later than 270 days after a source of concern is designated as a covered source of concern pursuant to paragraph (2), the Council— shall provide to the officials described under clause (iii) of paragraph (6)(B) for issuance under such paragraph orders requiring— the exclusion of the covered source of concern from any executive agency procurement action, including source selection and consent for a contractor; or the removal of covered articles produced or provided by the covered source of concern from the information system of executive agencies; or report to Congress why the Council has determined to not issue an order described under subclause (I) with respect to the covered source of concern or covered articles produced or provided by the covered source of concern. Any order provided under clause (i) shall include— information regarding the scope and applicability of the order, including any information necessary to positively identify the covered source of concern or covered articles produced or provided by the covered source of concern required to be excluded or removed under the order; a summary of any risk assessment reviewed or conducted in support of the order; a summary of the basis for the order, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce security risk; a description of the actions necessary to implement the order; and where practicable, in the Council’s sole and unreviewable discretion, a description of mitigation steps that could be taken by the covered source of concern that may result in the Council rescinding the order. In the case that the Council provides an order under subparagraph (A), the Council may also provide an order to the officials described under paragraph (6)(A)(iii) requiring the exclusion of sources or covered articles from executive agency procurement actions or removal of covered articles from executive agency information systems if— such covered articles or such sources use a covered source of concern in the performance of a contract with the executive agency; or such sources enter into a contract, the performance of which such source knows or has reason to believe will require, in the performance of a contract with the executive agency, the use of a covered source of concern or the use of a covered article produced or provided by a covered source of concern. Any effective date prescribed by the Council for an order issued pursuant to clause (i) shall take into account— the risk posed by the covered source of concern or the covered article produced or provided by the covered source of concern to the national security of the United States; the likelihood of the covered source of concern or the covered article produced or provided by the covered source of concern causing imminent threat to public health and safety; the availability of an alternative source or covered article produced or provided by an alternative source; and an assessment of the potential direct or quantifiable costs that may be incurred by the Federal Government, a State, local, or Tribal government, or by the private sector, as a result of compliance by the head of an executive agency with such an exclusion or removal order, as necessary. in paragraph (4), as so redesignated— in the paragraph heading, by striking of recommendation and review and inserting and review of recommended and designated orders; by striking the recommendation each place it appears, and inserting the order; in the matter preceding subparagraph (A), by striking A notice of the Council’s recommendation under paragraph (2) and inserting Before the Council recommends an order under paragraph (2) or issues an order under paragraph (3), a notice; in subparagraph (A), by striking a recommendation has been made and inserting the order will be recommended or issued; in subparagraph (D), by striking paragraph (5); and and inserting paragraph (6);; in subparagraph (E), by striking the period at the end and inserting ; and; and by adding at the end the following new subparagraph: Until an order is issued pursuant to paragraph (6), information collected under this paragraph shall be exempt from public disclosure and shall be treated as information described in section 552(b)(3) of title 5, United States Code (commonly referred to as the Freedom of Information Act). in paragraph (5), as so redesignated— by striking paragraph (3) and inserting paragraph (4); in subparagraph (A), by striking paragraph (5) and inserting paragraph (6); and in subparagraph (B), by striking paragraph (6) and inserting paragraph (7); in paragraph (6), as so redesignated— by amending subparagraph (A) to read as follows: After considering any response properly submitted by a source under paragraph (4) related to an order to be recommended under paragraph (2), the Council shall— make such modifications to the order as the Council considers appropriate; and provide the order (together with any information submitted by a source under paragraph (4) related to such order) to the officials described under clause (iii). Not later than 90 days after receiving a recommended order, the officials described under clause (iii) shall— issue the order to the heads of the applicable agencies; or submit a notification to the Council that the order will not be issued, that includes in the notification to the Council, all the reasons for why the order will not be issued. The officials described in this clause are as follows: The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by subclause (II) or (III). The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems. The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by subclause (II). by redesignating subparagraphs (B) through (E) as subparagraphs (C) through (F), respectively; by inserting after subparagraph (A) the following new subparagraph: After considering any response properly submitted by a source under paragraph (4) related to a designated order, the Council shall— make any such modifications to the order as the Council considers appropriate; or if the Council determines that the issuance of a designated order is not warranted, rescind the designated order and notify the source of the rescission; and except in the case that the Council rescinds the designated order under subclause (I)(bb), provide the designated order (including any modifications made to such order by the Council) to the officials described in clause (iii). The officials described in clause (iii) shall, not later than 90 days after receiving a designated order, issue the order to the heads of the applicable agencies. The officials described in this clause are as follows: The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by subclause (II) or (III). The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems. The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by subclause (II). An official described under clause (iii) may waive for a period of not more than 365 days the application of an order issued by such official under clause (ii) with respect to a covered source of concern or a covered article produced or provided by a covered source of concern if the official submits, not later than 30 days after making such waiver, a written notification to the Council, the appropriate congressional committees, and leadership that contains the justification for such waiver, which may include a classified annex. An official described under clause (iii) may renew a waiver under clause (iv) for an additional period of not more than 365 days if— the renewal of the waiver is in the national security interests of the United States; and the official submits, not later than 30 days after renewing such waiver, a written notification to the Council, the appropriate congressional committees, and leadership that includes the justification for renewing the wavier. An official described under clause (iii) may waive the application of an order issued by such official under clause (ii) with respect to a covered source of concern or a covered article produced or provided by a covered source of concern for any activity subject to the reporting requirements under title V of the National Security Act of 1947 (50 U.S.C. 3091 et seq.) or any authorized intelligence activities of the United States. An exclusion or removal order issued under this subparagraph by an official may be rescinded only by the Council. in subparagraph (C), as so redesignated— by striking subparagraph (A) and inserting subparagraph (A)(iii) or (B)(iii); by striking this subparagraph and inserting subparagraph (A)(iii) or (B)(iii); and by striking , except and all that follows through Deputy Commander; in subparagraph (D), as so redesignated— by striking this paragraph and inserting subparagraph (A)(iii) or (B)(iii); and by striking help; in subparagraph (E), as so redesignated, by striking this paragraph and inserting subparagraph (A); and by adding after subparagraph (F), as so redesignated, the following new subparagraph: The effective date of an order issued under this paragraph may not be more than one year after the order is issued. in paragraph (7), as so redesignated, by striking paragraph (5)(A) and inserting subparagraph (A) or (B) of paragraph (6); and in paragraph (8), as so redesignated, by striking paragraph (5) and inserting paragraph (6); in subsection (e), by inserting the Chief Data Officers Council, before the Chief Acquisition; and in subsection (f)(2), by striking the period at the end and inserting unless such source is specifically designated by statute as a covered source of concern for the purposes of this subchapter.. Section 1324(a) of title 41, United States Code, is amended— by inserting , and periodically thereafter after 2018; in the matter preceding paragraph (1), by inserting acquisition security and before supply chain risks; in paragraph (8), by inserting acquisition security and before supply chain risks; and in paragraph (9)(A), by inserting acquisition security and before supply chain risk. Section 1326 of title 41, United States Code, is amended— by striking supply chain each place such term appears and inserting security and supply chain; in subsection (a)— in paragraph (1), by striking ; and and inserting a semicolon; in paragraph (2), by striking the period at the end and inserting ; and; and by adding at the end the following: providing any information requested by the Chairperson of the Council for the purpose of carrying out activities of this subchapter, subject to applicable law or policy on control and handling of classified, sensitive, or proprietary information. in subsection (b)(6), by striking may pose and all that follows through risk and inserting may pose a security or supply chain risk. Section 1327(b) of title 41, United States Code, is amended— in paragraph (1), by striking section 1323(c)(6) and inserting section 1323(c)(7); in paragraph (3), by striking sections 1323(c)(5) and inserting sections 1323(c)(6); and in paragraph (4), by amending subparagraph (B)(i) to read as follows: The United States shall file with the court an administrative record, which shall consist of— the information the Council relied upon in issuing a designated order under section 1323(c)(6); and the information that the appropriate official relied upon in issuing an exclusion or removal order under section 1323(c)(6) or a covered procurement action under section 4713. Subchapter III of chapter 13 of title 41, United States Code, is amended by adding at the end the following new section: In implementing this subchapter, the Council shall coordinate, as applicable and practicable, with the head of an agency to assist with compliance by the agency with— section 889 of the John S. McCain National Defense Authorization Act of 2019 (Public Law 115–232; 41 U.S.C. 3901 note); section 5949 of the James M. Inhofe National Defense Authorization Act of 2023 (Public Law 117–263; 41 U.S.C. 4713 note); and sections 1821 through 1833 of the American Security Drone Act of 2023 (Public Law 118–31). Not later than two years after the date of the enactment of this section, the Federal Acquisition Security Council shall update any regulations the Council determines necessary. Subchapter III of chapter 13 of title 41, United States Code, is amended— in the table of sections for the subchapter by adding after the item related to section 1328 the following: in section 1321(1)(B), by striking Government Reform and inserting Accountability; and by striking of this title each place the term appears. (5)Covered source of concernThe term covered source of concern means a source of concern that is specifically designated as a covered source of concern by a statute that states that such designation is for the purposes of this subchapter.(6)Designated orderThe term designated order means an order described under section 1323(c)(3).; and (11)Recommended orderThe term recommended order means an order recommended under section 1323(c)(2). (12)Source of concern(A)In generalThe term source of concern means a source—(i)subject to the jurisdiction, direction, or control of the government of a foreign adversary, or operates on behalf of the government of a foreign adversary; or(ii)that poses a risk to the national security of the United States based on collaboration with, whole or partial ownership or control by, or being affiliated with a military, internal security force, or intelligence agency of a foreign adversary.(B)Foreign adversary definedIn this paragraph, the term foreign adversary has the meaning given the term covered nation in section 4872(d) of title 10.. (1)In generalThe members of the Council shall be as follows:(A)The Administrator for Federal Procurement Policy.(B)The Deputy Director for Management of the Office of Management and Budget.(C)The following officials, each of whom shall occupy a position at the level of Assistant Secretary or Deputy Assistant Secretary (or equivalent):(i)Two officials from the Office of the Director of National Intelligence, one of which shall be from the National Counterintelligence and Security Center.(ii)Two officials from the Department of Defense, one of which shall be from the National Security Agency.(iii)Two officials from the Department of Homeland Security, one of which shall be from the Cybersecurity and Infrastructure Security Agency.(iv)One official from the General Services Administration.(v)One official from the Office of the National Cyber Director. (vi)Two officials from the Department of Justice, one of which shall be from the Federal Bureau of Investigation.(vii)Two officials from the Department of Commerce, one of which shall be from the National Institute of Standards and Technology and one of which shall be from the Bureau of Industry and Security.(viii)An official from any executive agency not listed under clauses (i) through (vii) whose temporary or permanent participation is determined by the Chairperson of the Council to be necessary to carry out the functions of the Council while maintaining the intended balance in subject matter expertise.; and (i)In generalThe head of each executive agency listed under paragraph (1)(C) shall designate the official or officials from that agency who shall serve on the Council in accordance with such paragraph.; (ii)RequirementsTo the extent feasible, any official designated under clause (i) shall have expertise in supply chain risk management, acquisitions, law, or information and communications technology.; and (B)FunctionsA member of the Council shall—(i)regularly participate in the activities of the Council;(ii)ensure that any information requested by the Council from the agency represented by the member is provided to the Council; and(iii)ensure that the head of the agency represented by the member and other appropriate personnel of the agency are aware of the activities of the Council.; (1)In generalThe Chairperson of the Council shall be—(A)the National Cyber Director; or(B)another member of the Council designated by the National Cyber Director.; and (1)Council meetingsThe Council; and (2)Other meetingsThe Chairperson of the Council shall meet, not less frequently than semiannually, with—(A)the Secretary of Homeland Security, the Secretary of Defense, and the Director of National Intelligence; or(B)in the case that any of the officials under subparagraph (A) delegated authority to an official under section 1323(c)(6)(C), with the delegated official.. (7)Implementing a prioritization scheme for evaluating the security risks associated with the acquisition and use of covered articles provided or produced by a covered source of concern.(8)Evaluating each covered source of concern to determine whether to issue a designated order with respect to the covered source of concern or a covered article produced or provided by the covered source of concern. (9)Evaluating sources of concern to determine whether to issue a recommended order with respect to the source of concern, or any covered article produced or provided by the source of concern.(10)Monitoring the issuance of designated orders under subsection (c)(6)(B), as required, by the Secretary of Homeland Security, the Secretary of Defense, and the Director of National Intelligence with the requirement to issue designated orders under subsection (c)(6)(B) and providing technical assistance to those agencies on compliance matters. (11)Reporting to Congress annually on the security risks associated with the acquisition and use of covered articles produced or provided by sources of concern.; (1)In generalThe Council; and (2)Federal acquisition security council program office(A)EstablishmentThe Council shall establish a Federal Acquisition Security Council Program Office (referred to in this paragraph as the Program Office) within the Office of the National Cyber Director to carry out the functions of the Council duties described under subparagraph (B).(B)DutiesThe Program Office shall provide to the Council and any committees, working groups, or other constituent bodies established by the Council under paragraph (1)—(i)administrative, legal, and policy support; and(ii)analysis and subject matter expertise on information communications technology, acquisition security, and supply chain risk.(C)StructureThe head of the Program Office shall be a senior official from the Office of the National Cyber Director that occupies a position at the level of Assistant Secretary or Deputy Assistant Secretary (or equivalent).(D)ProhibitionThe Program Office may not provide administrative support to the Council for any activities of the Council carried out pursuant to a provision of law other than a provision of law under this subchapter.(E)Funding and resourcesThe Program Office may use the staff and resources of the Office of the National Cyber Director or maintain dedicated staff and resources, as appropriate, in the performance of the duties of the Office.(F)Shared staffing authority(i)In generalThe Program Office may accept officers or employees of the United States or members of the Armed Forces on a detail from an element of the intelligence community (as such term is defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)) or from another element of the Federal Government on a nonreimbursable basis, as jointly agreed to by the heads of the receiving and detailing elements, for a period not to exceed three years.(ii)Rule of constructionNothing in this subparagraph may be construed as imposing any limitation on any other authority for reimbursable or nonreimbursable details.(iii)Nonreimbursable detailA nonreimbursable detail made under this subparagraph shall not be considered an augmentation of the appropriations of the receiving element of the Program Office or the Office of the National Cyber Director.(G)SunsetThe Program Office shall terminate on the date described under section 1328.; (E)issuing designated orders.; (3)Designated orders(A)Exclusion or removal of covered sources of concern(i)In generalNot later than 270 days after a source of concern is designated as a covered source of concern pursuant to paragraph (2), the Council— (I)shall provide to the officials described under clause (iii) of paragraph (6)(B) for issuance under such paragraph orders requiring—(aa)the exclusion of the covered source of concern from any executive agency procurement action, including source selection and consent for a contractor; or(bb)the removal of covered articles produced or provided by the covered source of concern from the information system of executive agencies; or (II)report to Congress why the Council has determined to not issue an order described under subclause (I) with respect to the covered source of concern or covered articles produced or provided by the covered source of concern. (ii)Contents of orderAny order provided under clause (i) shall include—(I)information regarding the scope and applicability of the order, including any information necessary to positively identify the covered source of concern or covered articles produced or provided by the covered source of concern required to be excluded or removed under the order;(II)a summary of any risk assessment reviewed or conducted in support of the order;(III)a summary of the basis for the order, including a discussion of less intrusive measures that were considered and why such measures were not reasonably available to reduce security risk;(IV)a description of the actions necessary to implement the order; and(V)where practicable, in the Council’s sole and unreviewable discretion, a description of mitigation steps that could be taken by the covered source of concern that may result in the Council rescinding the order.(B)Exclusion or removal of second order sources or covered articles(i)IssuanceIn the case that the Council provides an order under subparagraph (A), the Council may also provide an order to the officials described under paragraph (6)(A)(iii) requiring the exclusion of sources or covered articles from executive agency procurement actions or removal of covered articles from executive agency information systems if—(I)such covered articles or such sources use a covered source of concern in the performance of a contract with the executive agency; or(II)such sources enter into a contract, the performance of which such source knows or has reason to believe will require, in the performance of a contract with the executive agency, the use of a covered source of concern or the use of a covered article produced or provided by a covered source of concern.(ii)Effective date considerationsAny effective date prescribed by the Council for an order issued pursuant to clause (i) shall take into account—(I)the risk posed by the covered source of concern or the covered article produced or provided by the covered source of concern to the national security of the United States;(II)the likelihood of the covered source of concern or the covered article produced or provided by the covered source of concern causing imminent threat to public health and safety;(III)the availability of an alternative source or covered article produced or provided by an alternative source; and (IV)an assessment of the potential direct or quantifiable costs that may be incurred by the Federal Government, a State, local, or Tribal government, or by the private sector, as a result of compliance by the head of an executive agency with such an exclusion or removal order, as necessary.; (F)Until an order is issued pursuant to paragraph (6), information collected under this paragraph shall be exempt from public disclosure and shall be treated as information described in section 552(b)(3) of title 5, United States Code (commonly referred to as the Freedom of Information Act).; (A)Issuance of recommended orders(i)Modifications to orderAfter considering any response properly submitted by a source under paragraph (4) related to an order to be recommended under paragraph (2), the Council shall—(I)make such modifications to the order as the Council considers appropriate; and(II)provide the order (together with any information submitted by a source under paragraph (4) related to such order) to the officials described under clause (iii).(ii)OrderNot later than 90 days after receiving a recommended order, the officials described under clause (iii) shall—(I)issue the order to the heads of the applicable agencies; or(II)submit a notification to the Council that the order will not be issued, that includes in the notification to the Council, all the reasons for why the order will not be issued. (iii)OfficialsThe officials described in this clause are as follows:(I)The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by subclause (II) or (III). (II)The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems. (III)The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by subclause (II).; (B)Issuance of designated order(i)ModificationsAfter considering any response properly submitted by a source under paragraph (4) related to a designated order, the Council shall—(I)(aa)make any such modifications to the order as the Council considers appropriate; or(bb)if the Council determines that the issuance of a designated order is not warranted, rescind the designated order and notify the source of the rescission; and (II)except in the case that the Council rescinds the designated order under subclause (I)(bb), provide the designated order (including any modifications made to such order by the Council) to the officials described in clause (iii). (ii)IssuanceThe officials described in clause (iii) shall, not later than 90 days after receiving a designated order, issue the order to the heads of the applicable agencies.(iii)OfficialsThe officials described in this clause are as follows:(I)The Secretary of Homeland Security, for exclusion and removal orders applicable to civilian agencies, to the extent not covered by subclause (II) or (III).(II)The Secretary of Defense, for exclusion and removal orders applicable to the Department of Defense and national security systems other than sensitive compartmented information systems.(III)The Director of National Intelligence, for exclusion and removal orders applicable to the intelligence community and sensitive compartmented information systems, to the extent not covered by subclause (II).(iv)WaiverAn official described under clause (iii) may waive for a period of not more than 365 days the application of an order issued by such official under clause (ii) with respect to a covered source of concern or a covered article produced or provided by a covered source of concern if the official submits, not later than 30 days after making such waiver, a written notification to the Council, the appropriate congressional committees, and leadership that contains the justification for such waiver, which may include a classified annex. (v)Renewal of waiverAn official described under clause (iii) may renew a waiver under clause (iv) for an additional period of not more than 365 days if—(I)the renewal of the waiver is in the national security interests of the United States; and(II)the official submits, not later than 30 days after renewing such waiver, a written notification to the Council, the appropriate congressional committees, and leadership that includes the justification for renewing the wavier.(vi)National security waiverAn official described under clause (iii) may waive the application of an order issued by such official under clause (ii) with respect to a covered source of concern or a covered article produced or provided by a covered source of concern for any activity subject to the reporting requirements under title V of the National Security Act of 1947 (50 U.S.C. 3091 et seq.) or any authorized intelligence activities of the United States. (vii)Rescission of orderAn exclusion or removal order issued under this subparagraph by an official may be rescinded only by the Council.; (G)Effective date of ordersThe effective date of an order issued under this paragraph may not be more than one year after the order is issued.; (3)providing any information requested by the Chairperson of the Council for the purpose of carrying out activities of this subchapter, subject to applicable law or policy on control and handling of classified, sensitive, or proprietary information.; and (i)Filing of recordThe United States shall file with the court an administrative record, which shall consist of—(I)the information the Council relied upon in issuing a designated order under section 1323(c)(6); and(II)the information that the appropriate official relied upon in issuing an exclusion or removal order under section 1323(c)(6) or a covered procurement action under section 4713.. 1329.Additional provisions(a)Compliance with existing prohibitionsIn implementing this subchapter, the Council shall coordinate, as applicable and practicable, with the head of an agency to assist with compliance by the agency with—(1)section 889 of the John S. McCain National Defense Authorization Act of 2019 (Public Law 115–232; 41 U.S.C. 3901 note);(2)section 5949 of the James M. Inhofe National Defense Authorization Act of 2023 (Public Law 117–263; 41 U.S.C. 4713 note); and(3)sections 1821 through 1833 of the American Security Drone Act of 2023 (Public Law 118–31).(b)Update to regulationsNot later than two years after the date of the enactment of this section, the Federal Acquisition Security Council shall update any regulations the Council determines necessary.. 1329. Additional provisions.;

1329. Additional provisions In implementing this subchapter, the Council shall coordinate, as applicable and practicable, with the head of an agency to assist with compliance by the agency with— section 889 of the John S. McCain National Defense Authorization Act of 2019 (Public Law 115–232; 41 U.S.C. 3901 note); section 5949 of the James M. Inhofe National Defense Authorization Act of 2023 (Public Law 117–263; 41 U.S.C. 4713 note); and sections 1821 through 1833 of the American Security Drone Act of 2023 (Public Law 118–31). Not later than two years after the date of the enactment of this section, the Federal Acquisition Security Council shall update any regulations the Council determines necessary.

3. Reallocating existing resources Section 5949(l) of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (Public Law 117–263) is amended— in paragraph (1), by striking Office of Management and Budget and inserting Office of the National Cyber Director; and in paragraph (2), by striking Office of Management and Budget and inserting Office of the National Cyber Director.