
NYC Gazette

Thursday, November 7, 2024

“DHS SOFTWARE SUPPLY CHAIN RISK MANAGEMENT ACT OF 2021” published by the Congressional Record in the House of Representatives section on Sept. 29, 2021


Ritchie Torres was mentioned in “DHS SOFTWARE SUPPLY CHAIN RISK MANAGEMENT ACT OF 2021” on pages H5535-H5536, covering the 1st Session of the 117th Congress, published on Sept. 29, 2021 in the Congressional Record.

The publication is reproduced in full below:

DHS SOFTWARE SUPPLY CHAIN RISK MANAGEMENT ACT OF 2021

Mr. THOMPSON of Mississippi. Madam Speaker, I move to suspend the rules and pass the bill (H.R. 4611) to direct the Secretary of Homeland Security to issue guidance with respect to certain information and communications technology or services contracts, and for other purposes, as amended.

The Clerk read the title of the bill.

The text of the bill is as follows:

H.R. 4611

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``DHS Software Supply Chain Risk Management Act of 2021''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY GUIDANCE WITH RESPECT TO CERTAIN INFORMATION AND COMMUNICATIONS TECHNOLOGY OR SERVICES CONTRACTS.

(a) Guidance.--The Secretary of Homeland Security, acting through the Under Secretary, shall issue guidance with respect to new and existing covered contracts.

(b) New Covered Contracts.--In developing guidance under subsection (a), with respect to each new covered contract, as a condition on the award of such a contract, each contractor responding to a solicitation for such a contract shall submit to the covered officer--

(1) a planned bill of materials when submitting a bid proposal; and

(2) the certification and notifications described in subsection (e).

(c) Existing Covered Contracts.--In developing guidance under subsection (a), with respect to each existing covered contract, each contractor with an existing covered contract shall submit to the covered officer--

(1) the bill of materials used for such contract, upon the request of such officer; and

(2) the certification and notifications described in subsection (e).

(d) Updating Bill of Materials.--With respect to a covered contract, in the case of a change to the information included in a bill of materials submitted pursuant to subsections (b)(1) and (c)(1), each contractor shall submit to the covered officer the update to such bill of materials, in a timely manner.

(e) Certification and Notifications.--The certification and notifications referred to in subsections (b)(2) and (c)(2), with respect to a covered contract, are the following:

(1) A certification that each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service identified in--

(A) the National Institute of Standards and Technology National Vulnerability Database; and

(B) any database designated by the Under Secretary, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, that tracks security vulnerabilities and defects in open source or third-party developed software.

(2) A notification of each vulnerability or defect affecting the security of the end product or service, if identified, through--

(A) the certification of such submitted bill of materials required under paragraph (1); or

(B) any other manner of identification.

(3) A notification relating to the plan to mitigate, repair, or resolve each security vulnerability or defect listed in the notification required under paragraph (2).

(f) Enforcement.--In developing guidance under subsection (a), the Secretary shall instruct covered officers with respect to--

(1) the processes available to such officers enforcing subsections (b) and (c); and

(2) when such processes should be used.

(g) Effective Date.--The guidance required under subsection (a) shall take effect on the date that is 180 days after the date of the enactment of this section.

(h) GAO Report.--Not later than 1 year after the date of the enactment of this Act, the Comptroller General of the United States shall submit to the Secretary, the Committee on Homeland Security of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate a report that includes--

(1) a review of the implementation of this section;

(2) information relating to the engagement of the Department of Homeland Security with industry;

(3) an assessment of how the guidance issued pursuant to subsection (a) complies with Executive Order 14208 (86 Fed. Reg. 26633; relating to improving the nation's cybersecurity); and

(4) any recommendations relating to improving the supply chain with respect to covered contracts.

(i) Definitions.--In this section:

(1) Bill of materials.--The term ``bill of materials'' means a list of the parts and components (whether new or reused) of an end product or service, including, with respect to each part and component, information relating to the origin, composition, integrity, and any other information as determined appropriate by the Under Secretary.

(2) Covered contract.--The term ``covered contract'' means a contract relating to the procurement of covered information and communications technology or services for the Department of Homeland Security.

(3) Covered information and communications technology or services.--The term ``covered information and communications technology or services'' means the terms--

(A) ``information technology'' (as such term is defined in section 11101(6) of title 40, United States Code);

(B) ``information system'' (as such term is defined in section 3502(8) of title 44, United States Code);

(C) ``telecommunications equipment'' (as such term is defined in section 3(52) of the Communications Act of 1934 (47 U.S.C. 153(52))); and

(D) ``telecommunications service'' (as such term is defined in section 3(53) of the Communications Act of 1934 (47 U.S.C. 153(53))).

(4) Covered officer.--The term ``covered officer'' means--

(A) a contracting officer of the Department; and

(B) any other official of the Department as determined appropriate by the Under Secretary.

(5) Software.--The term ``software'' means computer programs and associated data that may be dynamically written or modified during execution.

(6) Under secretary.--The term ``Under Secretary'' means the Under Secretary for Management of the Department of Homeland Security.

SEC. 3. DETERMINATION OF BUDGETARY EFFECTS.

The budgetary effects of this Act, for the purpose of complying with the Statutory Pay-As-You-Go Act of 2010, shall be determined by reference to the latest statement titled ``Budgetary Effects of PAYGO Legislation'' for this Act, submitted for printing in the Congressional Record by the Chairman of the House Budget Committee, provided that such statement has been submitted prior to the vote on passage.

The SPEAKER pro tempore. Pursuant to the rule, the gentleman from Mississippi (Mr. Thompson) and the gentleman from Mississippi (Mr. Guest) each will control 20 minutes.

The Chair recognizes the gentleman from Mississippi (Mr. Thompson).

General Leave

Mr. THOMPSON of Mississippi. Madam Speaker, I ask unanimous consent that all Members may have 5 legislative days in which to revise and extend their remarks and to include extraneous material on this measure.

The SPEAKER pro tempore. Is there objection to the request of the gentleman from Mississippi?

There was no objection.

Mr. THOMPSON of Mississippi. Madam Speaker, I yield myself such time as I may consume.

Madam Speaker, I rise in strong support of H.R. 4611, the DHS Software Supply Chain Risk Management Act of 2021.

With each passing day, we see cyberattacks becoming increasingly more frequent and sophisticated, posing a significant threat to homeland security and the U.S. economy.

The tactics cybercriminals use to steal information or disrupt access to critical information systems are ever evolving. Many prey upon vulnerabilities within the victim's security measures or the victim's software supply chain.

The ransomware attack on the Colonial Pipeline and the attempted hack of a water treatment plant in Oldsmar, Florida, earlier this year, show just how easily critical infrastructure systems can be compromised.

Last year's compromise of the SolarWinds Orion software supply chain demonstrated how widespread and damaging such attacks can be.

In the SolarWinds attack, cybercriminals were able to add malicious code to a commercial software product that was subsequently downloaded by several Federal agencies, including the Department of Homeland Security.

As the lead Federal agency for cybersecurity, it is important that DHS lead by example, aggressively protecting its own networks.

To that end, H.R. 4611 would enhance the Department's ability to protect its networks by modernizing how it buys information and communications technology or services.

H.R. 4611 directs DHS to issue Department-wide guidance to improve visibility into the supply chain for software purchased from new and existing contractors.

Specifically, under this legislation, contractors would have to provide a bill of materials that identifies each part or component of the software supplied to DHS and take steps to ensure that each item is free from known security vulnerabilities or defects.

The bill of materials process is akin to the listing of ingredients on a package of food.

Once DHS has this detailed supply chain information, it will have far greater visibility into what it is purchasing and installing on its networks.

{time} 1545

With this information, DHS can take more timely action to mitigate risks associated with software on its network.

Importantly, H.R. 4611, which was introduced by my colleague from New York (Mr. Torres), requires DHS to instruct personnel on how to enforce the new requirements to hold contractors accountable.

Finally, the bill requires the Government Accountability Office to review the department-wide guidance and assess how it aligns with President Biden's recent executive order on improving the Nation's cybersecurity.

As the President stated in this order, the Federal Government must take decisive steps to modernize its approach to cybersecurity to keep pace with today's dynamic and increasingly sophisticated cyber threat environment.

I could not agree more.

Enactment of H.R. 4611 would be a decisive step toward improving DHS's ability to prevent, detect, and respond to cyberattacks on its own networks.

I urge my colleagues to support this legislation and reserve the balance of my time.

Mr. GUEST. Madam Speaker, I yield myself such time as I may consume.

Madam Speaker, I rise today in support of H.R. 4611, the DHS Software Supply Chain Risk Management Act of 2021.

As we have seen over the past year, our software supply chains are increasingly vulnerable. It is vital that the Department of Homeland Security does its part to ensure that software in use by the Department and its contractors is secure.

This legislation will help DHS better understand and track the software and systems in use by its contractors so that it can better mitigate risk within the software supply chain.

I urge Members to join me in supporting H.R. 4611, and I reserve the balance of my time.

Mr. THOMPSON of Mississippi. Madam Speaker, I yield 2 minutes to the gentleman from New York (Mr. Torres), the vice chair of the Committee on Homeland Security and the sponsor of the bill.

Mr. TORRES of New York. Madam Speaker, a cyberattack on a software supply chain is like an infectious disease outbreak, spreading widely and rapidly, and causing untold damage far and wide.

The SolarWinds espionage campaign against the United States, which spread surreptitiously through a software product, represents the greatest intrusion into the Federal Government in the history of the United States.

SolarWinds should serve as a wake-up call. The United States Government can no longer take for granted the safety of the software it uses. The Federal Government must be proactive in identifying and correcting cyber vulnerabilities; and as the lead agency on cybersecurity, DHS in particular must emerge as the gold standard.

I am therefore proud to partner, on a bipartisan basis, with my colleague, the gentleman from New York (Mr. Garbarino), to pass H.R. 4611, the DHS Software Supply Chain Risk Management Act of 2021.

H.R. 4611 would require the DHS Under Secretary for Management to issue department-wide guidance that in turn requires DHS contractors to submit a software bill of materials, identifying the origin of each component of software provided to DHS.

DHS should know the precise origin of the software it uses; whether a software component comes from a questionable firm that fails to follow best practices in cybersecurity; whether it comes from a hostile nation-state intent on planting back doors.

Homeland security can easily die in darkness, and the purpose of H.R. 4611 is to bring greater light, greater transparency to the software supply chains which for far too long have been left wide open to cyber espionage and sabotage. We owe it to ourselves to learn from the experience of SolarWinds, for those who fail to learn from history are doomed to repeat it.

Mr. GUEST. Madam Speaker, I have no further speakers, and I urge Members to support this bill. I yield back the balance of my time.

Mr. THOMPSON of Mississippi. Madam Speaker, I yield myself the balance of my time to close.

As the lead Federal agency for cybersecurity, DHS has taken steps to increase public awareness of software vulnerabilities routinely exploited by malicious cyber actors.

To identify and manage these types of vulnerabilities on its own network, DHS needs better visibility into the supply chains of the software it procures.

Enactment of H.R. 4611 would ensure that DHS has access to the information it needs to enhance its ability to manage the risks to its own networks.

I urge my colleagues to support H.R. 4611, and I yield back the balance of my time.

The SPEAKER pro tempore. The question is on the motion offered by the gentleman from Mississippi (Mr. Thompson) that the House suspend the rules and pass the bill, H.R. 4611, as amended.

The question was taken.

The SPEAKER pro tempore. In the opinion of the Chair, two-thirds being in the affirmative, the ayes have it.

Mr. POSEY. Madam Speaker, on that I demand the yeas and nays.

The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 8, the yeas and nays are ordered.

Pursuant to clause 8 of rule XX, further proceedings on this motion are postponed.

____________________

SOURCE: Congressional Record Vol. 167, No. 170

The Congressional Record is a unique source of public documentation. It started in 1873, documenting nearly all the major and minor policies being discussed and debated.

