House Approves DHS Authority to Address Supply Chain Risk, Bar Contractors

supply chain risk management process automation

The House of Representatives on Tuesday agreed by voice vote to approve HR 6430, the Securing the Homeland Security Supply Chain Act of 2018, which grants the Department of Homeland Security (DHS) Secretary authority to exclude certain contractors from doing business with the Federal government to address “urgent national security interests” and curb supply chain risks.

The bill, sponsored by Rep. Peter King, R-N.Y., was introduced in the House on July 18 and approved by the House Homeland Security Committee on July 24. It does not yet have a companion bill in the Senate, and will not become law until the Senate takes that action.

The bill grants authority over all information technology–“including cloud computing services of all types”–telecommunications equipment and services, and any “hardware, systems, devices, software, or services that include embedded or incidental information technology.”

While the bill generally requires DHS to notify contractors of a ban beforehand and provide them an opportunity to protest, it also grants the DHS Secretary the authority to waive or delay that notice and institute a ban immediately in the interest of national security.

All potential bans would need to be relayed to Congress, the bill states, and the DHS Secretary would be required to review all bans annually.

During debate on the House floor Tuesday, King said, “There is no question that nation-states and criminal actors are constantly trying to exploit U.S. government and private sector systems.”

He quoted DHS CIO John Zangardi–who flagged gaps in department authority over procurement decisions during a July 12 hearing with the House Homeland Security Committee–as evidence of the need for the mechanisms provided in the bill. King said these measures will allow “true coordination between acquisition process and intelligence.”

Rep. Bennie Thompson, D-Miss., a cosponsor of the bill, said current supply chain risks are “too real and need to be mitigated,” pointing to the required congressional notification in the bill as evidence of “robust oversight” for any exercise of the provided authorities.

Thompson and King both cited Kaspersky Labs, ZTE, and Huawei as prime examples of companies with nation-state ties seeking “to steal information or insert potentially harmful hardware or software,” with King adding that they “underscore the threats posed to the Federal supply chain and the urgency in developing stronger mechanisms to secure it.”

Recent