The US House of Representatives passed a bill on November 12, 2024 that would enhance federal efforts to implement a new supply-chain security enforcement initiative. The bipartisan bill seeks to strengthen the role and authority of the Federal Acquisition Security Council (FASC). The bill—the FASC Improvement Act—would permit the FASC and Congress to act quickly to investigate potential risks to federal acquisition security. If passed, it would give Congress a direct role in identifying companies of concern and issuing orders to exclude and remove those companies from executive agency procurements.
The FASC is an interagency council tasked with identifying companies, products, and services that introduce risk to the information technology supply chain. After investigation, the FASC may recommend their removal and exclusion from executive agency information systems and procurements. The FASC’s recommendations to remove or exclude a company, its products, or its services can be adopted and issued as orders by the Secretaries of Defense and Homeland Security, and by the Director of National Intelligence. Exclusion and removal orders issued by those agencies can be implemented by specific agencies or on a government-wide basis.
The FASC’s actions can have devastating effects for companies with foreign ties, their investors, and their customers. When exclusion and removal orders are issued, government agencies to which they apply will be prohibited from purchasing the company’s products and services, and those products and services will be removed from the federal government supply chain. Not only will the company be excluded and removed from federal procurement and systems, but it will be placed on a “blacklist” that will prohibit downstream government contractors from doing business with it. The bottom line is that there are significant risks even to companies that do not work with the government directly.
Although the FASC was established by the Federal Acquisition Supply Chain Security Act (FASCSA) in 2018, it only began issuing notices of its recommendations this year. The FASC is actively investigating companies, but none of its recommendations have been adopted and issued as exclusion and removal orders yet. The FASC’s slow pace may be a motivating factor for this bill, which would streamline the process for designating, investigating, and excluding sources of concern.
The FASC Improvement Act would expand the FASC’s authority beyond its current focus on supply chain risks by permitting the FASC to take broader acquisition security enforcement actions. The bill strengthens congressional oversight of the FASC and permits the FASC to directly issue binding removal and exclusion orders when directed to do so by Congress. The bill also permits Congress to designate sources of concern that the FASC must investigate.
The new bill also addresses the perceived concern over the FASC’s slow pace. It mandates a 270-day timeframe for action on designated sources of concern. Under this timeframe, the FASC must decide to issue a designated order of exclusion and removal or report to Congress explaining why such an order was not issued.
The bill would move the FASC into the executive office of the President and would elevate the FASC’s agency membership requirements. Those moves are intended to strengthen the FASC’s governing structure and improve its efficacy. For example, under the FASC’s current governing statute, the Chairperson of the FASC must be a senior-level official from the Office of Management and Budget. Under the new bill, the Chairperson must be the National Cyber Director or the National Cyber Director will designate someone else on the FASC to be Chairperson
Finally, the bill makes subtle changes to the FASC’s process for assessing risk and issuing orders in order to incorporate best practices on due process considerations, national security exemptions, case-by-case waivers, and second-order prohibitions. These changes are intended to better insulate the FASC’s actions from legal challenges.
In testimony before the House, one of the bill’s sponsors, House Committee on Oversight and Accountability Chairman James Comer (R-Ky), noted that the bill is intended to provide Congress “a streamlined and standardized process for prohibiting federal agencies from buying or using a source of concern in the future,” and to allow the executive branch to act quickly to protect the federal supply chain from “nefarious” technology and “hostile” actors.
While the bill received majority support in the House, it still needs approval from the Senate before reaching the President’s desk. That said, the bill’s bipartisan backing and smooth passage in the House suggest that it may be met with similar support in the Senate.
However, timing of the bill’s passing is less clear. If the bill is going to be passed before the end of 2024, it will need to be attached to the National Defense Authorization Act or the end-of-year government funding package. If not, then it may be passed to the next Congress, which will likely spend the first 100 days focused primarily on reconciliation and confirming President-elect Donald Trump’s nominations in the Senate.
Morgan Lewis will continue to monitor the promulgation of this legislation and developments in this area.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: