[Pages H5535-H5536]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

DHS SOFTWARE SUPPLY CHAIN RISK MANAGEMENT ACT OF 2021

Mr. THOMPSON of Mississippi. Madam Speaker, I move to suspend the
rules and pass the bill (H.R. 4611) to direct the Secretary of Homeland
Security to issue guidance with respect to certain information and
communications technology or services contracts, and for other
purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:

H.R. 4611

Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``DHS Software Supply Chain
Risk Management Act of 2021''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY GUIDANCE WITH RESPECT
TO CERTAIN INFORMATION AND COMMUNICATIONS
TECHNOLOGY OR SERVICES CONTRACTS.

(a) Guidance.--The Secretary of Homeland Security, acting
through the Under Secretary, shall issue guidance with
respect to new and existing covered contracts.
(b) New Covered Contracts.--In developing guidance under
subsection (a), with respect to each new covered contract, as
a condition on the award of such a contract, each contractor
responding to a solicitation for such a contract shall submit
to the covered officer--
(1) a planned bill of materials when submitting a bid
proposal; and
(2) the certification and notifications described in
subsection (e).
(c) Existing Covered Contracts.--In developing guidance
under subsection (a), with respect to each existing covered
contract, each contractor with an existing covered contract
shall submit to the covered officer--
(1) the bill of materials used for such contract, upon the
request of such officer; and
(2) the certification and notifications described in
subsection (e).
(d) Updating Bill of Materials.--With respect to a covered
contract, in the case of a change to the information included
in a bill of materials submitted pursuant to subsections
(b)(1) and (c)(1), each contractor shall submit to the
covered officer the update to such bill of materials, in a
timely manner.
(e) Certification and Notifications.--The certification and
notifications referred to in subsections (b)(2) and (c)(2),
with respect to a covered contract, are the following:
(1) A certification that each item listed on the submitted
bill of materials is free from all known vulnerabilities or
defects affecting the security of the end product or service
identified in--
(A) the National Institute of Standards and Technology
National Vulnerability Database; and
(B) any database designated by the Under Secretary, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency, that tracks security
vulnerabilities and defects in open source or third-party
developed software.
(2) A notification of each vulnerability or defect
affecting the security of the end product or service, if
identified, through--
(A) the certification of such submitted bill of materials
required under paragraph (1); or
(B) any other manner of identification.
(3) A notification relating to the plan to mitigate,
repair, or resolve each security vulnerability or defect
listed in the notification required under paragraph (2).
(f) Enforcement.--In developing guidance under subsection
(a), the Secretary shall instruct covered officers with
respect to--
(1) the processes available to such officers enforcing
subsections (b) and (c); and
(2) when such processes should be used.
(g) Effective Date.--The guidance required under subsection
(a) shall take effect on the date that is 180 days after the
date of the enactment of this section.
(h) GAO Report.--Not later than 1 year after the date of
the enactment of this Act, the Comptroller General of the
United States shall submit to the Secretary, the Committee on
Homeland Security of the House of Representatives, and the
Committee on Homeland Security and Governmental Affairs of
the Senate a report that includes--
(1) a review of the implementation of this section;
(2) information relating to the engagement of the
Department of Homeland Security with industry;
(3) an assessment of how the guidance issued pursuant to
subsection (a) complies with Executive Order 14208 (86 Fed.
Reg. 26633; relating to improving the nation's
cybersecurity); and
(4) any recommendations relating to improving the supply
chain with respect to covered contracts.
(i) Definitions.--In this section:
(1) Bill of materials.--The term ``bill of materials''
means a list of the parts and components (whether new or
reused) of an end product or service, including, with respect
to each part and component, information relating to the
origin, composition, integrity, and any other information as
determined appropriate by the Under Secretary.
(2) Covered contract.--The term ``covered contract'' means
a contract relating to the procurement of covered information
and communications technology or services for the Department
of Homeland Security.
(3) Covered information and communications technology or
services.--The term ``covered information and communications
technology or services'' means the terms--
(A) ``information technology'' (as such term is defined in
section 11101(6) of title 40, United States Code);
(B) ``information system'' (as such term is defined in
section 3502(8) of title 44, United States Code);
(C) ``telecommunications equipment'' (as such term is
defined in section 3(52) of the Communications Act of 1934
(47 U.S.C. 153(52))); and
(D) ``telecommunications service'' (as such term is defined
in section 3(53) of the Communications Act of 1934 (47 U.S.C.
153(53))).
(4) Covered officer.--The term ``covered officer'' means--
(A) a contracting officer of the Department; and
(B) any other official of the Department as determined
appropriate by the Under Secretary.
(5) Software.--The term ``software'' means computer
programs and associated data that may be dynamically written
or modified during execution.
(6) Under secretary.--The term ``Under Secretary'' means
the Under Secretary for Management of the Department of
Homeland Security.

SEC. 3. DETERMINATION OF BUDGETARY EFFECTS.

The budgetary effects of this Act, for the purpose of
complying with the Statutory Pay-As-You-Go Act of 2010, shall
be determined by reference to the latest statement titled
``Budgetary Effects of PAYGO Legislation'' for this Act,
submitted for printing in the Congressional Record by the
Chairman of the House Budget Committee, provided that such
statement has been submitted prior to the vote on passage.

The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Mississippi (Mr. Thompson) and the gentleman from Mississippi (Mr.
Guest) each will control 20 minutes.
The Chair recognizes the gentleman from Mississippi (Mr. Thompson).

General Leave

Mr. THOMPSON of Mississippi. Madam Speaker, I ask unanimous consent
that all Members may have 5 legislative days in which to revise and
extend their remarks and to include extraneous material on this
measure.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Mississippi?
There was no objection.
Mr. THOMPSON of Mississippi. Madam Speaker, I yield myself such time
as I may consume.
Madam Speaker, I rise in strong support of H.R. 4611, the DHS
Software Supply Chain Risk Management Act of 2021.
With each passing day, we see cyberattacks becoming increasingly more
frequent and sophisticated, posing a significant threat to homeland
security and the U.S. economy.
The tactics cybercriminals use to steal information or disrupt access
to critical information systems are ever evolving. Many prey upon
vulnerabilities within the victim's security measures or the victim's
software supply chain.
The ransomware attack on the Colonial Pipeline and the attempted hack
of a water treatment plan in Oldsmar, Florida, earlier this year, show
just how easily critical infrastructure systems can be compromised.
Last year's compromise of the SolarWinds Orion software supply chain
demonstrated how widespread and damaging such attacks can be.
In the SolarWinds attack, cybercriminals were able to add malicious
code to a commercial software product that was subsequently downloaded
by several Federal agencies, including the Department of Homeland
Security.
As the lead Federal agency for cybersecurity, it is important that
DHS lead by example, aggressively protecting its own networks.
To that end, H.R. 4611 would enhance the Department's ability to
protect its networks by modernizing how it buys information and
communications technology or services.
H.R. 4611 directs DHS to issue Department-wide guidance to improve
visibility into the supply chain for software purchased from new and
existing contractors.

[[Page H5536]]

Specifically, under this legislation, contractors would have to
provide a bill of materials that identifies each part or component of
the software supplied to DHS and take steps to ensure that each item is
free from known security vulnerabilities or defects.
The bill of materials process is akin to the listing of ingredients
on a package of food.
Once DHS has this detailed supply chain information, it will have far
greater visibility into what it is purchasing and installing on its
networks.

{time} 1545

With this information, DHS can take more timely action to mitigate
risks associated with software on its network.
Importantly, H.R. 4611, which was introduced by my colleague from New
York (Mr. Torres), requires DHS to instruct personnel on how to enforce
the new requirements to hold contractors accountable.
Finally, the bill requires the Government Accountability Office to
review the department-wide guidance and assess how it aligns with
President Biden's recent executive order on improving the Nation's
cybersecurity.
As the President stated in this order, the Federal Government must
take decisive steps to modernize its approach to cybersecurity to keep
pace with today's dynamic and increasingly sophisticated cyber threat
environment.
I could not agree more.
Enactment of H.R. 4611 would be a decisive step toward improving
DHS's ability to prevent, detect, and respond to cyberattacks on its
own networks.
I urge my colleagues to support this legislation and reserve the
balance of my time.
Mr. GUEST. Madam Speaker, I yield myself such time as I may consume.
Madam Speaker, I rise today in support of H.R. 4611, the DHS Software
Supply Chain Risk Management Act of 2021.
As we have seen over the past year, our software supply chains are
increasingly vulnerable. It is vital that the Department of Homeland
Security does its part to ensure that software in use by the Department
and its contractors is secure.
This legislation will help DHS better understand and track the
software and systems in use by its contractors so that it can better
mitigate risk within the software supply chain.
I urge Members to join me in supporting H.R. 4611, and I reserve the
balance of my time.
Mr. THOMPSON of Mississippi. Madam Speaker, I yield 2 minutes to the
gentleman from New York (Mr. Torres), the vice chair of the Committee
on Homeland Security and the sponsor of the bill.
Mr. TORRES of New York. Madam Speaker, a cyberattack on a software
supply chain is like an infectious disease outbreak, spreading widely
and rapidly, and causing untold damage far and wide.
The SolarWinds espionage campaign against the United States, which
spread surreptitiously through a software product, represents the
greatest intrusion into the Federal Government in the history of the
United States.
SolarWinds should serve as a wake-up call. The United States
Government can no longer take for granted the safety of the software it
uses. The Federal Government must be proactive in identifying and
correcting cyber vulnerabilities; and as the lead agency on
cybersecurity, DHS in particular must emerge as the gold standard.
I am therefore proud to partner, on a bipartisan basis, with my
colleague, the gentleman from New York (Mr. Garbarino), to pass H.R.
4611, the DHS Software Supply Chain Risk Management Act of 2021.
H.R. 4611 would require the DHS Under Secretary for Management to
issue department-wide guidance that in turn requires DHS contractors to
submit a software bill of materials, identifying the origin of each
component of software provided to DHS.
DHS should know the precise origin of the software it uses; whether a
software component comes from a questionable firm that fails to follow
best practices in cybersecurity; whether it comes from a hostile
nation-state intent on planting back doors.
Homeland security can easily die in darkness, and the purpose of H.R.
4611 is to bring greater light, greater transparency to the software
supply chains which for far too long have been left wide open to cyber
espionage and sabotage. We owe it to ourselves to learn from the
experience of SolarWinds, for those who fail to learn from history are
doomed to repeat it.
Mr. GUEST. Madam Speaker, I have no further speakers, and I urge
Members to support this bill. I yield back the balance of my time.
Mr. THOMPSON of Mississippi. Madam Speaker, I yield myself the
balance of my time to close.
As the lead Federal agency for cybersecurity, DHS has taken steps to
increase public awareness of software vulnerabilities routinely
exploited by malicious cyber actors.
To identify and manage these types of vulnerabilities on its own
network, DHS needs better visibility into the supply chains of the
software it procures.
Enactment of H.R. 4611 would ensure that DHS has access to the
information it needs to enhance its ability to manage the risks to its
own networks.
I urge my colleagues to support H.R. 4611, and I yield back the
balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from Mississippi (Mr. Thompson) that the House suspend the
rules and pass the bill, H.R. 4611, as amended.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. POSEY. Madam Speaker, on that I demand the yeas and nays.
The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution
8, the yeas and nays are ordered.
Pursuant to clause 8 of rule XX, further proceedings on this motion
are postponed.

____________________