Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

Code · BILL · 115th Congress · H.R. 5515 (Enrolled) — To authorize appropriations for fiscal year 2019 for military activities of the Department of Defense, for military c... · Sec. 1655

Sec. 1655. Mitigation of risks to national security posed by providers of information technology products and services who have obligations to foreign governments

952 words·~4 min read·/bill/115/hr/5515/enr/section-1655·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subject to the regulations issued under subsection (b), the Department of Defense may not use a product, service, or system procured or acquired after the date of the enactment of this Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person unless that person discloses to the Secretary of Defense the following: Whether, and if so, when, within five years before or at any time after the date of the enactment of this Act, the person has allowed a foreign government to review the code of a non-commercial product, system, or service developed for the Department, or whether the person is under any obligation to allow a foreign person or government to review the code of a non-commercial product, system, or service developed for the Department as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
Whether, and if so, when, within five years before or at any time after the date of the enactment of this Act, the person has allowed a foreign government listed in section 1654 to review the source code of a product, system, or service that the Department is using or intends to use, or is under any obligation to allow a foreign person or government to review the source code of a product, system, or service that the Department is using or intends to use as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
Whether or not the person holds or has sought a license pursuant to the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations, or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the non-commercial product, system, or service the Department is using or intends to use.
The Secretary of Defense shall issue regulations regarding the implementation of subsection (a). If information obtained from a person under subsection
(a)or the contents of the registry under subsection
(f)are the subject of a request under section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act ), the Secretary of Defense shall conduct a uniform review process, without regard to the office holding the information, to determine if the information is exempt from disclosure under such section 552. Procurement contracts for covered products or systems shall include a clause requiring the information contained in subsection
(a)be disclosed during the period of the contract if an entity becomes aware of information requiring disclosure required pursuant to such subsection, including any mitigation measures taken or anticipated. If, after reviewing a disclosure made by a person under subsection (a), the Secretary determines that the disclosure relating to a product, system, or service entails a risk to the national security infrastructure or data of the United States, or any national security system under the control of the Department, the Secretary shall take such measures as the Secretary considers appropriate to mitigate such risks, including, as the Secretary considers appropriate, by conditioning any agreement for the use, procurement, or acquisition of the product, system, or service on the inclusion of enforceable conditions or requirements that would mitigate such risks. Not later than two years after the date of the enactment of this Act the Secretary shall develop such third-party testing standard as the Secretary considers acceptable for commercial off the shelf
(COTS)products, systems, or services to use when dealing with foreign governments. This section shall not apply to open source software. Not later than one year after the date of the enactment of this Act, the Secretary of Defense shall— establish within the operational capabilities of the Committee for National Security Systems
(CNSS)or within such other agency as the Secretary considers appropriate a registry containing the information disclosed under subsection (a); and upon request, make such information available to any agency conducting a procurement pursuant to the Federal Acquisition Regulations or the Defense Federal Acquisition Regulations. Not later than one year after the date of the enactment of this Act and not less frequently than once each year thereafter, the Secretary of Defense shall submit to the appropriate committees of Congress a report detailing the number, scope, product classifications, and mitigation agreements related to each product, system, and service for which a disclosure is made under subsection (a). In this section: The term appropriate committees of Congress means— the Committee on Armed Services, the Select Committee on Intelligence, and the Committee on Homeland Security and Governmental Affairs of the Senate; and the Committee on Armed Services, the Permanent Select Committee on Intelligence, the Committee on Homeland Security, and the Committee on Oversight and Government Reform of the House of Representatives. The term commercial item has the meaning given such term in section 103 of title 41, United States Code. The term information technology has the meaning given such term in section 11101 of title 40, United States Code. The term national security system has the meaning given such term in section 3552(b) of title 44, United States Code. The term non-commercial product, system, or service means a product, system, or service that does not meet the criteria of a commercial item. The term open source software means software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of such software.
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.