Sec. 1639. Mitigation of risks to national security posed by providers of information technology products and services who have obligations to foreign governments
/bill/115/s/2987/pcs/section-1639·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
The Department of Defense may not use a product, service, or system relating to information or operational technology, cybersecurity, an industrial control system, a weapons system, or computer antivirus provided by a person unless that person discloses to the Secretary of Defense the following:
Whether the person has allowed a foreign government to review or access the code of a product, system, or service custom-developed for the Department, or is under any obligation to allow a foreign person or government to review or access the code of a product, system, or service custom-developed for the Department as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
Whether the person has allowed a foreign government listed in section 1638(a) to review or access the source code of a product, system, or service that the Department is using or intends to use, or is under any obligation to allow a foreign person or government to review or access the source code of a product, system, or service that the Department is using or intends to use as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
In a case in which the person is a United States person or an affiliate of a United States person, whether or not the person holds or has sought a license pursuant to the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations, or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the product, system, or service the Department is using or intends to use.
Procurement contracts for covered products or systems shall include a clause requiring the information contained in subsection (a) be disclosed during the period of the contract if an entity becomes aware of information requiring disclosure as per that section, including any mitigation measures taken or anticipated.
If, after reviewing a disclosure made by a person under subsection (a), the Secretary determines that the disclosure relating to a product, system, or service entails a risk to the national security infrastructure or data of the United States, or any national security system under the control of the Department, the Secretary shall take such measures as the Secretary considers appropriate to mitigate such risks, including, as the Secretary considers appropriate, by conditioning any agreement for the use, procurement, or acquisition of the product, system, or service on the inclusion of enforceable conditions or requirements that would mitigate such risks.
Not later than two years after the date of the enactment of this Act the Secretary shall develop such third-party testing standard as the Secretary considers acceptable for commercial off the shelf (COTS) products, systems, or services to use when dealing with foreign governments.
A disclosure under subsection (a) shall not be subject to section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act), or any other similar provision of Federal or State law requiring the disclosure of information to the public.