“(a)The Secretary of Defense shall, in conjunction with the Director of National Intelligence and the Secretary of State, establish a program to enable commanders of combatant commands to identify and manage risks resulting from covered persons and entities engaging in covered activities. The Secretary of Defense shall issue guidance establishing such program, including identifying who shall be responsible for carrying out and overseeing the program, procedures for using information available from intelligence, security, and law enforcement sources to identify such risks, and strategies for managing the risks posed by covered persons and entities engaging in covered activities.
“(b)“(1)“(A)Under the program established under subsection (a), the commander of the combatant command concerned shall evaluate covered persons and entities within the area of responsibility of such command to identify such covered persons and entities that are engaging in covered activities.
“(B)Upon identification of a covered person or entity who is engaging in covered activities pursuant to an evaluation under subparagraph (A), the commander of the combatant command concerned, or the designated deputies of such commander, shall submit to the Under Secretary of Defense for Acquisition and Sustainment, the Under Secretary of Defense for Intelligence and Security, and the Under Secretary of Defense for Policy a notice of such identification and the rationale for such identification.
“(2)The head of a contracting activity may take a covered procurement action with respect to a person or entity identified as engaging in a covered activity under the program established under subsection (a) if such head receives a notification from the Under Secretary of Defense for Acquisition and Sustainment stating that, based on a risk assessment conducted by the commander of a combatant command who made such identification—
“(A)such person or entity is a covered person or entity;
“(B)such person or entity is or was engaging in one or more covered activities; and
“(C)less intrusive measures are not reasonably available to manage the risk posed by such person or entity.
“(c)“(1)The head of a contracting activity, or other appropriate official, shall notify covered persons and entities of the following:
“(A)The program established under subsection (a).
“(B)The authorities provided by subsection (b).
“(C)The responsibilities of covered persons or entities to exercise due diligence to mitigate their engagement in covered activities.
“(2)“(A)Not later than 30 days prior to taking a covered procurement action, the head of a contracting activity shall notify the covered person or entity of the covered procurement action. The covered person or entity shall be permitted the opportunity to challenge the covered procurement action by requesting an administrative review of the action under the procedures of the Department of Defense not later than 30 days after receipt of notice of the action.
“(B)The rationale of the commander of a combatant command that identified the covered person or entity receiving a notice under subparagraph (A) as a covered person or entity engaging in a covered activity under subsection (b)(1) shall not be disclosed to such covered person or entity, or their representatives, to the extent that such disclosure would compromise national security or pose an unacceptable threat to personnel of the United States or its partners or allies.
“(C)Classified information relied upon to take a covered procurement action may not be disclosed to a covered person or entity, or to their representatives, unless a protective order issued by a court of competent jurisdiction established under article I or article III of the Constitution of the United States specifically addresses the conditions under which such classified information may be disclosed.
“(d)Not later than 15 days after the head of a contracting activity takes a covered procurement action, such head of a contracting activity shall report such covered procurement action to the Under Secretary of Defense for Acquisition and Sustainment and include such covered procurement action in the Federal Awardee Performance and Integrity Information System or other formal systems of record and, in the case that such cover procurement action is for the exclusion a person or commercial entity from an award, the System for Award Management.
“(e)The Secretary of Defense, in coordination with the Director of National Intelligence and the Secretary of State, shall, on an annual basis, review the lists of persons and entities previously subject to a covered procurement action under subsection (b)(2) to determine whether or not such persons and entities continue to warrant use of the covered procurement action.
“(f)The Secretary of Defense, in conjunction with the Secretary of State, may grant a waiver for actions taken under subsection (b) if it is in the best interest of national security.
“(g)The authority provided by subsection (b) to make a determination to use a covered procurement action, in whole or in part, may not be delegated below the level of head of contracting activity, or equivalent official, for purposes of grants or cooperative agreements.
“(h)The Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement shall be revised to implement the provisions of this subtitle.
“(i)“(1)Not later than March 1 of 2023, and annually thereafter, the Secretary of Defense shall submit to the congressional defense committees (as defined in section 101(a) of title 10, United States Code) a report on the use of the authorities in this section in the preceding calendar year, including the following: “(A)For each instance in which a head of contracting activity took a covered procurement action, the following:
“(i)The head of contracting activity taking such action.
“(ii)An explanation of the basis for taking the covered procurement action.
“(iii)The value of the contract, grant, or cooperative agreement subject to the covered procurement action.
“(iv)The value of all contracts, grants, or cooperative agreements the Department of Defense has with the person or entity concerned at the time of taking the covered procurement action.
“(B)For each instance in which a head of contracting activity did not take a covered procurement action following an identification from a combatant commander under subsection (b), the following:
“(i)The head of contracting activity concerned.
“(ii)An explanation of the basis for not taking the covered procurement action.
“(C)Specific examples where the authorities under this section can not be used to mitigate national security threats posed by vendors supporting Department operations because of the restriction on using such authorities only with respect to contingency operations.
“(D)A description of the policies ensuring that oversight of the use of the authorities in this section is effectively carried out by a single office in the Office of the Under Secretary of Defense for Acquisition and Sustainment.
“(2)Any report under this subsection may, at the election of the Secretary of Defense—
“(A)be submitted in unclassified form, but with a classified annex; or
“(B)be submitted in classified form.
“(j)Nothing in this section shall apply to the authorized intelligence or law enforcement activities of the United States Government.
“(k)The authorities in this section shall be in addition to, and not to the exclusion of, any other authorities available to executive agencies to implement policies and purposes similar to those set forth in this section.
“(l)The provisions of this section shall cease to be effective on December 31, 2033.
