As reported by the Senate Committee on Homeland Security and Governmental Affairs on November 26, 2018
S. 3085 would create the Federal Acquisition Security Council, which would work to mitigate security risks that may arise from information technology (IT), telecommunications services, and other goods and services procured by the federal government. The council would consist of representatives from at least 11 departments and agencies, and a representative from the Office of Management and Budget (OMB) would serve as chair of the council.
Under the bill, the council would look at the security of the entire supply chain for goods and services procured by the government, including threats from terrorism, piracy, and theft in both the real world and cyberspace. (The term supply chain refers to the total number of organizations, individuals, and processes involved in producing and selling something to a final user.) Primary responsibilities for the council would include:
- Developing criteria for assessing threats and vulnerabilities to the supply chain, and
- Issuing guidance on risks to the supply chain and how to address such risks.
Using information from OMB and based on the scope of the council’s responsibilities, CBO estimates that when fully implemented the council would spend about $2 million annually; most of that would be for the cost of about 10 employees. CBO estimates that implementing S. 3085 would cost $10 million over the 2019-2023 period; any spending would be subject to the availability of appropriated funds.
S. 3085 also would allow agencies to change their procurement actions based on expected risks to the agency from different acquisitions. Those changes would involve preparing risk management plans and strategies to assess risks to the supply chain prior to purchasing any goods or services.
CBO is unaware of any comprehensive information on the security of the government’s supply chain. CBO aims to produce estimates that generally reflect the middle of a range of most likely outcomes that would result if the legislation were enacted. However, CBO cannot determine how agencies currently handle supply chain risks or how many resources are devoted to those activities. In addition, what policies, procedures, or guidance the new council would provide to agencies is not clear. Finally, under existing authority initially provided by section 806 of Public Law 111-383 and recently reauthorized by section 881 of the 2019 National Defense Authorization Act (P.L. 115-232), the Department of Defense can currently perform many of the activities described in section 3 of S. 3085. However, CBO cannot determine whether those authorities have ever been used. Thus, CBO cannot estimate whether implementing that section would have costs or savings for government agencies.
CBO expects that agencies would continue to procure goods and services at the lowest price available and that issues involving supply chain risk would not significantly increase or decrease the costs of goods and services procured by the government.
Enacting S. 3085 could affect direct spending by agencies that are authorized to use receipts from the sale of goods, fees, and other collections to cover operating costs. Therefore, pay-as-you-go procedures apply. Because most agencies can adjust the amounts collected as operating costs change, CBO estimates that any net changes in direct spending by those agencies would be negligible. Enacting the bill would not affect revenues.
CBO estimates that enacting S. 3085 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.
S. 3085 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.