(a) Definitions

In this section:

(1) Appropriate congressional committees

The term “appropriate congressional committees” means—

(A) the Select Committee on Intelligence, the Committee on Foreign Relations, the Committee on Armed Services, the Committee on Banking, Housing, and Urban Affairs, the Committee on the Judiciary, the Committee on Appropriations, and the Committee on Homeland Security and Governmental Affairs of the Senate; and

(B) the Permanent Select Committee on Intelligence, the Committee on Foreign Affairs, the Committee on Armed Services, the Committee on Financial Services, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, and the Committee on Oversight and Reform of the House of Representatives.

(2) Covered entity

The term “covered entity” means any foreign company that either directly or indirectly develops, maintains, owns, operates, brokers, markets, sells, leases, licenses, or otherwise makes available spyware.

(3) Foreign commercial spyware

The term “foreign commercial spyware” means spyware that is developed (solely or in partnership with a foreign company), maintained, sold, leased, licensed, marketed, sourced (in whole or in part), or otherwise provided, either directly or indirectly, by a foreign company.

(4) Foreign company

The term “foreign company” means a company that is incorporated or domiciled outside of the United States, including any subsidiaries or affiliates wherever such subsidiaries or affiliates are domiciled or incorporated.

(5) Spyware

The term “spyware” means a tool or set of tools that operate as an end-to-end system of software to provide an unauthorized user remote access to information stored on or transiting through an electronic device connected to the Internet and not owned or operated by the unauthorized user, including end-to-end systems that—

(A) allow an unauthorized user to remotely infect electronic devices with malicious software, including without any action required by the user of the device;

(B) can record telecommunications or other audio captured on a device not owned by the unauthorized user;

(C) undertake geolocation, collect cell site location information, or otherwise track the location of a device or person using the internal sensors of an electronic device not owned by the unauthorized user;

(D) allow an unauthorized user access to and the ability to retrieve information on the electronic device, including text messages, files, e-mails, transcripts of chats, contacts, photos, and browsing history; or

(E) any additional criteria described in publicly available documents published by the Director of National Intelligence, such as whether the end-to-end system is used outside the context of a codified lawful intercept system.

(b) Annual assessments of counterintelligence threats

(1) Requirement

Not later than 90 days after December 23, 2022, and annually thereafter, the Director of National Intelligence, in coordination with the Director of the Central Intelligence Agency, the Director of the National Security Agency, and the Director of the Federal Bureau of Investigation, shall submit to the appropriate congressional committees a report with an accompanying classified annex containing an assessment of the counterintelligence threats and other risks to the national security of the United States posed by the proliferation of foreign commercial spyware. The assessment shall incorporate all credible data, including open-source information.

(2) Elements

Each report under paragraph (1) shall include the following, if known:

(A) A list of the most significant covered entities.

(B) A description of the foreign commercial spyware marketed by the covered entities identified under subparagraph (A) and an assessment by the intelligence community of the foreign commercial spyware.

(C) An assessment of the counterintelligence risk to the intelligence community or personnel of the intelligence community posed by foreign commercial spyware.

(D) For each covered entity identified in subparagraph (A), details of any subsidiaries, resellers, or other agents acting on behalf of the covered entity.

(E) Details of where each covered entity identified under subparagraphs (A) and (D) is domiciled.

(F) A description of how each covered entity identified under subparagraphs (A) and (D) is financed, where the covered entity acquired its capital, and the organizations and individuals having substantial investments or other equities in the covered entity.

(G) An assessment by the intelligence community of any relationship between each covered entity identified in subparagraphs (A) and (D) and any foreign government, including any export controls and processes to which the covered entity is subject.

(H) A list of the foreign customers of each covered entity identified in subparagraphs (A) and (D), including the understanding by the intelligence community of the organizations and end-users within any foreign government.

(I) With respect to each foreign customer identified under subparagraph (H), an assessment by the intelligence community regarding how the foreign customer is using the spyware, including whether the foreign customer has targeted personnel of the intelligence community.

(J) With respect to the first report required under paragraph (1), a mitigation plan to reduce the exposure of personnel of the intelligence community to foreign commercial spyware.

(K) With respect to each report following the first report required under paragraph (1), details of steps taken by the intelligence community since the previous report to implement measures to reduce the exposure of personnel of the intelligence community to foreign commercial spyware.

(3) Classified annex

In submitting the report under subsection (2), the Director shall also include an accompanying but separate classified annex, providing a watchlist of companies selling, leasing, or otherwise providing foreign commercial spyware that the Director determines are engaged in activities that pose a counterintelligence risk to personnel of the intelligence community.

(4) Form

Each report under paragraph (1) shall be submitted in classified form.

(5) Dissemination

The Director of National Intelligence shall separately distribute each report under paragraph (1) and each annex under paragraph (3) to the President, the heads of all elements of the intelligence community, the Secretary of State, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, the National Cyber Director, and the heads of any other departments or agencies the Director of National Intelligence determines appropriate.

(c) Authority to prohibit purchase or use by intelligence community

(1) Foreign commercial spyware

(A) In general

The Director of National Intelligence may prohibit any element of the intelligence community from procuring, leasing, or otherwise acquiring on the commercial market, or extending or renewing a contract to procure, lease, or otherwise acquire, foreign commercial spyware.

(B) Considerations

In determining whether and how to exercise the authority under subparagraph (A), the Director of National Intelligence shall consider—

(i) the assessment of the intelligence community of the counterintelligence threats or other risks to the United States posed by foreign commercial spyware;

(ii) the assessment of the intelligence community of whether the foreign commercial spyware has been used to target United States Government personnel.

(iii) whether the original owner or developer retains any of the physical property or intellectual property associated with the foreign commercial spyware;

(iv) whether the original owner or developer has verifiably destroyed all copies of the data collected by or associated with the foreign commercial spyware;

(v) whether the personnel of the original owner or developer retain any access to data collected by or associated with the foreign commercial spyware;

(vi) whether the use of the foreign commercial spyware requires the user to connect to an information system of the original owner or developer or information system of a foreign government; and

(vii) whether the foreign commercial spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.

(2) Company that has acquired foreign commercial spyware

(A) Authority

The Director of National Intelligence may prohibit any element of the intelligence community from entering into any contract or other agreement for any purpose with a company that has acquired, in whole or in part, any foreign commercial spyware.

(B) Considerations

In considering whether and how to exercise the authority under subparagraph (A), the Director of National Intelligence shall consider—

(i) whether the original owner or developer of the foreign commercial spyware retains any of the physical property or intellectual property associated with the spyware;

(ii) whether the original owner or developer of the foreign commercial spyware has verifiably destroyed all data, and any copies thereof, collected by or associated with the spyware;

(iii) whether the personnel of the original owner or developer of the foreign commercial spyware retain any access to data collected by or associated with the foreign commercial spyware;

(iv) whether the use of the foreign commercial spyware requires the user to connect to an information system of the original owner or developer or information system of a foreign government; and

(v) whether the foreign commercial spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.

(3) Notifications of prohibition

Not later than 30 days after the date on which the Director of National Intelligence exercises the authority to issue a prohibition under subsection (c), the Director of National Intelligence shall notify the congressional intelligence committees of such exercise of authority. Such notice shall include—

(A) a description of the circumstances under which the prohibition was issued;

(B) an identification of the company or product covered by the prohibition;

(C) any information that contributed to the decision of the Director of National Intelligence to exercise the authority, including any information relating to counterintelligence or other risks to the national security of the United States posed by the company or product, as assessed by the intelligence community; and

(D) an identification of each element of the intelligence community to which the prohibition has been applied.

(4) Waiver authority

(A) In general

The head of an element of the intelligence community may request from the Director of National Intelligence the waiver of a prohibition made under paragraph (1) or (2).

(B) Director of National Intelligence determination

The Director of National Intelligence, upon receiving the waiver request in subparagraph (A), may issue a waiver for a period not to exceed one year in response to the request from the head of an element of the intelligence community if such waiver is in the national security interest of the United States.

(C) Notice

Not later than 30 days after approving a waiver request pursuant to subparagraph (B), the Director of National Intelligence shall submit to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives a written notification. The notification shall include—

(i) an identification of the head of the element of the intelligence community that requested the waiver;

(ii) the details of the waiver request, including the national security interests of the United States;

(iii) the rationale and basis for the determination that the waiver is in the national security interests of the United States;

(iv) the considerations that informed the ultimate determination of the Director of National Intelligence to issue the waiver; and

(v) and any other considerations contributing to the determination, made by the Director of National Intelligence.

(D) Waiver termination

The Director of National Intelligence may revoke a previously granted waiver at any time. Upon revocation of a waiver, the Director of National Intelligence shall submit a written notification to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives not later than 30 days after making a revocation determination.

(5) Termination of prohibition

The Director of National Intelligence may terminate a prohibition made under paragraph (1) or (2) at any time. Upon termination of a prohibition, the Director of National Intelligence shall submit a notification of the termination to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives not later than 30 days after terminating a prohibition, detailing the basis for the termination, including any United States national security interests that may be affected by such termination.

Terms Used In 50 USC 3232a

  • congressional intelligence committees: See 50 USC 3003
  • Contract: A legal written agreement that becomes binding when signed.
  • counterintelligence: means information gathered, and activities conducted, to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities. See 50 USC 3003
  • intelligence: includes foreign intelligence and counterintelligence. See 50 USC 3003
  • intelligence community: includes the following:

    (A) The Office of the Director of National Intelligence. See 50 USC 3003

  • Lease: A contract transferring the use of property or occupancy of land, space, structures, or equipment in consideration of a payment (e.g., rent). Source: OCC
  • Oversight: Committee review of the activities of a Federal agency or program.
  • Partnership: A voluntary contract between two or more persons to pool some or all of their assets into a business, with the agreement that there will be a proportional sharing of profits and losses.
  • State: means a State, the District of Columbia, the Commonwealth of Puerto Rico, or any other territory or possession of the United States. See 1 USC 7