(a) In General.—The head of each executive agency shall be responsible for—

(1) assessing the supply chain risk posed by the acquisition and use of covered articles and avoiding, mitigating, accepting, or transferring that risk, as appropriate and consistent with the standards, guidelines, and practices identified by the Council under section 1323(a)(1); and

(2) prioritizing supply chain risk assessments conducted under paragraph (1) based on the criticality of the mission, system, component, service, or asset.


Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

(b) Inclusions.—The responsibility for assessing supply chain risk described in subsection (a) includes—

(1) developing an overall supply chain risk management strategy and implementation plan and policies and processes to guide and govern supply chain risk management activities;

(2) integrating supply chain risk management practices throughout the life cycle of the system, component, service, or asset;

(3) limiting, avoiding, mitigating, accepting, or transferring any identified risk;

(4) sharing relevant information with other executive agencies as determined appropriate by the Council in a manner consistent with section 1323(a) of this title;

(5) reporting on progress and effectiveness of the agency’s supply chain risk management consistent with guidance issued by the Office of Management and Budget and the Council; and

(6) ensuring that all relevant information, including classified information, with respect to acquisitions of covered articles that may pose a supply chain risk, consistent with section 1323(a) of this title, is incorporated into existing processes of the agency for conducting assessments described in subsection (a) and ongoing management of acquisition programs, including any identification, investigation, mitigation, or remediation needs.


(c) Interagency Acquisitions.—

(1) In general.—Except as provided in paragraph (2), in the case of an interagency acquisition, subsection (a) shall be carried out by the head of the executive agency whose funds are being used to procure the covered article.

(2) Assisted acquisitions.—In an assisted acquisition, the parties to the acquisition shall determine, as part of the interagency agreement governing the acquisition, which agency is responsible for carrying out subsection (a).

(3) Definitions.—In this subsection, the terms “assisted acquisition” and “interagency acquisition” have the meanings given those terms in Section 2.101 of Title 48, Code of Federal Regulations (or any corresponding similar regulation or ruling).


(d) Assistance.—The Secretary of Homeland Security may—

(1) assist executive agencies in conducting risk assessments described in subsection (a) and implementing mitigation requirements for information and communications technology; and

(2) provide such additional guidance or tools as are necessary to support actions taken by executive agencies.