41 USC 1326 – Requirements for executive agencies
(a)
(1) assessing the supply chain risk posed by the acquisition and use of covered articles and avoiding, mitigating, accepting, or transferring that risk, as appropriate and consistent with the standards, guidelines, and practices identified by the Council under section 1323(a)(1); and
(2) prioritizing supply chain risk assessments conducted under paragraph (1) based on the criticality of the mission, system, component, service, or asset.
(b)
(1) developing an overall supply chain risk management strategy and implementation plan and policies and processes to guide and govern supply chain risk management activities;
(2) integrating supply chain risk management practices throughout the life cycle of the system, component, service, or asset;
(3) limiting, avoiding, mitigating, accepting, or transferring any identified risk;
(4) sharing relevant information with other executive agencies as determined appropriate by the Council in a manner consistent with section 1323(a) of this title;
(5) reporting on progress and effectiveness of the agency’s supply chain risk management consistent with guidance issued by the Office of Management and Budget and the Council; and
(6) ensuring that all relevant information, including classified information, with respect to acquisitions of covered articles that may pose a supply chain risk, consistent with section 1323(a) of this title, is incorporated into existing processes of the agency for conducting assessments described in subsection (a) and ongoing management of acquisition programs, including any identification, investigation, mitigation, or remediation needs.
(c)
(1)
(2)
(3)
(d)
(1) assist executive agencies in conducting risk assessments described in subsection (a) and implementing mitigation requirements for information and communications technology; and
(2) provide such additional guidance or tools as are necessary to support actions taken by executive agencies.