Under the rule, suppliers that fall short of risk-reduction standards can be excluded from certain national security systems-related information-technology contracts.

"It is necessary to reduce the supply chain risk in the acquisition of sensitive information-technology systems" used for intelligence or cryptologic activities, for command and control of military forces, or that form integral weapons-systems parts, the DoD's Defense Acquisition Regulations System says in a Nov. 18 Federal Register notice.

The rule addresses the risk, as defined by Congress, "that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system," the notice says.

Read Full Article