Supply Chain Risk Management

Executive Order on Securing the Information and Communications Technology Services Supply Chain
A national emergency was declared in Executive Order 13873, Securing the Information and Communications Technology Services Supply Chain, signed May 15, 2019. As stated in the Executive Order, "...foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services..." The Department of Commerce intends to publish rules or regulations within 150 days of the Executive Order's publication; until then, it is strongly suggested to review the full Executive Order along with Section 2339a of Title 10, United States Code.
Supply Chain Risk Management
The Undersecretary of Defense for Acquisition and Sustainment (USD(A&S)) has directed that all procurement officials, when acquiring a "covered system" or "covered item of supply", regardless of procurement dollar value, shall verify that the award will not involve any entity listed in the National Security System (NSS) Restricted List contained in the Supplier Performance Risk System (SPRS). The list can be accessed by clicking the "Section 2339a" tab in the upper right of the SPRS website.

Supply Chain Risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system. SCRM refers to the systematic process for managing supply chain risk by: (1) identifying susceptibilities, vulnerabilities, and threats throughout the DoD's supply chain, and (2) developing mitigation strategies to combat those threats.

Current DoD policy can be found in this memo.
Section 806 of the FY 2011 NDAA
Section 806 of the Ike Skelton National Defense Authorization Act (NDAA) for FY 2011 (Public Law 111-383), as amended (section 806), authorizes certain DoD officials to take specific procurement actions to mitigate against supply chain risk in the procurement of ICT (Information and Communications Technology) for NSS (National Security Systems). These authorities and procedures are implemented at Defense Federal Acquisition Regulation Supplement (DFARS) Subpart 239.73, "Requirements for Information Relating to Supply Chain Risk."
Section 2339a of Title 10, United States Code
The authorities originally provided by Section 806 were subsequently updated, made permanent, and codified at Section 2339a of Title 10, United States Code. Accordingly, all references to the statutory authority will now refer to Title 10, United States Code, 2339a (Section 2339a), rather than Section 806. Class deviation 2018-O0020, "Permanent Supply Chain Risk Management Authority," has made the corresponding revisions to DFARS subpart 239.73, and all references to Section 806 in other previously issued guidance regarding these authorities (e.g., the March 13, 2018, Deputy Secretary of Defense memo) shall be deemed to refer to Section 2339a, unless advised otherwise by legal counsel. Per the Under Secretary of Defense Memorandum dated 28 December 2018, all DoD acquisition personnel shall use the Supplier Performance Risk System (SPRS) to ensure access to the list of Section 2339a class determinations (the NSS Restricted List). All procurement officials, regardless of procurement dollar value, shall verify that the award will not involve any entity, product, or service that is within the scope of the NSS Restricted List in SPRS when acquiring a "covered system" or a "covered item of supply" (as defined at DFARS 239.7301), unless an exception is granted.
Resources
Below are the corresponding Memorandums and PARC alerts that apply to the above-mentioned actions and requirements. You can also find the current link to SPRS and other helpful resources.