Page:United States Statutes at Large Volume 122.djvu/4425

 12 2 STA T .4 4 0 2 PUBLIC LA W 110 – 41 7—O CT. 14 , 200 8(F)Recom me ndati on sr e g arding t h ea p propriate management str u cture ,f isca l controls, and sta k eholder engagement re q uired to ensure that a unified technolog y transition program w ill cost - effecti v ely and efficiently ena b le technology transition . (b) R EPORTING RE QU IRE M ENT REPE AL E D . —S ection 2359 a of title 10, U nited States C ode, is amended— (1) by striking subsection (h) and (2) by redesignating subsection (i) as subsection (h). SEC.254 . TRU STE D DE F E N SES Y STE M S. (a) V ULNERA B ILIT YAS SESSMENT REQUIRED.— T he Secretary of D efense shall conduct an assessment of selected covered acquisition programs to identify vulnerabilities in the supply chain of each program ’ s electronics and information processing systems that potentially compromise the level of trust in the systems. Such assessment shall— (1) identify vulnerabilities at multiple levels of the elec- tronics and information processing systems of the selected pro- grams, including microcircuits, software, and firmware; (2) prioriti z e the potential vulnerabilities and effects of the various elements and stages of the system supply chain to identify the most effective balance of investments to minimize the effects of compromise; (3) provide recommendations regarding ways of managing supply chain risk for covered acquisition programs; and ( 4 ) identify the appropriate lead person, and supporting elements, within the Department of Defense for the develop- ment of an integrated strategy for managing risk in the supply chain for covered acquisition programs. (b) ASSESSMENT O FM ET H ODS FOR VERIFYING THE TRUST OF SEMI C ONDUCTORS P ROCURED FROM COMMERCIAL SOURCES.—The Under Secretary of Defense for Acquisition, Technology, and L ogis- tics, in consultation with appropriate elements of the Department of Defense, the intelligence community, private industry, and aca- demia, shall conduct an assessment of various methods of verifying the trust of semiconductors procured by the Department of Defense from commercial sources for use in mission-critical components of potentially vulnerable defense systems. The assessment shall include the following

(1) An identification of various methods of verifying the trust of semiconductors, including methods under development at the Defense Agencies, government laboratories, institutions of higher education, and in the private sector. (2) A determination of the methods identified under para- graph (1) that are most suitable for the Department of Defense. (3) An assessment of the additional research and technology development needed to develop methods of verifying the trust of semiconductors that meet the needs of the Department of Defense. (4) Any other matters that the Under Secretary considers appropriate. (c) STRATEGY REQUIRED.— (1) I N GENERAL.—The lead person identified under sub- section (a)(4), in cooperation with the supporting elements also identified under such subsection, shall develop an integrated strategy— 10USC23 02 note.

�