The agencies would have to review the supply chain risk for new “high-impact or moderate-impact” IT systems, using criteria from the FBI and NIST.