The NSA has has published criteria for evaluating levels of assurance required for DoD microelectronics.
DoD Microelectronics: Levels of Assurance Definitions and Applications.
Author(s)
National Security Agency
Cybersecurity Directorate
Joint Federated Assurance Center
Very good point.
I don't know the details. But at first glance this indeed looks like it sets up "Wack-a-Mole."
@corlin LoA1 (Technology) seems unworkable. How you keep track of all known, existing open-source technologies and academic research that might be leveraged to gain access? Even if you meet LoA1, the certification might be made moot within days by a new publication.