April is National Supply Chain Integrity Month - Week 4

Week 4: Knowing the Essentials

As the use of ICT continues to accelerate and expand, so will the attack surface for adversaries seeking to steal, compromise or alter, and destroy sensitive information. In the final week of National Supply Chain Integrity Month, CISA is reminding everyone that strengthening ICT supply chains requires an ongoing, unified effort between government and industry. To this end, CISA is providing two resources to help organizations and their staff get started, including a new one released jointly with the National Institute of Standards and Technology (NIST):

ICT Supply Chain Risk Management (SCRM) Essentials

Like cybersecurity, managing risks to ICT supply chains cannot be done in silos, fragmented among specific individuals or departments responsible for one piece of an organization’s risks. CISA’s SCRM Essentials is a guide for leaders and staff that empowers all personnel to own their role in implementing organizational SCRM practices through six actionable steps:

  1. Identify the people,
  2. Manage the security and compliance,
  3. Assess the components,
  4. Know the supply chain and suppliers,
  5. Verify assurance of third parties, and
  6. Evaluate your SCRM program.

This is a great resource for personnel in cyber and physical security, IT, logistics, legal, acquisitions and procurement, and risk management who can help improve your organization’s overall security resilience. Download and share the ICT SCRM Essentials for more detailed information on these steps.

Defending Against Software Supply Chain Attacks

With technologies and software constantly changing or being updated, security measures must keep up. Recent software compromises and other security incidents have shown how malicious actors stealthily deploying compromised software can go undetected by end users and system administrators, who believe the software is performing only its necessary functions. The reality is that supply chain attacks can be difficult to detect and protect against, because there are many ways threat actors can attack networks and because vulnerabilities may be introduced during any phase of a product’s life cycle.

Product life cycle phases: Design; Development and Production; Distribution; Acquisition and Deployment; Maintenance; and Disposal.

CISA’s Defending Against Software Supply Chain Attacks provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks.

Download and share Defending Against Software Supply Chain Attacks to understand the practices that can assist in preventing, mitigating, and responding to software vulnerabilities that may be introduced through the cyber supply chain and exploited by malicious actors.

To learn more about how CISA enhances supply chain resiliency and to view online resources, visit www.cisa.gov/supply-chain-integrity-month.