On May 15, 2019, the President issued Executive Order on Securing the Information and Communications Technology and Services Supply Chain (E.O. 13873) to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.
The E.O. sets out the procedures the Department of Commerce will use to prohibit the use or transaction of “information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”, and that pose 1) risk of sabotage or subversion; 2) catastrophic effects on the Nation’s critical infrastructure or digital economy; or 3) adverse consequences to national security and public safety.
CISA was directed, within 80 days of the E.O. release, “to assess and identify entities, hardware, software, and services that present vulnerabilities in the United States and that pose the greatest potential consequences to the national security of the United States” as decision support to the Department of Commerce.
In response, CISA and the ICT Supply Chain Risk Management (SCRM) Task Force worked with industry and government partners to:
Develop a standardized taxonomy of ICT elements (e.g., hardware, software, and services)
Perform criticality assessments on these ICT elements with appropriate stakeholder input
Assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communications
CISA AND THE TASK FORCE'S ACTIONS
This work resulted in the development of two resources. Please note that these resources are provided "as is" for informational purposes only. This methodology can be used as an input to a risk assessment, but by itself is not sufficient for a comprehensive review of risk.
Additionally, as risks emerged from the impact of the COVID-19 global pandemic on the globalized model of supply chains, CISA and the Task Force developed the Lessons Learned During The Covid-19 Pandemic Analysis Report. This report identifies new priorities and recommendations that businesses, organizations, and governments may adopt to increase the resilience of their supply chains, and as a result, also help strengthen national security, economic security, and public health and safety.