Federal Acquisition Security Council Information Sharing Agency

Our Mission

The Federal Acquisition Security Council (FASC), established as part of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act (P.L. 115–390, December 21, 2018), aims to protect federal information and communications technology (ICT) systems by recommending exclusion or removal of covered articles that pose too great a risk to the federal enterprise (§ 1323(c)). The FASC is responsible for identifying supply chain risk management standards and guidelines, identifying and developing criteria for sharing information, engaging with private sector and other non-governmental organization (NGO) stakeholders, coordinating with interagency committees, and providing recommendations on exclusion and/or removal orders.

The FASC Information Sharing Agency (ISA) performs administrative information sharing functions on behalf of the FASC, as provided at 41 U.S.C. 1323(a)(3). The ISA facilitates and provides administrative support to a FASC supply chain and risk management Task Force, and serves as the liaison to the FASC on behalf of the Task Force, as the Task Force develops the processes under which the functions described in 41 U.S.C. 1323(a)(3) are implemented on behalf of the FASC. The ISA's administrative functions shall not be construed to limit or impair the authority or responsibilities of any other Federal agency with respect to information sharing.

Current FASCSA Orders 

Statutes, Regulations, Policy

Because of the scale of supply chain risks faced by Government agencies, and the need for Government-wide coordination, Congress adopted new legislation in 2018 to improve executive branch coordination, supply chain information sharing, and actions to address supply chain risks.

Federal Acquisition Security Council Act of 2018

Federal Acquisition Security Council Rule

Various pieces of legislation have assigned additional requirements to the FASC.

Secure and Trusted Communications Networks Act of 2019

2021 NDAA - 5G/6G wireless equipment

2023 NDAA Section 5949 - Semiconductor Analysis

2024 NDAA American Security Drones Act (ASDA)

Executive Order 14093

Executive Order 14017

Our Partners

Office of Management and Budget (OMB)

General Services Administration (GSA)

Department of Homeland Security (DHS)

Cybersecurity and Infrastructure Security Agency (CISA)

Director of National Intelligence (DNI)

National Counterintelligence Security Center (NCSC)

Department of Justice (DOJ)

Federal Bureau of Investigation (FBI)

Department of Defense (DOD)

National Security Agency (NSA)

Department of Commerce (DOC)

National Institute of Standards and Technology (NIST)

Important Definitions

Supply Chain Risk Management (SCRM)

SCRM is the management of the risk(s) that any person may sabotage, maliciously introduce unwanted functionality, extract data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, maintenance, disposition, or retirement of covered articles so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the covered articles or information stored or transmitted by or through covered articles.

Supply Chain Risk Information (SCRI)

SCRI includes, but is not limited to, information that describes or identifies: 

(1) Functionality and features of covered articles, including access to data and information system privileges;
(2) The user environment where a covered article is used or installed;
(3) The ability of a source to produce and deliver covered articles as expected;
(4) Foreign control of, or influence over, a source or covered article (e.g., foreign ownership, personal and professional ties between a source and any foreign entity, legal regime of any foreign country in which a source is headquartered or conducts operations);
(5) Implications to government mission(s) or assets, national security, homeland security, or critical functions associated with use of a source or covered article;
(6) Vulnerability of Federal systems, programs, or facilities;
(7) Market alternatives to the covered source;
(8) Potential impact or harm caused by the possible loss, damage, or compromise of a product, material, or service to an organization's operations or mission;
(9) Likelihood of a potential impact or harm, or the exploitability of a system;
(10) Security, authenticity, and integrity of covered articles and their supply and compilation chain;
(11) Capacity to mitigate risks identified;
(12) Factors that may reflect upon the reliability of other supply chain risk information; and
(13) Any other considerations that would factor into an analysis of the security, integrity, resilience, quality, trustworthiness, or authenticity of covered articles or sources.

Covered Article

Covered article means any of the following:

(1) Information technology, as defined in 40 U.S.C. 11101, including cloud computing services of all types;
(2) Telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153);
(3) The processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program or subsequent U.S. Government program for controlling sensitive unclassified information; or
(4) Hardware, systems, devices, software, or services that include embedded or incidental information technology.


CISA Resources

FASCSA Orders Slick Sheet (PDF, 354.96 KB)

Voluntary Information Submission

All Federal and non-Federal entities may voluntarily submit to the FASC information relevant to SCRM, covered articles, sources, or covered procurement actions.

Submit Supply Chain Risk Information (SCRI)