ICT SCRM Task Force

Image of a globe with circular icons of various transportation modes (e.g., a truck, airplane, ship, trolley) connected by a web of lines. A supply chain is only as strong as its weakest link. The cyber threat from foreign adversaries, hackers, and criminals presents new and significant risks to government and industry. Constant, targeted, and well-funded attacks by malicious actors threaten government and industry alike by way of their contractors, sub-contractors, and suppliers at all tiers of the supply chain. Sophisticated threat actors exploit vulnerabilities deep in the information and communications technology (ICT) supply chain as a beachhead from which they can gain access to sensitive and proprietary information further along the chain.

The ICT Supply Chain Risk Management (SCRM) Task Force—sponsored by CISA’s National Risk Management Center (NRMC)—is the United States’ preeminent public-private supply chain risk management partnership, established in response to these realities and entrusted with the critical mission of identifying and developing consensus strategies that enhance ICT supply chain security.

ANNOUNCEMENTS

May 10, 2021: We are pleased to announce the publication of the ICT Supply Chain Risk Management Toolkit—which includes strategic messaging, social media, videos, and resources—designed to be utilized by stakeholders to emphasize the role that we all have in ICT supply chains.

To learn more, visit the ICT Supply Chain Risk Management Toolkit.

Overview

From satellite connectivity to financial transactions, thousands of businesses, organizations, and governments rely on ICT to store information on, interact with, and deliver services to end-users. Additionally, ICT has helped transform the nation’s 16 critical infrastructure sectors into an interconnected ecosystem.

In December 2018, DHS established the ICT SCRM Task Force with representatives from the public and private sectors to identify challenges and develop workable solutions for managing risks to the global ICT supply chain. Since it’s establishment, the Task Force launched several working groups to:

Develop a common framework for the bi-directional sharing of SCRM threat information between government and industry;
Identify processes and criteria for threat-based evaluation of ICT supplies, products, and services;
Identify of market segment(s) and evaluation criteria for Qualified Bidder and Manufacturer List(s);
Produce policy recommendations to incentivize the purchase of ICT from original manufacturers or authorized resellers; and
Develop a SCRM assurance template for vendors.

Read the Task Force’s Year 2 Report to learn more about its progress and accomplishments from these working groups over the past two years.

While ICT products and services have allowed for a rapid and dramatic change in how we work, learn, and socialize, it also presents broad attack surfaces for adversaries to find innovative ways to potentially infiltrate, exploit, and/or corrupt equipment, systems, and information used every day by the government, industry, and private citizens.

Recognizing the importance of securing ICT supply chains, on May 15, 2019, the Executive Order (E.O.) 13873 on Securing the Information and Communications Technology and Services Supply Chain was signed into law. E.O. 13873 directs the federal government to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.

CISA’s NRMC is well positioned to synchronize interagency ICT SCRM efforts across the Department and to build resilience by enhancing coordination and collaboration with the private sector through the ICT SCRM Task Force.

ICT SCRM Task Force Members

The ICT SCRM Task Force is composed of a diverse range of representatives from large and small private sector organizations within the Information Technology (IT) and Communications sectors and federal agencies. This includes subject matter experts, infrastructure owners and operators, and other key stakeholders who provide recommendations and guidance to help shape trusted supply chain practices..

Companies and organizations participating in the Task Force include:

Government	IT Sector	Communications Sector
Federal Bureau of Investigation	Accenture	AT&T
Federal Communications Commission	BSA	Charter Communications
Federal Energy Regulatory Commission	CyberRx	Comcast
General Services Administration	Cybersecurity Coalition	CompTIA
National Aeronautics and Space Administration	Cyxtera	Cox
Office of the Comptroller of the Currency	Dell	CTIA
Pennsylvania Chief Information Security Officer	FireEye	Ericsson
U.S. Department of Commerce	General Dynamics Information Technology	iconectiv
U.S. Department of Defense	HP	Lumen
U.S. Department of Energy	IBM	National Association of Broadcasters
U.S. Department of Health and Human Services	Information Technology Information Sharing and Analysis Center	NCTA
U.S. Department of Homeland Security	Information Technology Industry Council	NTT
U.S. Department of Justice	Intel	Pioneer
U.S. Department of the Treasury	Interos	TIA
U.S. Nuclear Regulatory Commission	Microsoft	T-Mobile
U.S. Office of the Director of National Intelligence	Palo Alto Networks	USTelecom
U.S. Social Security Administration	Samsung	Verizon Wireless
U.S. Department of State	Synopsys	–-
–-	Threat Sketch	–-

ICT SCRM Task Force in Action

In response to requirements in E.O. 13873, the ICT SCRM Task Force worked with industry and government partners to:

Develop a standardized taxonomy of ICT elements (e.g., hardware, software, and services)
Perform criticality assessments on these ICT elements with appropriate stakeholder input
Assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communications.

These resources are provided "as is" for informational purposes only. The assessment methodology can be used as an input to a risk assessment, but, by itself, is not sufficient for a comprehensive review of risk.

Additionally, as new risks emerge—such as the impact of the COVID-19 global pandemic on the globalized model of supply chains—the Task Force will develop new resources (such as the Lessons Learned During The Covid-19 Pandemic Analysis Report) and assist with identifying new priorities and developing recommendations that businesses, organizations, and governments may adopt to increase the resilience of their supply chains, and as a result, also help strengthen national security, economic security, and public health and safety.

ICT SCRM Task Force Year 2.5 Activities

In January 2021, a six-month extension to the Task Force’s charter was signed. The extension will allow the Task Force to continue its work as outlined in the Year 2 Report, launch new WGs and efforts, and release new resources through July 2021. The extension will also ensure both government and industry members can continue to collaborate on other ongoing public-private engagement efforts around supply chain, and support the Federal Acquisition Security Council (FASC).

Over the course of the next several months, the Task Force’s efforts include work by the:

Information Sharing Working Group: To better understand challenges surrounding the bi-directional sharing of SCRM information, this WG will steer its focus on proposing paths, such as long-term policy and legal changes, that will give liability protection to the private sector in order to promote information sharing about suspect suppliers.
Small and Medium-sized Businesses (SMB) Working Group: SMBs play a significant role in our nation’s economy and are at the heart of many industries, such as manufacturing. However, many SMBs may find it difficult to institutionalize Federal Supply Chain guidance due to limited finances, resources, and employees. This WG will engage the SMB community to understand their needs and tailor Task Force products to make them more applicable to SMBs.
Product Use Acceleration Working Group: Accelerating the applicability and utilization of Task Force products will help organizations manage impacts of supply chain risks. This WG will engage with government agencies; state, local, territorial, and tribal entities; academia; and non-governmental entities on how to apply Task Force products in their businesses, pilot specific products to test their usability, and incorporate feedback to ensure products continue to be useful and provide meaningful information.
Study Group on Lessons Learned from Recent Software Supply Chain Attacks: As cyber attacks become more sophisticated, the roles of the chief information officer (CIO), chief information security officer (CISO), and IT or cyber security personnel are essential for safeguarding an organization’s information and assets. This study will dive into how the Task Force can support CIOs, CISOs, and other security personnel in making better risk-informed decisions when procuring or deploying certain ICT products—especially ones with high-level administrative access across an organization.

ICT SCRM Resources and News

ICT SCRM Latest News

Blog Article – April is National Supply Chain Integrity Month - Week 4: Knowing the Essentials
Blog Article – April is National Supply Chain Integrity Month - Week 3: Understanding Supply Chain Threats
Blog Article – April is National Supply Chain Integrity Month - Week 2: Assessing ICT Trustworthiness
Blog Article – April is National Supply Chain Integrity Month
Blog Article – Task Force Establishes Way Forward After Charter Extension: Year 2.5
Blog Article – Building Collective Resilience for the ICT Supply Chain
Press Release – CISA’s ICT SCRM Task Force Approves Recommendations and Interim Report
Press Release – CISA Releases Analysis Report on COVID-19 Impact to ICT Global Supply Chains
Press Release – CISA Releases ICT SCRM Task Force Year 2 Report
Press Release – CISA Announces Extension of the ICT SCRM Task Force

For questions or comments, email ict_scrm_taskforce@hq.dhs.gov.