ICT SCRM Task Force

With the nation’s critical infrastructure dependent on information and communications technology (ICT) to operate, disruptions or security incidents impacting the ICT supply chain can have cascading impacts within and across organizations, sectors, and the National Critical Functions (NCFs). The consequences of a supply chain incident can extend beyond the initially targeted organization to a larger ecosystem of vendors, suppliers, and customers.

The ICT Supply Chain Risk Management (SCRM) Task Force—sponsored by CISA’s National Risk Management Center (NRMC)—is the United States’ preeminent public-private supply chain risk management partnership established in response to these potential occurrences and entrusted with the critical mission of identifying and developing consensus strategies that enhance ICT supply chain security.


ICT SCRM Task Force Resources	ICT Supply Chain Resource Library	Executive Order 14017

ANNOUNCEMENT

September 1, 2022: Today, CISA, the National Security Agency (NSA), and the Office of the Director for National Intelligence released the Securing the Software Supply Chain: Recommended Practices for Developer that was developed by the Enduring Security Framework Working Group (a cross-sector, public-private working group). This guide is the first of a three-part series that addresses high priority cyber-based threats to the nation’s critical infrastructure. Part I focuses on principals to include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing).

Download/share: Securing the Software Supply Chain: Recommended Practices for Developer

Overview

Thousands of businesses, organizations, and governments rely on ICT to store information on, interact with, and deliver services to end-users. Additionally, ICT has helped transform the nation’s 16 critical infrastructure sectors into an interconnected ecosystem. In December 2018, the Department of Homeland Security established the ICT SCRM Task Force—a public-private partnership charged with identifying challenges and developing actionable solutions to enhance global ICT supply chain resilience. Composed of federal government and industry representatives from across the Information Technology and Communications Sectors, the Task Force serves as the Agency’s center of gravity for supply chain risk management partnership activity.

While ICT products and services have allowed for a rapid and dramatic change in how we work, learn, and socialize, it also presents broad attack surfaces for adversaries to find innovative ways to potentially infiltrate, exploit, and/or corrupt equipment, systems, and information used every day by the government, industry, and private citizens. Recognizing the importance of securing ICT supply chains, on May 15, 2019, the Executive Order (E.O.) 13873 on Securing the Information and Communications Technology and Services Supply Chain was signed into law. E.O. 13873 directs the federal government to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.

CISA is well positioned to synchronize interagency supply chain efforts across the Department to build resilience by enhancing coordination and collaboration with the private sector through the ICT SCRM Task Force. Learn more about CISA's E.O. 13873 response efforts.

ICT SCRM Task Force Members

The ICT SCRM Task Force is composed of a diverse range of representatives from large and small private sector organizations within the Information Technology (IT) and Communications sectors, ICT associations, and federal agencies. Members include subject matter experts, ICT sector owners and operators, and other key stakeholders who provide recommendations and guidance to help shape trusted supply chain practices.

Companies and organizations participating in the Task Force include:

Government	IT Sector	Communications Sector	Other
American Petroleum Institute	Accenture	ACT \| The App Association	CREST International
CIA	Amazon	AT&T	National Cyber Security Centre (U.K.)
Federal Bureau of Investigation	Analog Devices	Blue Valley Telecommunications	RAND
Federal Communications Commission	Belkin International	Charter Communications	Safecode
Federal Deposit Insurance Corporation	BlueVoyant	Comcast	SoftIron, Inc.
Federal Energy Regulatory Commission	BSA		Xcel Energy
General Services Administration	CDW-G	CompTIA	—
Idaho National Lab	CISCO	Cox	—
National Aeronautics and Space Administration	Consumer Technology Association (CTA)	CTIA	—
National Association of State Chief Information Officers	CyberRx	Ericsson	—
National Association of State Procurement Officials	Cyxtera	E.W. Scripps Company	—
National Institute of Standards and Technology	Dell	Hubbard Broadcasting	—
National Security Agency	FireEye	iconectiv	—
National Telecommunications and Information Administration	Fortress Information Security	Lumen	—
Nuclear Regulatory Commission	General Dynamics Information Technology	National Association of Broadcasters	—
Office of Intelligence and Analysis	Hewlett Packard Enterprise	National Telecommunications Cooperative Association (NTCA)	—
Office of Management and Budget	Hodgkins Consulting	NTT	—
Office of the Comptroller of the Currency	HP	Premier Communications	—
Small Business Administration	Hunter Strategy	Pioneer	—
State of Alabama Chief Information Security Officer/Cyber Security Working Group	IBM	Quincy Media	—
State of Pennsylvania Chief Information Security Officer/Cyber Security Working Group	Information Technology Information Sharing and Analysis Center	Sprint	—
U.S. Department of Commerce	Information Technology Industry Council	TIA	—
U.S. Department of Defense	Intel	T-Mobile	—
U.S. Department of Energy	Interos	USTelecom	—
U.S. Department of Health and Human Services	Juniper	Verizon Wireless	—
U.S. Department of Homeland Security	Linode	—	—
U.S. Department of Justice	Microsoft	—	—
U.S. Department of State	MITRE	—	—
U.S. Department of the Treasury	MongoDB	—	—
U.S. Office of the Director of National Intelligence	NetApp	—	—
U.S. Social Security Administration	Palo Alto Networks	—	—
—	Rehancement Group	—	—
—	Reliable Energy Analytics	—	—
—	River Winds Computing	—	—
—	Samsung	—	—
—	SecurityScorecard	—	—
—	Sightline Security	—	—
—	Software Engineering Institute - Carnegie Mellon University	—	—
—	Synopsys	—	—
—	Tenable	—	—
—	The Open Group	—	—
—	Threat Sketch	—	—
—	Venable, LLC	—	—
—	VMware	—	—

ICT SCRM Task Force in Action

In response to requirements in E.O. 13873, the ICT SCRM Task Force worked with industry and government partners to:

Develop a standardized taxonomy of ICT elements (e.g., hardware, software, and services)
Perform criticality assessments on these ICT elements with appropriate stakeholder input
Assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communications.

These resources are provided "as is" for informational purposes only. The assessment methodology can be used as an input to a risk assessment, but, by itself, is not sufficient for a comprehensive review of risk.

Additionally, as new risks emerge—such as the impact of the COVID-19 global pandemic on the globalized model of supply chains—the Task Force will develop new resources (such as the Lessons Learned During The Covid-19 Pandemic Analysis Report) and assist with identifying new priorities and developing recommendations that businesses, organizations, and governments may adopt to increase the resilience of their supply chains, and as a result, also help strengthen national security, economic security, and public health and safety.

ICT SCRM Task Force Year 3 Activities

	Hardware Bills of Materials (HBOM) Working Group, which will identify use cases for HBOMs and develop a taxonomy for HBOM data fields that could help inform the development of related guidance.
	Small and Medium-sized Businesses Working Group, which will continue to develop guidance for the small and medium-sized community to assist with their establishment and conduct of supply chain risk management programs and policies.
	Software Assurance Working Group, which will develop a Buyer's Guide that will help ensure that buyers, suppliers, and acquisition specialists refer to one piece of guidance that includes all important documentation regarding the implementation, security, and reliability of software assurance as well as the risks that can arise.
	Product Marketing Working Group, which will undertake a marketing campaign to increase stakeholders’ awareness of the Task Force and its products, as well as engage with stakeholders to gather feedback on the Task Force’s products.

ICT SCRM Resources & News

For ICT supply chain resources, visit the ICT Supply Chain Resource Library.
For resources by the Task Force, visit the ICT SCRM Task Force Resources.
To understand SCRM and the role it plays within our society, take the free online FedVTE course: Cyber Supply Chain Risk Management for the Public. This three-part course provides an introduction of what a supply chain is, how adversaries target supply chains, and steps that individuals and organizations can take to improve supply chain security. No log-in required.

Latest News

Blog Article – April is National Supply Chain Integrity Month – Fortify The Chain!
Press Release – CISA and Partners Promote Call to Action During National Supply Chain Integrity Month
Joint Statement – Joint Statement by Secretaries Raimondo and Mayorkas on Assessment of Critical Supply Chains Supporting the Information and Communications Technology Industry (dhs.gov)
Press Release – ICT Supply Chain Risk Management Task Force Announces New Members and Approves A New 2022 Working Group

For questions or comments, email ict_scrm_taskforce@hq.dhs.gov.