A supply chain is only as strong as its weakest link. The cyber threat from foreign adversaries, hackers, and criminals presents new and significant risks to government and industry. Constant, targeted, and well-funded attacks by malicious actors threaten government and industry alike by way of their contractors, sub-contractors, and suppliers at all tiers of the supply chain. Sophisticated threat actors exploit vulnerabilities deep in the information and communications technology (ICT) supply chain as a beachhead from which they can gain access to sensitive and proprietary information further along the chain.
The ICT Supply Chain Risk Management (SCRM) Task Force—sponsored by CISA’s National Risk Management Center (NRMC)—is the United States’ preeminent public-private supply chain risk management partnership, established in response to these realities and entrusted with the critical mission of identifying and developing consensus strategies that enhance ICT supply chain security.
ANNOUNCEMENT
January 11, 2022: Today, CISA announced the ICT Supply Chain Risk Management Task Force’s three new government members and its 2022 workplan. Going forward, the Task Force will continue its progress on two previous efforts; launch a new working group focused on hardware bill of materials; scope two additional topics; and expand its relationships with international partners, new sectors, and stakeholders.
- To learn more, read CISA’s press release: ICT Supply Chain Risk Management Task Force Announces New Members And Approves A New 2022 Working Group
Overview
From satellite connectivity to financial transactions, thousands of businesses, organizations, and governments rely on ICT to store information on, interact with, and deliver services to end-users. Additionally, ICT has helped transform the nation’s 16 critical infrastructure sectors into an interconnected ecosystem. In December 2018, the Department of Homeland Security established the ICT SCRM Task Force—a public-private partnership charged with identifying challenges and developing actionable solutions to enhance global ICT supply chain resilience. Composed of federal government and industry representatives from across the Information Technology and Communications Sectors, the Task Force serves as the Agency’s center of gravity for supply chain risk management partnership activity.
While ICT products and services have allowed for a rapid and dramatic change in how we work, learn, and socialize, it also presents broad attack surfaces for adversaries to find innovative ways to potentially infiltrate, exploit, and/or corrupt equipment, systems, and information used every day by the government, industry, and private citizens. Recognizing the importance of securing ICT supply chains, on May 15, 2019, the Executive Order (E.O.) 13873 on Securing the Information and Communications Technology and Services Supply Chain was signed into law. E.O. 13873 directs the federal government to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.
CISA’s NRMC is well positioned to synchronize interagency ICT SCRM efforts across the Department and to build resilience by enhancing coordination and collaboration with the private sector through the ICT SCRM Task Force.
ICT SCRM Task Force Members
The ICT SCRM Task Force is composed of a diverse range of representatives from large and small private sector organizations within the Information Technology (IT) and Communications sectors and federal agencies. This includes subject matter experts, infrastructure owners and operators, and other key stakeholders who provide recommendations and guidance to help shape trusted supply chain practices.
Companies and organizations participating in the Task Force include:
|
Government |
IT Sector |
Communications Sector |
Other |
|---|---|---|---|
|
American Petroleum Institute |
Accenture |
ACT | The App Association |
CREST International |
|
CIA |
Amazon |
AT&T |
National Cyber Security Centre (U.K.) |
|
Federal Bureau of Investigation |
Analog Devices |
Blue Valley Telecommunications |
RAND |
|
Federal Communications Commission |
Belkin International |
Charter Communications |
Safecode |
|
Federal Deposit Insurance Corporation |
BlueVoyant |
Comcast |
SoftIron, Inc. |
|
Federal Energy Regulatory Commission |
BSA |
Xcel Energy |
|
|
General Services Administration |
CDW-G |
CompTIA |
— |
|
Idaho National Lab |
CISCO |
Cox |
— |
|
National Aeronautics and Space Administration |
Consumer Technology Association (CTA) |
CTIA |
— |
|
National Association of State Chief Information Officers |
CyberRx |
Ericsson |
— |
|
National Association of State Procurement Officials |
Cyxtera |
E.W. Scripps Company |
— |
|
National Institute of Standards and Technology |
Dell |
Hubbard Broadcasting |
— |
|
National Security Agency |
FireEye |
iconectiv |
— |
|
National Telecommunications and Information Administration |
Fortress Information Security |
Lumen |
— |
|
Nuclear Regulatory Commission |
General Dynamics Information Technology |
National Association of Broadcasters |
— |
|
Office of Intelligence and Analysis |
Hewlett Packard Enterprise |
National Telecommunications Cooperative Association (NTCA) |
— |
|
Office of Management and Budget |
Hodgkins Consulting |
NTT |
— |
|
Office of the Comptroller of the Currency |
HP |
Premier Communications |
— |
|
Small Business Administration |
Hunter Strategy |
Pioneer |
— |
|
State of Alabama Chief Information Security Officer/Cyber Security Working Group |
IBM |
Quincy Media |
— |
|
State of Pennsylvania Chief Information Security Officer/Cyber Security Working Group |
Information Technology Information Sharing and Analysis Center |
Sprint |
— |
|
U.S. Department of Commerce |
Information Technology Industry Council |
TIA |
— |
|
U.S. Department of Defense |
Intel |
T-Mobile |
— |
|
U.S. Department of Energy |
Interos |
USTelecom |
— |
|
U.S. Department of Health and Human Services |
Juniper |
Verizon Wireless |
— |
|
U.S. Department of Homeland Security |
Linode |
— |
— |
|
U.S. Department of Justice |
Microsoft |
— |
— |
|
U.S. Department of State |
MITRE |
— |
— |
|
U.S. Department of the Treasury |
MongoDB |
— |
— |
|
U.S. Nuclear Regulatory Commission |
NetApp |
— |
— |
|
U.S. Office of the Director of National Intelligence |
Palo Alto Networks |
— |
— |
|
U.S. Social Security Administration |
Rehancement Group |
— |
— |
|
— |
Reliable Energy Analytics |
— |
— |
|
— |
River Winds Computing |
— |
— |
|
— |
Samsung |
— |
— |
|
— |
Sightline Security |
— |
— |
|
— |
Software Engineering Institute - Carnegie Mellon University |
— |
— |
|
— |
Synopsys |
— |
— |
|
— |
Tenable |
— |
— |
|
— |
The Open Group |
— |
— |
|
— |
Threat Sketch |
— |
— |
|
— |
Venable, LLC |
— |
— |
|
— |
Vmware |
— |
— |
ICT SCRM Task Force in Action
In response to requirements in E.O. 13873, the ICT SCRM Task Force worked with industry and government partners to:
- Develop a standardized taxonomy of ICT elements (e.g., hardware, software, and services)
- Perform criticality assessments on these ICT elements with appropriate stakeholder input
- Assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communications.
These resources are provided "as is" for informational purposes only. The assessment methodology can be used as an input to a risk assessment, but, by itself, is not sufficient for a comprehensive review of risk.
- Paper on E.O. 13873 Response: Methodology for Assessing the Most Critical ICT and Services
- Frequently Asked Questions: DHS's ICT Methodology in Support of E.O. 13873
Additionally, as new risks emerge—such as the impact of the COVID-19 global pandemic on the globalized model of supply chains—the Task Force will develop new resources (such as the Lessons Learned During The Covid-19 Pandemic Analysis Report) and assist with identifying new priorities and developing recommendations that businesses, organizations, and governments may adopt to increase the resilience of their supply chains, and as a result, also help strengthen national security, economic security, and public health and safety.
ICT SCRM Task Force Year 3 Activities
Over the course of the next several months, the Task Force’s efforts include the launch of a new Hardware Bill of Materials Working Group; continuation of two current working groups; and scoping of two additional efforts related to promoting software assurance and the utility of Software Bill of Materials.
-
Hardware Bills of Materials Working Group which will identify appropriate information for a baseline hardware bill of materials template that can be used by organizations when procuring or deploying ICT products.
-
Small and Medium-sized Businesses Working Group which will engage the small and medium-sized community to understand and tailor Task Force products to meet their needs
-
Product Marketing Working Group, (formerly Product Use Acceleration), which will engage with stakeholders to ensure Task Force products provide useful and meaningful information.
ICT SCRM Resources and News
- CISA's ICT SCRM Essentials
- CISA's ICT SCRM Fact Sheet
- CISA's ICT Supply Chain Risks Infographic
- CISA and NIST’s Defending Against Software Supply Chain Attacks
- CISA Insights: Risk Considerations for Managed Service Provider Customers
- ICT SCRM Task Force Interim Report
- ICT SCRM Task Force: Lessons Learned During the COVID-19 Pandemic
- ICT SCRM Task Force Operationalizing Vendor SCRM Template for Small and Medium-sized Businesses
- Operationalizing Vendor SCRM Template for SMBs Spreadsheet is as an alternate tool to utilize this product, intended to allow options to accommodate yes, no, or partial responses to each of the questions.
- ICT SCRM Task Force Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information
- ICT SCRM Task Force Threat Scenarios Report (Version 1)
- ICT SCRM Task Force Threat Scenarios Report (Version 2)
- ICT SCRM Task Force Threat Scenarios Report (Version 3)
- ICT SCRM Task Force Year Two Report
- ICT SCRM Task Force Report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists
- ICT SCRM Task Force Vendor SCRM Template
- Internet of Things (IoT) Acquisition Guidance Document
- Overview of Risks Introduced by Fifth Generation (5G) Adoption in the United States
- Paper on E.O. 13873 Response: Methodology for Assessing the Most Critical ICT and Services
ICT SCRM News
- Blog Article – Going Beyond: Assessing Security Practices of IT Service Providers
- Blog Article – April is National Supply Chain Integrity Month - Week 4: Knowing the Essentials
- Blog Article – April is National Supply Chain Integrity Month - Week 3: Understanding Supply Chain Threats
- Blog Article – April is National Supply Chain Integrity Month - Week 2: Assessing ICT Trustworthiness
- Blog Article – April is National Supply Chain Integrity Month
- Blog Article – Task Force Establishes Way Forward After Charter Extension: Year 2.5
- Blog Article – Building Collective Resilience for the ICT Supply Chain
- Press Release – ICT Supply Chain Risk Management Task Force Announces New Members And Approves A New 2022 Working Group *new press release
- Press Release – CISA’s ICT SCRM Task Force Approves Recommendations and Interim Report
- Press Release – CISA Releases Analysis Report on COVID-19 Impact to ICT Global Supply Chains
- Press Release – CISA Releases ICT SCRM Task Force Year 2 Report
- Press Release – CISA Announces Extension of the ICT SCRM Task Force
For questions or comments, email ict_scrm_taskforce@hq.dhs.gov.