A supply chain is only as strong as its weakest link. The cyber threat from foreign adversaries, hackers, and criminals presents new and significant risks to government and industry. Constant, targeted, and well-funded attacks by malicious actors threaten government and industry alike by way of their contractors, sub-contractors, and suppliers at all tiers of the supply chain. Sophisticated threat actors exploit vulnerabilities deep in the information and communications technology (ICT) supply chain as a beachhead from which they can gain access to sensitive and proprietary information further along the chain.
The ICT Supply Chain Risk Management (SCRM) Task Force—sponsored by CISA’s National Risk Management Center (NRMC)—is the United States’ preeminent public-private supply chain risk management partnership, established in response to these realities and entrusted with the critical mission of identifying and developing consensus strategies that enhance ICT supply chain security.
ANNOUNCEMENT
November 2020: CISA published an analysis report, Lessons Learned During The COVID-19 Pandemic, which examines how the COVID-19 pandemic impacted the logistical supply chains of ICT companies. Developed by the ICT SCRM Task Force's COVID-19 Impact Study Working Group, the report focuses on key supply chain operational areas, such as inventory management, supply chain mapping/transparency, and supply chain diversity and provides recommendations on how organizations can increase their ICT supply chain resilience from future risks.
- Download/share the Lessons Learned During The COVID-19 Pandemic Report.
Overview
From satellite connectivity to financial transactions, thousands of businesses, organizations, and governments rely on ICT to store information on, interact with, and deliver services to end-users. Additionally, ICT has helped transform the nation’s 16 critical infrastructure sectors into an interconnected ecosystem.
In December 2018, DHS established the ICT SCRM Task Force with representatives from the public and private sectors to identify challenges and develop workable solutions for managing risks to the global ICT supply chain.
While ICT products and services have allowed for a rapid and dramatic change in how we work, learn, and socialize, it also presents broad attack surfaces for adversaries to find innovative ways to potentially infiltrate, exploit, and/or corrupt equipment, systems, and information used every day by the government, industry, and private citizens.
Recognizing the importance of securing ICT supply chains, on May 15, 2019, the Executive Order (E.O.) 13873 on Securing the Information and Communications Technology and Services Supply Chain was signed into law. E.O. 13873 directs the federal government to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.
CISA’s NRMC is well positioned to synchronize interagency ICT SCRM efforts across the Department and to build resilience by enhancing coordination and collaboration with the private sector through the ICT SCRM Task Force.
ICT SCRM Task Force Members
The ICT SCRM Task Force is composed of a diverse range of representatives from large and small private sector organizations within the Information Technology (IT) and Communications sectors and federal agencies. This includes subject matter experts, infrastructure owners and operators, and other key stakeholders who provide recommendations and guidance to help shape trusted supply chain practices..
Since it’s establishment, the Task Force has launched several main work streams:
- Developing recommendations for a common framework for the bi-directional sharing of SCRM threat information between government and industry
- Identifying processes and criteria for threat-based evaluation of ICT supplies, products, and services
- Identifying of market segment(s) and evaluation criteria for Qualified Bidder and Manufacturer List(s)
- Producing policy recommendations to incentivize the purchase of ICT from original manufacturers or authorized resellers
- Developing a SCRM assurance template for vendors
- Evaluating the impact of COVID-19 on the ICT supply chain
Companies and organizations participating in the Task Force include:
|
Government |
IT Sector |
Communications Sector |
|
Federal Bureau of Investigation |
Accenture |
AT&T |
|
Federal Communications Commission |
BSA |
Charter Communications |
|
Federal Energy Regulatory Commission |
CyberRx |
Comcast |
|
General Services Administration |
Cybersecurity Coalition |
CompTIA |
|
National Aeronautics and Space Administration |
Cyxtera |
Cox |
|
Office of the Comptroller of the Currency |
Dell |
CTIA |
|
Pennsylvania Chief Information Security Officer |
FireEye |
Ericsson |
|
U.S. Department of Commerce |
General Dynamics Information Technology |
iconectiv |
|
U.S. Department of Defense |
HP |
Lumen |
|
U.S. Department of Energy |
IBM |
National Association of Broadcasters |
|
U.S. Department of Health and Human Services |
Information Technology Information Sharing and Analysis Center |
NCTA |
|
U.S. Department of Homeland Security |
Information Technology Industry Council |
NTT |
|
U.S. Department of Justice |
Intel |
Pioneer |
|
U.S. Department of the Treasury |
Interos |
T-Mobile |
|
U.S. Nuclear Regulatory Commission |
Microsoft |
USTelecom |
|
U.S. Office of the Director of National Intelligence |
Palo Alto Networks |
Verizon Wireless |
|
U.S. Social Security Administration |
Samsung |
– |
|
U.S. Department of State |
Synopsys |
– |
|
– |
Threat Sketch |
– |
ICT SCRM Task Force in Action
In response to requirements in E.O. 13873, the ICT SCRM Task Force worked with industry and government partners to:
- Develop a standardized taxonomy of ICT elements (e.g., hardware, software, and services)
- Perform criticality assessments on these ICT elements with appropriate stakeholder input
- Assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communications.
These resources are provided "as is" for informational purposes only. The assessment methodology can be used as an input to a risk assessment, but, by itself, is not sufficient for a comprehensive review of risk.
- Paper on E.O. 13873 Response: Methodology for Assessing the Most Critical ICT and Services
- Frequently Asked Questions: DHS's ICT Methodology in Support of E.O. 13873
Additionally, as new risks emerge—such as the impact of the COVID-19 global pandemic on the globalized model of supply chains—the Task Force will develop new resources (such as the Lessons Learned During The Covid-19 Pandemic Analysis Report [hyperlink will be added]) and assist with identifying new priorities and developing recommendations that businesses, organizations, and governments may adopt to increase the resilience of their supply chains, and as a result, also help strengthen national security, economic security, and public health and safety.
Moving forward, the Task Force will partner with both government and industry partners to implement and create awareness around its recommendations. The Task Force will also consider launching new work streams to evaluate areas of supply chain risk. It will also continue to inventory existing industry and government supply chain initiatives which allows for information sharing and a more refined understanding of the current landscape. Overall, the Task Force will continue to drive unique solutions that enhance overall supply chain risk management security.
ICT SCRM Resources and News
- ICT SCRM Essentials
- ICT SCRM Fact Sheet
- ICT Supply Chain Risks Infographic
- ICT SCRM Task Force Interim Report
- ICT SCRM Task Force: Lessons Learned During the COVID-19 Pandemic
- ICT SCRM Task Force Threat Scenarios Report
- Internet of Things (IoT) Acquisition Guidance Document
- Overview of Risks Introduced by Fifth Generation (5G) Adoption in the United States
- Paper on E.O. 13873 Response: Methodology for Assessing the Most Critical ICT and Services
ICT SCRM Latest News
For questions or comments, email ict_scrm_taskforce@hq.dhs.gov.