These resources and tools were developed by the ICT Supply Chain Risk Management (SCRM) Task Force—a public-private partnership that represents the Agency’s collective approach to enhancing supply chain resilience. Representatives include subject matter experts, infrastructure owners/operators, and other key stakeholders from the Information Technology (IT) sector, Communications sector, and federal agencies.
While the Task Force’s products are available to all stakeholders, they are especially useful for:
- Acquisitions and procurements professionals;
- Personnel whose role is in legal, logistics, marketing, and product development;
- Information Technology (IT) or cyber security personnel;
- Risk management officials and personnel;
- Personnel who manage vendor and supplier lists; and
- Software customers and vendors.
This report provides an overview of the Task Force and its first year’s efforts in addressing SCRM challenges such as information sharing; evaluating supply chain threats; identifying criteria, processes and structures for establishing Qualified Bidder Lists (QBL) and Qualified Manufacturer Lists (QML); and policy recommendations for incentivizing the purchase of ICT from original equipment manufacturers and authorized resellers.
This report showcases the Task Force’s collective ongoing efforts to address challenges to information sharing, threat analysis, qualified bidder and qualified manufacturer lists, vendor assurance, as well as an ad-hoc effort on the COVID-19 pandemic impacts on ICT supply chains.
This analysis report examines how the COVID-19 pandemic impacted the logistical supply chains of ICT companies and provides recommendations on how organizations can increase their supply chain resilience against future risks. The report studies key supply chain operational areas such as inventory management, supply chain mapping/transparency, and supply chain diversity to understand and document impacts to organizations' supply chains due to COVID-19.
This resource adapts the previously released enterprise Vendor Template for use specifically by SMBs. The product provides guidance on applying industry standards and best practices for reporting and vetting processes when purchasing ICT hardware, software, and services. Additionally, download the spreadsheet version of this SMB Vendor SCRM Template, which is an alternate tool for using this product and is intended to accommodate yes, no, or partial responses to each of the questions.
This product provides research by subject matter experts on addressing liability limitations to improve sharing of supply chain risk information (SCRI) among the federal government and private industry. It provides guidance on applying industry standards and best practices for reporting and vetting processes when purchasing ICT hardware, software, and services.
This initial report on Threat Scenarios focused specifically on “suppliers.” The Task Force leveraged the NIST Risk Management Practices described in NIST SP 800-161 to help guide the analysis of the supply chain risk management threats and threat sources. Threat scenarios across nine supplier threat categories provide insights into the processes and criteria for conducting supplier threat assessment. Each scenario specified the threat, source(s) or actor(s), outcome, and mitigating strategies.
Version 2 adds the assessment of “impacts” and “mitigating” controls to the nine supplier threat scenarios originally provided. Version 2 also includes example-based threat mitigating strategies and SCRM controls that may reduce the impact of these threats.
Version 3 provides practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied by procurement or source selection officials. The latest version adds the assessment of products and services to include scenario-specific impacts and mitigating controls to the supplier threat scenarios.
This report provides organizations a list of evaluation criteria and factors that can be used to inform their decision to build or rely on a qualified list for the acquisition of ICT products and services while managing supply chain risks.
This Template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The template provides organizations clarity for reporting and vetting processes when purchasing ICT hardware, software, and services.
Task Force Videos
Building a More Resilient ICT Supply Chain: Lessons Learned During The COVID-19 Pandemic highlights the impacts to ICT supply chains from the COVID-19 pandemic such as vendor transparency, single region/single source suppliers, and inventory management. In this video, Chris Oatway, an ICT SCRM Task Force member who helped develop the Report, highlights these important issues and discusses how the Report can help your organization build supply chain resilience.
- YouTube URL: www.youtube.com/watch?v=07-WWpqPWcM
Evaluating Vendor and Supplier Trustworthiness highlights two resources that can help organizations and businesses assess the trustworthiness of their vendors and suppliers and their potential usefulness to your organization: the report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists and the Vendor SCRM Template. In this video, David George and Renee Johnson, two ICT SCRM Task Force members who helped develop these products, explain the potential usefulness to industry.
- YouTube URL: www.youtube.com/watch?v=bf_M_47BNkw
Impact Analysis and Mitigation of ICT Supply Chain Threats highlights Version 3.0 of the Threat Scenarios Report, which uses the NIST Risk Management Framework to identify and analyze potential threat scenarios that can occur in a global ICT supply chain and how best to mitigate against these threats. In this video, Task Force member Drew Morin details how the report provides practical, example-based guidance that can be used by procurement or source selection officials in government and industry to assess supply chain risks and develop practices and procedures to manage the potential impact of these threats.
- YouTube URL: https://www.youtube.com/watch?v=3MJBYrQA1tg
Mitigating ICT Supply Chain Risk for Small and Medium-sized Businesses presents use cases that small and medium-sized IT and communications providers commonly encounter when using the Vendor Supply Chain Risk Management Template, which is another Task Force product. The guide (which includes an easy-to-use spreadsheet as an alternate tool) focuses on select questions from the Template that are most relevant to SMBs in order to make this resource more accessible and relevant to this cohort of providers. In this video, Ola Sage, a Task Force member who helped develop this guide, explains its usefulness and how it can help increase SMB supply chain resilience.
- YouTube URL: https://www.youtube.com/watch?v=te1CFaV0cUs
Preliminary Considerations for Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information focuses on issues related to the sharing of supply chain risk information (SCRI) among the federal government and industry. In this video, Edna Conway, a Task Force member who helped to develop this resource, highlights these important issues and discusses how the report both identifies the single most impactful barrier to SCRI and proposes liability protections for consideration.
- YouTube URL: https://www.youtube.com/watch?v=ynPsOto-VoM
For questions or comments, email email@example.com.