ICT Supply Chain Risk Management Task Force Resources

These resources and tools were developed by the ICT Supply Chain Risk Management (SCRM) Task Force, a public-private partnership that represents the Agency’s collective approach to enhancing supply chain resilience. Representatives include subject matter experts, infrastructure owners/operators, and other key stakeholders from the Information Technology (IT) sector, Communications sector, and federal agencies.

While the Task Force’s products are available to all stakeholders, they are especially useful for:

Acquisitions and procurements professionals;

Personnel whose role is in legal, logistics, marketing, and product development;

Information Technology (IT) or cyber security personnel;

Risk management officials and personnel;

Personnel who manage vendor and supplier lists; and

Software customers and vendors.

Task Force Resources

ICT SCRM Task Force Interim Report

This report provides an overview of the Task Force and its first year’s efforts in addressing SCRM challenges such as information sharing; evaluating supply chain threats; identifying criteria, processes and structures for establishing Qualified Bidder Lists (QBL) and Qualified Manufacturer Lists (QML); and policy recommendations for incentivizing the purchase of ICT from original equipment manufacturers and authorized resellers.

ICT SCRM Task Force Year Two Report

This report showcases the Task Force’s collective ongoing efforts to address challenges to information sharing, threat analysis, qualified bidder and qualified manufacturer lists, vendor assurance, as well as an ad-hoc effort on the COVID-19 pandemic impacts on ICT supply chains.

ICT SCRM Task Force Lessons Learned During the COVID-19 Pandemic Analysis Report

This analysis report examines how the COVID-19 pandemic impacted the logistical supply chains of ICT companies and provides recommendations on how organizations can increase their supply chain resilience against future risks. The report studies key supply chain operational areas such as inventory management, supply chain mapping/transparency, and supply chain diversity to understand and document impacts to organizations’ supply chains due to COVID-19.

ICT SCRM Task Force Operationalizing Vendor SCRM Template for Small and Medium-sized Businesses 

This resource adapts the previously released enterprise Vendor Template for use specifically by SMBs. The product provides guidance on applying industry standards and best practices for reporting and vetting processes when purchasing ICT hardware, software, and services. Additionally, download the spreadsheet version of this SMB Vendor SCRM Template, which is an alternate tool for using this product, intended to accommodate yes, no, or partial responses to each of the questions.

ICT SCRM Task Force Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information 

This product provides research by subject matter experts in addressing liability limitations to improve sharing of SCRI among the federal government and private industry. It provides guidance on applying industry standards and best practices for reporting and vetting processes when purchasing ICT hardware, software, and services. 

ICT SCRM Task Force Threat Scenarios Report (Version 1)

This initial report on Threat Scenarios focused specifically on “suppliers.” The Task Force leveraged the NIST Risk Management Practices described in NIST SP 800-161 to help guide the analysis of the supply chain risk management threats and threat sources. Threat scenarios across nine supplier threat categories provide insights into the processes and criteria for conducting supplier threat assessment. Each scenario specified the threat, source(s) or actor(s), outcome, and mitigating strategies.

ICT SCRM Task Force Threat Scenarios Report (Version 2) 

Version 2 adds the assessment of “impacts” and “mitigating” controls to the nine supplier threat scenarios originally provided. Version 2 also includes example-based threat mitigating strategies and SCRM controls that may reduce the impact of these threats.

ICT SCRM Task Force Threat Scenarios Report (Version 3) 

Version 3 provides practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied by procurement or source selection officials. The latest version adds the assessment of products and services to include scenario-specific impacts and mitigating controls to the supplier threat scenarios.

ICT SCRM Task Force Report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists 

This report provides organizations a list of evaluation criteria and factors that can be used to inform their decision to build or rely on a qualified list for the acquisition of ICT products and services while managing supply chain risks.

ICT SCRM Task Force Vendor SCRM Template 

This Template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The template provides organizations clarity for reporting and vetting processes when purchasing ICT hardware, software, and services.

Task Force Videos

Building a More Resilient ICT Supply Chain: Lessons Learned During The COVID-19 Pandemic highlights the impacts to ICT supply chains from the COVID-19 pandemic such as vendor transparency, single region/single source suppliers, and inventory management. In this video, Chris Oatway, an ICT SCRM Task Force member who helped develop the Report, highlights these important issues and discusses how the Report can help your organization build supply chain resilience.

Evaluating Vendor and Supplier Trustworthiness highlights two resources that can help organizations and businesses assess the trustworthiness of their vendors and suppliers and their potential usefulness to your organization: the report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists and the Vendor SCRM Template. In this video, David George and Renee Johnson, two ICT SCRM Task Force members who helped develop these products, explain the potential usefulness to industry.


Impact Analysis and Mitigation of ICT Supply Chain Threats highlights Version 3.0 of the Threat Scenarios Report, which uses the NIST Risk Management Framework to identify and analyze potential threat scenarios that can occur in a global ICT supply chain and how best to mitigate against these threats. In this video, Task Force member Drew Morin details how the report provides practical, example-based guidance that can be used by procurement or source selection officials in government and industry to assess supply chain risks and develop practices and procedures to manage the potential impact of these threats.

Mitigating ICT Supply Chain Risk for Small and Medium-sized Businesses presents use cases that small and medium-sized IT and communications providers commonly encounter when using the Vendor Supply Chain Risk Management Template, which is another Task Force product. The guide (which includes an easy-to-use spreadsheet as an alternate tool) focuses on select questions from the Template that are most relevant to SMBs in order to make this resource more accessible and relevant to this cohort of providers. In this video, Ola Sage, a Task Force member who helped develop this guide, explains its usefulness and how it can help increase SMB supply chain resilience.

Preliminary Considerations for Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information focuses on issues related to the sharing of supply chain risk information (SCRI) among the federal government and industry. In this video, Edna Conway, a Task Force member who helped to develop this resource, highlights these important issues and discusses how the report both identifies the single most impactful barrier to SCRI and proposes liability protections for consideration.

For questions or comments, email ict_scrm_taskforce@cisa.dhs.gov.
