This library is a non-exhaustive list of free, voluntary resources and information on supply chain programs, rulemakings, and other activities from across the federal government. The resources provide a better understanding of the wide array of supply chain risk management (SCRM) efforts and activities underway or in place.
Please engage directly with the owners of these programs to better understand the specifics of any of these individual authorities or programs, or reach out to update/expand this list.
- This resource provides a framework with an actionable checklist for government, organizations, and small and medium-sized businesses that use Managed Service Providers (MSPs) to manage their IT services, covering how to mitigate third-party risk and harden their networks to improve overall security and resilience.
- A guide for leaders and staff with actionable steps on how to start implementing organizational SCRM practices to improve their overall security resilience.
- A one-pager on the role of ICT in critical infrastructure operations, the risks ICT faces, and an overview of the Task Force.
- This infographic provides government and industry leaders at all levels insight into how vulnerabilities can be introduced into the ICT supply chain and the consequences of their exploitation.
- In response to Executive Order 13873, CISA's National Risk Management Center and the ICT SCRM Task Force worked with government and industry partners to describe a standardized taxonomy of ICT elements; perform criticality assessments on the ICT elements with appropriate stakeholder input; and assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services, including components enabling 5G communication.
- Supported by CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence, the Enduring Security Framework Working Group (a cross-sector, public-private working group) developed this guide, the first of a three-part series that addresses high-priority cyber-based threats to the nation’s critical infrastructure. Part I focuses on principles including security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing).
Other Resources, Programs, and Trainings
- This infographic provides a high-level overview of select mobile network equipment components market leaders, major components of 5G networking, and points of vulnerability in the 5G network.
- This free three-part course introduces what a supply chain is, how adversaries target supply chains, and steps that individuals and organizations can take to improve supply chain security. There are no log-in requirements.
- This resource, released by CISA and the National Institute of Standards and Technology (NIST), provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber SCRM (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks. It also provides in-depth recommendations and key steps for prevention, mitigation, and resilience of software supply chain attacks.
- This document highlights areas of elevated risk resulting from the software-enabled and connected aspects of IoT technologies and their role in the physical world. It provides information on certain vulnerabilities and weaknesses; suggests solutions for common challenges; and identifies factors to consider before purchasing or using IoT devices, systems, and services.
- This working group facilitates information sharing and the reduction of risk to the Nation’s industrial control systems. It provides a vehicle for communicating and partnering across all critical infrastructure sectors between federal agencies and departments, as well as private asset owners and operators of industrial control systems.
- This resource provides an overview of CISA’s preliminary analysis of the vulnerabilities likely to affect the secure adoption and implementation of 5G technologies. Examples of key findings include a potential increase in attack vectors due to the larger number of components required to deploy 5G, as well as the carry-over of legacy vulnerabilities from 4G/LTE, since 5G will initially be built on 4G infrastructure.
Building Collective Supply Chain Resilience highlights the role and importance of the ICT SCRM Task Force and working together to manage risks to the global ICT supply chain.
YouTube URL: www.youtube.com/watch?v=ZrzrvvGOpdE
Assessing ICT Trustworthiness highlights the importance of securing not only your organization’s immediate supply chain, but also the extended supply chains of your vendors and suppliers.
YouTube URL: www.youtube.com/watch?v=IOnO4tsL2fE
Understanding Supply Chain Threats emphasizes the importance of having security measures in place to mitigate the most common supply chain threats.
YouTube URL: www.youtube.com/watch?v=pq40KJVOoJg
Knowing the Essentials details how organizations and their staff can get started strengthening their SCRM practices and stay vigilant of the evolving threat environment.
YouTube URL: www.youtube.com/watch?v=XMuIG7s1DE0
ICT SCRM Task Force Resources
For resources by the ICT Supply Chain Risk Management Task Force, visit: ICT SCRM Task Force Resources.
Proposed Rulemakings and Executive Orders
- The Department of Commerce and Department of Homeland Security released a one-year report titled Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry. The report defines the critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes eight recommendations to mitigate risk and strengthen supply chain resiliency.
- For additional information, visit CISA's webpage on Executive Order 14017 or download/share the Fact Sheet on the Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry.
- Paper on EO 13873 Response: Methodology for Assessing the Most Critical ICT and Services and Frequently Asked Questions: DHS's ICT Methodology in Support of EO 13873: In response to EO 13873, CISA's National Risk Management Center and the ICT SCRM Task Force worked with government and industry partners to describe a standardized taxonomy of ICT elements; perform criticality assessments on the ICT elements with appropriate stakeholder input; and assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services, including components enabling 5G communication.
Department of Commerce
- Updates to the Bureau of Industry and Security (BIS) Entity List prohibit the export, reexport, and retransfer of all U.S.-origin items subject to the Export Administration Regulations (EAR) to entities on that list. Under the de minimis rule (15 CFR §734.4), foreign-made products that incorporate more than a set percentage of controlled U.S.-origin content by value may be subject to export controls when destined for selected entities. Additional license requirements are imposed on items subject to the EAR when destined for selected entities on the list, and limitations on most license exceptions apply to these items. BIS offers the De minimis and Direct Product Rules Decision Tool “to help determine if a non-U.S.-made item located outside the United States is subject to [EAR].” The EAR also provides guidelines for the de minimis rules (15 CFR Appendix Supplement No. 2 to Part 734).
- The BIS Entity List (15 CFR Appendix Supplement No. 4 to Part 744), as defined in 15 CFR §744.16, contains the names of foreign parties subject to specific license requirements for the export, reexport, or in-country transfer of controlled items, ensuring sensitive technologies do not fall into the hands of those who would threaten U.S. national security or American citizens. Organizations or persons who violate these rules—as defined under EAR—are subject to criminal penalties and administrative sanctions. For more information, visit the BIS Entity List webpage.
- Effective May 15, 2020, BIS published a rule (85 FR 29849) that “amends General Prohibition Three, also known as the foreign-produced direct product rule, by exercising existing authority under the Export Control Reform Act of 2018, to impose a new control over certain foreign-produced items when there is knowledge that such items are destined to a designated entity on the [BIS] Entity List.”
National Institute of Standards and Technology
- NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
- NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management
- Special Publication (SP) 800-161 Rev. 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- Improving the Nation's Cybersecurity: NIST’s Responsibilities Under the May 2021 Executive Order
- SP 800-53 Rev. 5, Security and Privacy Controls for Federal Information Systems and Organizations
Federal Communications Commission
- On January 3, 2020, the FCC adopted a rule that prospectively prohibits the use of Universal Service Fund (USF) funds to purchase, obtain, maintain, improve, modify, or otherwise support equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain (85 FR 230, FCC-19-121). This rule relates to sections 2 and 3 of the Secure and Trusted Communications Network Act.
- On September 30, 2020, the FCC adopted a report and order establishing rules and procedures that streamline the process by which [the FCC] coordinates with Executive Branch agencies for assessment of any national security, law enforcement, foreign policy, or trade policy issues regarding certain applications filed with the Commission (IB Docket No. 16-155).
- On June 30, 2020, the FCC issued a final designation order (DA-20-690) in PS Docket No. 19-351 designating “Huawei, as well as its parents, affiliates, and subsidiaries, as a covered company for purposes of 47 CFR § 54.9.” On July 30, 2020, Huawei filed an application for review (Public Notice DA-20-832) of that final designation order in the docket.
- On June 30, 2020, the FCC issued a final designation order (DA-20-691) in PS Docket No. 19-352 designating “ZTE, as well as its parents, affiliates, and subsidiaries, as a covered company for purposes of 47 CFR § 54.9.” On July 30, 2020, ZTE filed a petition for reconsideration (Public Notice DA-20-831) of that final designation order in the docket.
Supply Chain and 5G-Related Legislation
Recent legislative efforts relating to 5G technology that could potentially have an impact on ICT supply chains or ICT SCRM Task Force efforts include:
- Secure and Trusted Communications Networks Act of 2019, which became Public Law No. 116-124 on March 12, 2020
- Secure 5G and Beyond Act of 2020, which became Public Law No. 116-129 on March 23, 2020
For questions, comments, or to provide updates to this library, please email firstname.lastname@example.org.