ICT Supply Chain Library

This library is a non-exhaustive list of free, voluntary resources and information on supply chain programs, rulemakings, and other activities from across the federal government. The resources were compiled by the ICT Supply Chain Risk Management (SCRM) Task Force’s Tiger Team that’s focus was to provide a better understanding of the wide array of supply chain risk management (SCRM) efforts and activities underway or in place.

Please engage directly with the owner of these programs to better understand the specifics of any of these individual authorities or programs or reach out to update/expand this list.

LATEST RESOURCES

Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information (SCRI): Developed by the ICT SCRM Task Force, this report provides research by subject matter experts in addressing liability limitations to improve sharing of SCRI among the federal government and private industry.

Operationalizing the Vendor SCRM Template for Small and Medium-sized Businesses (SMBs). Developed by the ICT SCRM Task Force, this resource gears the applicability of the previously released enterprise Vendor Template to be used specifically by SMBs. The product provides guidance on applying industry standards and best practices for reporting and vetting processes when purchasing ICT hardware, software, and services. Additionally, download the spreadsheet version of this SMB Vendor SCRM Template, which is as an alternate tool to utilize this product, intended to allow options to accommodate yes, no, or partial responses to each of the questions.

CISA Insights: Risk Considerations for Managed Service Provider Customers: This resource provides a framework that government and private sector organizations (to include small and medium-sized businesses) outsourcing some level of IT support to MSPs can use to better mitigate against third-party risk.

Threat Scenarios Report (Version 3): This report provides a practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied by procurement or source selection officials. The latest version adds the assessment of products and services to include scenario-specific impacts and mitigating controls to the supplier threat scenarios.

CISA Resources

CISA Insights: Risk Considerations for Managed Service Provider Customers

This resource provides a framework with an actionable checklist for government, organizations, and small and medium-sized businesses that use Managed Service Providers (MSPs) to manage their IT services on how to mitigate against third-party risk and harden their networks to improve overall security and resilience.

ICT Supply Chain Risk Management (SCRM) Essentials

A guide for leaders and staff with actionable steps on how to start implementing organizational SCRM practices to improve their overall security resilience.

ICT SCRM Fact Sheet

A one-pager on the role of ICT in critical infrastructure operations, risks ICT faces, and overview of the Task Force.

ICT Supply Chain Risks Infographic

This infographic provides government and industry leaders at all levels insight into how vulnerabilities can be introduced into the ICT supply chain and the consequences of their exploitation.

Paper on EO 13873 Response: Methodology for Assessing the Most Critical ICT and Services and Frequently Asked Questions: DHS's ICT Methodology in Support of EO 13873

In response to Executive Order 13873, CISA's National Risk Management Center and the ICT SCRM Task Force worked with government and industry partners to describe a standardized taxonomy of ICT elements; perform criticality assessments on the ICT elements with appropriate stakeholder input; and assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services, including components enabling 5G communication.

Other Resources, Programs, and Trainings

5G Market Penetration and Risk Factors Infographic

This infographic provides a high-level overview of select mobile network equipment components market leaders, major components of 5G networking, and points of vulnerability in the 5G network.

Cyber Supply Chain Risk Management for the Public

This free three-part course introduces what a supply chain is, how adversaries target supply chains, and steps that individuals and organizations can take to improve supply chain security. There are no log-in requirements.

Defending Against Software Supply Chain Attacks

This resource, released by CISA and the National Institute of Standards and Technology (NIST), provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber SCRM (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks. It also provides in-depth recommendations and key steps for prevention, mitigation, and resilience of software supply chain attacks.

Internet of Things (IoT) Acquisition Guidance Document

This document highlights areas of elevated risk resulting from the software-enabled and connected aspects of IoT technologies and their role in the physical world. It provides information on certain vulnerabilities and weaknesses; suggests solutions for common challenges; and identifies factors to consider before purchasing or using IoT devices, systems, and services.

Industrial Control Systems Joint Working Group

This working group facilitates information sharing and the reduction of risk to the Nation’s industrial control systems. It provides a vehicle for communicating and partnering across all critical infrastructure sectors between federal agencies and departments, as well as private asset owners and operators of industrial control systems.

Overview of Risks Introduced by 5G Adoption in the United States

This resource provides an overview of CISA’s preliminary analysis of the vulnerabilities likely to affect the secure adoption and implementation of 5G technologies. Examples of key findings include a potential increase of attack vectors due to the increase of components required to deploy 5G as well as the integration of legacy vulnerabilities from 4G/LTE since 5G will initially be built on 4G infrastructure.

ICT SCRM Task Force Resources

These resources and tools were developed by the ICT Supply Chain Risk Management (SCRM) Task Force—a public-private partnership that represents the Agency’s collective approach to enhancing supply chain resilience. Representatives include subject matter experts, infrastructure owners/operators, and other key stakeholders from the Information Technology (IT) sector, Communications sector, and federal agencies.

While the Task Force’s products are available to all stakeholders, they are especially useful for:

Acquisitions and procurement professionals;	Personnel whose role is in legal, logistics, marketing, and product development;
Information Technology (IT) or cyber security personnel;	Risk management officials and personnel; and
Personnel who manage vendor and supplier lists;	Software customers and vendors.

ICT SCRM Task Force Interim Report

This report provides an overview of the Task Force and its first year’s efforts in addressing SCRM challenges such as information sharing; evaluating supply chain threats; identifying criteria, processes and structures for establishing Qualified Bidder Lists (QBL) and Qualified Manufacturer Lists (QML); and policy recommendations for incentivizing the purchase of ICT from original equipment manufacturers and authorized resellers.

ICT SCRM Task Force Year Two Report

This report showcases the Task Force’s collective ongoing efforts to address challenges to information sharing, threat analysis, qualified bidder and qualified manufacturer lists, vendor assurance, as well as an ad-hoc effort on the COVID-19 pandemic impacts on ICT supply chains.

ICT SCRM Task Force Lessons Learned During the COVID-19 Pandemic Analysis Report

This analysis report examines how the COVID-19 pandemic impacted the logistical supply chains of ICT companies and provides recommendations on how organizations can increase their supply chain resilience from future risks. The report studies key supply chain operational areas such as inventory management, supply chain mapping/transparency, and supply chain diversity to understand and document impacts to organization’s supply chains due to COVID-19.

ICT SCRM Task Force Operationalizing Vendor SCRM Template for Small and Medium-sized Businesses

This resource gears the applicability of the previously released enterprise Vendor Template to be used specifically by SMBs. The product provides guidance on applying industry standards and best practices for reporting and vetting processes when purchasing ICT hardware, software, and services.

ICT SCRM Task Force Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information

This product provides research by subject matter experts in addressing liability limitations to improve sharing of SCRI among the federal government and private industry. It provides guidance on applying industry standards and best practices for reporting and vetting processes when purchasing ICT hardware, software, and services. Additionally, download the spreadsheet version of this SMB Vendor SCRM Template, which is as an alternate tool to utilize this product, intended to allow options to accommodate yes, no, or partial responses to each of the questions.

ICT SCRM Task Force Threat Scenarios Report (Version 1)

This initial report on Threat Scenarios focused specifically on “suppliers.” The Task Force leveraged the NIST Risk Management Practices described in NIST SP 800-161 to help guide the analysis of the supply chain risk management threats and threat sources. Threat scenarios across nine supplier threat categories provide insights into the processes and criteria for conducting supplier threat assessment. Each scenario specified the threat, source(s) or actor(s), outcome, and mitigating strategies.

ICT SCRM Task Force Threat Scenarios Report (Version 2)

Version 2 adds the assessment of “impacts” and “mitigating” controls to the nine supplier threat scenarios originally provided. Version 2 also includes example-based threat mitigating strategies and SCRM controls that may reduce the impact of these threats.

ICT SCRM Task Force Threat Scenarios Report (Version 3)

Version 3 provides a practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied by procurement or source selection officials. The latest version adds the assessment of products and services to include scenario-specific impacts and mitigating controls to the supplier threat scenarios.

ICT SCRM Task Force Report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists

This report provides organizations a list of evaluation criteria and factors that can be used to inform their decision to build or rely on a qualified list for the acquisition of ICT products and services while managing supply chain risks.

ICT SCRM Task Force Vendor SCRM Template

This Template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The template provides organizations clarity for reporting and vetting processes when purchasing ICT hardware, software, and services. Additionally, download the spreadsheet version of this SMB Vendor SCRM Template, which is as an alternate tool to utilize this product, intended to allow options to accommodate yes, no, or partial responses to each of the questions.

Proposed Rulemakings and Executive Orders

Executive Order 14017: AMERICA’s Supply Chains

Executive Order 14028: Improving the Nation's Cybersecurity

Executive Order 14034: Protecting Americans' Sensitive Data from Foreign Adversaries

Executive Order Regarding the Acquisition of Musical.ly by ByteDance Ltd

Executive Order 13920: Securing the United States Bulk-Power System

Executive Order 13913: Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector

Proposed Rule to Implement Regulations Pursuant to Executive Order 13873

Paper on EO 13873 Response: Methodology for Assessing the Most Critical ICT and Services and Frequently Asked Questions: DHS's ICT Methodology in Support of EO 13873: In response to EO 13873, CISA's National Risk Management Center and the ICT SCRM Task Force worked with government and industry partners to describe a standardized taxonomy of ICT elements; perform criticality assessments on the ICT elements with appropriate stakeholder input; and assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services, including components enabling 5G communication.

Executive Order 13873: Securing the Information and Communications Technology And Services Supply Chain

Department of Commerce

Bureau of Industry and Security

De minimis Regulation

Updates to the Bureau of Industry and Security (BIS) Entity List prohibits the export, reexport, and retransfer of all U.S.-origin items subject to Export Administration Regulations (EAR) to entities on that list. Under the de minimis rule (15 CFR §734.4), foreign-made products that incorporate more than a set percentage of controlled U.S.-origin content by value may be subject to export controls to selected entities. Additional license requirements will be imposed on items subject to EAR to selected entities on the list. As well, limitations on most license exceptions will be applied to these items. BIS offers the De minimis and Direct Product Rules Decision Tool “to help determine if a non-U.S.-made item located outside the United States is subject to [EAR].” As well, EAR features guidelines for de minimis rules (15 CFR Appendix Supplement No. 2 to Part 734)

Entity List

The BIS Entity List (15 CFR Appendix Supplement No. 4 to Part 744), as defined in 15 CFR §744.16, contains the names of foreign parties subject to specific license requirements for the export, reexport, or in-country transfer of controlled items, ensuring sensitive technologies do not fall into the hands of those who would threaten U.S. national security or American citizens. Organizations or persons who violate these rules—as defined under EAR—are subject to criminal penalties and administrative sanctions. For more information, visit the BIS Entity List webpage.

Export Administration Regulations: Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule) and the Entity List

Effective May 15, 2020, BIS published a rule (85 FR 29849) that “amends General Prohibition Three, also known as the foreign-produced direct product rule, by exercising existing authority under the Export Control Reform Act of 2018, to impose a new control over certain foreign-produced items when there is knowledge that such items are destined to a designated entity on the [BIS] Entity List.

On January 3, 2020, the FCC adopted a rule that prospectively prohibits the use of Universal Service Fund (USF) funds to purchase, obtain, maintain, improve, modify, or otherwise support equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain (85 FR 230, FCC-19-121). This rule relates to sections 2 and 3 of the Secure and Trusted Communications Network Act.

Process Reform for Executive Branch Review of Certain FCC Applications and Petitions Involving Foreign Ownership Report and Order

On September 30, 2020, the FCC adopted a report and order that allows the FCC to adopt rules and procedures that streamline the process by which [the FCC] coordinates with the Executive Branch agencies for assessment of any national security, law enforcement, foreign policy, or trade policy issues regarding certain applications filed with the Commission (IB Docket No. 16-155).

Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – Huawei Designation

On June 30, 2020, the FCC issued a final designation order (DA-20-690) in PS Docket No. 19-351 designating “Huawei, as well as its parents, affiliates, and subsidiaries, as a covered company for purposes of 47 CFR § 54.9.” On July 30, 2020, Huawei filed an application for review (Public Notice DA-20-832) of said final designation order in the docket.

Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – ZTE Designation

On June 30, 2020, FCC issued a final designation order (DA-20-691) in PS Docket No. 19-352 designating “ZTE, as well as its parents, affiliates, and subsidiaries, as a covered company for purposes of 47 CFR § 54.9.” On July 30, 2020, ZTE filed a petition for reconsideration (Public Notice DA-20-831) of said final designation order in the docket.

Office of Management and Budget

Federal Acquisition Security Council

Supply Chain and 5G-Related Legislation

National Strategy to Secure 5G of the United States

Recent legislative efforts relating to 5G technology that could potentially have an impact on ICT supply chains or ICT SCRM Task Force efforts include:

Secure and Trusted Communications Networks Act of 2019, which became Public Law No. 116-124 on March 12, 2020
Secure 5G and Beyond Act of 2020, which became Public Law No. 116-129 on March 23, 2020

Other Activities

Cyberspace Solarium Commission

Committee on Foreign Investment in the United States (CFIUS)

Outsourcing of Network Services Assessment Tool (ONSAT)

For questions, comments, or to provide updates to this library, please email ict_scrm_taskforce@cisa.dhs.gov.

ICT Supply Chain Resource Library