ICT Supply Chain Resource Library

This library is a non-exhaustive list of free, voluntary resources and information on supply chain programs, rulemakings, and other activities from across the federal government. The resources provide a better understanding of the wide array of supply chain risk management (SCRM) efforts and activities underway or in place.

CISA Resources

CISA Insights on Risk Considerations for Managed Service Provider Customers

SEP 03, 2021 | ALERT

ICT Supply Chain Risk Management Fact Sheet

FEB 17, 2021 | PUBLICATION
Download File (PDF, 242.51 KB)

Securing the Software Supply Chain: Recommended Practices for Developers

EXTERNAL
This guide discusses security requirements planning, software architecture from a security perspective, key security features, and overall security of software and the underlying infrastructure.
Securing the Software Supply Chain: Recommended Practices Guide for Developers (defense.gov)

Securing the Software Supply Chain: Recommended Practices Guide for Suppliers and accompanying Fact Sheet

PUBLICATION
This guide for suppliers (i.e., vendors) was developed to help organizations define software security checks, protect software, produce well-secured software, and respond to vulnerabilities on a continuous basis.
View Files

Securing the Software Supply Chain: Recommended Practices Guide for Customers and accompanying Fact Sheet

PUBLICATION
Best practices for software customers on procuring and deploying secure software, with guidance for the Software Bill of Materials.
View Files

Scada-LTS Third Party Component

APR 25, 2023 | ICS ADVISORY | ICSA-23-115-02
CISA released this Industrial Control Systems (ICS) advisory on April 25, 2023; ICS advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

Software Bill of Materials (SBOM) Sharing Lifecycle Report

APR 17, 2023 | PUBLICATION
Highlights solutions for sharing SBOMs and assists readers in considering appropriate solutions depending on their needs concerning the discovery, access, and transport of SBOMs.
Download File (PDF, 795.95 KB)

Types of Software Bill of Materials (SBOM)

APR 21, 2023 | PUBLICATION
This community-led resource summarizes common types of SBOMs that tools may create in the industry today, along with the data typically presented for each type of SBOM.

Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management

SEP 25, 2023 | PUBLICATION
Provides a framework that includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance on what HBOM information is appropriate.
View Files

Empowering Small and Medium-Sized Businesses

OCT 11, 2023 | PUBLICATION
A Resource Guide that provides a valuable starting point for SMBs to develop and tailor an ICT SCRM plan that meets the needs of their business.
View Files

Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle

AUG 01, 2024 | PUBLICATION
The guide consolidates relevant software assurance guidance and frameworks into a single document and enables stakeholders to easily navigate through these requirements in a clear, concise manner.
View Files

Connected Communities Procurement and Implementation Guidance

DEC 01, 2023 | PUBLICATION
These Connected Communities Procurement and Implementation Guidance infographics assist state, local, tribal, and territorial (SLTT) government officials in mitigating risks in their supply chains when procuring smart and connected technologies.
View Files

Other Resources, Programs, and Trainings

5G Market Penetration and Risk Factors Infographic

PUBLICATION
A high-level overview of select mobile network equipment components market leaders, major components of 5G networking, and points of vulnerability in the 5G network.
Download File (PDF, 11.48 KB)

Cyber Supply Chain Risk Management for the Public

TRAINING
To understand SCRM and the role it plays within our society, take the free online CISA Learning course: Cyber Supply Chain Risk Management for the Public.
Cyber Supply Chain Risk Management for the Public

Cybersecurity Maturity Model Certification 2.0 Program

EXTERNAL
The CMMC 2.0 program is the next iteration of the CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
Cybersecurity Maturity Model Certification (CMMC) 2.0 Program

Defending Against Software Supply Chain Attacks

PUBLICATION
An overview of software supply chain risks and recommendations on how software customers and vendors can mitigate them.
Download File (PDF, 1.18 MB)

Internet of Things (IoT) Acquisition Guidance Document

PUBLICATION
Identifies considerations for the purchase of IoT devices, systems, and services.
Download File (PDF, 3.03 MB)

Overview of Risks Introduced by 5G Adoption in the United States

DEC 17, 2020 | PUBLICATION
View Files

Innovations in ICT Supply Chain Risk Management Conference

JUN 12 | CONFERENCE | IN-PERSON
The Cybersecurity and Infrastructure Security Agency (CISA) will host the first annual Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force Conference on June 12 at the MITRE Corporation in McLean, VA.
Eventbrite Registration

Videos

Video on ICT Supply Chain Risk Management: Building Collective Supply Chain Resilience

VIDEO
Highlights the role and importance of the ICT SCRM Task Force and working together to manage risks to the global ICT supply chain.
Building Collective Supply Chain Resilience

Video on ICT Supply Chain Risk Management: Assessing ICT Trustworthiness

VIDEO
Discusses the importance of securing not only your organization’s immediate supply chain, but also the extended supply chains of your vendors and suppliers.
Assessing ICT Trustworthiness

Video on ICT Supply Chain Risk Management: Understanding Supply Chain Threats

VIDEO
Emphasizes the importance of having security measures in place to mitigate against the most common supply chain threats.
Understanding Supply Chain Threats

Video on ICT Supply Chain Risk Management: Knowing the Essentials

VIDEO
Details how organizations and their staff can get started strengthening their SCRM practices and stay vigilant of the evolving threat environment.
Knowing the Essentials

Executive Orders

Chips Act of 2022

The Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Fund supports the rapid implementation of the semiconductor provisions included in the Fiscal Year (“FY”) 2021 National Defense Authorization Act.

Executive Order 14017: AMERICA’s Supply Chains

Cooperation on resilient supply chains with allies and partners who share our values will foster collective economic and national security and strengthen the capacity to respond to international disasters and emergencies.

Executive Order 14028: Improving the Nation's Cybersecurity

An EO mandating improving the nation's cybersecurity.

Executive Order 14034: Protecting Americans' Sensitive Data from Foreign Adversaries

Protect against the risks associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

Executive Order 13873: Securing the Information and Communications Technology And Services Supply Chain

Protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States.

Paper on E.O. 13873 Response: Methodology for Assessing the Most Critical ICT and Services

CISA and the ICT Supply Chain Risk Management Task Force developed two resources in response to Executive Order 13873.

Executive Order 13913: Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector

Creates the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.

Executive Order 14017 100 Days Review

Findings of the initial set of reviews of supply chains of 4 critical products: semiconductor manufacturing and advanced packaging; large capacity batteries; critical minerals and materials; and pharmaceuticals and active pharmaceutical ingredients.

Executive Order 14239: Achieving Efficiency Through State and Local Preparedness

This order empowers State, local, and individual preparedness and injects common sense into infrastructure prioritization and strategic investments through risk-informed decisions that make our infrastructure, communities, and economy resilient.

Supply Chain Risk Management Reliability Standards

Reliability Standards that address the sufficiency of responsible entities' supply chain risk management plans related to the identification of, assessment of, and response to supply chain risks.

Executive Order 14144: Strengthening and Promoting Innovation in the Nation's Cybersecurity

Issued to enhance the United States' cybersecurity posture across federal systems, supply chains, and critical infrastructure. It builds upon the foundation set by Executive Order 14028 and introduces several new key measures.

Executive Order 14123: White House Council on Supply Chain Resilience

This initiative, which established the White House Council on Supply Chain Resilience, aims to enhance the resilience and competitiveness of United States supply chains and to address vulnerabilities exposed by the COVID-19 pandemic and ongoing inflation.

Proposed Rulemakings

March 2021 ANPRM: Securing the Information and Communications Technology and Services Supply Chain

Learn more about this Advance Notice of Proposed Rulemaking.

Proposed Rule to Implement Regulations Pursuant to Executive Order 13873

Process and procedures that the Secretary of Commerce will use to identify, assess, and address certain information and communications technology and services transactions that pose an undue risk to critical infrastructure of the nation.

Section 889 Requirements of the 2019 National Defense Authorization Act (NDAA)

DoD, GSA, and NASA issued multiple rules amending the Federal Acquisition Regulation (FAR) to implement section 889 of the National Defense Authorization Act (NDAA).

Department of Commerce

Communications Supply Chain Risk Information Partnership (C-SCRIP)

Share supply chain security risk information with trusted providers of advanced communications service and suppliers of communications equipment or services.

De minimis Regulation

Updates to the Bureau of Industry and Security (BIS) Entity List prohibit the export, reexport, and retransfer of all U.S.-origin items subject to the Export Administration Regulations to entities on that list.

Entity List

Contains the foreign parties subject to specific license requirements for the export, reexport, or in-country transfer of controlled items, ensuring sensitive technologies do not fall into the hands of those who would threaten national security.

Export Administration Regulations: Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule) and the Entity List

Imposes a control over certain foreign-produced items when there is knowledge that such items are destined to a designated entity on the [BIS] Entity List.

Software Bill of Materials (SBOM) Program

Greater transparency allows earlier identification (and mitigation) of potentially vulnerable systems, supports informed purchasing decisions, and incentivizes secure software development practices.

Department of Commerce | National Institute of Standards and Technology (NIST)

Executive Order 14017 100 Days Review

Findings of the initial set of reviews of supply chains of 4 critical products: semiconductor manufacturing and advanced packaging; large capacity batteries; critical minerals and materials; and pharmaceuticals and active pharmaceutical ingredients.

National Cybersecurity Center of Excellence Supply Chain Assurance Project

Assists organizations in verifying that the internal components of the computing devices they acquire are genuine and have not been tampered with.

NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

Demonstrable business practices that can help organizations manage cyber supply chain risk.

NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management

Helps individual organizations within an enterprise improve their cybersecurity risk information.

Improving the Nation's Cybersecurity: NIST’s Responsibilities Under the May 2021 Executive Order

Charges multiple agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

NIST SP 800-218, Secure Software Development Framework V1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities

Describes a set of fundamental, sound practices for secure software development called the Secure Software Development Framework (SSDF).

NIST Internal Report (NISTIR) 8179

This publication helps organizations identify those systems and components that are most vital and which may need additional security or other protections.

RFI Summary Analysis: Evaluating and Improving Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management

A NIST effort to work with the private sector and others in government to improve cybersecurity in supply chains.

Special Publication (SP) 800-161 Rev. 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations.

SP 800-53 Rev. 5, Security and Privacy Controls for Federal Information Systems and Organizations

Catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks.

Supply Chain Assurance: Validating the Integrity of Computing Devices

Demonstrates how organizations can verify that the components of their acquired computing devices are genuine and have not been tampered with or otherwise modified throughout the devices' life cycles.

Artificial Intelligence Risk Management Framework

The NIST AI Risk Management Framework (AI RMF) is intended to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

Federal Communications Commission

Communications Security, Reliability, and Interoperability Council (CSRIC)

Recommendations to the FCC regarding ways the FCC can help to ensure security, reliability, and interoperability of communications systems.

CSRIC (Communications Security, Reliability, and Interoperability Council) Report on Recommended Best Practices to Improve Supply Chain Security

This report focuses on software supply chain security in the new ecosystem of service providers, cloud service providers, and software vendors, and identifies recommended best practices to improve communications software supply chain security.

E-Rate – Schools and Libraries USF Program

The schools and libraries universal service support program, commonly known as the E-rate program, helps schools and libraries to obtain affordable broadband.

Final Rule: Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation

Protects against national security threats to the communications supply chain.

Process Reform for Executive Branch Review of Certain FCC Applications and Petitions Involving Foreign Ownership Report and Order

Streamlines the process for coordination between the FCC and Executive Branch agencies for assessments regarding certain applications filed with the Commission.

Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – Huawei Designation

FCC Program designation aimed at protecting the communications supply chain.

Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – ZTE Designation

FCC Program designation aimed at protecting the communications supply chain.

Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs

The Federal Communications Commission was created for many reasons, including for the purpose of national defense and promoting safety of life and property through the use of wire and radio communication.

Office of Management and Budget

Federal Acquisition Security Council

Assists in the direction and coordination of Government-wide procurement policy and Government-wide procurement regulatory activities in the Federal Government.

Supply Chain and 5G-Related Legislation

Secure and Trusted Communications Networks Act of 2019

Public Law No. 116-124 on March 12, 2020

Secure 5G and Beyond Act of 2020

Became Public Law No. 116-129 on March 23, 2020

Other Activities

Cyberspace Solarium Commission

Strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences.

Committee on Foreign Investment in the United States (CFIUS)

CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons.

Outsourcing of Network Services Assessment Tool (ONSAT)

Critical connection between established security and protection practices and business practices.

Contact Us

For questions, comments, or to provide updates to this library, please email ict_scrm_taskforce@cisa.dhs.gov.
