ICT Supply Chain Resource Library

Resources and tools were developed by the ICT Supply Chain Risk Management (SCRM) Task Force­—a public-private partnership that represents a collective approach to enhancing supply chain resilience.

The report defines the critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes recommendations to mitigate risk.

An overview of the critical supply chains supporting the U.S. information and communications technology industry.

Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Fund supports the rapid implementation of the semiconductor provisions included in the Fiscal Year (“FY”) 2021 National Defense Authorization Act.

Cooperation on resilient supply chains with allies and partners who share our values will foster collective economic and national security and strengthen the capacity to respond to international disasters and emergencies.

An EO mandating improving the nation's cybersecurity.

Protect against the risks associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

Requirements for ByteDance Ltd. after the acquisition of Musical.ly.

Protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States.

CISA and the ICT Supply Chain Risk Management Task Force developed two resources in response to Executive Order 13873.

Creates the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.

Protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.

Findings of the initial set of reviews of supply chains of 4 critical products: semiconductor manufacturing and advanced packaging; large capacity batteries; critical minerals and materials; and pharmaceuticals and active pharmaceutical ingredients.

Learn more about this Advance Notice of Proposed Rulemaking.

Process and procedures that the Secretary of Commerce will use to identify, assess, and address certain information and communications technology and services transactions that pose an undue risk to critical infrastructure of the nation.

DoD, GSA, and NASA issued multiple rules amending the Federal Acquisition Regulation (FAR) to implement section 889 of the National Defense Authorization Act (NDAA).

Share supply chain security risk information with trusted providers of advanced communications service and suppliers of communications equipment or services.

Updates to the Bureau of Industry and Security (BIS) Entity List prohibits the export, reexport, and retransfer of all U.S.-origin items subject to Export Administration Regulations to entities on that list.

Contains the foreign parties subject to specific license requirements for the export, reexport, or in-country transfer of controlled items, ensuring sensitive technologies do not fall into the hands of those who would threaten national security.

Imposes a control over certain foreign-produced items when there is knowledge that such items are destined to a designated entity on the [BIS] Entity List.

Greater transparency allows earlier identification (and mitigation) of potentially vulnerable systems, supports informed purchasing decisions, and incentivizes secure software development practices.

Findings of the initial set of reviews of supply chains of 4 critical products: semiconductor manufacturing and advanced packaging; large capacity batteries; critical minerals and materials and pharmaceuticals and active pharmaceutical ingredients.

Assists organizations verify that the internal components of the computing devices they acquire are genuine and have not been tampered with.

Demonstrable business practices that can help protect cyber supply chain risk management. 

Helps individual organizations within an enterprise improve their cybersecurity risk information.

Charges multiple agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

Describes a set of fundamental, sound practices for secure software development called the Secure Software Development Framework (SSDF). 

This publication helps organizations identify those systems and components that are most vital and which may need additional security or other protections. 

A NIST effort to work with the private sector and others in government to improve cybersecurity in supply chains.

Guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. 

Catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks.

Demonstrate how organizations can verify that the components of their acquired computing devices are genuine and have not been tampered with or otherwise modified throughout the devices' life cycles.

Summarizes the eSCRM program. 

Recommendations to the FCC regarding ways the FCC can help to ensure security, reliability, and interoperability of communications systems.

​​​​​This report is focused on software supply chain security in this new ecosystem with service providers, cloud service providers, and software vendors to identify recommended best practices to improve communications software supply chain security.

​​​​​The schools and libraries universal service support program, commonly known as the E-rate program, helps schools and libraries to obtain affordable broadband. 

Protects against national security threats to the communications supply.

Streamlines the process for coordination between the FCC and Executive Branch agencies for assessments regarding certain applications filed with the Commission.

FCC Program designation aimed at protecting the communications supply chain. 

FCC Program designation aimed at protecting the communications supply chain. 

The Federal Communications Commission was created for many reasons, including for the purpose of national defense and promoting safety of life and property through the use of wire and radio communication.

 Assists in the direction and coordination of Government-wide procurement policy and Government-wide procurement regulatory activities in the Federal Government

Public Law No. 116-124 on March 12, 2020

Became Public Law No. 116-129 on March 23, 2020

Strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences.

CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons.

Critical connection between established security and protection practices
and business practices.