Cybersecurity & Infrastructure Security Agency
ICT Supply Chain Resource Library

This library is a non-exhaustive list of free, voluntary resources and information on supply chain programs, rulemakings, and other activities from across the federal government. The resources provide a better understanding of the wide array of supply chain risk management (SCRM) efforts and activities underway or in place.

CISA Resources

CISA Insights on Risk Considerations for Managed Service Provider Customers

SEP 03, 2021 | ALERT

ICT Supply Chain Risk Management Fact Sheet

APR 23, 2020 | PUBLICATION
Download File (PDF, 242.51 KB)

Securing the Software Supply Chain: Recommended Practices for Developers

EXTERNAL
This guide discusses security requirements planning, software architecture from a security perspective, key security features, and overall security of software and the underlying infrastructure.
Securing the Software Supply Chain: Recommended Practices Guide for Developers (defense.gov)

Securing the Software Supply Chain: Recommended Practices Guide for Suppliers and accompanying Fact Sheet

PUBLICATION
This guide for suppliers (i.e., vendors) was developed to help organizations define software security checks, protect software, produce well-secured software, and respond to vulnerabilities on a continuous basis.
View Files

Securing the Software Supply Chain: Recommended Practices Guide for Customers and accompanying Fact Sheet

PUBLICATION
Best practices for software customers on procuring and deploying secure software, with guidance for the Software Bill of Materials.
View Files

Other Resources, Programs, and Trainings

5G Market Penetration and Risk Factors Infographic

PUBLICATION
A high-level overview of select mobile network equipment components market leaders, major components of 5G networking, and points of vulnerability in the 5G network.
Download File (PDF, 11.48 KB)

Cyber Supply Chain Risk Management for the Public

TRAINING
To understand SCRM and the role it plays within our society, take the free online FedVTE course: Cyber Supply Chain Risk Management for the Public.
Cyber Supply Chain Risk Management for the Public

Defending Against Software Supply Chain Attacks

PUBLICATION
Overview of software supply chain risks and recommendations on how software customers and vendors can mitigate them.
Download File (PDF, 1.18 MB)

Internet of Things (IoT) Acquisition Guidance Document

PUBLICATION
Identifies considerations for the purchase of IoT devices, systems, and services.
Download File (PDF, 3.03 MB)

Overview of Risks Introduced by 5G Adoption in the United States

JUL 12, 2019 | PUBLICATION
View Files

Videos

Video on ICT Supply Chain Risk Management: Building Collective Supply Chain Resilience

VIDEO
Highlights the role and importance of the ICT SCRM Task Force and working together to manage risks to the global ICT supply chain.
Building Collective Supply Chain Resilience

Video on ICT Supply Chain Risk Management: Assessing ICT Trustworthiness

VIDEO
Discusses the importance of securing not only your organization’s immediate supply chain, but also the extended supply chains of your vendors and suppliers.
Assessing ICT Trustworthiness

Video on ICT Supply Chain Risk Management: Understanding Supply Chain Threats

VIDEO
Emphasizes the importance of having security measures in place to mitigate against the most common supply chain threats.
Understanding Supply Chain Threats

Video on ICT Supply Chain Risk Management: Knowing the Essentials

VIDEO
Details how organizations and their staff can get started strengthening their SCRM practices and stay vigilant of the evolving threat environment.
Knowing the Essentials

ICT SCRM Task Force Resources

Resources and tools developed by the ICT Supply Chain Risk Management (SCRM) Task Force, a public-private partnership that represents a collective approach to enhancing supply chain resilience.

Proposed Rulemakings and Executive Orders

Executive Order 14017: America's Supply Chains

Cooperation on resilient supply chains with allies and partners who share our values will foster collective economic and national security and strengthen the capacity to respond to international disasters and emergencies.

Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry

The report defines the critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes recommendations to mitigate risk.

Fact Sheet on the Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry

An overview of the critical supply chains supporting the U.S. information and communications technology industry.

Executive Order 14028: Improving the Nation's Cybersecurity

An EO mandating improving the nation's cybersecurity.

Executive Order 14034: Protecting Americans' Sensitive Data from Foreign Adversaries

Protect against the risks associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

Executive Order Regarding the Acquisition of Musical.ly by ByteDance Ltd

Requirements for ByteDance Ltd. after the acquisition of Musical.ly.

Executive Order 13920: Securing the United States Bulk-Power System

Protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.

Executive Order 13913: Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector

Creates the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.

Proposed Rule to Implement Regulations Pursuant to Executive Order 13873

Process and procedures that the Secretary of Commerce will use to identify, assess, and address certain information and communications technology and services transactions that pose an undue risk to critical infrastructure of the nation.

Executive Order 13873: Securing the Information and Communications Technology And Services Supply Chain

Protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States.

Paper on E.O. 13873 Response: Methodology for Assessing the Most Critical ICT and Services

CISA and the ICT Supply Chain Risk Management Task Force developed two resources in response to Executive Order 13873.

Frequently Asked Questions: DHS's ICT Methodology in Support of EO 13873

Commonly asked questions regarding Executive Order 13873.

Department of Commerce

De minimis Regulation

Updates to the Bureau of Industry and Security (BIS) Entity List prohibit the export, reexport, and retransfer of all U.S.-origin items subject to the Export Administration Regulations to entities on that list.

Entity List

Contains the foreign parties subject to specific license requirements for the export, reexport, or in-country transfer of controlled items, ensuring sensitive technologies do not fall into the hands of those who would threaten national security.

Export Administration Regulations: Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule) and the Entity List

Imposes a control over certain foreign-produced items when there is knowledge that such items are destined to a designated entity on the [BIS] Entity List.

National Cybersecurity Center of Excellence Supply Chain Assurance Project

Assists organizations in verifying that the internal components of the computing devices they acquire are genuine and have not been tampered with.

NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

Demonstrable business practices that can help organizations manage cyber supply chain risk.

NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management

Helps individual organizations within an enterprise improve their cybersecurity risk information.

Special Publication (SP) 800-161 Rev. 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations.

Improving the Nation's Cybersecurity: NIST’s Responsibilities Under the May 2021 Executive Order

Charges multiple agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

SP 800-53 Rev. 5, Security and Privacy Controls for Federal Information Systems and Organizations

Catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks.

Communications Supply Chain Risk Information Partnership (C-SCRIP)

Shares supply chain security risk information with trusted providers of advanced communications service and suppliers of communications equipment or services.

Software Bill of Materials (SBOM) Program

Greater transparency allows earlier identification (and mitigation) of potentially vulnerable systems, supports informed purchasing decisions, and incentivizes secure software development practices.

Department of Energy

Enterprise Supply Chain Risk Management e(SCRM) Program

Summarizes the eSCRM program.

Federal Communications Commission

Communications Security, Reliability, and Interoperability Council (CSRIC)

Recommendations to the FCC regarding ways the FCC can help to ensure security, reliability, and interoperability of communications systems.

Final Rule: Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation

Protects against national security threats to the communications supply chain.

Process Reform for Executive Branch Review of Certain FCC Applications and Petitions Involving Foreign Ownership Report and Order

Streamlines the process for coordination between the FCC and Executive Branch agencies for assessments regarding certain applications filed with the Commission.

Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – Huawei Designation

FCC program designation aimed at protecting the communications supply chain.

Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – ZTE Designation

FCC program designation aimed at protecting the communications supply chain.

Office of Management and Budget

Federal Acquisition Security Council

Assists in the direction and coordination of Government-wide procurement policy and Government-wide procurement regulatory activities in the Federal Government.

Supply Chain and 5G-Related Legislation

Secure and Trusted Communications Networks Act of 2019

Became Public Law No. 116-124 on March 12, 2020

Secure 5G and Beyond Act of 2020

Became Public Law No. 116-129 on March 23, 2020

Other Activities

Cyberspace Solarium Commission

Strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences.

Committee on Foreign Investment in the United States (CFIUS)

CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons.

Outsourcing of Network Services Assessment Tool (ONSAT)

Critical connection between established security and protection practices and business practices.

Contact Us

For questions, comments, or to provide updates to this library, please email ict_scrm_taskforce@cisa.dhs.gov.
