This library is a non-exhaustive list of free, voluntary resources and information on supply chain programs, rulemakings, and other activities from across the federal government. The resources provide a better understanding of the wide array of supply chain risk management (SCRM) efforts and activities underway or in place.
CISA Resources
ICT Supply Chain Risk Management Fact Sheet
Securing the Software Supply Chain: Recommended Practices for Developers
Securing the Software Supply Chain: Recommended Practices Guide for Suppliers and accompanying Fact Sheet
Securing the Software Supply Chain: Recommended Practices Guide for Customers and accompanying Fact Sheet
Other Resources, Programs, and Trainings
5G Market Penetration and Risk Factors Infographic
Cyber Supply Chain Risk Management for the Public
Defending Against Software Supply Chain Attacks
Internet of Things (IoT) Acquisition Guidance Document
Videos
Video on ICT Supply Chain Risk Management: Building Collective Supply Chain Resilience
Video on ICT Supply Chain Risk Management: Assessing ICT Trustworthiness
Video on ICT Supply Chain Risk Management: Understanding Supply Chain Threats
Video on ICT Supply Chain Risk Management: Knowing the Essentials
ICT SCRM Task Force Resources
Resources and tools were developed by the ICT Supply Chain Risk Management (SCRM) Task Force—a public-private partnership that represents a collective approach to enhancing supply chain resilience.
Proposed Rulemakings and Executive Orders
Executive Order 14017: America's Supply Chains
Cooperation on resilient supply chains with allies and partners who share our values will foster collective economic and national security and strengthen the capacity to respond to international disasters and emergencies.
Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry
The report defines the critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes recommendations to mitigate risk.
Fact Sheet on the Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry
An overview of the critical supply chains supporting the U.S. information and communications technology industry.
Executive Order 14028: Improving the Nation's Cybersecurity
An EO directing federal agencies to improve the nation's cybersecurity, including measures to enhance the security and integrity of the software supply chain.
Executive Order 14034: Protecting Americans' Sensitive Data from Foreign Adversaries
Protect against the risks associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.
Executive Order Regarding the Acquisition of Musical.ly by ByteDance Ltd
Requirements for ByteDance Ltd. after the acquisition of Musical.ly.
Executive Order 13920: Securing the United States Bulk-Power System
Protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.
Executive Order 13913: Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector
Creates the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.
Proposed Rule to Implement Regulations Pursuant to Executive Order 13873
Process and procedures that the Secretary of Commerce will use to identify, assess, and address certain information and communications technology and services transactions that pose an undue risk to critical infrastructure of the nation.
Executive Order 13873: Securing the Information and Communications Technology And Services Supply Chain
Protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States.
Paper on E.O. 13873 Response: Methodology for Assessing the Most Critical ICT and Services
CISA and the ICT Supply Chain Risk Management Task Force developed two resources in response to Executive Order 13873.
Frequently Asked Questions: DHS's ICT Methodology in Support of EO 13873
Commonly asked questions regarding Executive Order 13873.
Department of Commerce
De minimis Regulation
Updates to the Bureau of Industry and Security (BIS) Entity List prohibit the export, reexport, and retransfer of all U.S.-origin items subject to the Export Administration Regulations to entities on that list.
Entity List
Contains the foreign parties subject to specific license requirements for the export, reexport, or in-country transfer of controlled items, ensuring sensitive technologies do not fall into the hands of those who would threaten national security.
Export Administration Regulations: Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule) and the Entity List
Imposes a control over certain foreign-produced items when there is knowledge that such items are destined to a designated entity on the [BIS] Entity List.
National Cybersecurity Center of Excellence Supply Chain Assurance Project
Helps organizations verify that the internal components of the computing devices they acquire are genuine and have not been tampered with.
NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
Demonstrable business practices, observed in industry, that can help organizations manage cyber supply chain risk.
NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management
Helps individual organizations within an enterprise improve the cybersecurity risk information they provide as input to enterprise risk management (ERM) processes.
Special Publication (SP) 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
Guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations.
Improving the Nation's Cybersecurity: NIST’s Responsibilities Under the May 2021 Executive Order
The EO charges multiple agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain; this page tracks NIST's assignments under it.
SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
Catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks.
Communications Supply Chain Risk Information Partnership (C-SCRIP)
Shares supply chain security risk information with trusted providers of advanced communications service and suppliers of communications equipment or services.
Software Bill of Materials (SBOM) Program
Greater transparency allows earlier identification (and mitigation) of potentially vulnerable systems, supports informed purchasing decisions, and incentivizes secure software development practices.
Department of Energy
Enterprise Supply Chain Risk Management (eSCRM) Program
Summarizes the eSCRM program.
Federal Communications Commission
Communications Security, Reliability, and Interoperability Council (CSRIC)
Recommendations to the FCC regarding ways the FCC can help to ensure security, reliability, and interoperability of communications systems.
Final Rule: Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation
Protects against national security threats to the communications supply chain and designates Huawei and ZTE as covered companies.
Process Reform for Executive Branch Review of Certain FCC Applications and Petitions Involving Foreign Ownership Report and Order
Streamlines the process for coordination between the FCC and Executive Branch agencies for assessments regarding certain applications filed with the Commission.
Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – Huawei Designation
FCC Program designation aimed at protecting the communications supply chain.
Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – ZTE Designation
FCC Program designation aimed at protecting the communications supply chain.
Office of Management and Budget
Federal Acquisition Security Council
Interagency council, chaired by OMB, that develops criteria and processes for assessing supply chain risk to federal information systems and may recommend exclusion or removal orders for covered articles and sources.
Supply Chain and 5G-Related Legislation
Secure and Trusted Communications Networks Act of 2019
Became Public Law No. 116-124 on March 12, 2020
Secure 5G and Beyond Act of 2020
Became Public Law No. 116-129 on March 23, 2020
Other Activities
Cyberspace Solarium Commission
Commission chartered to develop a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequence.
Committee on Foreign Investment in the United States (CFIUS)
CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons.
Outsourcing of Network Services Assessment Tool (ONSAT)
Assessment tool addressing the critical connection between established security and protection practices and business practices.
Contact Us
For questions, comments, or to provide updates to this library, please email ict_scrm_taskforce@cisa.dhs.gov.