ICT Supply Chain Resource Library
This library is a non-exhaustive list of free, voluntary resources and information on supply chain programs, rulemakings, and other activities from across the federal government. The resources provide a better understanding of the wide array of supply chain risk management (SCRM) efforts and activities underway or in place.
Securing the Software Supply Chain: Recommended Practices Guide for Suppliers and accompanying Fact Sheet
Securing the Software Supply Chain: Recommended Practices Guide for Customers and accompanying Fact Sheet
Other Resources, Programs, and Trainings
ICT SCRM Task Force Resources
Resources and tools were developed by the ICT Supply Chain Risk Management (SCRM) Task Force—a public-private partnership that represents a collective approach to enhancing supply chain resilience.
Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry
The report defines the critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes recommendations to mitigate risk.
Fact Sheet on the Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry
An overview of the critical supply chains supporting the U.S. information and communications technology industry.
The Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Fund supports the rapid implementation of the semiconductor provisions included in the Fiscal Year (“FY”) 2021 National Defense Authorization Act.
Cooperation on resilient supply chains with allies and partners who share our values will foster collective economic and national security and strengthen the capacity to respond to international disasters and emergencies.
An Executive Order (EO) mandating improvements to the nation's cybersecurity.
Protect against the risks associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.
Requirements for ByteDance Ltd. after the acquisition of Musical.ly.
Executive Order 13873: Securing the Information and Communications Technology And Services Supply Chain
Protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States.
CISA and the ICT Supply Chain Risk Management Task Force developed two resources in response to Executive Order 13873.
Executive Order 13913: Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector
Creates the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.
Protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.
Findings of the initial set of reviews of supply chains of 4 critical products: semiconductor manufacturing and advanced packaging; large capacity batteries; critical minerals and materials; and pharmaceuticals and active pharmaceutical ingredients.
Learn more about this Advance Notice of Proposed Rulemaking.
Process and procedures that the Secretary of Commerce will use to identify, assess, and address certain information and communications technology and services transactions that pose an undue risk to critical infrastructure of the nation.
DoD, GSA, and NASA issued multiple rules amending the Federal Acquisition Regulation (FAR) to implement section 889 of the National Defense Authorization Act (NDAA).
Department of Commerce
Share supply chain security risk information with trusted providers of advanced communications service and suppliers of communications equipment or services.
Updates to the Bureau of Industry and Security (BIS) Entity List prohibit the export, reexport, and retransfer of all U.S.-origin items subject to the Export Administration Regulations to entities on that list.
Contains the foreign parties subject to specific license requirements for the export, reexport, or in-country transfer of controlled items, ensuring sensitive technologies do not fall into the hands of those who would threaten national security.
Export Administration Regulations: Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule) and the Entity List
Imposes a control over certain foreign-produced items when there is knowledge that such items are destined to a designated entity on the [BIS] Entity List.
Greater transparency allows earlier identification (and mitigation) of potentially vulnerable systems, supports informed purchasing decisions, and incentivizes secure software development practices.
Department of Commerce | National Institute of Standards and Technology (NIST)
Assists organizations in verifying that the internal components of the computing devices they acquire are genuine and have not been tampered with.
Demonstrable business practices that can help with cyber supply chain risk management.
Helps individual organizations within an enterprise improve their cybersecurity risk information.
Charges multiple agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
NIST SP 800-218, Secure Software Development Framework V1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities
Describes a set of fundamental, sound practices for secure software development called the Secure Software Development Framework (SSDF).
This publication helps organizations identify those systems and components that are most vital and which may need additional security or other protections.
RFI Summary Analysis: Evaluating and Improving Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management
A NIST effort to work with the private sector and others in government to improve cybersecurity in supply chains.
Special Publication (SP) 800-161 Rev. 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
Guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations.
Catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks.
Demonstrate how organizations can verify that the components of their acquired computing devices are genuine and have not been tampered with or otherwise modified throughout the devices' life cycles.
Department of Energy
Federal Communications Commission
Recommendations to the FCC regarding ways the FCC can help to ensure security, reliability, and interoperability of communications systems.
CSRIC (Communications Security, Reliability, and Interoperability Council) Report on Recommended Best Practices to Improve Supply Chain Security
This report focuses on software supply chain security in this new ecosystem, working with service providers, cloud service providers, and software vendors to identify recommended best practices for improving communications software supply chain security.
The schools and libraries universal service support program, commonly known as the E-rate program, helps schools and libraries to obtain affordable broadband.
Final Rule: Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation
Protects against national security threats to the communications supply chain.
Process Reform for Executive Branch Review of Certain FCC Applications and Petitions Involving Foreign Ownership Report and Order
Streamlines the process for coordination between the FCC and Executive Branch agencies for assessments regarding certain applications filed with the Commission.
Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – Huawei Designation
FCC Program designation aimed at protecting the communications supply chain.
Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – ZTE Designation
FCC Program designation aimed at protecting the communications supply chain.
Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs
The Federal Communications Commission was created for many reasons, including for the purpose of national defense and promoting safety of life and property through the use of wire and radio communication.
Office of Management and Budget
Supply Chain and 5G-Related Legislation
Strategic approach to defending the United States in cyberspace against cyber attacks of significant consequence.
CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons.