ICT Supply Chain Resource Library

Resources and tools were developed by the ICT Supply Chain Risk Management (SCRM) Task Force­—a public-private partnership that represents a collective approach to enhancing supply chain resilience.

Cooperation on resilient supply chains with allies and partners who share our values will foster collective economic and national security and strengthen the capacity to respond to international disasters and emergencies.

The report defines the critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes recommendations to mitigate risk.

An overview of the critical supply chains supporting the U.S. information and communications technology industry.

An EO mandating improving the nation's cybersecurity.

Protect against the risks associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

Requirements for ByteDance Ltd. after the acquisition of Musical.ly.

Protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.

Creates the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.

Process and procedures that the Secretary of Commerce will use to identify, assess, and address certain information and communications technology and services transactions that pose an undue risk to critical infrastructure of the nation.

Protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States.

CISA and the ICT Supply Chain Risk Management Task Force developed two resources in response to Executive Order 13873.

Commonly asked questions regarding Executive Order 13873.

Updates to the Bureau of Industry and Security (BIS) Entity List prohibits the export, reexport, and retransfer of all U.S.-origin items subject to Export Administration Regulations to entities on that list.

Contains the foreign parties subject to specific license requirements for the export, reexport, or in-country transfer of controlled items, ensuring sensitive technologies do not fall into the hands of those who would threaten national security.

Imposes a control over certain foreign-produced items when there is knowledge that such items are destined to a designated entity on the [BIS] Entity List.

Assists organizations verify that the internal components of the computing devices they acquire are genuine and have not been tampered with.

Demonstrable business practices that can help protect cyber supply chain risk management. 

Helps individual organizations within an enterprise improve their cybersecurity risk information.

Guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. 

Charges multiple agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

Catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks.

Share supply chain security risk information with trusted providers of advanced communications service and suppliers of communications equipment or services.

Greater transparency allows earlier identification (and mitigation) of potentially vulnerable systems, supports informed purchasing decisions, and incentivizes secure software development practices.

Summarizes the eSCRM program. 

Recommendations to the FCC regarding ways the FCC can help to ensure security, reliability, and interoperability of communications systems.

Protects against national security threats to the communications supply.

Streamlines the process for coordination between the FCC and Executive Branch agencies for assessments regarding certain applications filed with the Commission.

FCC Program designation aimed at protecting the communications supply chain. 

FCC Program designation aimed at protecting the communications supply chain. 

 Assists in the direction and coordination of Government-wide procurement policy and Government-wide procurement regulatory activities in the Federal Government

Public Law No. 116-124 on March 12, 2020

Became Public Law No. 116-129 on March 23, 2020

Strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences.

CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons.

Critical connection between established security and protection practices
and business practices.