ICT Supply Chain Risk Management Toolkit


This Toolkit—which includes strategic messaging, social media, videos, and resources—is designed to emphasize the role that we all have in securing information and communications technology (ICT) supply chains. All the products detailed below incorporate industry standards to make them highly effective tools to help increase supply chain resilience.

Every company, organization, and individual that uses ICT products and services—such as cell phone devices, online banking, and cloud computing—is part of a globally connected supply chain. The reality is that the evolving threat landscape coupled with today’s digitized world provides a large attack surface for adversaries to launch sophisticated and stealthy supply chain attacks to steal, compromise or alter, and destroy sensitive information.

While the Toolkit is available to all stakeholders, it is especially useful for:

  • Information Technology (IT) or cybersecurity personnel;

  • Chief Information Officers and Chief Information Security Officers;

  • Acquisitions and procurement professionals;

  • Personnel who manage vendor and supplier lists;

  • Risk management officials and personnel;

  • Software customers and vendors; and

  • Personnel whose role is in legal, logistics, marketing, and product development.

Responding to and reducing the impacts of supply chain risks depends on a unity of effort.

Strategic Messaging to Enhance Supply Chain Security

Stakeholders can use the strategic messaging below in internal and public communications to inform their personnel, vendors, suppliers, partners, and others about their role in supply chain risk management. We hope you will send or share these with those in your organization who can help spread awareness of this important effort.

Strategic Message 1: New Toolkit to Strengthen Supply Chain Resilience

As the nation’s risk advisor, the Cybersecurity and Infrastructure Security Agency (CISA) counts securing information and communications technology (ICT) and its supply chains among its top priorities. Together with representatives from ICT private sector companies and associations, CISA formed the ICT Supply Chain Risk Management (SCRM) Task Force to develop strategies to mitigate and address the supply chain risks faced by industry.

Recently, CISA and the Task Force released a new ICT Supply Chain Risk Management Toolkit webpage to help organizations and businesses navigate the wealth of information available on how to secure ICT and its associated supply chains. The Toolkit provides free, voluntary guidance and resources to help educate and empower organizations and businesses on how to identify, respond to, and reduce the impact of supply chain threats.

Learn more at: www.cisa.gov/ict-supply-chain-toolkit.

Strategic Message 2: Resources to Assess the Trustworthiness of Vendors and Suppliers

Protecting our organization’s information requires understanding not only our immediate supply chain, but also the extended supply chains of our vendors and suppliers. The Cybersecurity and Infrastructure Security Agency (CISA) and Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force developed two new resources to help organizations and businesses with this effort:

Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists: This report provides a list of criteria and factors that can be used to inform an organization's decision to build or rely on a qualified list for the acquisition of ICT products and services.

Vendor SCRM Template: This template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The template provides organizations clarity for reporting and vetting processes when purchasing ICT hardware, software, and services.

  • Please note: The Task Force is also looking for parties interested in piloting the template and ascertaining the usefulness of the product.

Both of these tools are great resources for IT or cybersecurity personnel; acquisitions and procurement officials; those who manage vendor and supplier lists; and others. Please feel free to share, download, and use these free, voluntary.

Learn more at: www.cisa.gov/ict-supply-chain-toolkit.

Strategic Message 3: Uncovering ICT Supply Chain Impacts Due to the COVID-19 Pandemic

The impacts to ICT supply chains from the COVID-19 pandemic are continuing to be felt today. To uncover these impacts, the Cybersecurity and Infrastructure Security Agency (CISA) and the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force conducted extensive research and obtained industry input and feedback to develop an analysis report, Building a More Resilient ICT Supply Chain: Lessons Learned During the COVID-19 Pandemic.

The Report found that the pandemic underscored the need for an approach that was already underway: diversifying supply chains to a broader array of locations and away from single-source/single-region suppliers. The pandemic exposed how some manufacturing companies were unprepared because of their reliance on lean inventory models, which provide great efficiency and cost effectiveness in normal conditions. The pandemic also underscored the difficulties that companies face in understanding who their junior-tier suppliers are and where they are located. When these junior-tier suppliers experience slowdowns, shutdowns, or interruptions, those risks can cascade through the entire supply chain system, making it difficult for a company to figure out where or why a delay is happening.

To help manufacturing companies increase supply chain resilience from future risks, this Report includes practical recommendations such as developing standardized approaches to map out detailed supply chains, dual-sourcing from multiple or lower-risk regions, holding buffer inventories, and more.

Learn more at: www.cisa.gov/ict-supply-chain-toolkit.

Social Media Tools to Spread Awareness

Below are sample social media posts and videos that can be used on your organization’s social channels to drive awareness and action on the importance of supply chain security.

Hashtags:

  • #SCRMTaskForce

  • #RiskMGMT

  • #SupplyChain

Messaging:

  • We’re all connected, and we all have a role in securing #ICT #supplychains. Organizations should take steps to safeguard their information, systems, and other assets. Learn more: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • Before a #cybersecurity incident occurs, ensure your organization’s security protocol includes #supplychain risk management. Learn the steps you can take to start now: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • Don’t accidentally inherit a #SupplyChain risk. Download @CISAgov's resources on how to assess the trustworthiness of your organization’s vendors and suppliers. Learn more: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • Staying vigilant against #supplychain risks starts with empowering all personnel to own their role in #riskmanagement & understand how to prepare for software supply chain attacks. www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • As our reliance on information & communications technology increases, #supplychain security must stay top of mind. Learn how to identify and mitigate #ICT threats. www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • Keeping supply chains secure is no easy feat. From #IT teams to acquisitions personnel, we all have a role in working together to secure the globally connected ecosystem. Learn more: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • Educate to Mitigate: Ensure that your organization is aware of current #supplychain best practices & resources to promote #ICT supply chain security and risk management. Learn more: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • Avoid paying the costs of a #supplychain risk when purchasing ICT hardware, software, and services. Check out @CISAgov’s resources on how to assess the trustworthiness of your vendors and suppliers: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • #CISA’s #SupplyChain resources help personnel screen for counterfeit parts, manage insider threat, understand mitigation tips & strategies, and more: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • As technology evolves, so does the threat environment. @CISAgov’s #SupplyChain resources help organizations identify, respond to, and mitigate risks to information and communications technology: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • The COVID19 pandemic caused profound disruptions to #ICT companies & global supply chains. @CISAgov's report identifies three major #supplychain stress points + six recommendations to enhance #supplychain resilience: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

  • From dual-sourcing from lower-risk regions to holding buffer inventories, read @CISAgov's analysis report on the impact of #COVID19 on global supply chains to learn how #ICT companies can increase their #supplychain resilience: www.cisa.gov/ict-supply-chain-toolkit #SCRMTaskForce #RiskMGMT

Videos:

Building a More Resilient ICT Supply Chain: Lessons Learned During The COVID-19 Pandemic highlights the impacts to ICT supply chains from the COVID-19 pandemic in areas such as vendor transparency, single-region/single-source suppliers, and inventory management. In this video, Chris Oatway, an ICT SCRM Task Force member who helped develop the Report, highlights these important issues and discusses how the Report can help your organization build supply chain resilience.


Evaluating Vendor and Supplier Trustworthiness highlights two resources that can help organizations and businesses assess the trustworthiness of their vendors and suppliers, and their potential usefulness to your organization: the report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists and the Vendor SCRM Template. In this video, David George and Renee Johnson, two ICT SCRM Task Force members who helped develop these products, explain their potential usefulness to industry.



Building Collective Supply Chain Resilience highlights the role and importance of the ICT SCRM Task Force and working together to manage risks to the global ICT supply chain.



Assessing ICT Trustworthiness highlights the importance of securing not only your organization’s immediate supply chain, but also the extended supply chains of your vendors and suppliers.


Understanding Supply Chain Threats emphasizes the importance of having security measures in place to mitigate against the most common supply chain threats.


Knowing the Essentials details how organizations and their staff can get started strengthening their SCRM practices and stay vigilant of the evolving threat environment.


Resources to Strengthen Supply Chain Resilience

The free, voluntary products below were developed by CISA’s ICT SCRM Task Force—a public-private partnership that embodies the Agency’s collective approach to enhancing supply chain resilience. Over the past two years, the Task Force has addressed challenges to information sharing, analyzed over 200 threats to supply chains, and studied the impacts from COVID-19 on supply chain logistics.

The Task Force incorporated industry best practices and standards, such as those from the National Institute of Standards and Technology (NIST) and the Open Trusted Technology Provider Standard (O-TTPS), to make these products the best possible tools.

ICT SCRM Task Force Lessons Learned During the COVID-19 Pandemic Analysis Report

  • This analysis report examines how the COVID-19 pandemic impacted the logistical supply chains of ICT companies and provides recommendations on how organizations can increase their supply chain resilience against future risks. The report studies key supply chain operational areas such as inventory management, supply chain mapping/transparency, and supply chain diversity to understand and document impacts to organizations’ supply chains due to COVID-19.

ICT SCRM Task Force Threat Scenarios Report (Version 1)

  • This initial report on Threat Scenarios focused specifically on “suppliers.” The Task Force leveraged the NIST risk management practices described in NIST SP 800-161 to help guide the analysis of supply chain risk management threats and threat sources. After evaluating close to 200 supply chain threats, the Task Force cataloged them into nine supplier threat categories. These categories helped in the evaluation process and in the development of scenarios intended to provide insights into the processes and criteria for conducting supplier threat assessments. Each scenario specifies the threat, its source(s) or actor(s), the outcome, and mitigating strategies.

ICT SCRM Task Force Threat Scenarios Report (Version 2)

  • The latest report, Version 2, released February 2021, adds the assessment of “impacts” and “mitigating” controls to the supplier threat scenarios originally provided. Version 2 also includes threat mitigating strategies and SCRM controls that may reduce the impact of these threats. The objective is to provide practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied during procurement or source selection by government and industry to assess supply chain risks and develop practices/procedures to manage the potential impact of these threats.

ICT SCRM Task Force Report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists *new resource

  • This report provides organizations a list of criteria and factors that can be used to inform their decision to build or rely on a qualified list for the acquisition of ICT products and services. The Task Force analyzed five case studies that led to the development of an overarching set of common ICT SCRM evaluation criteria control categories to be considered when building a qualified list program that, in whole or in part, seeks to manage supply chain risks.

ICT SCRM Task Force Vendor SCRM Template *new resource

  • This Template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The template provides organizations clarity for reporting and vetting processes when purchasing ICT hardware, software, and services.


For questions and comments, or if you’re interested in piloting the Vendor SCRM Template, please email ict_scrm_taskforce@cisa.dhs.gov.
