Building Collective Resilience for the ICT Supply Chain
Now more than ever, resilient critical infrastructure is imperative for public health and safety and community well-being. As teleworking and remote learning have become the new norm to limit the spread of coronavirus (COVID-19), employees and families are relying on Information and Communications Technology (ICT)—those hardware, software, and services critical to communicating—to connect, collaborate, and continue their daily routine.
One of the Cybersecurity and Infrastructure Security Agency’s (CISA) top priorities is securing the global ICT supply chain. Every day, ICT systems support a broad range of critical infrastructure activities that collectively enable the provisioning of National Critical Functions (NCFs), such as generating electricity, operating hospitals, and supplying clean water. ICT products and services also provide remote access into work environments, e-Learning capabilities, and mobile computing. If vulnerabilities in the ICT supply chain are exploited, the consequences can affect all users of that technology or service.
In response to COVID-19, many companies and organizations are providing vital services to communities across the nation. As they increasingly rely on ICT to keep their operations running with as little disruption as possible, they must stay vigilant of adversaries seeking to target critical systems. Supply chain risks may enable adversaries to exploit vulnerabilities and unsuspecting users to maliciously gain access to systems, steal intellectual property, and disrupt critical functions. Adversaries may also attempt to breach third-parties, such as contractors, service providers, vendors, and suppliers with less mature information security controls. Similarly, they may try to exploit new and emerging risks from telework-heavy environments such as shortages in physical and IT security personnel and reduced access controls by service vendors.
Protecting the Nation’s critical infrastructure requires a collective, coordinated effort. Individual companies and organizations can start today by building and implementing an effective ICT supply chain risk management (SCRM) program to improve their overall security posture. To implement an ICT SCRM program, consider using the following steps:
- Identify the people: Build a team of representatives from various roles and functions of the company (e.g., cybersecurity, information technology, physical security, procurement/acquisition, legal, logistics, marketing, and product development). Ensure personnel at all levels are well-trained in the security procedures of their role or function.
- Manage the security and compliance: Document the set of policies and procedures that address security, integrity, resilience, and quality. Ensure they are based on industry standards and best practices on how to conduct SCRM such as those from the National Institute of Standards and Technology (NIST).
- Assess the components: Build a list of ICT components (e.g., hardware, software, and services) that your organization procures to enable your business. Know which internal systems are relied upon for critical information or functions, and which systems have remote access capability that must be protected to prevent unauthorized access.
- Know the supply chain and suppliers: Identify your suppliers and, when possible, the suppliers’ sources. In today’s world of increased outsourcing, it is important to understand your upstream suppliers as part of the larger supply chain ecosystem.
- Verify assurance of third-parties: Verify that your suppliers maintain an adequate security culture and SCRM program to appropriately address the risks that concern your organization. Establish the protocols your organization will use to assess the supply chain practices of your suppliers.
- Evaluate your SCRM program: Determine the frequency with which to review your SCRM program, incorporate feedback, and make changes to your risk management program. This may also include auditing suppliers against practices and protocols established by your organization.
Additionally, CISA’s National Risk Management Center has published several resources on ICT supply chain risk management, to include a new ICT Supply Chain Essentials guide. Read, download, or share these resources to help raise awareness.
- ICT Supply Chain Essentials guide for leaders and risk management professionals to understand where to start implementing SCRM
- ICT Supply Chain Risk Management Fact Sheet includes these steps for organizations to improve their overall security posture
- ICT SCRM Task Force Threat Scenarios Report for ICT threat sources and risks to the supplies, products, and services you purchase
- ICT Response Paper on Executive Order 13873: Methodology for Assessing the Most Critical Information and Communications Technologies and Services