Sharing Information to Get Ahead of Supply Chain Risks
Author: by the National Risk Management Center
The increase in digitization and use of information and communications technology (ICT) has improved ability of many companies to provide National Critical Functions. ICT enables access to real-time information, remote entry to networks, instant communication, and so much more. At the same time, nation-states seeking to cause harm to the United States (i.e., espionage or stealing information) have thousands of companies and entry points to choose from. The government buys ICT from private industry, and while many of those companies know their direct suppliers, they may not know who their suppliers’ suppliers are. For an adversary, targeting those second- or third-tier supplies represents a way to target the government as well as other critical functions.
In a world of shared risks, securing the global ICT supply chain requires an ongoing, unified effort between government and industry. In response, the ICT Supply Chain Risk Management Task Force, a public-private partnership for enhancing supply chain resilience, has developed two new resources: 1) to address liability challenges on sharing supply chain threat information and, 2) to assist small and medium-sized businesses (SMBs) with mitigating ICT supply chain risks.
The first resource, Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information, offers subject matter expert research on legal and policy considerations for giving liability protection to the private sector in order to promote information sharing about suspect suppliers. In developing the report, the Task Force considered seven potential causes of action (i.e., defamation, business or commercial disparagement, breach of contract, and misappropriation of trade secrets) that could impose significant liability upon private entities for sharing supply chain risk information. Ultimately, improving the quality and volume of information sharing among the federal government and private industry is necessary to obtain actionable information that could mitigate threats to the Nation’s ICT supply chain.
The second resource, Operationalizing the Vendor SCRM Template for Small and Medium-sized Businesses, helps IT and communications small and medium-sized businesses assess their risk posture from the perspective of the acquirer, integrator, and supplier when procuring ICT hardware, software, and services or acquiring new contracts. Such businesses play a significant role in our nation’s economy and are at the heart of many industries. According to the U.S. Small Business Administration, there are over thirty million small and medium-sized businesses across the United States, which account for nearly half of the nation's gross domestic product. Additionally, this guide includes an easy-to-use spreadsheet as an alternate tool. Both products gear the applicability of the previously released enterprise Vendor SCRM Template to help businesses apply industry standards and best practices in a standardized way.
Over the past two years, the Task Force has analyzed over 200 threats to supply chains, studied the impacts from COVID-19 on supply chain logistics, and has leveraged its collective expertise to develop actionable solutions on a wide range of supply chain issues. For these resources and more, please visit: CISA.gov/ict-supply-chain-toolkit. Additionally, please view the videos below to learn more about these resources.
Mitigating ICT Supply Chain Risk for Small and Medium-sized Businesses - YouTube
Improving Multi-Directional Sharing of Supply Chain Risk Information - YouTube