Task Force Establishes Way Forward After Charter Extension: Year 2.5

Authored by: National Risk Management Center

Keeping supply chains secure is no easy feat. From product development to its final delivery, a single product can require hundreds of entities, varying compliance requirements, and a diverse array of logistical challenges. With the nation’s critical infrastructure dependent on information and communications technology (ICT) to operate, disruptions or security incidents to the ICT supply chain can have cascading impacts within and across organizations, sectors, and the National Critical Functions.

Supply chain security is one of the Cybersecurity and Infrastructure Security Agency’s (CISA) top priorities—a priority that it achieved largely through the collective effort of the ICT Supply Chain Risk Management (SCRM) Task Force. Co-chaired by CISA’s National Risk Management Center and the IT and Communications Sector Coordinating Councils (SCC), the Task Force is a public-private partnership that brings subject matter experts and representatives from more than forty small to large organizations together to collectively manage supply chain risks.

In January 2021, a six-month extension to the Task Force’s charter was signed, which will allow the Task Force to continue to launch new or updated lines of effort; start piloting its products within the ICT community and other stakeholders; and build relationships with international partners, sectors, and new stakeholders. Efforts over the next six months will include work by the:

• Information Sharing Working Group: Since vulnerabilities in the ICT supply chain could affect all users of that technology, organizations that share or receive suspect-supplier information early on in the acquisition process can prevent the collateral damage to users as well as all involved entities. Continuing the Task Force’s work, this WG will steer its focus on proposing paths, such as long-term policy and legal changes, that will give liability protection to the private sector in order to promote information sharing about suspect suppliers.
• Small and Medium-sized Businesses (SMB) Working Group: SMBs play a significant role in our nation’s economy and are at the heart of many industries, such as manufacturing. However, many SMBs may find it difficult to institutionalize Federal Supply Chain guidance due to limited finances, resources, and employees. This new WG will engage the SMB community to understand their needs and tailor Task Force products to make them more applicable to SMBs.
• Product Use Acceleration Working Group: Accelerating the applicability and utilization of Task Force products will help organizations manage impacts of supply chain risks. This new WG will engage with government agencies; state, local, territorial, and tribal entities; academia (i.e., Centers of Excellence); and non-governmental entities on how to apply Task Force products in their businesses, pilot specific products to test their usability, and incorporate feedback to ensure products continue to be useful and provide meaningful information.
• Study Group on Lessons Learned from Recent Software Supply Chain Attacks: As cyber attacks become more sophisticated, the roles of the chief information officer (CIO), chief information security officer (CISO), and IT or cyber security personnel are essential for safeguarding an organization’s information and assets. This study will dive into how the Task Force can support CIOs, CISOs, and other security personnel in making better risk-informed decisions when procuring or deploying certain ICT products—especially ones with high-level administrative access across an organization.

Over the course of the next several months, the Task Force will also proactively look at future activities and products that can help organizations and agencies respond to shifts in the global ICT threat landscape. Effective risk management depends on a unity of effort—a unity that the Task Force brings to its goal of achieving a globally secure and resilient ICT supply chain.

To learn more about or to participate in the Task Force, visit CISA.gov/ict-scrm-task-force or email ICT_SCRM_TaskForce@hq.dhs.gov.

To read about the Task Force’s second-year progress, read the Year 2 Report.