The Working Group (WG) on Threat Evaluation is one of four WGs of the ICT Supply Chain Risk Management (SCRM) Task Force. Composed of sector members, subject matter experts, and representatives from across the Federal government, the WG has the purpose of identifying processes and criteria for threat-based evaluation of ICT suppliers, products, and services.
For this report, the WG leveraged the NIST Risk Management Practices described in NIST SP 800-161 to help guide the analysis of SCRM threats and threat sources. After evaluating the threat data, nine supplier threat categories were identified: counterfeit parts, cybersecurity, internal security operations and controls, system development life cycle processes and tools, insider threats, economic risks, inherited risk, legal risks, and external end-to-end supply chain risks. These categories guided the WG in developing a scenario for each category that specified the threat, its source(s) or actor(s), the outcome, mitigating strategies, and additional information.
This report is provided "as is" for informational purposes only and serves as a baseline evaluation of risks to ICT suppliers.