ICT SCRM Task Force: Threat Scenarios Report

The ICT SCRM Task Force Working Group on Threat Evaluation (WG2) was created with the purpose of identifying processes and criteria for threat-based evaluation of ICT suppliers, products, and services.

In February 2020, WG2 released an initial report on Threat Scenarios focused specifically on “suppliers”. WG2 leveraged the NIST Risk Management Practices described in NIST SP 800-161 to help guide the analysis of the supply chain risk management threats and threat sources. After evaluating close to 200 supply chain threats, these threats were compartmentalized into nine supplier threat categories to aid in the evaluation process and guide the development of scenarios intended to provide insights into the processes and criteria for conducting supplier threat assessment. These categories guided WG2 in the development of scenarios for each category that specified the threat, source(s) or actor(s), outcome, mitigating strategies, and more information.

The latest report, Version 2 released February 2021, adds the assessment of “impacts” and “mitigating” controls to the supplier threat scenarios originally provided. Version 2 also includes threat mitigating strategies and SCRM controls that may reduce the impact of these threats. The objective is to provide a practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied during procurement or source selection by government and industry to assess supply chain risks and develop practices/procedures to manage the potential impact of these threats.

These reports are provided "as is" for informational purposes only and serve as a baseline evaluation of risks to ICT suppliers.

Return to ICT SCRM Task Force.