Working Group

ICT Supply Chain Risk Management Task Force

Announcements

CISA Releases the Empowering SMBs: A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan

October 23, 2023: NRMC is pleased to announce the publication of the Empowering SMBs: A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan, which provides ICT SMBs with a starting point to develop and tailor a SCRM plan that meets the needs of their business. Additionally, this product serves as a tool to support SMBs in developing an actionable SCRM plan to mitigate the risk of disruption to their supply chain, enhance their supply chain resilience, and satisfy potential requests from stakeholder procurement processes.

Empowering Small and Medium-Sized Businesses (SMB): A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan

CISA Releases Hardware Bill Of Materials Framework (HBOM) For Supply Chain Risk Management

September 25, 2023: NRMC is pleased to announce the publication of the Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management which seeks to create a consistent, repeatable way for vendors to communicate to purchasers the hardware components in products that they have or may purchase, to enable purchasers to evaluate and mitigate risks in their supply chain. Additionally, this framework provides a useful tool to help industry and government evaluate and address supply chain risks, set forth a consistent, predictable structure for HBOMs and provide a set of clearly defined data fields of HBOM components and their attributes to promote efficiencies across the Information and Communications Technology sector for a variety of use cases.

Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management

Overview

In December 2018, the Department of Homeland Security established the ICT SCRM Task Force—a public-private partnership charged with identifying challenges and developing actionable solutions to enhance global ICT supply chain resilience. Composed of federal government and industry representatives from across the Information Technology and Communications Sectors, the Task Force serves as the Agency’s center of gravity for supply chain risk management partnership activity.

While ICT products and services have allowed for a rapid and dramatic change in how we work, learn, and socialize, it also presents broad attack surfaces for adversaries to find innovative ways to potentially infiltrate, exploit, and/or corrupt equipment, systems, and information used every day by the government, industry, and private citizens. Recognizing the importance of securing ICT supply chains, on May 15, 2019, the Executive Order (E.O.) 13873 on Securing the Information and Communications Technology and Services Supply Chain was signed into law. E.O. 13873 directs the federal government to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.

CISA is well positioned to synchronize interagency supply chain efforts across the Department to build resilience by enhancing coordination and collaboration with the private sector through the ICT SCRM Task Force. Learn more about CISA's E.O. 13873 response efforts.

Product Survey Feedback

Product Survey Feedback. We welcome your feedback! Please share your thoughts about one or more of the ICT SCRM Task Force products through this voluntary, anonymous Product Feedback Survey.

ICT SCRM Task Force Year 3 Activities

The Task Force embodies CISA’s collective defense approach to enhance the ICT supply chain resilience. Members will continue to explore means for building partnerships with international partners, additional critical infrastructure sectors, and stakeholders who can help grow the applicability and utilization of Task Force products as well as support the Federal Acquisition Security Council (FASC).

The Task Force's current efforts include:

	Hardware Bills of Materials (HBOM) Working Group, which will identify use cases for HBOMs and develop a taxonomy for HBOM data fields that could help inform the development of related guidance.
	Small and Medium-sized Businesses Working Group, which will continue to develop guidance for the small and medium-sized community to assist with their establishment and conduct of supply chain risk management programs and policies.
	Software Assurance Working Group, which will develop a Buyer's Guide that will help ensure that buyers, suppliers, and acquisition specialists refer to one piece of guidance that includes all important documentation regarding the implementation, security, and reliability of software assurance as well as the risks that can arise.
	Product Marketing Working Group, which will undertake a marketing campaign to increase stakeholders’ awareness of the Task Force and its products, as well as engage with stakeholders to gather feedback on the Task Force’s products.

ICT SCRM Task Force Resources

Please share your thoughts about the ICT Supply Chain Risk Management Task Force resources through this voluntary, anonymous Product Feedback Survey. We welcome your feedback!

ICT Supply Chain Risk Management Task Force Interim Report

DEC 17, 2020 | PUBLICATION

This report provides an overview of the Task Force and its first year’s efforts in addressing SCRM challenges such as information sharing; evaluating supply chain threats; identifying criteria for establishing Qualified Bidder Lists (QBL); and more.

Download File (PDF, 1.49 MB)

ICT Supply Chain Risk Management Task Force Year Two Report

DEC 17, 2020 | PUBLICATION

Provides an update on the ICT Supply Chain Risk Management Task Force’s progress in Year Two to advance meaningful partnerships and analysis around supply chain security and resilience.

Download File (PDF, 1.72 MB)

Building A More Resilient ICT Supply Chain: Lessons Learned During the COVID-19 Pandemic

DEC 17, 2020 | PUBLICATION

This analysis report examines how the COVID-19 pandemic impacted the logistical supply chains of ICT companies and provides recommendations on how organizations can increase their supply chain resilience from future risks.

Download File (PDF, 1.64 MB)

Operationalizing Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses and Excel

OCT 26, 2021 | PUBLICATION

Provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help small and medium-sized businesses guide supply chain risk planning in a standardized way.

View Files

Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information

SEP 21, 2021 | PUBLICATION

This product provides research by SMEs in addressing liability limitations to improve sharing of supply chain risk information among the federal government and private industry.

Download File (PDF, 334.6 KB)

ICT Supply Chain Risk Management Task Force Threat Scenarios Report Versions 1, 2, and 3

AUG 02, 2021 | PUBLICATION

Provides practical, example-based guidance on supply chain risk management (SCRM) threat analysis and evaluation.

View Files

Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists

APR 12, 2021 | PUBLICATION

This report provides organizations a list of evaluation criteria and factors that can be used to inform their decision to build or rely on a qualified list for the acquisition of ICT products and services while managing supply chain risks.

Download File (PDF, 1.31 MB)

ICT SCRM Task Force Vendor Template

APR 12, 2021 | PUBLICATION

Provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way.

Download File (PDF, 1.51 MB)

Securing Small and Medium-Sized Business (SMB) Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks

JAN 26, 2023 | PUBLICATION

This handbook provides an overview of the highest supply chain risk categories commonly faced by ICT small and medium-sized businesses (SMBs), including cyber risks, and resources that can assist SMBs.

Download File (PDF, 580.12 KB)

Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management

SEP 25, 2023 | PUBLICATION

Provides a framework that includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance of what HBOM information is appropriate.

Download File (PDF, 823.16 KB)

Empowering Small and Medium-Sized Businesses

OCT 11, 2023 | PUBLICATION

A Resource Guide that provides a valuable starting point for SMBs to develop and tailor an ICT SCRM plan that meets the needs of their business.

Download File (PDF, 1.03 MB)

ICT Supply Chain Fact Sheets

Reducing ICT Supply Chain Risk in Small and Medium-Sized Businesses Fact Sheet

MAY 23, 2023 | PUBLICATION

A fact sheet that provides an overview of the Securing Small and Medium-Sized Business (SMB) Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks.

Download File (PDF, 469.13 KB)

Assisting Small and Medium-sized Businesses Assess Vendors and Suppliers Fact Sheet

APR 03, 2023 | PUBLICATION

A fact sheet that provides an overview of the ICT SCRM Task Force's resource, Operationalizing the Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses (SMB), and how this guide can help SMBs assess the security posture.

Download File (PDF, 446.63 KB)

Building More Resilient ICT Supply Chains Fact Sheet

APR 03, 2023 | PUBLICATION

A fact sheet that provides an overview of the ICT Supply Chain Risk Management (SCRM) Task Force's resource, Lessons Learned During the Covid-19 Pandemic Study and the practical recommendations that can support organizations and businesses with operational decisions.

Download File (PDF, 375.54 KB)

Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists Fact Sheet

APR 03, 2023 | PUBLICATION

A fact sheet that provides an overview of the ICT SCRM Task Force's resource, Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists, which provides risk-based recommendations surrounding the use of “Qualified Lists”.

Download File (PDF, 442.38 KB)

Sharing Supply Chain Risk Information to Increase Resilience Fact Sheet

APR 03, 2023 | PUBLICATION

A fact sheet that provides an overview of the report, Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information (SCRI), which details why sharing of SCRI is important.

Download File (PDF, 323.17 KB)

Procuring Safe and Secure ICT Products and Services Fact Sheet

APR 03, 2023 | PUBLICATION

A fact sheet that provides an overview of the ICT SCRM Task Force's resource, Vendor SCRM Template, which helps organizations and businesses assess the security posture of their vendors and suppliers in a standardized way.

Download File (PDF, 361.62 KB)

Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management Fact Sheet

SEP 14, 2023 |

Learn more about the Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management.

Download File (PDF, 377.75 KB)

Empowering Small and Medium-Sized Businesses Resource Guide Fact Sheet

OCT 11, 2023 | PUBLICATION

A fact sheet that provides an overview of the ICT SCRM Task Force’s resource Empowering SMBs: A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan.

Download File (PDF, 1.51 MB)