October 23, 2023: NRMC is pleased to announce the publication of the Empowering SMBs: A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan, which provides ICT SMBs with a starting point to develop and tailor a SCRM plan that meets the needs of their business. Additionally, this product serves as a tool to support SMBs in developing an actionable SCRM plan to mitigate the risk of disruption to their supply chain, enhance their supply chain resilience, and satisfy potential requests from stakeholder procurement processes.
September 25, 2023: NRMC is pleased to announce the publication of the Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management, which seeks to create a consistent, repeatable way for vendors to communicate to purchasers the hardware components in products that they have or may purchase, to enable purchasers to evaluate and mitigate risks in their supply chain. Additionally, this framework provides a useful tool to help industry and government evaluate and address supply chain risks, set forth a consistent, predictable structure for HBOMs and provide a set of clearly defined data fields of HBOM components and their attributes to promote efficiencies across the Information and Communications Technology sector for a variety of use cases.
In December 2018, the Department of Homeland Security established the ICT SCRM Task Force—a public-private partnership charged with identifying challenges and developing actionable solutions to enhance global ICT supply chain resilience. Composed of federal government and industry representatives from across the Information Technology and Communications Sectors, the Task Force serves as the Agency’s center of gravity for supply chain risk management partnership activity.
While ICT products and services have allowed for a rapid and dramatic change in how we work, learn, and socialize, they also present broad attack surfaces for adversaries to find innovative ways to potentially infiltrate, exploit, and/or corrupt equipment, systems, and information used every day by the government, industry, and private citizens. Recognizing the importance of securing ICT supply chains, on May 15, 2019, Executive Order (E.O.) 13873 on Securing the Information and Communications Technology and Services Supply Chain was signed into law. E.O. 13873 directs the federal government to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.
CISA is well positioned to synchronize interagency supply chain efforts across the Department to build resilience by enhancing coordination and collaboration with the private sector through the ICT SCRM Task Force. Learn more about CISA's E.O. 13873 response efforts.
Product Survey Feedback
We welcome your feedback! Please share your thoughts about one or more of the ICT SCRM Task Force products through this voluntary, anonymous Product Feedback Survey.
ICT SCRM Task Force Year 3 Activities
The Task Force embodies CISA’s collective defense approach to enhancing ICT supply chain resilience. Members will continue to explore means for building partnerships with international partners, additional critical infrastructure sectors, and stakeholders who can help grow the applicability and utilization of Task Force products as well as support the Federal Acquisition Security Council (FASC).
The Task Force's current efforts include:
Hardware Bills of Materials (HBOM) Working Group, which will identify use cases for HBOMs and develop a taxonomy for HBOM data fields that could help inform the development of related guidance.
Small and Medium-sized Businesses Working Group, which will continue to develop guidance for the small and medium-sized community to assist with their establishment and conduct of supply chain risk management programs and policies.
Software Assurance Working Group, which will develop a Buyer's Guide that will help ensure that buyers, suppliers, and acquisition specialists refer to one piece of guidance that includes all important documentation regarding the implementation, security, and reliability of software assurance as well as the risks that can arise.
Product Marketing Working Group, which will undertake a marketing campaign to increase stakeholders’ awareness of the Task Force and its products, as well as engage with stakeholders to gather feedback on the Task Force’s products.
A diverse range of representatives from large and small private sector organizations within the IT and Communications sectors, ICT associations, and federal agencies.
These resources and tools were developed by the ICT Supply Chain Risk Management (SCRM) Task Force.
ICT SCRM Task Force Resources
Please share your thoughts about the ICT Supply Chain Risk Management Task Force resources through this voluntary, anonymous Product Feedback Survey. We welcome your feedback!
Operationalizing Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses and Excel
Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information
Securing Small and Medium-Sized Business (SMB) Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks
ICT Supply Chain Fact Sheets
ICT SCRM Task Force Videos
For questions or comments, email firstname.lastname@example.org.