Procuring Safe and Secure ICT Products and Services Fact Sheet

Procuring Safe and Secure ICT Products and Services Fact Sheet
Overview
Protecting your organization’s data requires understanding not only your immediate supply chain, but also your vendors' and suppliers' supply chain practices. The Cybersecurity and Infrastructure Security Agency’s (CISA), Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force developed a Vendor SCRM Template to help organizations and businesses of any size assess the security posture of their vendors and suppliers in a standard way when purchasing ICT hardware, software, and services.
Assessing Vendor and Supplier Trustworthiness
Having trustworthy vendors and suppliers are key elements to manage and reduce supply chain risks. The Vendor SCRM Template is a baseline questionnaire to help organizations address potential gaps in their supply chain procurement process. It builds upon existing industry standards to enable both vendors and customers to communicate in a way that is consistently understood, predictable, and actionable. These questions provide enhanced visibility and transparency into entity trust and assurance practices and assist in informed decision-making about acceptable risk exposure. The template can help enhance any organization’s supply chain risk posture and resiliency by ensuring that purchased products meet industry standards.
The questions listed in Table 1 are grouped in seven key categories, broadly covering ICT supply chain risk management, governance, and associated risk domains. The seven key categories are: Supply Chain Management and Supplier Governance, Secure Design and Engineering, Information Security, Physical Security, Personnel Security, Supply Chain Integrity, and Supply Chain Resilience.
Table 1: Vendor SCRM Template Sample Questions
Category | Sub-Category |
Sample Question |
---|---|---|
|
ICT Supply Chain Management | Do you have a documented Quality Management System for your ICT supply chain operation based on an industry standard or framework? |
|
Product Offering Lifecycle Management and Organization | Does your organization document and communicate security control requirements for your hardware, software, or solution offering? |
|
Asset Management | Do you inventory and audit back-up, replacement hardware, and software assets to ensure their accountability and integrity? |
|
Physical Security in Transit | Do you utilize a controlled bill of materials or similar capability to protect assets that are being received, in process, or in-transit? |
|
Onboarding | Do you have a process for onboarding personnel? |
|
Supply Chain Integrity | Do you have documented performance and validation procedures for your hardware/software products or services? |
|
Diversity of Supply Base | Does your company consider supplier diversity to avoid single sources and to reduce the occurrence of suppliers being susceptible to the same threats to resilience? |
The purpose of the template is to illuminate the risk factors, so the acquiring organization understands how the risk profile of the entity aligns with their tolerance of risk for the specific product or service being provided. These questions will aid in mitigating (not eliminating) risk and are consistent with commercial and public sector standards. The questions should be used as applicable, depending on the product or service and the customer involved (e.g., Department of Defense (DoD), civilian, commercial).
Robust Methodology
These seven key categories were built on a framework of established industry standards and other ICT SCRM Task Force efforts, while incorporating inputs from the National Institute of Standards and Technology (NIST) SP 800-161, DoD Cybersecurity Maturity Model Certification (CMMC), and the Outsourcing Network Services Assessment Tool (ONSAT).
Resources
- ICT Supply Chain Risk Management Task Force: https://www.cisa.gov/resources-tools/groups/ict-supply-chain-risk-management-task-force
- ICT Supply Chain Library: CISA.gov/ict-supply-chain-library