Sharing Supply Chain Risk Information to Increase Resilience Fact Sheet

Sharing Supply Chain Risk Information to Increase Resilience Fact Sheet
The Challenge of Information Sharing
Improving the quality and volume of information sharing among the federal government and private industry is necessary to obtain actionable information that could mitigate threats to the Nation’s information and communications technology (ICT) supply chain. Significant barriers to the sharing of supply chain risk information (SCRI) exist.
This report is the culmination of a multi-year effort by the Cybersecurity and Infrastructure Security Agency’s (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force to address the issues of sharing SCRI between companies and government entities. The initial work defined a common framework for the bi-directional sharing of actionable SCRI between federal government and industry.
Subject matter experts (SMEs) researched legal and policy considerations for private enterprise or government utilization in addressing liability limitations. The SMEs found that limiting liability would facilitate the most effective sharing of actionable SCRI with the government or between companies.
This report focused its research on paths to limit certain state law causes of action, to which a business may be exposed to by virtue of its sharing of SCRI. This report offers research by SMEs on legal and policy considerations to be used by private enterprises or government in seeking to address the issue of liability limitations. This report contains consensus input of non-federal members and does not reflect the official policy or position of the federal government or its official representatives.
The Importance of Information Sharing
The report, titled Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information, details how the sharing of information on suspect suppliers SCRI between the federal government and industry is an important avenue in which to mitigate the threats to the nation’s ICT supply chain. This body of work reflects the fact that private and public sector entities share the same global ICT supply chain and therefore share the same risks. All organizations that are part of this supply chain should be aware of these information sharing issues.
Limitations and Barriers for Sharing SCRI
To improve the sharing of SCRI, including naming suspect suppliers, and to provide protection from potential liability for sharing information, this report recommends amending the 2015 Cybersecurity Information Sharing Act to specifically add supply chain risk as a form of information that constitutes a cyber threat indicator. If SCRI was explicitly listed as a class of information considered a cyber threat indicator, entities would have clear legal authority to share SCRI in accordance with the statute without fear of litigation.
The report offers SME research on legal and policy considerations for providing liability protection to the private sector to promote information sharing about suspect suppliers. In developing the report, seven potential causes of action that could impose significant liability on private entities for sharing supply chain risk information are considered:
- Tortious Interference, Existing Contract
- Tortious Interference, Prospective Contract
- Business Relationship or Business Advantage
- Business or Commercial Disparagement
- Defamation
- Breach of Contract
- Misappropriation of Trade Secrets
Below is an excerpt from the report’s appendix showing causes of action and the mitigating factors as well as corresponding safe harbor solutions for sharing SCRI.
Table 1: Potential Standard for SCRI Sharing with Private Party or Government Based on Identified Causes of Action
Cause of Action | Mitigating Factors | Proposed Corresponding Solution of Safe Harbor |
---|---|---|
Tortious Interference with Existing Contract |
|
|
Fraudulent Misrepresentation |
|
|
Breach of Contract |
|
|
Resources
- ICT Supply Chain Risk Management Task Force: https://www.cisa.gov/resources-tools/groups/ict-supply-chain-risk-management-task-force
- ICT Supply Chain Library: CISA.gov/ict-supply-chain-library