Information and communications technology (ICT) is integral for the daily operations and functionality of U.S. critical infrastructure. If vulnerabilities in the ICT supply chain—composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors—are exploited, the consequences can affect all users of that technology or service.
CISA, through the National Risk Management Center (NRMC), is committed to working with government and industry partners to ensure that supply chain risk management (SCRM) is an integrated component of security and resilience planning for the Nation’s infrastructure.
September 1: The Office of Management and Budget (OMB) published an Interim Final Rule on the Federal Acquisition Supply Chain Security Act (85 FR 54263) with a request for comments to implement the requirements of the laws that govern the operation of the Federal Acquisition Security Council (FASC), the sharing of supply chain risk information, and the exercise of its authorities to recommend issuance of removal and exclusion orders to address supply chain security risks. The FASC has identified CISA as the executive agency for information sharing, which will allow for more robust communication between the government and private industry.
Comments will be accepted through November 2, 2020. For more information, read the Federal Register notice.
ICT SCRM Overview
The ICT supply chain is a complex, globally interconnected ecosystem that encompasses the entire life cycle of ICT hardware, software, and managed services and a wide range of entities—including third-party vendors, suppliers, service providers, and contractors. From cell phone devices to information-sharing software, government and industry purchase these products and services and use them to power and enable critical infrastructure systems. However, a supply chain is only as strong as its weakest link.
Foreign adversaries, hackers, and criminals seeking to steal, compromise or alter, and destroy sensitive information can target government and industry via the contractors, sub-contractors, and suppliers at all tiers of the ICT supply chain. Compounding the complexity of securing the supply chain is that vulnerabilities may be introduced during any phase of the product life cycle: design, development and production, distribution, acquisition and deployment, maintenance, and disposal. These vulnerabilities can include the incorporation of malicious software, hardware, and counterfeit components; flawed product designs; and poor manufacturing processes and maintenance procedures.
CISA, through the NRMC, is committed to working with government and industry partners to enhance the security and resilience of the global ICT supply chain and to ensure that SCRM is an integrated component of the Agency’s cybersecurity efforts.
ICT SCRM Task Force
In December 2018, the Department of Homeland Security established the ICT SCRM Task Force—a public-private partnership charged to identify and develop consensus risk management strategies to enhance global ICT supply chain security.
Composed of representatives from 20 federal agencies and 40 industry members from across the Information Technology and Communications Sectors, the Task Force acts as a center of gravity for supply chain risk management partnership activity. The Task Force recently published an Interim Report on its activities to date, which highlights output from past and current working groups. These working groups include efforts to:
- Better understand challenges surrounding the bi-directional sharing of SCRM information;
- Identify processes and criteria for threat-based evaluation of ICT supplies, products, and services;
- Identify market segment(s) and evaluation criteria for Qualified Bidder and Manufacturer List(s);
- Produce policy recommendations to incentivize the purchase of ICT from original manufacturers or authorized resellers; and
- Develop a supply chain attestation template for vendors.
Learn more about the ICT SCRM Task Force.
ICT SCRM Program Basics for Your Company
Protecting your organization’s information in a digitally-connected world requires understanding not only your organization’s immediate supply chain, but also the extended supply chains of third-party vendors, service providers, and customers. These essential steps will assist your organization in managing supply chain risks and building an effective SCRM practice.
- Identify the people: Build a team of representatives from various roles and functions of the company (e.g., cybersecurity, information technology, physical security, procurement/acquisition, legal, logistics, marketing, and product development). Ensure personnel at all levels are well-trained in the security procedures of their role or function.
- Manage the security and compliance: Document the set of policies and procedures that address security, integrity, resilience, and quality. Ensure they are based on industry standards and best practices on how to conduct SCRM such as those from the National Institute of Standards and Technology (NIST).
- Assess the components: Build a list of ICT components (e.g., hardware, software, and services) that your organization procures to enable your business. Know which internal systems are relied upon for critical information or functions, and which systems have remote access capability that must be protected to prevent unauthorized access.
- Know the supply chain and suppliers: Identify your suppliers and, when possible, the suppliers’ sources. In today’s world of increased outsourcing, it is important to understand your upstream suppliers as part of the larger supply chain ecosystem.
- Verify assurance of third-parties: Verify that your suppliers maintain an adequate security culture and SCRM program to appropriately address the risks that concern your organization. Establish the protocols your organization will use to assess the supply chain practices of your suppliers.
- Evaluate your SCRM program: Determine the frequency with which to review your SCRM program, incorporate feedback, and make changes to your risk management program. This may also include auditing suppliers against practices and protocols established by your organization.
Download the ICT SCRM Essentials for more detailed information on how companies and organizations can effectively implement organizational SCRM practices.
Download the Internet of Things (IoT) Acquisition Guidance Document for SCRM and cybersecurity factors to consider before purchasing or using IoT devices, systems, and services.
Executive Order 13873
On May 15, 2019, the President issued Executive Order on Securing the Information and Communications Technology and Services Supply Chain (E.O. 13873) to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.
The E.O. sets out the procedures the Department of Commerce will use to prohibit the use or transaction of “information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” that pose: 1) risk of sabotage or subversion; 2) catastrophic effects on the Nation’s critical infrastructure or digital economy; or 3) adverse consequences to national security and public safety.
CISA was directed, within 80 days of the E.O. release, “to assess and identify entities, hardware, software, and services that present vulnerabilities in the United States and that pose the greatest potential consequences to the national security of the United States” as decision support to the Department of Commerce.
In response, CISA's NRMC and the ICT SCRM Task Force worked with industry and government partners to develop two resources that describe a standardized taxonomy of ICT elements; perform criticality assessments on these ICT elements with appropriate stakeholder input; and assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communication.
Please note that these resources are provided "as is" for informational purposes only. This methodology can be used as an input to a risk assessment, but by itself is not sufficient for a comprehensive review of risk.
- Paper on E.O. 13873 Response: Methodology for Assessing the Most Critical ICT and Services
- Frequently Asked Questions: DHS's ICT Methodology in Support of E.O. 13873
ICT SCRM Resources & News
- ICT SCRM Essentials
- ICT SCRM Fact Sheet
- ICT Supply Chain Risks Infographic
- ICT SCRM Task Force Interim Report
- ICT SCRM Task Force Threat Scenarios Report
- Internet of Things (IoT) Acquisition Guidance Document
- Overview of Risks Introduced by 5G Adoption in the United States
- Paper on EO 13873 Response: Methodology for Assessing the Most Critical ICT and Services
- Fifth Generation (5G) Infographic
- Press Release – CISA’s ICT SCRM Task Force Approves Recommendations and Interim Report
- Press Release – CISA’s ICT SCRM Task Force Launched Work Streams
- Press Release – DHS and Private Sector Partners Establish ICT SCRM Task Force
- Press Release – DHS Announces ICT SCRM Task Force Members
For questions or comments, email firstname.lastname@example.org.