Information and communications technology (ICT) is integral for the daily operations and functionality of U.S. critical infrastructure. If vulnerabilities in the ICT supply chain—composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors—are exploited, the consequences can affect all users of that technology or service.
CISA, through the National Risk Management Center (NRMC), is committed to working with government and industry partners to ensure that supply chain risk management (SCRM) is an integrated component of security and resilience planning for the Nation’s infrastructure.
January 11, 2022: Today, CISA announced the ICT Supply Chain Risk Management Task Force’s three new government members and its 2022 workplan. Going forward, the Task Force will continue its progress on two previous efforts; launch a new working group focused on hardware bill of materials; scope two additional topics; and expand its relationships with international partners, new sectors, and stakeholders.
- To learn more, read CISA’s press release: ICT Supply Chain Risk Management Task Force Announces New Members And Approves A New 2022 Working Group
The ICT supply chain is a complex, globally interconnected ecosystem that encompasses the entire life cycle of ICT hardware, software, and managed services and a wide range of entities—including third-party vendors, suppliers, service providers, and contractors. From cell phone devices to information-sharing software, government and industry purchase these products and services and use them to power and enable critical infrastructure systems. However, a supply chain is only as strong as its weakest link.
Foreign adversaries, hackers, and criminals seeking to steal, compromise or alter, and destroy sensitive information can target government and industry via the contractors, sub-contractors, and suppliers at all tiers of the ICT supply chain. Compounding the complexity of securing the supply chain is that vulnerabilities may be introduced during any phase of the product life cycle: design, development and production, distribution, acquisition and deployment, maintenance, and disposal. These vulnerabilities can include the incorporation of malicious software, hardware, and counterfeit components; flawed product designs; and poor manufacturing processes and maintenance procedures.
CISA, through the NRMC, is committed to working with government and industry partners to enhance the security and resilience of the global ICT supply chain and to ensure that SCRM is an integrated component of the Agency’s cybersecurity efforts.
To understand SCRM and the role it plays within our society, take the free online FedVTE course: Cyber Supply Chain Risk Management for the Public. This three-part course provides an introduction to what a supply chain is, how adversaries target supply chains, and steps that individuals and organizations can take to improve supply chain security. No log-in required.
ICT SCRM Task Force
In December 2018, the Department of Homeland Security established the ICT SCRM Task Force—a public-private partnership charged to identify and develop consensus risk management strategies to enhance global ICT supply chain security. Composed of federal government and industry representatives from across the Information Technology and Communications Sectors, the Task Force serves as the Agency’s center of gravity for supply chain risk management partnership activity.
In August 2021, the ICT SCRM Task Force was extended to July 31, 2023. This will allow the Task Force to launch a new working group, continue its progress from two previous efforts, scope additional efforts related to promoting software assurance and the utility of Software Bill of Materials, and explore means to build partnerships to collectively enhance ICT supply chain resilience.
Over the course of the next several months, the Task Force’s efforts include:
- Hardware Bills of Materials Working Group, which will identify appropriate information for a baseline hardware bill of materials template that can be used by organizations when procuring or deploying ICT products.
- Small and Medium-sized Businesses Working Group, which will engage the small and medium-sized business community to understand and tailor Task Force products to meet their needs.
- Product Marketing Working Group (formerly Product Use Acceleration), which engages with stakeholders to ensure Task Force products provide useful and meaningful information.
Learn more about the ICT SCRM Task Force.
ICT SCRM Program Basics for Your Company
Protecting your organization’s information in a digitally-connected world requires understanding not only your organization’s immediate supply chain, but also the extended supply chains of third-party vendors, service providers, and customers. These essential steps will assist your organization in managing supply chain risks and building an effective SCRM practice.
Identify the people: Build a team of representatives from various roles and functions of the company (e.g., cybersecurity, information technology, physical security, procurement/acquisition, legal, logistics, marketing, and product development). Ensure personnel at all levels are well-trained in the security procedures of their role or function.
Manage the security and compliance: Document the set of policies and procedures that address security, integrity, resilience, and quality. Ensure they are based on industry standards and best practices on how to conduct SCRM such as those from the National Institute of Standards and Technology (NIST).
Assess the components: Build a list of ICT components (e.g., hardware, software, and services) that your organization procures to enable your business. Know which internal systems are relied upon for critical information or functions, and which systems have remote access capability that must be protected to prevent unauthorized access.
Know the supply chain and suppliers: Identify your suppliers and, when possible, the suppliers’ sources. In today’s world of increased outsourcing, it is important to understand your upstream suppliers as part of the larger supply chain ecosystem.
Verify assurance of third-parties: Verify that your suppliers maintain an adequate security culture and SCRM program to appropriately address the risks that concern your organization. Establish the protocols your organization will use to assess the supply chain practices of your suppliers.
Evaluate your SCRM program: Determine the frequency with which to review your SCRM program, incorporate feedback, and make changes to your risk management program. This may also include auditing suppliers against practices and protocols established by your organization.
Download the ICT SCRM Essentials for more detailed information on how companies and organizations can effectively implement organizational SCRM practices.
Download the Internet of Things (IoT) Acquisition Guidance Document for SCRM and cybersecurity factors to consider before purchasing or using IoT devices, systems, and services.
Executive Order 13873
On May 15, 2019, the President issued Executive Order on Securing the Information and Communications Technology and Services Supply Chain (E.O. 13873) to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.
The E.O. sets out the procedures the Department of Commerce will use to prohibit the use or transaction of “information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” that pose: 1) risk of sabotage or subversion; 2) catastrophic effects on the Nation’s critical infrastructure or digital economy; or 3) adverse consequences to national security and public safety.
CISA was directed, within 80 days of the E.O. release, “to assess and identify entities, hardware, software, and services that present vulnerabilities in the United States and that pose the greatest potential consequences to the national security of the United States” as decision support to the Department of Commerce.
In response, CISA's NRMC and the ICT SCRM Task Force worked with industry and government partners to develop two resources that describe a standardized taxonomy of ICT elements; perform criticality assessments on these ICT elements with appropriate stakeholder input; and assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communication.
Please note that these resources are provided "as is" for informational purposes only. This methodology can be used as an input to a risk assessment, but by itself is not sufficient for a comprehensive review of risk.
ICT SCRM Resources & News
- CISA's ICT SCRM Essentials
- CISA's ICT SCRM Fact Sheet
- CISA's ICT Supply Chain Risks Infographic
- CISA and NIST’s Defending Against Software Supply Chain Attacks
- CISA Insights: Risk Considerations for Managed Service Provider Customers
- ICT SCRM Task Force Interim Report
- ICT SCRM Task Force Lessons Learned During the COVID-19 Pandemic Analysis Report
- ICT SCRM Task Force Operationalizing Vendor SCRM Template for Small and Medium-sized Businesses
- Operationalizing Vendor SCRM Template for SMBs Spreadsheet is an alternate tool for using this product, intended to allow yes, no, or partial responses to each of the questions.
- ICT SCRM Task Force Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information
- ICT SCRM Task Force Threat Scenarios Report (Version 1)
- ICT SCRM Task Force Threat Scenarios Report (Version 2)
- ICT SCRM Task Force Threat Scenarios Report (Version 3)
- ICT SCRM Task Force Year Two Report
- ICT SCRM Task Force Report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists
- ICT SCRM Task Force Vendor SCRM Template
- Internet of Things (IoT) Acquisition Guidance Document
- Online Course: Cyber Supply Chain Risk Management for the Public
- This is a free course, provided through the Federal Virtual Training Environment (FedVTE), with no log-in requirements.
- Overview of Risks Introduced by 5G Adoption in the United States
- Paper on EO 13873 Response: Methodology for Assessing the Most Critical ICT and Services
- Fifth Generation (5G) Infographic
- Blog Article – Going Beyond: Assessing Security Practices of IT Service Providers
- Blog Article – April is National Supply Chain Integrity Month - Week 4: Knowing the Essentials
- Blog Article – April is National Supply Chain Integrity Month - Week 3: Understanding Supply Chain Threats
- Blog Article – April is National Supply Chain Integrity Month - Week 2: Assessing ICT Trustworthiness
- Blog Article – April is National Supply Chain Integrity Month - Week 1: Building Collective Supply Chain Resilience
- Blog Article – Task Force Establishes Way Forward After Charter Extension: Year 2.5
- Blog Article – Building Collective Resilience for the ICT Supply Chain
- Press Release – ICT Supply Chain Risk Management Task Force Announces New Members and Approves A New 2022 Working Group
- Press Release – CISA’s ICT SCRM Task Force Approves Recommendations and Interim Report
- Press Release – CISA Releases Analysis Report on COVID-19 Impact to ICT Global Supply Chains
- Press Release – CISA Releases ICT SCRM Task Force Year 2 Report
- Press Release – CISA Announces Extension of the ICT SCRM Task Force
For questions or comments, email email@example.com.