Information and communications technology (ICT) is integral for the daily operations and functionality of U.S. critical infrastructure. If vulnerabilities in the ICT supply chain—composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors—are exploited, the consequences can affect all users of that technology or service.
CISA, through the National Risk Management Center (NRMC), is committed to working with government and industry partners to ensure that supply chain risk management (SCRM) is an integrated component of security and resilience planning for the Nation’s infrastructure.
May 10, 2021: We are pleased to announce the publication of the ICT Supply Chain Risk Management Toolkit—which includes strategic messaging, social media, videos, and resources—designed to be utilized by stakeholders to emphasize the role that we all have in securing ICT supply chains.
To learn more, visit the ICT Supply Chain Risk Management Toolkit.
The ICT supply chain is a complex, globally interconnected ecosystem that encompasses the entire life cycle of ICT hardware, software, and managed services and a wide range of entities—including third-party vendors, suppliers, service providers, and contractors. From cell phone devices to information-sharing software, government and industry purchase these products and services and use them to power and enable critical infrastructure systems. However, a supply chain is only as strong as its weakest link.
Foreign adversaries, hackers, and criminals seeking to steal, compromise or alter, and destroy sensitive information can target government and industry via the contractors, sub-contractors, and suppliers at all tiers of the ICT supply chain. Compounding the complexity of securing the supply chain is that vulnerabilities may be introduced during any phase of the product life cycle: design, development and production, distribution, acquisition and deployment, maintenance, and disposal. These vulnerabilities can include the incorporation of malicious software, hardware, and counterfeit components; flawed product designs; and poor manufacturing processes and maintenance procedures.
CISA, through the NRMC, is committed to working with government and industry partners to enhance the security and resilience of the global ICT supply chain and to ensure that SCRM is an integrated component of the Agency’s cybersecurity efforts.
To understand SCRM and the role it plays within our society, take the free online FedVTE course: Cyber Supply Chain Risk Management for the Public. This three-part course provides an introduction of what a supply chain is, how adversaries target supply chains, and steps that individuals and organizations can take to improve supply chain security. No log-in required.
ICT SCRM Task Force
In December 2018, the Department of Homeland Security established the ICT SCRM Task Force—a public-private partnership charged to identify and develop consensus risk management strategies to enhance global ICT supply chain security.
Composed of representatives from 20 federal agencies and 40 industry members from across the Information Technology and Communications Sectors, the Task Force acts as a center of gravity for supply chain risk management partnership activity. The Task Force recently published a Year 2 Report on its activities to date which highlight output from past and current working groups.
In January 2021, a six-month extension to the Task Force’s charter was signed. The extension will allow the Task Force to continue its work as outlined in the Year 2 Report, launch new WGs and efforts, and release new resources through July 2021. The extension will also ensure both government and industry members can continue to collaborate on other ongoing public-private engagement efforts around supply chain, and support the Federal Acquisition Security Council (FASC).
Over the course of the next several months, the Task Force’s efforts include work by the:
Information Sharing Working Group: To better understand challenges surrounding the bi-directional sharing of SCRM information, this WG will steer its focus on proposing paths, such as long-term policy and legal changes, that will give liability protection to the private sector in order to promote information sharing about suspect suppliers.
Small and Medium-sized Businesses (SMB) Working Group: SMBs play a significant role in our nation’s economy and are at the heart of many industries, such as manufacturing. However, many SMBs may find it difficult to institutionalize Federal Supply Chain guidance due to limited finances, resources, and employees. This WG will engage the SMB community to understand their needs and tailor Task Force products to make them more applicable to SMBs.
Product Use Acceleration Working Group: Accelerating the applicability and utilization of Task Force products will help organizations manage impacts of supply chain risks. This WG will engage with government agencies; state, local, territorial, and tribal entities; academia; and non-governmental entities on how to apply Task Force products in their businesses, pilot specific products to test their usability, and incorporate feedback to ensure products continue to be useful and provide meaningful information.
Study Group on Lessons Learned from Recent Software Supply Chain Attacks: As cyber attacks become more sophisticated, the roles of the chief information officer (CIO), chief information security officer (CISO), and IT or cyber security personnel are essential for safeguarding an organization’s information and assets. This study will dive into how the Task Force can support CIOs, CISOs, and other security personnel in making better risk-informed decisions when procuring or deploying certain ICT products—especially ones with high-level administrative access across an organization.
Learn more about the ICT SCRM Task Force.
ICT SCRM Program Basics for Your Company
Protecting your organization’s information in a digitally-connected world requires understanding not only your organization’s immediate supply chain, but also the extended supply chains of third-party vendors, service providers, and customers. These essential steps will assist your organization in managing supply chain risks and building an effective SCRM practice.
Identify the people: Build a team of representatives from various roles and functions of the company (e.g., cybersecurity, information technology, physical security, procurement/acquisition, legal, logistics, marketing, and product development). Ensure personnel at all levels are well-trained in the security procedures of their role or function.
Manage the security and compliance: Document the set of policies and procedures that address security, integrity, resilience, and quality. Ensure they are based on industry standards and best practices on how to conduct SCRM such as those from the National Institute of Standards and Technology (NIST).
Assess the components: Build a list of ICT components (e.g., hardware, software, and services) that your organization procures to enable your business. Know which internal systems are relied upon for critical information or functions, and which systems have remote access capability that must be protected to prevent unauthorized access.
Know the supply chain and suppliers: Identify your suppliers and, when possible, the suppliers’ sources. In today’s world of increased outsourcing, it is important to understand your upstream suppliers as part of the larger supply chain ecosystem.
Verify assurance of third-parties: Verify that your suppliers maintain an adequate security culture and SCRM program to appropriately address the risks that concern your organization. Establish the protocols your organization will use to assess the supply chain practices of your suppliers.
Evaluate your SCRM program: Determine the frequency with which to review your SCRM program, incorporate feedback, and make changes to your risk management program. This may also include auditing suppliers against practices and protocols established by your organization.
Download the ICT SCRM Essentials for more detailed information on how companies and organizations can effectively implement organizational SCRM practices.
Download the Internet of Things (IoT) Acquisition Guidance Document for SCRM and cybersecurity factors to consider before purchasing or using IoT devices, systems, and services.
Executive Order 13873
On May 15, 2019, the President issued Executive Order on Securing the Information and Communications Technology and Services Supply Chain (E.O. 13873) to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.
The E.O. sets out the procedures the Department of Commerce will use to prohibit the use or transaction of “information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”, and that pose risk of sabotage or subversion; 2) catastrophic effects on the Nation’s critical infrastructure or digital economy; or 3) adverse consequences to national security and public safety.
CISA was directed, within 80 days of the E.O. release, “to assess and identify entities, hardware, software, and services that present vulnerabilities in the United States and that pose the greatest potential consequences to the national security of the United States” as decision support to the Department of Commerce.
In response, CISA's NRMC and the ICT SCRM Task Force worked with industry and government partners to develop two resources that describe a standardized taxonomy of ICT elements; perform criticality assessments on these ICT elements with appropriate stakeholder input; and assess the national security risks stemming from vulnerabilities in ICT hardware, software, and services including components enabling 5G communication.
Please note that these resources are provided "as is" for informational purposes only. This methodology can used as an input to a risk assessment, but by itself is not sufficient for a comprehensive review of risk.
ICT SCRM Resources & News
- CISA's ICT SCRM Essentials
- CISA's ICT SCRM Fact Sheet
- CISA's ICT Supply Chain Risks Infographic
- CISA and NIST’s Defending Against Software Supply Chain Attacks *new resource
- ICT SCRM Task Force Interim Report
- ICT SCRM Task Force Lessons Learned During the COVID-19 Pandemic Analysis Report
- ICT SCRM Task Force Threat Scenarios Report (Version 1)
- ICT SCRM Task Force Threat Scenarios Report (Version 2)
- ICT SCRM Task Force Year Two Report
- ICT SCRM Task Force Report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists *new resource
- ICT SCRM Task Force Vendor SCRM Template *new resource
- Internet of Things (IoT) Acquisition Guidance Document
- Online Course: Cyber Supply Chain Risk Management for the Public
- This is a free course, provided through the Federal Virtual Training Environment (FedVTE), with no log-in requirements.
- Overview of Risks Introduced by 5G Adoption in the United States
- Paper on EO 13873 Response: Methodology for Assessing the Most Critical ICT and Services
- Fifth Generation (5G) Infographic
- Blog Article – April is National Supply Chain Integrity Month - Week 4: Knowing the Essentials
- Blog Article – April is National Supply Chain Integrity Month - Week 3: Understanding Supply Chain Threats
- Blog Article – April is National Supply Chain Integrity Month - Week 2: Assessing ICT Trustworthiness
- Blog Article – April is National Supply Chain Integrity Month - Week 1: Building Collective Supply Chain Resilience
- Blog Article – Task Force Establishes Way Forward After Charter Extension: Year 2.5
- Blog Article – Building Collective Resilience for the ICT Supply Chain
- Press Release – CISA’s ICT SCRM Task Force Approves Recommendations and Interim Report
- Press Release – CISA Releases Analysis Report on COVID-19 Impact to ICT Global Supply Chains
- Press Release – CISA Releases ICT SCRM Task Force Year 2 Report
- Press Release – CISA Announces Extension of the ICT SCRM Task Force
For questions or comments, email firstname.lastname@example.org.