Information and communications technology (ICT) is integral to the daily operations and functionality of U.S. critical infrastructure. If vulnerabilities in the ICT supply chain—composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors—are exploited, the consequences can affect every user of that technology or service.
CISA, through the National Risk Management Center (NRMC), is committed to working with government and industry partners to ensure that supply chain risk management (SCRM) is an integrated component of security and resilience planning for the Nation’s infrastructure.
November 17, 2022: Today, CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence released Securing the Software Supply Chain: Recommended Practices Guide for Customers, developed by the Enduring Security Framework Working Group (a cross-sector, public-private working group). The final part of a three-part series, this guidance provides best practices for software customers procuring and deploying secure software, including guidance on Software Bills of Materials (SBOMs).
- Download/share the latest Securing the Software Supply Chain: Recommended Practices Guide for Customers (and accompanying fact sheet)
- Download/share Part 2 for Suppliers (and accompanying fact sheet)
- Download/share Part 1 for Developers
The ICT supply chain is a complex, globally interconnected ecosystem that encompasses the entire life cycle of ICT hardware, software, and managed services and a wide range of entities—including third-party vendors, suppliers, service providers, and contractors. From cell phone devices to information-sharing software, government and industry purchase these products and services and use them to power and enable critical infrastructure systems. However, a supply chain is only as strong as its weakest link.
Foreign adversaries, hackers, and criminals seeking to steal, alter, or destroy sensitive information can target government and industry through the contractors, sub-contractors, and suppliers at every tier of the ICT supply chain. Compounding the difficulty of securing the supply chain, vulnerabilities may be introduced during any phase of the product life cycle: design, development and production, distribution, acquisition and deployment, maintenance, and disposal. These vulnerabilities include the incorporation of malicious software, malicious hardware, and counterfeit components; flawed product designs; and poor manufacturing processes and maintenance procedures.
CISA, through the NRMC, is committed to working with government and industry partners to enhance the security and resilience of the global ICT supply chain and to ensure that SCRM is an integrated component of the Agency’s cybersecurity efforts.
ICT SCRM Task Force
In December 2018, the Department of Homeland Security established the ICT SCRM Task Force—a public-private partnership charged to identify and develop consensus risk management strategies to enhance global ICT supply chain security. Composed of federal government and industry representatives from across the Information Technology and Communications Sectors, the Task Force serves as the Agency’s center of gravity for supply chain risk management partnership activity.
In August 2021, the ICT SCRM Task Force was extended to July 31, 2023. This will allow the Task Force to launch a new working group, continue its progress from two previous efforts, scope additional efforts related to promoting software assurance and the utility of Software Bill of Materials, and explore means to build partnerships to collectively enhance ICT supply chain resilience.
Over the course of the next several months, the Task Force’s efforts include:
- Hardware Bills of Materials (HBOM) Working Group, which will identify use cases for HBOMs and develop a taxonomy for HBOM data fields that could help inform the development of related guidance.
- Small and Medium-sized Businesses Working Group, which will continue to develop guidance that helps small and medium-sized organizations establish and run supply chain risk management programs and policies.
- Software Assurance Working Group, which will develop a Buyer's Guide: a single reference for buyers, suppliers, and acquisition specialists that consolidates the important documentation on implementing software assurance, the security and reliability it provides, and the risks that can arise.
- Product Marketing Working Group, which will undertake a marketing campaign to increase stakeholders' awareness of the Task Force and its products, and engage with stakeholders to gather feedback on those products.
Learn more about the ICT SCRM Task Force.
ICT SCRM Program Basics for Your Company
Protecting your organization’s information in a digitally connected world requires understanding not only your organization’s immediate supply chain, but also the extended supply chains of third-party vendors, service providers, and customers. These essential steps will assist your organization in managing supply chain risks and building an effective SCRM practice.
- Identify the people: Build a team of representatives from various roles and functions of the company (e.g., cybersecurity, information technology, physical security, procurement/acquisition, legal, logistics, marketing, and product development). Ensure personnel at all levels are well-trained in the security procedures of their role or function.
- Manage the security and compliance: Document the set of policies and procedures that address security, integrity, resilience, and quality. Ensure they are based on industry standards and best practices on how to conduct SCRM, such as those from the National Institute of Standards and Technology (NIST).
- Assess the components: Build a list of ICT components (e.g., hardware, software, and services) that your organization procures to enable your business. Know which internal systems are relied upon for critical information or functions, and which systems have remote access capability that must be protected to prevent unauthorized access.
- Know the supply chain and suppliers: Identify your suppliers and, when possible, the suppliers' sources. In today's world of increased outsourcing, it is important to understand your upstream suppliers as part of the larger supply chain ecosystem.
- Verify assurance of third-parties: Verify that your suppliers maintain an adequate security culture and SCRM program to appropriately address the risks that concern your organization. Establish the protocols your organization will use to assess the supply chain practices of your suppliers.
- Evaluate your SCRM program: Determine the frequency with which to review your SCRM program, incorporate feedback, and make changes to your risk management program. This may also include auditing suppliers against practices and protocols established by your organization.
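The "Assess the components" and "Know the supply chain and suppliers" steps above are where an SBOM does practical work. The following is an added example, not code from CISA or the Task Force: it reads a CycloneDX-style SBOM, builds the component inventory, walks the dependency graph to assign each component a supplier tier (direct supplier, supplier's supplier, and so on), and flags components whose supplier is unknown or that carry no hash to verify against. The SBOM content, component names, and suppliers are constructed for the example; the only format assumptions are the CycloneDX `components`, `supplier`, `hashes`, and `dependencies` fields.

```python
"""Build an ICT component inventory and supplier tiers from an SBOM.

Added example for this page; not CISA or Task Force code. The SBOM below
is constructed for illustration (CycloneDX-style JSON, spec 1.4 field names).
"""
import json
from collections import defaultdict

# Constructed sample SBOM; names, versions and suppliers are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "app", "type": "application", "name": "billing-portal",
         "version": "3.2.0", "supplier": {"name": "Example Corp"},
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"bom-ref": "lib-a", "type": "library", "name": "http-client",
         "version": "1.9.4", "supplier": {"name": "Vendor A"},
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        # Second-tier component with no supplier and no hash: a gap to chase.
        {"bom-ref": "lib-b", "type": "library", "name": "tls-wrapper",
         "version": "0.4.1"},
        # Firmware with a named supplier but nothing to verify integrity against.
        {"bom-ref": "fw", "type": "firmware", "name": "nic-firmware",
         "version": "7.1", "supplier": {"name": "Vendor B"}},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "fw"]},
        {"ref": "lib-a", "dependsOn": ["lib-b"]},
        {"ref": "lib-b", "dependsOn": []},
        {"ref": "fw", "dependsOn": []},
    ],
})


def load_sbom(text):
    """Parse SBOM JSON text into a dict."""
    return json.loads(text)


def component_inventory(sbom):
    """Return {bom-ref: {name, version, type, supplier, has_hash}}.

    This is the 'list of ICT components' the SCRM program starts from.
    """
    inv = {}
    for c in sbom.get("components", []):
        inv[c["bom-ref"]] = {
            "name": c["name"],
            "version": c.get("version", ""),
            "type": c.get("type", "unknown"),
            "supplier": (c.get("supplier") or {}).get("name"),
            "has_hash": bool(c.get("hashes")),
        }
    return inv


def supplier_tiers(sbom, root):
    """Breadth-first walk of the dependency graph from `root`.

    Tier 0 is the product itself, tier 1 a direct dependency, tier 2 a
    supplier's supplier, and so on. Each ref keeps the shallowest tier it
    is reached at, which also makes the walk safe on cyclic graphs.
    """
    edges = defaultdict(list)
    for d in sbom.get("dependencies", []):
        edges[d["ref"]].extend(d.get("dependsOn", []))
    tiers = {root: 0}
    frontier = [root]
    while frontier:
        nxt = []
        for ref in frontier:
            for dep in edges[ref]:
                if dep not in tiers:
                    tiers[dep] = tiers[ref] + 1
                    nxt.append(dep)
        frontier = nxt
    return tiers


def assurance_gaps(sbom):
    """Components a SCRM reviewer cannot yet trace (no supplier) or verify (no hash)."""
    inv = component_inventory(sbom)
    return {
        "unknown_supplier": sorted(r for r, c in inv.items() if not c["supplier"]),
        "no_hash": sorted(r for r, c in inv.items() if not c["has_hash"]),
    }


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    for ref, tier in sorted(supplier_tiers(bom, "app").items(), key=lambda kv: kv[1]):
        c = component_inventory(bom)[ref]
        print(f"tier {tier}: {c['name']} {c['version']} ({c['type']}) supplier={c['supplier']}")
    print("gaps:", assurance_gaps(bom))
```

The tier number is the practical output: a tier-2 library with no named supplier (here `tls-wrapper`) is exactly the upstream source the "Know the supply chain" step asks you to identify, and the missing hash on the firmware means there is nothing to verify a delivered image against during the "Verify assurance" step.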
Download the ICT SCRM Essentials for more detailed information on how companies and organizations can effectively implement organizational SCRM practices.
Download the Internet of Things (IoT) Acquisition Guidance Document for SCRM and cybersecurity factors to consider before purchasing or using IoT devices, systems, and services.
ICT SCRM Resources & News
For ICT supply chain resources, visit the ICT Supply Chain Resource Library.
For resources by the Task Force, visit the ICT SCRM Task Force Resources.
To understand SCRM and the role it plays within our society, take the free online FedVTE course: Cyber Supply Chain Risk Management for the Public. This three-part course provides an introduction of what a supply chain is, how adversaries target supply chains, and steps that individuals and organizations can take to improve supply chain security. No log-in required.
For questions or comments, email email@example.com.