April is National Supply Chain Integrity Month. In partnership with the Office of the Director of National Intelligence (ODNI) and other government and industry partners, CISA is promoting a call to action to “Fortify The Chain” for a unified effort by organizations across the country to strengthen the global ICT supply chain.
Information and communications technology (ICT) products and services ensure the continued operation and functionality of U.S. critical infrastructure. However, recent software compromises and other events have shown the far-reaching consequences of these threats. When a supply chain incident occurs, everyone suffers: buyers, suppliers, and users.
As the nation’s risk reducer, CISA’s top priorities include securing the global ICT supply chain from the evolving risks of tomorrow. Every week, CISA is promoting resources, tools, and information, including those developed by the public-private ICT Supply Chain Risk Management (SCRM) Task Force. CISA themes for each week include:
- Week 1: Power in Partnership – Fortify The Chain!
- Week 2: No Shortages of Threats – Educate to Mitigate
- Week 3: Question, Confirm, and Trust – Be Supplier Smart
- Week 4: Plan for the Future - Anticipate Change
Use the hashtag #FortifyTheChain, #SupplyChainIntegrityMonth, or #SCRMTaskForce in your social media posts to raise supply chain awareness.
Week 1: Power in Partnership - Fortify The Chain!
We live in a globalized world, connected by myriad supply chains and complex networks; a world in which the movement of people, goods, and ideas never stops. While this fuels innovation and opportunities, it also brings security challenges that require partnerships to coordinate and collaborate on shared risks to enhance supply chain resilience. CISA established the ICT Supply Chain Risk Management (SCRM) Task Force, a public-private partnership composed of 60 member organizations from IT and Communications Sector companies and the government, to do just that. Partnerships such as this are an essential element in enhancing the security and resilience of our Nation.
The Task Force’s free and voluntary products incorporate industry best practices and standards such as those from the National Institute of Standards and Technology and the Open Trusted Technology Provider Standard (O-TTPS) to make these products the best possible tools. You can support the Call to Action by downloading and sharing Task Force resources with your organization and stakeholders and by using the social media toolkit to help spread the word about the importance of supply chain resilience. #FortifyTheChain
Week 2: No Shortages of Threats - Educate to Mitigate
Today’s threats do not recognize national boundaries and can have large economic consequences. The increased number of cyber-attacks has revealed the countless entry points through which adversaries can spread risk to multiple organizations and nations. Mitigating threats to ICT supply chains cannot be done in silos, fragmented among specific individuals or departments responsible for a piece of an organization’s risks.
To help organizations ensure they have security measures in place to mitigate the most common supply chain threats, organizations can use the ICT SCRM Task Force’s Threat Scenarios Report (Version 1, Version 2, and Version 3), which provides practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied by acquisition/procurement personnel and others who manage supplier, product, and service lists, as well as a lexicon of supply chain threats.
In response to Executive Order 14017 on Securing America’s Supply Chains, the Department of Commerce and Department of Homeland Security released a one-year report titled Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry. The report defines the critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes eight recommendations to mitigate risk and strengthen supply chain resiliency.
Lastly, check out Stop Ransomware which is designed to help individuals and organizations prevent attacks that can severely impact business processes and leave organizations without the data they need to operate and deliver mission critical services.
Week 3: Question, Confirm, and Trust – Be Supplier Smart
Take procurement seriously by seeing how well you know your suppliers and vendors. After all, their risks are your risks. To help organizations and businesses with this effort, CISA’s ICT SCRM Task Force has developed multiple resources to understand not only your organization’s immediate supply chain, but also the extended supply chains of your vendors and suppliers.
The below tools are great resources for IT or cyber security personnel; acquisitions and procurement officials; those who manage vendor and supplier lists; and others:
Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists provides organizations a list of criteria and factors that can be used to inform an organization's decision to build or rely on a qualified list for the acquisition of ICT products and services.
Vendor SCRM Template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The template provides organizations clarity for reporting and vetting processes when purchasing ICT hardware, software, and services. Additionally, watch this video to learn more about the above two resources: Evaluating Vendor and Supplier Trustworthiness
Mitigating ICT Supply Chain Risk for Small and Medium-sized Businesses presents use cases that small and medium-sized IT and communications providers commonly encounter. The guide (which includes an easy-to-use spreadsheet as an alternate tool) focuses on select questions from the Vendor SCRM Template that are most relevant to SMBs in order to make this resource more accessible and relevant to this cohort of providers. Additionally, watch this video to learn more: Mitigating ICT Supply Chain Risk for Small and Medium-sized Businesses
Week 4: Plan for the Future - Anticipate Change
Organizations will continue to incorporate emerging technologies into their operations to enhance customer and user experience, support efficiency, lower costs, and provide automation. These emerging technologies can improve supply chain risk management, including inventory management, quality control, use of software to manage or modify orders, modeling of third-party logistics, and more. However, changing social, economic, environmental, and political factors make it increasingly important for organizations to anticipate future risk and use strategic planning to anticipate, evaluate, and prepare against national-level risks to critical functions and services.
As part of CISA’s mission to protect and defend the Nation’s critical infrastructure from the risks of tomorrow, its Secure Tomorrow Series uses strategic foresight to build a more resilient and secure future by examining those risks that could significantly affect our Nation’s critical infrastructure in the next 5 to 20 years. In a constantly changing and complex operating environment, exploring alternative futures and potential drivers of change is a potent technique for improving decision-making to manage uncertainty.
The Secure Tomorrow Series Toolkit is a diverse array of interactive and thought-provoking products designed to help critical infrastructure stakeholders understand how to use strategic foresight methods to identify emerging risks and potential risk management strategies to secure critical infrastructure systems in the long term.
Additionally, CISA’s Supply Chain Risk Management (SCRM) Essentials is the starting point for companies and organizations to effectively build an ICT supply chain risk management (SCRM) program. The CISA SCRM Essentials is a guide for leaders and staff with actionable steps (which incorporate industry standards and best practices from the National Institute of Standards) on how to start implementing organizational SCRM practices to improve their overall security resilience. It also provides steps that staff (such as team members in cyber and physical security, IT, logistics, legal, acquisition, and risk management) can follow to build an SCRM program.
Social Media Toolkit
This toolkit offers sample messaging and videos that can be leveraged on all your social channels to drive awareness and action on the importance of supply chain security.
Help spread the word about the importance of supply chain risk management by using the below hashtags in your social media posts.
#SupplyChainIntegrityMonth is here. We’re partnering with @ODNIgov and others to help organizations and agencies strengthen their overall security posture and #FortifyTheChain. Learn more: www.cisa.gov/supply-chain-integrity-month #SCRMTaskForce #RiskMGMT
Before a #cybersecurity incident occurs, ensure your organization’s security protocol includes #supplychain risk management. Learn the steps you can take to start now: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #FortifyTheChain
From counterfeit parts to legal risks, there are hundreds of #ICT supplier-related threats. Check out @CISAgov supply chain threat reports which provide practical, example-based guidance on supplier SCRM threat analysis and evaluation. www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #FortifyTheChain
As our reliance on information & communications technology continues to increase, #supplychain security must stay on top of our minds. Learn about supply chain threats & how to mitigate them. www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #FortifyTheChain #RiskMGMT
Keeping supply chains secure is no easy feat. From #IT teams to acquisitions personnel, we all have a role in working together to secure the globally connected ecosystem. Learn more: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #FortifyTheChain #RiskMGMT
Educate to Mitigate: Ensure that your organization is aware of current #supplychain best practices & resources to promote #ICT supply chain security and risk management. Learn more: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #FortifyTheChain #RiskMGMT
Educate to Mitigate: Learn how to build a #supplychain risk management program at your organization: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #FortifyTheChain #RiskMGMT
One broken link in the #supplychain can have consequences across the globe. It takes a collective effort to secure information & communications technology supply chains. Learn more: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #FortifyTheChain #RiskMGMT
Explore alternative futures & potential drivers of change by downloading the Secure Tomorrow Series Toolkit – a diverse array of interactive + thought-provoking products on how to use strategic foresight methods to create more resilient critical infrastructure systems in the long-term. www.cisa.gov/secure-tomorrow-series-toolkit #SupplyChainIntegrityMonth #FortifyTheChain #RiskMGMT
Supply Chain News and Resources
CISA's Press Release: CISA and Partners Promote Call to Action During National Supply Chain Integrity Month
ICT Supply Chain Resource Library (cisa.gov) for ICT supply chain resources, videos, and information on supply chain programs, rulemakings, and other activities from across the federal government
For ODNI's resources, visit Supply Chain Threats (dni.gov).
ODNI's Supply Chain Spotlights:
For questions or comments, email firstname.lastname@example.org.