Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency
Supply Chain Integrity Month

April is National Supply Chain Integrity Month. CISA, in partnership with the Office of the Director of National Intelligence National Counterintelligence and Security Center (NCSC), the Office of the National Cyber Director (ONCD), the Department of Defense, and other government and industry partners is promoting the theme, “Supply Chain Risk Management (SCRM) – The Recipe for Resilience”, a call to action to encourage stakeholders and partners to apply a comprehensive SCRM approach to secure the nation’s most critical supply chains.  

Information and communications technology (ICT) products and services ensure the continued operation and functionality of U.S. critical infrastructure. However, recent software compromises and other events have shown the far-reaching consequences of these threats. When a supply chain incident occurs everyone suffers: buyers, suppliers, and users.

As the nation’s risk advisor, CISA’s top priorities include securing critical supply chains against the evolving risks of tomorrow through multiple ongoing efforts, including facilitating community engagement to advance software bills of materials (SBOMs), collaborating with the private sector through the ICT Supply Chain Risk Management (SCRM) Task Force, and supporting the Federal Acquisition Security Council (FASC). CISA themes for each week include:

  • Week 1: Recipe for Resilience: Knowing the Essentials
  • Week 2: Shop Small: Resources for Small and Medium Sized Businesses
  • Week 3: Cooking with Quality: Vendor/Supplier Trustworthiness
  • Week 4: Don't Poach Your Luck: Common Supply Chain Threats

Featured Content

National Counterintelligence and Security Center (NCSC)

The mission of NCSC's Supply Chain and Cyber Directorate is to enhance the nation's supply chain and cyber security, leveraging multidisciplinary counterintelligence and security expertise to inform, guide, and coordinate integrated risk decisions.

ICT Supply Chain Program Basics For Your Company

These six essential steps will assist your organization in managing supply chain risks and building an effective supply chain risk management practice.

ICT Supply Chain Risk Management Task Force

A public-private partnership charged to identify and develop consensus risk management strategies to enhance global ICT supply chain security.

Software Bill of Materials (SBOM)

CISA advances the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases.

Week 1: Recipe for Resilience: Knowing the Essentials

As the use of information and communications technology (ICT) continues to accelerate and expand, so will the attack surface for adversaries seeking to steal, compromise, alter, or destroy sensitive information. This week, CISA is reminding everyone to go back to basics and apply actionable cybersecurity and supply chain risk management steps to strengthen their ICT supply chains. To help organizations, CISA is providing the following resources:

Supply Chain Risk Management (SCRM) Essentials is a guide for leaders and staff that empowers all personnel to own their role in implementing organizational SCRM practices. This resource provides six actionable steps for personnel—including those in cyber and physical security, IT, logistics, legal, acquisitions and procurement, and risk management—that can help improve an organization’s overall security resilience. 

4 Things You Can Do To Keep Yourself Cyber Safe provides key action steps (such as enabling multifactor authentication (MFA) and updating your software) that everyone should take to help protect their information and enhance their cybersecurity. Our critical infrastructure is increasingly digital and increasingly interconnected. So, while we must protect ourselves online, it’s going to take all of us to really protect the systems we all rely on.

Introduction to Supply Chain Risk Management is a one-hour overview course for the acquisition workforce on current government-wide supply chain risk management requirements. It is organized into four categories: Supply Chain Risk Information Sharing, Exclusion Orders/Prohibitions, Protecting Sensitive Information, and additional requirements for higher risk procurements.

Know the Risk - Raise Your Shield: Supply Chain Risk Management is a 12-minute awareness video about cybersecurity and other risks in the products, services, and solutions we buy. These risks are present in all items that connect in any way to a government information system and/or which contain, transmit, or process information provided by or generated for the government to support the operations and assets of a federal agency.

Week 2: Shop Small: Resources for Small and Medium-Sized Businesses

According to the Small Business Administration, there are over 31.7 million small and medium-sized businesses (SMBs) across the United States, which account for 41.7 percent of private sector employees and nearly half of the nation's gross domestic product. These figures show the importance of assisting SMBs with efforts to enhance their ICT supply chain resilience. An SMB is considered to have anywhere from fewer than 100 up to 500 employees. SMBs may find it difficult to institutionalize federal supply chain guidance due to limited finances, resources, and employees.

The tools below are resources for IT and communications SMBs looking to enhance their reporting and vetting processes when purchasing ICT hardware, software, and services.

Securing Small and Medium-Sized Business Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks identifies ICT-related supply chain risks that an ICT SMB might encounter, with a focus on cyber risks and their subsequent impacts. The Resource Handbook provides six use case examples that present scenarios SMBs may face, highlight one or more of the six risk categories, propose potential options that the SMB may consider, and provide a short summary of the costs and benefits associated with implementing the proposed options.

  • Additionally, watch this video in which Chad Kliewer, a Task Force member, discusses this handbook and the six use case examples that support small and medium-sized businesses in identifying common ICT supply chain risks: Securing Small and Medium-Sized Business Supply Chains: A Resource Handbook to Reduce ICT Risks - YouTube

Operationalizing Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses and Excel presents use cases that small and medium-sized IT and communications providers commonly encounter. The guide (which includes an easy-to-use spreadsheet as an alternate tool) focuses on select questions from the Vendor SCRM Template that are most relevant to SMBs to make this resource more accessible and relevant to this cohort of providers. 

Week 3: Cooking with Quality: Vendor/Supplier Trustworthiness

Take procurement seriously by seeing how well you know your suppliers and vendors. After all, their risks are your risks. To help organizations and businesses with this effort, CISA has developed multiple resources to understand not only your organization’s immediate supply chain, but also the extended supply chains of your vendors and suppliers.

The tools below assist with the sharing of SBOMs and support IT or cybersecurity personnel; acquisitions and procurement officials; and others who manage vendor and supplier lists:

Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists provides organizations a list of criteria and factors that can be used to inform an organization's decision to build or rely on a qualified list for the acquisition of ICT products and services.

Vendor SCRM Template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The template gives organizations clarity in their reporting and vetting processes when purchasing ICT hardware, software, and services. Additionally, a video is available that covers the above two resources.

Software Bill of Materials (SBOM) Sharing Lifecycle Report highlights solutions for sharing SBOMs and assists readers in considering appropriate solutions depending on their needs concerning the discovery, access, and transport of SBOMs.

Types of Software Bill of Materials (SBOM) is a community-led resource that summarizes the common types of SBOMs that tools may create in the industry today, along with the data typically presented for each type of SBOM.

Week 4: Don’t Poach Your Luck: Common Supply Chain Threats

Today’s threats do not recognize national boundaries and can have large economic consequences. The increased number of cyberattacks has revealed the countless entry points through which adversaries can spread risk to multiple organizations and nations. Mitigating threats to ICT supply chains cannot be done in silos, fragmented among specific individuals or departments responsible for one piece of an organization’s risks.

To help ensure they have security measures in place to mitigate the most common supply chain threats, organizations can use the ICT SCRM Task Force’s Threat Scenarios Report (Versions 1, 2, and 3), which provides practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied by acquisition/procurement personnel and others who manage supplier, product, and service lists, as well as a lexicon of supply chain threats.

In response to Executive Order 14017 on Securing America’s Supply Chains, the Department of Commerce and Department of Homeland Security released a one-year report titled, Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry. The report defines the critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes eight recommendations to mitigate risk and strengthen supply chain resiliency.

Minimum Requirements for Vulnerability Exploitability eXchange (VEX) is a community-led resource that specifies the minimum elements needed to create a VEX document, to help harmonize implementations and accelerate tool creation.

Related News

Supply chain news from CISA, ODNI’s National Counterintelligence and Security Center (NCSC), the Office of the National Cyber Director (ONCD), and others. We will update this section throughout the month.

  • CISA Blog Article: CISA and Partners Launch National Supply Chain Integrity Month | CISA
  • NCSC Press Release: NCSC and Partners Launch “National Supply Chain Integrity Month” in April (dni.gov)
  • National Telecommunications and Information Administration (NTIA) Blog Article: NTIA Celebrates April as National Supply Chain Integrity Month | National Telecommunications and Information Administration
  • ONCD's Blog Article: April is Supply Chain Integrity Month - ONCD - The White House

Supply Chain Videos and Webinars

Supply Chain Essentials

Assessing ICT Trustworthiness

Mitigating Supply Chain Threats

CISA Webinar: Securing and Enhancing the ICT Supply Chain

CISA Webinar: Securing Small and Medium-Sized Business Supply Chains

Supply Chain Fact Sheets

For a robust list of supply chain resources, click here. 

CISA's Supply Chain Risk Management Essentials

FEB 17, 2021 | PUBLICATION
A guide for leaders and staff with actionable steps on how to start implementing organizational supply chain risk management practices to improve their overall security resilience.
Download File (PDF, 1.45 MB)

Assisting Small and Medium-sized Businesses Assess Vendors and Suppliers Fact Sheet

APR 03, 2023 | PUBLICATION
A fact sheet that provides an overview of the ICT SCRM Task Force's resource, Operationalizing the Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses (SMB), and how this guide can help SMBs assess the security posture.
Download File (PDF, 446.63 KB)

Building More Resilient ICT Supply Chains Fact Sheet

APR 03, 2023 | PUBLICATION
A fact sheet that provides an overview of the ICT Supply Chain Risk Management (SCRM) Task Force's resource, Lessons Learned During the COVID-19 Pandemic Study, and the practical recommendations that can support organizations and businesses with operational decisions.
Download File (PDF, 375.54 KB)

Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists Fact Sheet

APR 03, 2023 | PUBLICATION
A fact sheet that provides an overview of the ICT SCRM Task Force's resource, Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists, which provides risk-based recommendations surrounding the use of “Qualified Lists”.
Download File (PDF, 442.38 KB)

Sharing Supply Chain Risk Information to Increase Resilience Fact Sheet

APR 03, 2023 | PUBLICATION
A fact sheet that provides an overview of the report, Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information (SCRI), which details why sharing of SCRI is important.
Download File (PDF, 323.17 KB)

Procuring Safe and Secure ICT Products and Services Fact Sheet

APR 03, 2023 | PUBLICATION
A fact sheet that provides an overview of the ICT SCRM Task Force's resource, Vendor SCRM Template, which helps organizations and businesses assess the security posture of their vendors and suppliers in a standardized way.
Download File (PDF, 361.62 KB)

ICT SCRM Task Force Videos

Videos about the ICT Supply Chain Risk Management Task Force resources. 

ICT Supply Chain Risk Management Task Force

Securing Small and Medium-Sized Business Supply Chains: A Resource Handbook to Reduce ICT Risks

Evaluating Vendor and Supplier Trustworthiness

Mitigating ICT Supply Chain Risk for Small and Medium-sized Businesses

Impact Analysis and Mitigation of ICT Supply Chain Threats

Improving Multi-Directional Sharing of Supply Chain Risk Information

ICT Supply Chain: Lessons Learned During the COVID-19 Pandemic
