April is National Supply Chain Integrity Month. CISA, in partnership with the Office of the Director of National Intelligence's National Counterintelligence and Security Center (NCSC), the Office of the National Cyber Director (ONCD), the Department of Defense, and other government and industry partners, is promoting the theme “Supply Chain Risk Management (SCRM) – The Recipe for Resilience”, a call to action encouraging stakeholders and partners to apply a comprehensive SCRM approach to secure the nation’s most critical supply chains.
Information and communications technology (ICT) products and services ensure the continued operation and functionality of U.S. critical infrastructure. Recent software compromises and other events have shown the far-reaching consequences of supply chain threats. When a supply chain incident occurs, everyone suffers: buyers, suppliers, and users.
As the nation’s risk advisor, CISA counts securing critical supply chains against evolving risks among its top priorities. Ongoing efforts include facilitating community engagement to advance software bills of materials (SBOMs), collaborating with the private sector through the ICT Supply Chain Risk Management (SCRM) Task Force, and supporting the Federal Acquisition Security Council (FASC). CISA's themes for each week are:
- Week 1: Recipe for Resilience: Knowing the Essentials
- Week 2: Shop Small: Resources for Small and Medium Sized Businesses
- Week 3: Cooking with Quality: Vendor/Supplier Trustworthiness
- Week 4: Don't Poach Your Luck: Common Supply Chain Threats
Featured Content
National Counterintelligence and Security Center (NCSC)
The mission of NCSC's Supply Chain and Cyber Directorate is to enhance the nation's supply chain and cyber security, leveraging multidisciplinary counterintelligence and security expertise to inform, guide, and coordinate integrated risk decisions.
ICT Supply Chain Program Basics For Your Company
These six essential steps will assist your organization in managing supply chain risks and building an effective supply chain risk management practice.
ICT Supply Chain Risk Management Task Force
A public-private partnership charged to identify and develop consensus risk management strategies to enhance global ICT supply chain security.
Software Bill of Materials (SBOM)
CISA advances the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases.
Week 1: Recipe for Resilience: Knowing the Essentials
As the use of information and communications technology (ICT) continues to accelerate and expand, so will the attack surface for adversaries seeking to steal, compromise, alter, or destroy sensitive information. This week, CISA is reminding everyone to go back to basics and apply actionable cybersecurity and supply chain risk management steps to strengthen their ICT supply chains. To help organizations, CISA is providing the following resources:
Supply Chain Risk Management (SCRM) Essentials is a guide for leaders and staff that empowers all personnel to own their role in implementing organizational SCRM practices. This resource provides six actionable steps for personnel—including those in cyber and physical security, IT, logistics, legal, acquisitions and procurement, and risk management—that can help improve an organization’s overall security resilience.
4 Things You Can Do To Keep Yourself Cyber Safe provides key action steps (for example, turning on multifactor authentication (MFA) and updating your software) that everyone should take to protect their information and improve their cybersecurity. Our critical infrastructure is increasingly digital and increasingly interconnected, so protecting ourselves online is necessary but not sufficient: protecting the systems we all rely on takes all of us.
Introduction to Supply Chain Risk Management is a one-hour overview course for the acquisition workforce on current government-wide supply chain risk management requirements. It is organized into four categories: Supply Chain Risk Information Sharing, Exclusion Orders/Prohibitions, Protecting Sensitive Information, and additional requirements for higher risk procurements.
Know the Risk - Raise Your Shield: Supply Chain Risk Management is a 12-minute awareness video about cybersecurity and other risks in the products, services, and solutions we buy. These risks are present in all items that connect in any way to a government information system and/or which contain, transmit, or process information provided by or generated for the government to support the operations and assets of a federal agency.
Week 2: Shop Small: Resources for Small and Medium-Sized Businesses
According to the Small Business Administration, there are over 31.7 million small and medium-sized businesses (SMBs) across the United States, which account for 41.7 percent of private sector employees and nearly half of the nation's gross domestic product. These figures show the importance of assisting SMBs with efforts to enhance their ICT supply chain resilience. For this purpose, an SMB is considered to have from fewer than 100 up to 500 employees. SMBs may find it difficult to institutionalize federal supply chain guidance due to limited finances, resources, and staff.
The tools below help IT and communications SMBs improve their reporting and vetting processes when purchasing ICT hardware, software, and services.
Securing Small and Medium-Sized Business Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks identifies ICT-related supply chain risks that an ICT SMB might encounter, with a focus on cyber risks and their impacts. The Resource Handbook provides six use case examples that present scenarios SMBs may face, each highlighting one or more of the six risk categories, proposing options the SMB may consider, and summarizing the costs and benefits of implementing those options.
- Additionally, watch this video in which Chad Kliewer, a Task Force member, discusses this handbook and the six use case examples that support small and medium-sized businesses in identifying common ICT supply chain risks: Securing Small and Medium-Sized Business Supply Chains: A Resource Handbook to Reduce ICT Risks - YouTube
Operationalizing Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses (also available as an Excel workbook) presents use cases that small and medium-sized IT and communications providers commonly encounter. The guide, with its easy-to-use spreadsheet as an alternate tool, focuses on the questions from the Vendor SCRM Template that are most relevant to SMBs, making the resource more accessible to this cohort of providers.
Week 3: Cooking with Quality: Vendor/Supplier Trustworthiness
Take procurement seriously by seeing how well you know your suppliers and vendors. After all, their risks are your risks. To help organizations and businesses with this effort, CISA has developed multiple resources to understand not only your organization’s immediate supply chain, but also the extended supply chains of your vendors and suppliers.
The tools below help with sharing SBOMs and are intended for IT and cyber security personnel, acquisitions and procurement officials, and others who manage vendor and supplier lists:
Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists provides organizations a list of criteria and factors that can be used to inform an organization's decision to build or rely on a qualified list for the acquisition of ICT products and services.
Vendor SCRM Template provides a set of questions about an ICT supplier/provider’s implementation and application of industry standards and best practices, helping guide supply chain risk planning in a standardized way. The template gives organizations clarity for reporting and vetting processes when purchasing ICT hardware, software, and services. Additionally, watch this video to learn more about the above two resources.
Software Bill of Materials (SBOM) Sharing Lifecycle Report highlights solutions for sharing SBOMs and assists readers in choosing appropriate solutions for their needs concerning the discovery, access, and transport of SBOMs.
Types of Software Bill of Materials (SBOM) is a community-led resource that summarizes the common types of SBOMs that tools create in the industry today, along with the data typically presented for each type.
Week 4: Don’t Poach Your Luck: Common Supply Chain Threats
Today’s threats do not recognize national boundaries and can have large economic consequences. The growing number of cyberattacks has revealed the countless entry points through which adversaries can spread risk to multiple organizations and nations. Mitigating threats to ICT supply chains cannot be done in silos, fragmented among individuals or departments each responsible for only a piece of an organization’s risk.
To help organizations put security measures in place against the most common supply chain threats, the ICT SCRM Task Force’s Threat Scenarios Report (Versions 1, 2, and 3) provides practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied by acquisition/procurement personnel and others who manage supplier, product, and service lists, as well as a lexicon of supply chain threats.
In response to Executive Order 14017 on Securing America’s Supply Chains, the Department of Commerce and Department of Homeland Security released a one-year report titled, Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry. The report defines the critical sectors and subsectors supporting the ICT industry, evaluates the current supply chain conditions, identifies key risks that threaten to disrupt those supply chains, and proposes eight recommendations to mitigate risk and strengthen supply chain resiliency.
Minimum Requirements for Vulnerability Exploitability eXchange (VEX) is a community-led resource that specifies the minimum elements needed to create a VEX document, to harmonize implementations and accelerate tool creation. A VEX document lets a supplier state, per vulnerability and per product, whether the product is affected, not affected, fixed, or under investigation, so that SBOM consumers can set aside vulnerabilities in components that do not actually expose the product.
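The following Python is an added example, not CISA's or the Task Force's code, showing how an SBOM consumer would check a VEX document for the minimum elements and use it to triage scanner findings against the components listed in an SBOM. The SBOM fragment, the scanner findings, the supplier name and the VEX document are all constructed for this example; the vulnerability identifiers are placeholders rather than real CVEs; and the JSON-like field names are this example's own simplification, not the CycloneDX or CSAF serialization of VEX. The status values and the not-affected justification values are the ones the community VEX documents define.

```python
"""Validate a minimal VEX document and apply it to SBOM-based findings.

Added example (not CISA's code). Field names are this example's own
simplified layout; statuses and justifications follow the community
VEX documents. All data below is constructed.
"""
from __future__ import annotations

# Product status values a VEX statement may carry.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Machine-readable justifications required when status is not_affected.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed SBOM: the delivered product and its components, identified by purl.
SBOM_PRODUCT = "pkg:generic/app-server@2.4.1"
SBOM_COMPONENTS = [
    {"name": "libxml-parser", "purl": "pkg:generic/libxml-parser@1.9.0"},
    {"name": "crypto-lib", "purl": "pkg:generic/crypto-lib@3.1.0"},
]

# Constructed scanner output: (placeholder vulnerability id, component purl).
SCAN_FINDINGS = [
    ("CVE-0000-0001", "pkg:generic/libxml-parser@1.9.0"),
    ("CVE-0000-0002", "pkg:generic/crypto-lib@3.1.0"),
    ("CVE-0000-0003", "pkg:generic/crypto-lib@3.1.0"),
    ("CVE-0000-0004", "pkg:generic/not-in-sbom@0.1.0"),
]

# Constructed VEX document from the hypothetical supplier of the product.
VEX_DOCUMENT = {
    "metadata": {
        "id": "vex-example-001",
        "author": "Example Supplier PSIRT",
        "author_role": "supplier",
        "timestamp": "2023-04-01T00:00:00Z",
        "version": 1,
    },
    "product": {"purl": SBOM_PRODUCT},
    "statements": [
        {"vulnerability": "CVE-0000-0001", "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": "CVE-0000-0002", "status": "fixed"},
        # Deliberately incomplete: not_affected with no justification.
        {"vulnerability": "CVE-0000-0003", "status": "not_affected"},
    ],
}


def validate_statement(stmt: dict) -> list[str]:
    """Return the minimum-element problems found in one VEX statement."""
    problems = []
    if not stmt.get("vulnerability"):
        problems.append("missing vulnerability identifier")
    status = stmt.get("status")
    if status not in VEX_STATUSES:
        problems.append(f"unknown status {status!r}")
    if status == "not_affected" and stmt.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS:
        problems.append("not_affected without a recognised justification")
    return problems


def validate_document(doc: dict) -> list[str]:
    """Return all minimum-element problems in a VEX document (empty if clean)."""
    problems = []
    meta = doc.get("metadata", {})
    for field in ("id", "author", "author_role", "timestamp", "version"):
        if field not in meta:
            problems.append(f"metadata missing {field}")
    if "purl" not in doc.get("product", {}):
        problems.append("product identifier missing")
    for i, stmt in enumerate(doc.get("statements", [])):
        problems.extend(f"statement {i}: {p}" for p in validate_statement(stmt))
    return problems


def triage(findings, product: str, components, vex: dict) -> dict[str, str]:
    """Map each finding to an outcome, trusting only complete VEX statements."""
    known = {c["purl"] for c in components}
    # A VEX document only speaks for the product it names.
    applies = vex.get("product", {}).get("purl") == product
    usable = {s["vulnerability"]: s for s in vex["statements"]
              if applies and not validate_statement(s)}
    outcome = {}
    for vuln_id, purl in findings:
        if purl not in known:
            outcome[vuln_id] = "review: component not in SBOM"
            continue
        stmt = usable.get(vuln_id)
        if stmt is None:
            outcome[vuln_id] = "open: no usable VEX statement"
        elif stmt["status"] == "not_affected":
            outcome[vuln_id] = f"closed: not_affected ({stmt['justification']})"
        elif stmt["status"] == "fixed":
            outcome[vuln_id] = "closed: fixed"
        else:
            outcome[vuln_id] = f"open: {stmt['status']}"
    return outcome


if __name__ == "__main__":
    for problem in validate_document(VEX_DOCUMENT):
        print("VEX problem:", problem)
    for vuln_id, result in triage(SCAN_FINDINGS, SBOM_PRODUCT, SBOM_COMPONENTS, VEX_DOCUMENT).items():
        print(vuln_id, "->", result)
```

The design point is that a statement missing a minimum element (here the third one, a not_affected claim with no justification) is not silently accepted: the finding it covers stays open rather than being closed on the supplier's say-so, and a document that names a different product is ignored entirely. A finding against a component the SBOM does not list is flagged for review, since it suggests the SBOM and the scanned artifact have drifted apart.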
Related News
Supply chain news from CISA, ODNI’s National Counterintelligence and Security Center (NCSC), the Office of the National Cyber Director (ONCD), and others. We will update this section throughout the month.
- CISA Blog Article: CISA and Partners Launch National Supply Chain Integrity Month | CISA
- NCSC Press Release: NCSC and Partners Launch “National Supply Chain Integrity Month” in April (dni.gov)
- National Telecommunications and Information Administration (NTIA) Blog Article: NTIA Celebrates April as National Supply Chain Integrity Month | National Telecommunications and Information Administration
- ONCD's Blog Article: April is Supply Chain Integrity Month - ONCD - The White House
Supply Chain Fact Sheets
For a robust list of supply chain resources, click here.
CISA's Supply Chain Risk Management Essentials
Assisting Small and Medium-sized Businesses Assess Vendors and Suppliers Fact Sheet
Building More Resilient ICT Supply Chains Fact Sheet
Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists Fact Sheet
Sharing Supply Chain Risk Information to Increase Resilience Fact Sheet
Procuring Safe and Secure ICT Products and Services Fact Sheet
ICT SCRM Task Force Videos
Videos about the ICT Supply Chain Risk Management Task Force resources.