Note: This page is part of the us-cert.gov archive.

Archived Content

In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.

National Supply Chain Integrity Month

April is National Supply Chain Integrity Month. In partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense, and other government and industry partners, CISA is promoting a call to action for a unified effort by organizations across the country to strengthen global supply chains.

Information and communications technology (ICT) products and services ensure the continued operation and functionality of U.S. critical infrastructure. However, recent software compromises and other events have shown the far-reaching consequences of these threats. When a supply chain incident occurs, everyone suffers: buyers, suppliers, and users.

As the Nation’s risk advisor, the Cybersecurity and Infrastructure Security Agency’s (CISA) top priorities include securing the global ICT supply chain from the evolving risks of tomorrow. Every week, CISA is promoting resources, tools, and information, including those developed by the public-private ICT Supply Chain Risk Management (SCRM) Task Force. CISA themes for each week include:

Week 1: Building Collective Supply Chain Resilience

CISA’s ICT SCRM Task Force is a public-private partnership that embodies the Agency’s collective approach to enhancing supply chain resilience. Over the past two years, the Task Force has addressed challenges to information sharing, analyzed over 200 threats to supply chains, and studied the impacts from COVID-19 on supply chain logistics.

The Task Force’s free and voluntary products incorporate industry best practices and standards, such as those from the National Institute of Standards and Technology and the Open Trusted Technology Provider Standard (O-TTPS), to make them the best possible tools. Additionally, the Task Force looks forward to releasing a number of products, including two new tools to help organizations assess the trustworthiness of their vendors and suppliers.

You can support the Call to Action by downloading and sharing Task Force resources (listed below) with your organization and stakeholders and by utilizing the social media toolkit to help spread the word about this campaign.

Week 2: Assessing ICT Trustworthiness

Protecting your organization’s information requires understanding not only your organization’s immediate supply chain, but also the extended supply chains of your vendors and suppliers. To help organizations and businesses with this effort, CISA’s ICT SCRM Task Force developed two new resources:

  • Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists: This report provides organizations a list of criteria and factors that can be used to inform an organization's decision to build or rely on a qualified list for the acquisition of ICT products and services.

  • Vendor SCRM Template: This template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The template provides organizations clarity for reporting and vetting processes when purchasing ICT hardware, software, and services.

Both of these tools are great resources for IT or cybersecurity personnel; acquisitions and procurement officials; those who manage vendor and supplier lists; and others. Support the Call to Action by downloading and sharing these resources and by utilizing the social media toolkit (below) to help spread the word about this campaign.

Week 3: Understanding Supply Chain Threats

As technology evolves, so does the threat environment. The consequences of an ICT supply chain threat can extend beyond the initially targeted organization to its larger ecosystem of vendors, suppliers, and customers and ultimately impact national security and economic resilience. To help organizations ensure they have security measures in place to mitigate against the most common supply chain threats, CISA’s ICT SCRM Task Force developed the Threat Scenarios Report.

The Threat Scenarios Report provides practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied by acquisition/procurement personnel and others who manage supplier, product, and service lists. Using feedback from end users and stakeholders, the Task Force catalogued the universe of supply chain threats to develop a lexicon compartmentalized into nine categories (e.g., counterfeit parts, economic risks, external end-to-end supply chain risks). Additionally, they developed sample scenarios with mitigation controls intended to help organizations strengthen their security posture against the risks these threats pose to government and industry.

Support the Call to Action by downloading and sharing this resource with your organization and stakeholders and by utilizing the social media toolkit (below) to help spread the word about this campaign.

Week 4: Knowing the Essentials

ICT undeniably plays an important role in our societal well-being, economic prosperity, and national security. From generating electricity and operating hospitals to supplying clean water, ICT hardware, software, and services serve as the foundation for a broad array of critical infrastructure activities. As the use of ICT continues to accelerate and expand, so will the attack surface for adversaries seeking to steal, compromise or alter, and destroy sensitive information.

In the final week of this campaign, CISA is providing two resources to help organizations and their staff get started strengthening their SCRM practices and stay vigilant of the evolving threat environment.

ICT Supply Chain Risk Management (SCRM) Essentials

Like cybersecurity, managing risks to ICT supply chains cannot be done in silos, fragmented among specific individuals or departments responsible for a piece of an organization’s risks. CISA’s SCRM Essentials is a guide for leaders and staff that empowers all personnel to own their role in implementing organizational SCRM practices through six actionable steps.

This is a great resource for personnel—including those in cyber and physical security, IT, logistics, legal, acquisitions and procurement, and risk management—that can help improve your organization’s overall security resilience. Download SCRM Essentials for more detailed information and share it with personnel in your organization.

Defending Against Software Supply Chain Attacks

Recent software compromises and security incidents have revealed how malicious actors who stealthily compromise legitimate software before the vendor distributes it can go undetected by end users and system administrators, who believe the software is performing only its necessary actions. The reality is that software supply chain attacks can be difficult to detect and protect against because there are many ways threat actors can attack networks and because vulnerabilities may be introduced during any phase of a product’s life cycle.

Defending Against Software Supply Chain Attacks—CISA’s new joint publication with the National Institute of Standards and Technology (NIST)—provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks.

Support the Call to Action by downloading and sharing these resources with your organization and stakeholders and by utilizing the social media toolkit (below) to help spread the word about this campaign.

Social Media Toolkit

This toolkit offers sample messaging and videos that can be leveraged on all your social channels to drive awareness and action on the importance of supply chain security.

Hashtags:

  • #SupplyChainIntegrityMonth

  • #SCRMTaskForce

  • #RiskMGMT

Messaging:

  • We’re all connected, and we all have a role in securing #ICT #supplychains. During #SupplyChainIntegrityMonth, organizations should take steps to safeguard their information, systems, and other assets. Learn more: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #SCRMTaskForce #RiskMGMT

  • Before a #cybersecurity incident occurs, ensure your organization’s security protocol includes #supplychain risk management. Learn the steps you can take to start now: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #SCRMTaskForce #RiskMGMT

  • As our reliance on information & communications technology continues to increase, #supplychain security must stay on top of our minds. Learn about supply chain threats & how to mitigate them. www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #SCRMTaskForce #RiskMGMT

  • Keeping supply chains secure is no easy feat. From #IT teams to acquisitions personnel, we all have a role in working together to secure the globally connected ecosystem. Learn more: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #SCRMTaskForce #RiskMGMT

  • Educate to Mitigate: Ensure that your organization is aware of current #supplychain best practices & resources to promote #ICT supply chain security and risk management. Learn more: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #SCRMTaskForce #RiskMGMT

  • Educate to Mitigate: Learn how to build a #supplychain risk management program at your organization: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #SCRMTaskForce #RiskMGMT

  • One broken link in the #supplychain can have consequences across the globe. It takes a collective effort to secure information & communications technology supply chains. Learn more: www.cisa.gov/supply-chain-integrity-month #SupplyChainIntegrityMonth #SCRMTaskForce #RiskMGMT

Videos:

Week 1 Video: Building Collective Supply Chain Resilience highlights the role and importance of the ICT SCRM Task Force and working together to manage risks to the global ICT supply chain.

YouTube URL: https://www.youtube.com/watch?v=ZrzrvvGOpdE

Week 2 Video: Assessing ICT Trustworthiness highlights the importance of securing not only your organization’s immediate supply chain, but also the extended supply chains of your vendors and suppliers.

YouTube URL: https://www.youtube.com/watch?v=IOnO4tsL2fE

Week 3 Video: Understanding Supply Chain Threats emphasizes the importance of having security measures in place to mitigate against the most common supply chain threats.

YouTube URL: https://www.youtube.com/watch?v=pq40KJVOoJg

Week 4 Video: Knowing the Essentials details how organizations and their staff can get started strengthening their SCRM practices and stay vigilant of the evolving threat environment.

YouTube URL: https://www.youtube.com/watch?v=XMuIG7s1DE0

Supply Chain News and Resources

Below is a list of news and free, voluntary supply chain resources from CISA, CISA's ICT SCRM Task Force, ODNI’s National Counterintelligence and Security Center (NCSC), and others. We will update this section throughout the month.

News:

Resources:

For questions or comments, email ict_scrm_taskforce@hq.dhs.gov.