Building Resilient ICT Supply Chains: 8th Annual Supply Chain Integrity Month

By Mona Harrington, Assistant Director for the National Risk Management Center

It’s April and time to elevate our ongoing government and industry efforts to reduce risks and confront security challenges facing global information and communications technology (ICT) supply chains. Supply Chain Integrity Month provides an opportunity for government, industry, and other stakeholders to increase collaboration and the sharing of best practices, risk mitigation strategies, and innovative solutions to safeguard supply chains from threats such as cyberattacks, counterfeiting, and disruptions. The Cybersecurity and Infrastructure Security Agency (CISA) is positioned to synchronize and emphasize interagency and private sector collaboration and amplify common goals.

ICT is critical to U.S. economic and national security, as it supports all U.S. critical infrastructure and encompasses a wide range of hardware, software, and services. That is why the security and resilience of ICT supply chains is important to the seamless operation and reliability of U.S. critical infrastructure.

This year, CISA is promoting resources, tools, and information along four themes that help partners and stakeholders increase ICT supply chain resilience. Those themes for each week of April include:

Week 1: Preparedness: Building an Effective Supply Chain Risk Management Program

As the use of ICT continues to accelerate and expand, so will the attack surface for adversaries seeking to steal, compromise, alter, or destroy sensitive information.

This week, CISA is reminding everyone to go back to basics and apply actionable cybersecurity and supply chain risk management steps to strengthen their ICT supply chains. The Supply Chain Risk Management Essentials Guide provides leaders and staff with a refresher on basic supply chain risk management (SCRM) practices to improve their overall security resilience.

Week 2: Mitigation: Knowing and Mitigating Against Supply Chain Threats

Conducting supply chain risk management threat analysis and evaluation is a crucial process for identifying vulnerabilities that could disrupt operations, compromise security, or impact business continuity. It is important to continuously conduct SCRM threat analysis and evaluation to gain insights into potential weak points and enable the implementation of proactive risk mitigation strategies before issues arise.

This week, CISA is highlighting the importance of threat-based evaluation of ICT suppliers, products, and services. The Threat Scenarios Report provides procurement or source selection officials in government and industry with guidance on how to assess supply chain risks and develop practices/procedures to manage the potential impact of these threats.

Week 3: Trust: Evaluating the Trustworthiness of Vendors and Suppliers

As ICT products and services evolve to provide increasing functionality, the supply chains that deliver them continue to grow more sophisticated and complex. It is essential to be proactive in vetting suppliers/vendors to ensure organizations can mitigate risks, protect sensitive data, and maintain continuity of essential goods and services.

This week, CISA is highlighting the importance of building trust with vendors and suppliers as a key aspect of managing supply chain risks.

The Vendor SCRM Template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The ICT SCRM Task Force developed a report to provide organizations with a list of evaluation criteria and factors that can be used to inform an organization’s decision to build or rely on a qualified list for the acquisition of ICT products and services while managing supply chain risks.

Week 4: Transparency: Securing Hardware and Software Across the Supply Chain

Hardware and software security are core components of ensuring supply chain resilience. In today’s highly digitalized and interconnected world, it is crucial that organizations protect their hardware and software supply chains from increasingly sophisticated and malicious attacks.

This week, CISA is highlighting the Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management, which establishes a consistent, repeatable method for vendors to communicate with purchasers about the hardware components in their products, facilitating the evaluation and mitigation of risk in a supply chain. We are also highlighting the Software Acquisition Guide for Government Enterprise Consumers, which consolidates relevant cyber-supply chain risk management software assurance guidance and frameworks into a single document, covering software during design, development, and operational use.

With our industry and government partners, we have made great strides over the last few years in providing valuable resources that help critical infrastructure organizations enhance the security and resilience of the global ICT supply chain. We also provided guidance to ensure that supply chain risk management (SCRM) is an integrated component of the Agency’s cybersecurity efforts. Please let us know about your efforts to raise awareness of supply chain integrity. Drop us a note at ict_scrm_taskforce@cisa.dhs.gov.

For more information, please visit Information and Communications Technology Supply Chain Security.