The Cybersecurity and Infrastructure Security Agency (CISA) and the National Counterintelligence and Security Center (NCSC) are promoting awareness of threats to supply chains and encouraging actions by organizations and businesses to strengthen their security posture as part of National Supply Chain Integrity Month, which is recognized in April.
In its announcement, CISA observes that recent events, such as those involving software compromises, demonstrate the far-reaching consequences of supply chain incidents. It notes that everyone suffers when an incident occurs, including buyers, suppliers, and users. Each week this month, CISA is providing resources, tools, and information for a specific theme. For the week one theme, “Building Collective Supply Chain Resilience,” CISA encourages partners to utilize the products and tools developed by its Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force. CISA states the Task Force’s free and voluntary products incorporate industry best practices and standards. Additionally, the Task Force plans to release a number of new products, including two tools to help organizations assess the trustworthiness of their vendors and suppliers.
The NCSC announcement points to both software compromises and product shortages resulting from the COVID-19 pandemic as examples of supply chain threats. It also calls attention to foreign adversary exploitation of U.S. supply chains, noting that these actors are increasingly using companies and trusted suppliers as attack vectors against us for espionage, information theft, and sabotage. To help its partners understand and mitigate these threats, it has uploaded new resources to its supply chain website. Its announcement webpage also lists a series of basic principles to enhance the resilience of supply chains.