The Cybersecurity and Infrastructure Security Agency (CISA) and the National Counterintelligence and Security Center (NCSC) are promoting awareness of threats to supply chains and encouraging actions by organizations and businesses to strengthen their security posture as part of National Supply Chain Integrity Month, which is recognized in April.
The NCSC announcement points to both software compromises and product shortages resulting from the COVID-19 pandemic as examples of supply chain threats. It also calls attention to foreign adversary exploitation of U.S. supply chains, noting that these actors are increasingly using companies and trusted suppliers as attack vectors against us for espionage, information theft, and sabotage. To help its partners understand and mitigate these threats, it has uploaded new resources to its supply chain website. Its announcement webpage also lists a series of basic principles to enhance the resilience of supply chains.
In its announcement, CISA observes that recent events, such as those involving software compromises, demonstrate the far-reaching consequences of supply chain incidents. It notes that everyone suffers when an incident occurs, including buyers, suppliers, and users. Each week this month CISA is providing resources, tools, and information for a specific theme.
Week 1 – Building Collective Supply Chain Resilience
For the week one theme, “Building Collective Supply Chain Resilience,” CISA encourages partners to utilize the products and tools developed by its Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force. CISA states that the Task Force’s free and voluntary products incorporate industry best practices and standards. Additionally, the Task Force plans to release a number of new products, including two tools to help organizations assess the trustworthiness of their vendors and suppliers.
Week 2 – Assessing ICT Trustworthiness
As National Supply Chain Integrity Month continues, this week’s theme is: Assessing Information and Communications Technology (ICT) Trustworthiness. For this theme, the Cybersecurity and Infrastructure Security Agency (CISA) notes that protecting organizational information requires understanding not only the immediate supply chain, but also the extended supply chains of vendors and suppliers. To help organizations and businesses with this effort, CISA’s ICT Supply Chain Risk Management (SCRM) Task Force developed two new resources:
- Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists: This report provides organizations a list of criteria and factors that can be used to inform an organization's decision to build or rely on a qualified list for the acquisition of ICT products and services.
- Vendor SCRM Template: This template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices. The results can be used to help guide supply chain risk planning in a standardized way and provide clarity for reporting and vetting processes when purchasing ICT hardware, software, and services.
Week 3 – Understanding Supply Chain Threats
As National Supply Chain Integrity Month continues, this week’s theme is: Understanding Supply Chain Threats. For this theme, the Cybersecurity and Infrastructure Security Agency (CISA) emphasizes that recent software compromises and other security incidents have revealed how new and inherent vulnerabilities in global supply chains can have cascading impacts that affect all users of information and communications technology (ICT) within and across organizations, sectors, and the National Critical Functions. To help organizations understand these threats and how to mitigate them, CISA’s ICT Supply Chain Risk Management (SCRM) Task Force developed the Threat Scenarios Report that provides acquisition and procurement personnel and others with practical, example-based guidance on supplier SCRM threat analysis and evaluation. Read more at CISA.
Week 4 – Knowing the Essentials
As National Supply Chain Integrity Month comes to a close, the theme for the fourth and final week is: Knowing the Essentials. For this theme, the Cybersecurity and Infrastructure Security Agency (CISA) reminds everyone that strengthening information and communications technology (ICT) supply chains requires an ongoing, unified effort between government and industry. To this end, it is providing two resources to help organizations and their staff get started, including a new one released jointly with the National Institute of Standards and Technology (NIST):
- ICT Supply Chain Risk Management (SCRM) Essentials: Like cybersecurity, managing risks to ICT supply chains cannot be done in silos, fragmented among specific individuals or departments responsible for a piece of an organization’s risks. CISA’s SCRM Essentials is a guide for leaders and staff that empowers all personnel to own their role in implementing organizational SCRM practices through six actionable steps: 1) Identify the people, 2) Manage the security and compliance, 3) Assess the components, 4) Know the supply chain and suppliers, 5) Verify assurance of third parties, and 6) Evaluate your SCRM program.
- Defending against Software Supply Chain Attacks: This resource provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks.