CISA Releases Two ICT Supply Chain Resources to Improve Information Sharing and Assist Small and Medium-sized Businesses

Cybersecurity Colleagues and Partners,

Today, the Cybersecurity and Infrastructure Security Agency (CISA) (http://www.cisa.gov/) released two new products developed by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force to address liability challenges on sharing supply chain threat information and assist Small and Medium-sized Businesses (SMBs) with mitigating ICT supply chain risks.

Improving the quality and volume of supply chain risk information sharing among the federal government and private industry is necessary to obtain actionable information that could mitigate threats to the Nation’s ICT supply chain. Building off work completed in Years 1 and 2, the Task Force’s Information Sharing Working Group (WG1) developed the Preliminary Considerations of Paths to Enable Improved Multi-Directional Sharing of Supply Chain Risk Information (http://www.cisa.gov/publication/ict-scrm-task-force-improve-multi-directional-scri), which offers subject matter expert research on legal and policy considerations for giving liability protection to the federal government and private sector in order to promote information sharing.

In January 2021, the Task Force launched three new WG efforts (https://www.cisa.gov/blog/2021/03/04/task-force-establishes-way-forward-after-charter-extension-year-25), including the SMB WG, which was created to tailor Task Force products to make them more accessible, relevant, and usable for SMBs. The Operationalizing the Vendor SCRM Template for SMBs (http://www.cisa.gov/publication/ict-scrm-task-force-operationalizing-vendor-scrm-template-smbs) helps IT and communications SMBs assess their ICT supply chain risk posture when procuring new ICT hardware, software, and services or acquiring new contracts from the perspective of the acquirer, integrator, and supplier. Additionally, this guide includes an easy-to-use spreadsheet (https://www.cisa.gov/sites/default/files/video/ict-scrm-task-force_smb-operationalizing-vendor-template_excel_508.xlsx) as an alternate tool. Both products gear the applicability of the previously released enterprise Vendor SCRM Template (https://www.cisa.gov/publication/ict-scrm-task-force-vendor-template) to help SMBs apply industry standards and best practices in a standardized way.

The Task Force embodies CISA’s collective defense approach to enhance ICT supply chain resilience. In two years, it has developed a variety of SCRM products; an online SCRM toolkit with strategic messaging and videos; and a comprehensive webpage with free and voluntary SCRM resources and information from across the federal government. Moving forward, the Task Force will continue to leverage its collective expertise to develop actionable solutions on a wide range of supply chain issues.

For these resources and more, please visit: CISA.gov/ict-supply-chain-toolkit. Additionally, please read our latest blog article, Sharing Information to Get Ahead of Supply Chain Risks (https://www.cisa.gov/blog/2021/09/21/sharing-information-get-ahead-supply-chain-risks), and view the videos below.

Mitigating ICT Supply Chain Risk for Small and Medium-sized Businesses – YouTube (https://www.youtube.com/watch?v=te1CFaV0cUs)

Improving Multi-Directional Sharing of Supply Chain Risk Information – YouTube (https://www.youtube.com/watch?v=ynPsOto-VoM)

Thank you for sharing this information broadly.

Cybersecurity and Infrastructure Security Agency

Defend Today, Secure Tomorrow

V/r,

Jenny Margaros
Section Chief, Critical Manufacturing Section, Stakeholder Engagement Division
Cybersecurity and Infrastructure Security Agency
(O) 703.603.5029    (M) 202.360.3145   (Email) Jenny.margaros@cisa.dhs.gov