As the world’s supply chains become more complex and interconnected, the race is on the ensure high levels of security, trust, and validation across these networks. At the end of 2019, two industry groups announced a new effort centered on identifying and mitigating supply chain risk.
The Cybersecurity and Infrastructure Security Agency’s (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force created a new working group to develop attestation frameworks around various aspects of supply chain risk management best practices, Security reports.
A method of checking the authenticity of a document and declaring its authenticity via a verified signature, attestation helps organizations address a number of key focus areas, including supplier risk, product lifecycle management, business process controls, physical security, data security, and product cybersecurity.
“The development of this new working group is timely given the risks we are facing in the ICT supply chain and broader critical infrastructure community,” CISA’s Bob Kolasky said in a statement. “The goal is to empower stakeholders across the ICT ecosystem to make risk-informed decisions that increase trust across their supply chains.”
Part of a Broader Effort
The new working group seeks to complement other supply chain attestation-related activities across the U.S. government, Security points out. The working group will also be part of a broader task force effort to address concerns and needs of small and medium-sized businesses operating within the ICT supply chain ecosystem.
Along with assembling an inventory of existing supply chain risk management efforts across government and industry, CISA says the task force has launched these four main work streams:
- Developing a common framework for the bi-directional sharing of supply chain risk information between government and industry.
- Identification of processes and criteria for threat-based evaluation of ICT supplies, products, and services.
- Identification of market segment(s) and evaluation criteria for Qualified Bidder and Manufacturer List(s).
- Producing policy recommendations to incentivize the purchase of ICT from original manufacturers or authorized resellers.
“Securing global ICT supply chains remains an international business imperative for IT sector companies and customers and is essential to security in the United States and worldwide,” ITI’s John Miller said. “The new task force working group will focus on developing actionable recommendations that will help private sector entities of all sizes demonstrate the effectiveness and accountability of their supply chain security programs and practices.”
Three Years and Running
Now in its third year, the task force has three working groups centered on information sharing, threat evaluation, and qualified bidder and qualified manufacturer lists, according to IIoT Connection. In 2019, the public-private task force approved recommendations from its existing working groups, including calling for a federal acquisition rule to incentivize the purchase of ICT products from original equipment manufacturers and authorized resellers to prevent the purchase of counterfeit items.
CISA said that its newest working group complements existing supply chain attestation activities elsewhere in the federal government and is part of a larger effort by the task force to address concerns of small and medium-sized businesses. "The goal is to empower stakeholders across the ICT ecosystem,” Kolasky said in the statement, “to make risk-informed decisions that increase trust across their supply chains.”
