A public-private task force that has been collaborating for the past year on ways to mitigate risks to the global supply chain for information and communications technology (ICT) systems last week approved recommendations from three of its four working groups on how to proceed.
The ICT Supply Chain Risk Management (SCRM) Task Force in June approved the recommendations of its fourth working group, which called for a federal acquisition rule to incentivize the procurement of ICT products from original equipment manufacturers and authorize resellers to prevent the purchase of counterfeit items.
The ICT SCRM Task Force last week also approved an interim report, which provides an update on the status of its objectives and activities.
The first working group is focused on information sharing between the government and private sector and found that "supply chain risk information has less uniformity around ‘packaging' and delivery mechanisms" compared with cyber threat indicators, which typically are more standardized and even machine readable. The group also found that actionable information around supply chain risks might require sharing sensitive vendor data as well as supplier names, creating challenging legal issues.
The working group's approved recommendations include resolving the legal challenges around information sharing and specifically calls for a small sub-group made up of public and private sector representatives with the legal expertise to put forth options to reduce risks related to sharing information on supply chain risks.
A second working group focused on evaluating threats created a threat list composed of nine categories, including internal security operations and controls, compromise of system development life cycle processes and tools, insider threat, counterfeit parts, cybersecurity, inherited risk, economic, legal, and external end-to-end supply chain.
The third working group is focused on qualified bidder and qualified manufacturer lists for use by the government in buying ICT products and services. The working group's approved recommendations include publishing guidelines for helping organizations decide to use qualified bidder and manufacturer lists for ICT products and services and develop use cases for these lists where they are leveraging SCRM evaluation criteria.
"The interim report is an important step in the work of the task force," Bob Kolasky, assistant director of the Department of Homeland Security Cybersecurity and Infrastructure Security Agency, said in a statement. Kolasky, who also runs CISA's National Risk Management Center and co-chairs the ICT SCRM Task Force, also stated that the interim report "is intended to provide insight and transparency on the work of the task force, serve as a reference document for supply chain professionals, and lay the foundation for a recommended path forward to secure the nation's ICT supply chain."