The Cybersecurity and Infrastructure Security Agency (CISA) released the annual report for the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force on Dec. 17. The report highlights the ongoing efforts of five working groups addressing challenges related to information sharing, threat analysis, qualified bidder and qualified manufacturers lists, vendor assurance, and the COVID-19 pandemic.
The Year 2 report builds upon the work done in the previous year, and “addresses the lifecycle of supply chain risk management, including how stakeholders identify and understand risk, communicate about and work together to address risk, grow their structural operations for addressing risks, and improve their understanding and self-assessment of their risk posture,” it says.
Over the past year, the task force reported making strides in advancing and maintaining meaningful partnerships around SCRM by doing the following:
- Developing reference material to overcome legal obstacles to information sharing;
- Updating the Threat Evaluation Report, a report that evaluates threats to suppliers;
- Producing a report and case studies that provide in-depth descriptors of control categories and information regarding when and how to use a Qualified List to manage supply chain risks;
- Developing a template for SCRM compliance assessments and internal evaluations of alignment to industry standards;
- Analyzing the current and potential impacts from the COVID-19 pandemic and developing a system map to visualize ICT supply chain routes and identify chokepoints; and
- Surveying supply chain-related programs and initiatives that provide opportunities for potential task force engagement.
“Government can’t act in a silo,” CISA Assistant Director and ICT SCRM Task Force Co-Chair Bob Kolasky said in a press release. “We must work in partnership with public and private industry. The Task Force has and will continue to serve as a model of excellence in helping to improve the Nation’s collective ability to assess and mitigate threats to the ICT supply chain.”
Going forward, the ICT SCRM Task Force looks to build upon the successes it achieved in the first two years and “develop proactive measures for influencing security and resilience decision-making throughout the decision lifecycle” by using the coordination links it developed and strengthened. Further, the Task Force will put a heavier emphasis on “working with its relevant partners across government, industry, and new partners to leverage the necessary expertise for translating the Task Force’s successes into measurable impacts.”