
News & Events

{Dec. 2012} -- NIST is pleased to announce a report by the University of Maryland’s Supply Chain Management Center: Proof of Concept for an Enterprise ICT SCRM Assessment Package

{Oct. 15-16, 2012} -- NIST held a workshop on ICT SCRM in Gaithersburg, MD to discuss securing the ICT supply chain.

{Oct. 12, 2012} -- NIST Interagency Report (NIST IR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems, was published.


Contact

General Inquiries
scrm-nist@nist.gov

Jon Boyens
Project Lead
boyens@nist.gov
301-975-5549

Celia Paulsen
Technical Lead
celia.paulsen@nist.gov
301-975-5981

SUPPLY CHAIN RISK MANAGEMENT (SCRM) FOR INFORMATION AND COMMUNICATIONS TECHNOLOGY

Overview

The Information and Communications Technology (ICT) supply chain is a globally distributed, interconnected set of organizations, people, processes, services, products, and other elements. It extends across the full Systems Development Life Cycle including Research and Development (R&D), design, acquisition of custom or Commercial-off-the-Shelf (COTS) products, delivery, integration, operations, and disposal/retirement.

Federal agency information systems, which rely on COTS hardware and software, are increasingly at risk of both intentional and unintentional supply chain compromise due to the growing sophistication of ICT products and the growing speed and scale of a complex, distributed global supply chain. Federal agencies increasingly lack understanding, visibility and control of the processes and practices used to create and deliver hardware and software products and services that are contracted out, especially beyond the prime contractor. This deficiency increases the risk of exploitation of supply chain vulnerabilities and makes it increasingly difficult for Federal agencies to understand and manage their supply chain risks. Some of the threats to the ICT supply chain include counterfeit materials, malicious software, and untrustworthy products.

NIST/ITL Approach

NIST is working with government, industry, academia, and other stakeholders to identify and evaluate technologies, tools, techniques, best practices and standards useful in securing the ICT supply chain. NIST will use this information to develop SCRM tools and a Special Publication on ICT SCRM Best Practices.