The Information and Communications Technology Supply Chain Risk Management Task Force Issues Its Year Two Report

On December 17, 2020, the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force (“the Task Force”)—a public-private partnership whose membership includes industry representatives from the IT and Communications sectors, as well as federal government representatives—released its Year Two Report (“Report”). This work takes on increased importance as the federal government and private sector grapple with software supply chain challenges in the unfolding SolarWinds incident.

The Report builds on prior Task Force efforts and summarizes the work of the five working groups to address challenges to information sharing, threat analysis, qualified bidder and manufacturer lists, vendor assurance, and impacts of the COVID-19 pandemic on ICT supply chains. It identifies areas for continued Task Force work to support SCRM efforts across government and industry. As various federal efforts focused on securing the ICT supply chain have multiplied, the work of the Task Force is increasingly important.

As described in the Report, in its second year, the Task Force:

  • Finalized multiple reports, including: a Report and Recommendations on Reducing Private Litigation Risks Arising from the Sharing of Supply Chain Risk Information; a Threat Scenarios Report; a Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists Report; and a report on ICT Supply Chain Lessons Learned from COVID-19;

  • Produced a SCRM Compliance Template; and

  • Surveyed supply chain related programs and initiatives that provide opportunities for potential Task Force engagement.

To coincide with the release of the Report, on December 18 the Task Force held a virtual event—Partnership in Action: Driving Supply Chain Security. Panelists described the work done by the Task Force and its five Working Groups over the past year.

Looking ahead, the Task Force will be re-chartered for another six months beginning in early 2021, and it will focus on operationalizing the recommendations in the Report.

Background

In December 2018, the Department of Homeland Security (DHS) chartered the Task Force as a consensus-based body, managing its activities through the Cybersecurity and Infrastructure Security Agency’s (CISA’s) National Risk Management Center (NRMC). Task Force membership includes 60 members: 40 industry representatives from the IT and Communications sectors and 20 representatives from the federal government. The Task Force’s objectives are to:

  • Act as a forum for collaboration with private sector owners and operators of critical infrastructure, through their respective sector coordinating councils (SCCs), on methods and practices to effectively identify, prioritize, and mitigate ICT supply chain risks;

  • Provide realistic, actionable, timely, economically feasible, scalable, and risk-based recommendations for addressing ICT supply chain risks;

  • Recommend methods to develop and implement initiatives, including mutually beneficial public-private partnerships, designed to improve risk management in global ICT supply chains.

In September 2019, the Task Force issued its Interim Report, providing an update on its activities.

One key function of the Task Force is to coordinate the various federal efforts aimed at securing the ICT Supply Chain. The Task Force provides the Federal Acquisition Security Council (FASC) with regular briefings to provide awareness and identify potential coordination opportunities, and the FASC member agencies have representation on the Task Force. Additionally, the Task Force created a “Coordination Tiger Team”—an entity to help members and Working Groups stay informed about ongoing and nascent government and industry supply chain efforts. Many ongoing federal efforts overlap on related issues and risk a fragmented government response without greater coordination. Examples of activities inventoried by the Task Force include ongoing efforts at the Federal Communications Commission with its supply chain security orders; the Department of Defense’s implementation of Cybersecurity Maturity Model Certification; the implementation of the 2019 National Defense Authorization Act, Section 889; recommendations from the Cyberspace Solarium Commission; the National Strategy to Secure 5G; and relevant Executive Orders (EO), such as the pending Commerce Department rules implementing the ICTS Supply Chain EO, among several others.

Year Two Report Working Group Highlights

The Task Force is divided into five working groups, each of which addressed different issues. A brief overview of their activities, as summarized in the Report, can be found below.

The Bi-Directional Information Sharing Working Group (WG1) focused on “address[ing] legal issues with sharing derogatory, supplier-specific supply chain risk information to provide a framework for bidirectional sharing that protects companies as well as U.S. Government obligations and interests.” (Report at 12)

WG1 developed its Report and Recommendations on Reducing Private Litigation Risks Arising from the Sharing of Supply Chain Risk Information. The WG1 report focused on three categories of claims that pose litigation risk: (1) anti-competitive behavior, (2) false information, and (3) breach of obligations of confidentiality.

WG1 analyzed policy and legal options to encourage sharing of supply chain risk information, including the Cybersecurity Information Sharing Act of 2015 and the Protected Critical Infrastructure Information (PCII) and Critical Energy Infrastructure Information. WG1 made recommendations to improve information sharing to bolster supply chain security, including:

  • Providing education for stakeholders on supply chain threat information tools, resources, mechanisms, and opportunities. This would include working to build awareness of how to participate in, access, and provide documentation for information sharing opportunities, as well as mitigation measures to address the corresponding litigation risks;

  • Developing frameworks that can be used by private sector entities to engage with key government stakeholders and partners to request specific supply chain security risk information, including encouraging private sector partners to outline the potential benefits that could be derived from this information;

  • Identifying a centralized mechanism, entity, or process that could serve as a “clearinghouse” for sharable information on supply chain threats and risks. This entity could promulgate rules and best practices for sharing and protecting the information, both with the government as well as with other private sector entities, helping mitigate some legal risk; and

  • Continued collaboration between government and industry to evaluate how potential statutory or regulatory changes could support mitigation of legal risks in supply chain threat information sharing.

The Threat Evaluation Working Group (WG2) conducted an assessment of threats to and from products and services, evaluating those threats with a scenario-based process risk and mitigation resource. WG2 updated its Threat Scenarios Report, first published in February 2020, that inventories SCRM threats to suppliers using the National Institute of Standards and Technology (NIST) Risk Management Framework described in NIST SP 800-161. WG2 expanded the universe of supply chain threats from suppliers to include products and services and added the assessment of impacts and mitigating controls to the Supplier Threat Scenarios.

A key accomplishment of WG2 was distilling hundreds of supply chain threats into nine core threat groups, including: (1) Counterfeit Parts; (2) Cybersecurity, (3) Internal Security Operations and Controls, (4) System Development Life Cycle (SDLC) Processes and Tools, (5) Insider Threats, (6) Economic Risks, (7) Inherited Risk (Extended Supplier Chain), (8) Legal Risks, and (9) External End-to-End Supply Chain Risks (e.g. Natural Disasters, Geo-Political Issues). To ensure consistency in the Threat Evaluation Report, WG2 developed consensus definitions of product and service.

Qualified Bidder and Qualified Manufacturer Lists Working Group (WG3) recommended SCRM criteria for use in qualified bidders and manufacturers lists and for application to federal procurement use cases. WG3 analyzed five government programs as use case reviews. The Year Two Report includes descriptions of identified control categories and foundational information about when and how to use a qualified list to manage supply chain risks. The group consolidated recommendations into a Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists Report.

WG3 noted that one-size-fits-all approach would not serve stakeholders and instead developed a menu of ICT SCRM control categories to be considered in relation to the list-builder’s needs and objectives. Those categories are mapped from NIST SP-800-161’s [1] four pillars: security, integrity, resilience, and quality. The categories included the following, recognizing that risk can exist under more than one pillar:

  • Supply Chain Security

    • Physical Security

    • Cyber Security

    • Personnel Security (inclusive of Company leadership)

  • Supply Chain Integrity

    • Hardware Integrity

    • Software Integrity

  • Supply Chain Resilience

  • Supply Chain Quality

    • Supply Chain Management & Supplier Governance

WG3 also included summaries of the benefits and risks of Qualified Lists.

The Vendor Supply Chain Risk Management (SCRM) Assurance Template Working Group (WG4) created a template for analyzing, implementing, and monitoring supplier or vendor SCRM practices. The questions distilled into this template build upon existing industry standards, including NIST SP 800-161, the Enduring Security Framework (Outsourcing Network Services Assessment Tool (ONSAT)), and the Department of Defense Cybersecurity Maturity Model Certification (CMMC) process and development and reflect collaboration with other Task Force working groups.

The template is a standard framework that helps users identify relevant categories of SCRM compliance and walks through key questions that can be used to inform SCRM security and resilience discussions or implementation. WG4’s template defines the categories of vendor SCRM compliance, building on a framework of key industry standards. The WG4 template uses the seven control categories defined by WG3 that is mapped against supply chain threats identified in NIST SP 800-161.

The COVID-19 Impact Study Working Group (WG5) Study analyzed impacts to the ICT supply chains during the pandemic, focusing on three themes: inventory management, supply chain transparency, and single-source and single-region suppliers. The study also produced a high-level visual mapping of how goods and services flow through the generalized ICT supply chain, from the raw materials stage through to sale to the customer. The map also identifies examples of potential chokepoints that can occur throughout the supply chain.

As part of that study, WG5 identified major stress points on ICT supply chains during the pandemic:

  • Inventory Management: The pandemic exposed how some manufacturing companies were unprepared because of their reliance on lean inventory models, which provide great efficiency and cost effectiveness in normal environments

  • Supply Chain Transparency: COVID-19 underscored the difficulties that companies face in understanding their junior tier suppliers and where they are located

  • Single-Source and Single-Region Suppliers: The pandemic underscored the need for an approach that was already underway over the last six years: diversifying supply chains to a broader array of locations and away from single source/single region suppliers.

WG5 offered recommendations to build resilience into ICT supply chains in the following categories:

  • Considering Proactive Risk Classification

  • Mapping the Corporate Supply Chain

  • Broadening Supplier Networks and Regional Footprints

  • Potentially Developing Standardized Mapping and Illumination Tools

  • Exploring Shifts in Optimizing Inventory Practices

  • Planning Alternatives in Logistics and Transportation

What is the Future of the ICT SCRM Task Force?

Policymakers are scrutinizing supply chain security, now more than ever. The ICT SCRM Task Force could become a more central part of public and private sector efforts to address supply chain risk, but with many overlapping efforts, government will have to deconflict and streamline its many ongoing initiatives.

As the Task Force moves into its third year, it plans to:

  • develop proactive measures for influencing security and resilience decision-making throughout the decision lifecycle;

  • leverage mapping and partnership building efforts to improve prioritization and coordination throughout the ICT supply chain environment to drive increased identification, utilization, and effectiveness of security and resilience measures; and

  • translate the Task Force’s successes into measurable impacts.

What is Next for Supply Chain Risk Management?

ICT supply chain issues are increasingly under scrutiny, not least because of the still-unfolding SolarWinds situation. The SolarWinds facts and fallout are fluid but strongly suggest that supply chain in ICT—particularly software—will be top of mind for 2021. The ICT SCRM Task Force may be able to play a role in those discussions, but there remain several parallel government activities on supply chain. It will be vital that policymakers proceed with care in developing a government response to supply chain risks. There are key differences between federal agencies, contractors, and the general private sector. The private sector, including but not limited to the ICT sector, needs to continue to monitor the diverse federal activity in this area, but also be proactive in identifying and managing their own supply chain risk management programs.

Wiley’s TMT, National Security, IP, and Government Contracts team have been seamlessly working on various supply chain law and policy issues. Contact any of us for additional information.

Tawanna Lee, a Law Clerk at Wiley Rein LLP, contributed to this blog post.

—————————————-

[1] Earlier this year, NIST solicited feedback with Pre-Draft Call for Comments on Revision 1 of SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

Wiley Connect

Sign up for updates

By using this site, you agree to our updated Privacy PolicyTerms & Conditions, and Cookies Policy.