Tag: ICT

Posted on

NRMC: Vulnerability Awareness, Partnership Essential to ICT Supply Chain Security

The Cybersecurity and Infrastructure Security Agency (CISA) is taking a multi-faceted approach to supply chain security, and chief among them is putting in place strong public-private partnerships to maintain supply chain resilience and maintaining high awareness about the sources of supply chain threats.

That was the word from Mara Winn, Associate Director of CISA’s National Risk Management Center (NRMC), who provided updates on the NRMC’s work at FCW’s NASA SEWP SCRM Hybrid Forum 2022 on May 24.

Having a common language on security then allows organizations to have an “apples-to-apples conversation with your vendors” that are especially useful because different groups have different tolerance for risk, she said.

Winn also emphasized the importance of agencies constantly looking for where threats are coming from, and understand the trustworthiness of their own supply chain. She highlighted that everyday risks to the supply chain are “more than just ships having trouble in ports.”

Source: NRMC: Vulnerability Awareness, Partnerships Essential to ICT Supply Chain Security – MeriTalk

Posted on

National Supply Chain Integrity Month

Supply Chain Integrity Month | CISA

April is National Supply Chain Integrity Month. In partnership with the Office of the Director of National Intelligence (ODNI) and other government and industry partners, CISA is promoting a call to action to “Fortify The Chain” for a unified effort by organizations across the country to strengthen the global ICT supply chain.

Information and communications technology (ICT) products and services ensure the continued operation and functionality of U.S. critical infrastructure. However, recent software compromises and other events have shown the far-reaching consequences of these threats. When a supply chain incident occurs, everyone suffers: buyers, suppliers, and users.

As the nation’s risk reducer, CISA’s top priorities include securing the global ICT supply chain from the evolving risks of tomorrow. Every week, CISA is promoting resources, tools, and information, including those developed by the public-private ICT Supply Chain Risk Management (SCRM) Task Force. CISA themes for each week include:

  • Week 1: Power in Partnership – Fortify The Chain!
  • Week 2: No Shortages of Threats – Educate to Mitigate
  • Week 3: Question, Confirm, and Trust – Be Supplier Smart
  • Week 4: Plan for the Future – Anticipate Change

Use the hashtag #FortifyTheChain#SupplyChainIntegrityMonth, or #SCRMTaskForce in your social media posts to raise supply chain awareness.

Posted on

Cybersecurity Reference and Resource Guide

2019 Cybersecurity Resource and Reference Guide_DoD-CIO_Final_2020FEB07

The purpose of this document is to provide a useful reference of both U.S. and International resources, in order to develop cybersecurity programs and to build and maintain strong network protection. Extensive reference materials exist that support efforts to build and operate trusted networks and ensure information systems maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability. The resources compiled here support security cooperation and shared best practices to help achieve collective cybersecurity goals. This guide provides readily available and unclassified information pertaining to cybersecurity norms, best practices, security cooperation, policies and standards authored and adopted by the United States (U.S.) government, the U.S. Department of Defense (DoD), and recognized international institutes and workforce development training resources provided by government, industry, and academia.

Aspects related to Cyber Supply Chain Risk Management in the document:

Cyber Supply Chain Risk Management (SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of information and operational technology product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an information and operational technology product or service at any stage.

Website: https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management

NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015

Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated, and deployed, as well as the
processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. This publication integrates SCRM into federal agency risk management activities by applying a multi- tiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation activities.

Website: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pd

Posted on

Commerce Proposes New Software Supply Chain Safety Criteria

Commerce Proposes New Software Supply Chain Safety Criteria – MeriTalk

The Department of Commerce is proposing new safety criteria for connected software to help better secure information and communications technology and services (ICTS) supply chains, including potential third-party audits of connected software and ICTS transactions, according to a proposed rule posted to the Federal Register Nov. 26.

The Department of Commerce is seeking feedback on the rule in its entirety but is also specifically looking for feedback on how to define what is a “reliable third-party” for the purposes of the rule. The agency also wants to know if its criteria of “third-party auditing of connected software applications” is sufficiently descriptive or whether the agency needs to get more specific.

The agency will accept public comment on the proposed rule until Dec. 30.