On Dec. 17, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), in close collaboration with its Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force,[1] published its "Year 2 Report," which evaluates the current ICT supply chain landscape and provides recommendations to help companies and government agencies strengthen their SCRM capabilities. Established in December 2018, the ICT SCRM Task Force is made up of representatives from 20 federal agencies and 40 industry organizations across the IT and communications sectors.
The "Year 2 Report" builds on the findings of year one and is likely to become increasingly significant, given the impact of COVID-19 on the resiliency of global supply chains and the recent SolarWinds supply chain compromise. Specifically, the report presents and summarizes the findings of five working groups, each of which addressed a set of interrelated supply chain and cybersecurity problems. The Task Force has been re-chartered for 2021 and will work on operationalizing its recommendations. The working groups explored issues including:
- Legal challenges to information sharing between supply chain members
- Threat evaluation
- Qualified bidder lists/qualified manufacturer lists (QBL/QML)
- Vendor SCRM
- Supply chain challenges related to the COVID-19 pandemic
Working group summary and highlights
A brief overview of the activities, conclusions and recommendations of each working group, as outlined in the Year 2 Report, is provided below:

In focus: benefits of Working Group 4's Vendor SCRM Assurance Template