healthcarereimagined

NCSC works with its partners to assess and mitigate the activities of foreign intelligence entities and other adversaries who attempt to compromise the supply chains of our government and industry. These adversaries exploit supply chain vulnerabilities to steal America’s intellectual property, corrupt our software, surveil our critical infrastructure, and carry out other malicious activities. They infiltrate trusted suppliers and vendors to target equipment, systems, and information used every day by the government, businesses, and individuals. The cost to our nation comes not only in lost innovation, jobs, and economic advantage, but also in reduced U.S. military strength.

RELEVANT REPORTS, BRIEFINGS & READING MATERIAL

Executive Orders

• EO 13636 Improving Critical Infrastructure Cybersecurity
• EO 13806 Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States (PDF)
• EO 13873 Securing the Information and Communications Technology and Services Supply Chain
• EO 13913 Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector
• EO 13984 Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities
• EO 14005 Ensuring the Future Is Made in All of America by All of America’s Workers
• EO 14017 America’s Supply Chains
• EO 14024 Blocking Property with Respect to Specified Foreign Activities of the Government of the Russian Federation
• EO 14028 Improving the Nation’s Cybersecurity
  •  NIST: Security Measures for “EO-Critical Software” Use
  •  NIST: Recommended Minimum Standards for Vendor or Developer Verification (Testing) of Software Under Executive Order (EO) 14028
• EO 14034 Protecting Americans’ Sensitive Data from Foreign Adversaries

Supply Chain Risk Management – Authorities, Policies, and

      Standards

• Executive Order 13806 report (PDF)
• Executive Order 14017 – America’s Supply Chains (PDF)
• SECURE Technology Act: Establishment of the Federal Acquisition Security Council

          –  Federal Acquisition Security Council overview (PDF)

          –  Federal Acquisition Supply Chain Security Act graphic (PDF)

          –  H.R.7327 SECURE Technology Act (PDF)

   –  (New) FASC Final Rule(PDF)

• NIST Special Publication 800-161 (PDF)
• ICD 731, Supply chain Risk Management for the Intelligence Community (PDF)

 Tools

•  User Manual: The Outsourcing Network Services Assessment Tool (ONSAT) (PDF)
• (New) ONSAT Tool

National Supply Chain Integrity Month – A Call to Action

• Press Release: National Supply Chain Integrity Month – A Call to Action
• Software Supply Chain Attacks – 2021
• Supply Chain Risk Management: Best Practices in One Page – 2021
• Framework for Assessing Risks – 2021

Supply Chain Risk Management: Reducing Threats to Key U.S. Supply Chains

• NTIA Releases Minimum Elements for a Software Bill of Materials
• NCSC Supply Chain Risk Management Tri-Fold: Reducing Threats to Key U.S. Supply Chains (PDF)

Sector-Specific Supply Chain Best Practices

• Information and Communications Technology Sector
• Manufacturing and Production Sector
• Health Care Sector
• Energy Sector
• Ongoing Cyber Threats to U.S. Water and Wastewater Systems Joint Cybersecurity Advisory (PDF)

Podcasts

• Podcast on How One Federal Program Worked to Enhance its Supply Chain Security
• Podcast on Cyber & Supply Chain Threats to the Health Care Sector

Supply Chain Risk Management (SCRM) – Don’t Be the Weakest 

      Link!

• NCSC Bakers’ Dozen – 13 Elements of an Effective SCRM Program (PDF)
• NCSC SCRM Best Practices(PDF)
• Intelligence Community Logistics and SCRM (PDF)
• NCSC Supply Chain Risk Management video
• 2018 Foreign Economic Espionage in Cyberspace report (PDF)
• NCSC Federal Partner Newsletter : National Supply Chain Integrity Month (PDF)
• MITRE report: Deliver Uncompromised (PDF)

Thought Leaders: Supply Chain Security 

• The Emerging Cyber Threat to Industrial Control Systems (London: United Kingdom, Lloyd’s, February 2021) [Article characterized as a “Call to Action”]
• CSIS Working Group on Trust and Security in 5G Networks, Criteria for Security and Trust in Telecommunications Networks and Services (Washington, D.C.: Center for Strategic & International Studies, May 2020)
• Assessing SCRM Capabilities and Perspectives of the IT Vendor Community: Toward a Cyber-Supply Chain Code of Practice (College Park: University of Maryland, Robert H. Smith School of Business, 2011)
• Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust (Redmond, WA: Microsoft, 2011). [also Political and Legal]
• Defense Science Board Task Force on Cyber Supply Chain (Washington, D.C.: U.S. Department of Defense, April 2017)
• Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War (McLean, Virginia: MITRE Corporation, August 2018)
• How Chinese Cybersecurity Standards Impact Doing Business in China (Washington, D.C.: Center for Strategic & International Studies, August 2018)
• Supplier Assurance Framework: Good Practice Guide (London: United Kingdom Cabinet Office, May 2018)
• Breaking Trust: Shades of Crisis across an Insecure Software Supply Chain (Washington, D.C.: Atlantic Council, July 2020)

5G Wireless Technology

• Potential Threat Vectors to 5G Infrastructure – CISA, NSA, ODNI Report
• State Department 5G Technology Website
• State Department Fact Sheet: 5G Security – What is Trust?
• State Department Fact Sheet: 5G Security – Incredible Promise, Significant Risk
• State Department 5G Technology Video
• DHS 5G Wireless Networks Graphic: Market Penetration and Risk Factors

Supply Chain Resources 

• (New) General Services Administration (GSA) and Federal Acquisition Institute (FAI) training course FAC-093: “Introduction to Supply Chain Risk Management”
  • Requires Defense Acquisition University (DAU) account or Department of Defense (DoD) Common Access Card (CAC)
• Department of Defense resources
• Department of Homeland Security resources
• UK National Cyber Security Centre resources

Additional Resources

• National Cyber Strategy of the United States – September 2018(PDF)
• National Security Strategy 2017 (PDF)
• National Counterintelligence Strategy 2016 (PDF)
• Supply Chain Risk Management Practices for Federal Information Systems and Organizations (PDF)
• (New) Committee on National Security Systems Directive Supply Chain Risk Management, CNSSD 505 (PDF)
• Defense Science Board (DSB) Task Force Report on Cyber Supply Chain
• DNI ICD 731 Supply Chain Risk Management 20131207 (PDF)
• DNI ICS 731-01 Supply Chain Criticality Assessment 20151002 (PDF)
• DNI ICS 731-02 Supply Chain Threat Assessments 20160517 (PDF)
• DNI ICS 731-03 Supply Chain Information Sharing (PDF)

Article link: https://www.dni.gov/index.php/ncsc-what-we-do/ncsc-supply-chain-threats

RELATED LINKS

NCSC Awareness Materials

Your Personal Information: Protecting it from Exploitation

RELATED CONTENT

National Counterintelligence Strategy for the United States

National Insider Threat Task Force Fact Sheet

NCSC Strategic Plan

Michael Orlando, Senior Official Performing The Duties Of The Director, NCSC