CISA Releases ICT Supply Chain Risk Management Guidance for Small, Medium-Sized Businesses
The Cybersecurity and Infrastructure Security Agency has released new guidance to help small and medium-sized businesses craft information and communication technology supply chain risk management plans with resilience in mind.
The guidance lays down eight key steps for developing a resilience-centered supply chain management plan, with separate responsibilities for the business acquirer, integrator and supplier. The guidance calls for small and medium-sized enterprises to create an executive summary, identify supply chain risks, identify critical suppliers, implement supplier diversity, develop a vendor attestation process, create a contingency plan, train employees and continuously monitor and improve systems.
The guidance was developed by the Information and Communication Technology SCRM Task Force, CISA said.
The ICT SCRM guidance is one of several lines of effort the U.S. government has issued to improve supply chain resilience.
In June, CISA announced that it is working on a resource center to help federal agencies comply with cyber supply chain risk management and software security standards. Shon Lyublanovits, C-SCRM project management office lead official at CISA, said the center will undergo a pilot test in which selected agencies and private industry members would exchange information to improve supply chain resilience.
A launch date for the center is yet to be determined.