By National Risk Management Center and National Counterintelligence Security Center (NCSC)

April is National Supply Chain Integrity Month. CISA in partnership with the Office of the Director of National Intelligence (ODNI) and other government and industry partners is promoting a call to action for a unified effort by organizations across the country to strengthen the information and communications technology (ICT) supply chain.

The 2022 theme is “Fortify The Chain,” referring to the ICT supply chain which powers our national security missions, critical infrastructure sectors, and private industry innovations. Adversaries target the ICT supply chain for this very reason to gain maximum access to every aspect of our society.

We live in a globalized world, connected by myriad supply chains and complex networks; a world in which the movement of people, goods, and ideas never stops. To stay ahead, every day more businesses are undergoing digital transformations to provide better customer experience, streamline operations, and more. While these changes are positive, they also bring shared security challenges where a risk to one organization can cascade to many.

To help stakeholders in  industry and government, NCSC recently posted  new supply chain risk  management resources at the NCSC supply chain website. In addition to providing helpful information regarding supply chain threats and best practices, it provides links to resources of partner agencies as well.

To help protect America against supply chain threats, NCSC encourages organizations at a minimum to consider the following basic principles to enhance the resilience of their supply chains, including:

• Diversify Supply Chains: A single source of goods or services is a single point of failure.  Diversify supply chains to ensure resilience in the event a supplier suffers a compromise, shortages, or other disruptions.
• Mitigate Third-Party Risks: Conduct robust due diligence on suppliers, understand their security practices, and set and enforce minimum standards for them.  Incorporate security requirements into third-party contracts and monitor compliance throughout the lifecycle of a product or service.
• Identify and Protect Crown Jewels: Map the location and status of essential assets and prioritize their protection.  Monitor systems and network performance to minimize impact of disruptions
• Ensure Executive-level Commitment: Name a senior executive as owner of supply chain risk and include stakeholders across the enterprise in the risk mitigation program.  Communicate across the organization to ensure buy-in and establish training and awareness programs
• Strengthen Partnerships: Information exchange between government and industry on current threat information and security best practices is paramount.

With CISA’s role as the Nation’s risk reducer, the Agency is committed to working with public and private sector partners to enhance the security and resilience of the ICT supply chain. Throughout April, CISA will promote resources, tools, and information to help organizations and agencies integrate ICT supply chain risk management (SCRM) into their overall security posture. CISA’s themes for each week include:

• Week 1: Power in Partnership – Fortify The Chain!
• Week 2: No Shortages of Threats – Educate to Mitigate
• Week 3: Question, Confirm, and Trust – Be Supplier Smart
• Week 4: Plan for the Future – Anticipate Change

Resources include those developed by the ICT SCRM Task Force, a public-private partnership that embodies the Agency’s collective approach to enhancing supply chain resilience.

Be sure to check out our webpage weekly for resources, a social media toolkit, videos, and the latest news: CISA.gov/supply-chain-integrity-month.