The US Department of Homeland Security (DHS) announced the formation of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force (the Task Force) on October 30. The Task Force is a partnership between government and private sector partners created to “examine and develop consensus recommendations to identify and manage risk to the global ICT supply chain.” The announcement came at the conclusion of National Cybersecurity Awareness Month and follows other government-industry initiatives, such as the Oil and Natural Gas Pipeline Cybersecurity Initiative, that have been developed to manage risks posed by increasingly global supply chains.
This program reflects DHS’s recognition of the need to manage risks for ICT service providers by focusing on vendors and their multiple subvendors throughout the global ICT supply chain. Cyber threats are an increasingly significant risk to both the government and industry. These threats are growing as malicious adversaries target ICT supply chains to find vulnerabilities through which they can gain a foothold and eventually access sensitive information and intellectual property. The objective of the Task Force is to develop near- and long-term strategies to neutralize supply chain risks.
DHS also recognizes that addressing supply chain risks requires cooperation with industry members that share mutual interests in identifying and mitigating these risks. The Task Force is intended to operate as the primary channel for industry to collaborate with the government on these issues. Moreover, the Task Force will be the main private sector point of entry for the DHS National Protection and Programs Directorate’s Cyber Supply Chain Risk Management (C-SCRM) Program. The C-SCRM Program spearheads national coordinated efforts to address risks to ICT product and service supply chains.
The Task Force held its first meeting on November 15. Government executive committee members include the DHS, Department of Defense, Department of Justice, General Services Administration, Social Security Administration, and Department of the Treasury. Industry executive committee members include representatives from dozens of the largest ICT companies, including service providers and equipment manufacturers.
Although not directly tied to FERC’s ongoing supply chain cybersecurity efforts, including the newly approved CIP-013-1 reliability standard, the strategies developed by the Task Force could be useful for electric utilities in developing their required supply chain cybersecurity risk management plans. Because the new standard provides significant flexibility and discretion to utilities, relying on best practices and formal guidance issued by established authorities on these issues, such as the future guidance from the Task Force, could ensure that utilities’ plans are based on a solid and studied foundation.