
Updated December 15, 2020
Cyber Supply Chain Risk Management: An Introduction
Introduction

A supply chain consists of the system of organizations, people, activities, information, and resources that provide products or services to consumers. Like other types of goods, a global supply chain exists for the development, manufacture, and distribution of information technology (IT) products (i.e., hardware and software) and information communications technology (ICT). As with other goods and services, risks exist to this cyber supply chain. The field that addresses these risks is known as cyber supply chain risk management (C-SCRM or Cyber SCRM).

Congress and federal agencies have taken actions to bolster cyber supply chain security. In 2017, the U.S. Department of Homeland Security (DHS) ordered federal agencies to remove Kaspersky security products from their networks because of the risk posed. Legislation was subsequently enacted codifying that order. In addition, Congress in 2018 instructed federal agencies and contractors not to use ICT made by certain Chinese companies. Congress established the Federal Acquisition Security Council (FASC), which issued an initial rule in 2020. The Cybersecurity and Infrastructure Security Agency (CISA, a part of DHS) hosts a public-private ICT SCRM Task Force. The Federal Communications Commission authorized the use of Universal Service Fund money to rip-and-replace certain ICT. The U.S.-China Economic and Security Review Commission issued a report highlighting supply chain concerns.

While interest in cyber supply chain security has increased recently, there have been other periods of intense scrutiny on supply chain issues. In 2012, for example: the White House issued a report on global supply chain security; the House Permanent Select Committee on Intelligence (HPSCI) released an unclassified report on threats from Chinese multinational companies Huawei and ZTE; ZTE was exposed selling phones in the United States with backdoor access; the Director of National Intelligence (DNI) cited supply chain security as a major threat in the Worldwide Threat Assessment; and the Government Accountability Office (GAO) studied the issue.

This In Focus reviews C-SCRM, discusses ways in which it is currently managed, and highlights issues that Congress may consider for federal agencies.

Cyber Supply Chain Risks

One way to view risks to cyber supply chain security is through the threat actors, their motivations, and the ways in which they may compromise technology. DNI has identified Russia, China, Iran, and North Korea as cyber threat nations. However, in its report on Department of State telecommunications, GAO highlights that technology is manufactured worldwide and vulnerabilities may be inserted by other malicious actors, such as foreign intelligence services, insiders, or criminals. These actors may be motivated to steal intellectual property, tamper with products, insert counterfeit goods, gain unauthorized access, sell extraneous access, or manipulate the operation of technology. They may accomplish their goals through inserting malicious code in software, manipulating hardware, or a combination of the two.

Cyber supply chain risks do not solely result from malicious human interference. The National Institute of Standards and Technology (NIST) finds that natural disasters may impede delivery of critical network components; poor quality assurance and engineering practices by vendors may create deficient products; or an entity’s own business practices may result in seeking, buying, and managing sub-par goods. These threats may result in data loss, modification, or exfiltration; system failures; or product unavailability.

Managing Risk

NIST defines C-SCRM as “the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of [IT] product and service supply chains.” This definition distinguishes C-SCRM as an ongoing activity, rather than a single task, and accounts for the procurement and maintenance of hardware and software.

NIST Special Publication 800-161 provides guidance to federal agencies for how they may go about implementing risk management practices. NIST recommends that C-SCRM should align with an organization’s existing risk management framework. Activities for risk management include cataloguing current systems and business practices, surveying systems for vulnerabilities, and developing processes to mitigate those vulnerabilities on an ongoing basis.

Just because a risk could possibly manifest does not mean that it always exists, nor is it managed as if it perpetually exists. Instead, managers accept that risk is not binary but exists on a spectrum. This perspective pushes managers to consider how they are most at risk and to prioritize mitigation strategies. This defense-in-depth strategy accepts that complete security is not guaranteed, but it can lead system administrators to deploy tools effectively so that they can detect unwanted activity and stop damages from compounding.

Attackers may not know which defensive strategies are deployed on systems. The chance of exposure is a consideration attackers evaluate when seeking to mass-compromise technology, and it may incentivize them to pursue specific attacks against deliberate targets instead.
https://crsreports.congress.gov
Attackers may also identify a common vulnerability but seek to use it selectively in order to preserve that method for as long as possible.

Conceptualizing risk is challenging because entities may not have threat information available to them, may lack an appreciation of their own vulnerabilities, or may lack a framework to take that information and make resource decisions with it. Entities with general risk management programs may not have the relevant expertise in IT products and threats to apply their established risk management practices to the supply chain. The prioritization of risk management requires that entities understand their own weaknesses, why they may be targeted, who or what may target them, and how. In order to extend these principles to their supply chain, entities will also need information on their vendors and suppliers, threat tactics, and best practices to mitigate risk.

Potential Issues for Congress

Generally, risk profiles (e.g., risk tolerance, resource allocations, vulnerabilities, threats, etc.) and risk management differ from one entity or sector to another. This makes risk management an activity that is individualized for each entity or sector. However, there are policy areas in which Congress may act with regard to C-SCRM that can affect its success.

Clarity of Responsibility

Federal IT management is distributed among many federal agencies. The Office of Management and Budget (OMB) creates strategic guidance, NIST creates documents describing implementation, CISA helps agencies with security management, and agencies themselves have to implement information security programs. Congress may consider creating specific responsibilities for federal or national supply chain security and assigning those responsibilities across agencies or to a single federal entity. Rather than assigning a single federal agency all the responsibility for supply chain security, Congress may identify distinct responsibilities, such as intelligence gathering, technical expertise, the development and promulgation of defensive measures, and coordination of federal efforts, and parse those out to agencies. While this approach may provide clarity, its effectiveness may depend on the scope of authority Congress grants and the resources allocated to the designated entity or entities.

Increased Awareness

The federal government may increase the information available from open and restricted government sources to all agencies and the information technology sector. To assist with increased awareness, the federal government could undertake activities to better understand the business relationships involved in the design or delivery of an IT product or service, and assess those businesses for potential risks. Rather than barring corporate activity, the government could alert industry and consumers to those risks so that they may make informed decisions on whether and how they use those products or services. This may help agencies better assess their own risk, and allow the companies to directly mitigate vulnerabilities in their products. Such a strategy recognizes that government is positioned to support the private sector, which has different responsibilities and greater control over technology.

Oversight

As part of regular oversight, Congress may ask federal agencies and regulated sectors about their C-SCRM programs, effectiveness, and challenges. Congress may also require such programs. In performing agency oversight, Congress may request a review and report by an agency into how it assesses and manages cyber supply chain risks. This review could inform future congressional activity and compel agencies to consider these issues.

An example of such oversight is the Wolf Provision (found in Section 514 of Division B of P.L. 115-141, the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2018). The National Aeronautics and Space Administration (NASA) Inspector General has conducted an audit of NASA’s implementation of the provision.

Prohibition on Specific Companies

As with the Kaspersky and Chinese-made products, Congress may ban a certain company’s products from being purchased or used by federal agencies. While such a prohibition may limit exposure to specific perceived risks posed by a product, set of products, or a company’s work, the complexities of the global cyber supply chain, business relationships, corporate restructuring, and other factors may inhibit the intended effectiveness. Such prohibitions have also faced court challenges regarding the banned company’s due process and laws against bills of attainder.

Single Evaluator

Currently, agencies are responsible for evaluating risks posed by IT for themselves. However, some agencies lack the capability or capacity to perform thorough evaluations of their systems for supply chain risks. An option for Congress would be to assign a single federal agency the responsibility to evaluate supply chain risks in IT for all other agencies. This agency would examine IT hardware and software for potential risks. In order to do so, the agency would likely need access to threat intelligence, technical expertise, the business relationships of the vendors building products, and security experts, among other factors.

This strategy would align with the Trump Administration’s initiative to increase shared services. Congress may look to FedRAMP as a model for such a program. In FedRAMP, one agency evaluates cloud service providers and creates documentation on the security of those services that is available to all agencies. This avoids the duplicate effort of every agency examining the same product, and allows agencies to assess the product relative to their specific concerns.

Chris Jaikaran, Analyst in Cybersecurity Policy
IF10920
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10920 · VERSION 4 · UPDATED