Cyber Supply Chain Risk Management: An Introduction

Updated March 21, 2022

Introduction

A supply chain consists of the system of organizations, people, activities, information, and resources that provide products or services to consumers. Like other types of goods, a global supply chain exists for the development, manufacture, and distribution of information technology (IT) products (i.e., hardware and software) and information communications technology (ICT). As with other goods and services, risks exist to this cyber supply chain. This field is known as cyber supply chain risk management (C-SCRM or Cyber SCRM).

Congress and federal agencies have taken actions to bolster cyber supply chain security. In 2017, the U.S. Department of Homeland Security (DHS) ordered federal agencies to remove Kaspersky security products from their networks because of the risk posed. Legislation was subsequently enacted codifying that order. In addition, Congress in 2018 instructed federal agencies and contractors not to use ICT made by certain Chinese companies. Congress established the Federal Acquisition Security Council (FASC), which issued an initial rule in 2020. The Cybersecurity and Infrastructure Security Agency (CISA, a part of DHS) hosts a public-private ICT SCRM Task Force. The Federal Communications Commission authorized the use of Universal Service Fund money to rip-and-replace certain ICT. The U.S.-China Economic and Security Review Commission issued a report highlighting supply chain concerns. Additional legislation has been debated as part of national economic competition bills (e.g., the U.S. Innovation and Competition Act of 2021 and the America COMPETES Act of 2022).

While interest in cyber supply chain security has increased recently, there have been other periods of intense scrutiny on supply chain issues. In 2012, for example: the White House issued a report on global supply chain security; the House Permanent Select Committee on Intelligence (HPSCI) released an unclassified report on threats from Chinese multinational companies Huawei and ZTE; ZTE was exposed selling phones in the United States with backdoor access; the Director of National Intelligence (DNI) cited supply chain security as a major threat in the Worldwide Threat Assessment; and the Government Accountability Office (GAO) studied the issue.

This In Focus reviews C-SCRM, discusses ways in which it is currently managed, and highlights issues that Congress may consider for federal agencies.

Cyber Supply Chain Risks

One way to view risks to cyber supply chain security is through the threat actors, their motivations, and the ways in which they may compromise technology. DNI has identified Russia, China, Iran, and North Korea as cyber threat nations. However, in its report on Department of State telecommunications, GAO highlights that technology is manufactured worldwide and vulnerabilities may be inserted by other malicious actors, such as foreign intelligence services, insiders, or criminals. These actors may be motivated to steal intellectual property, tamper with products, insert counterfeit goods, gain unauthorized access, sell extraneous access, or manipulate the operation of technology. They may accomplish their goals through inserting malicious code in software, manipulating hardware, or a combination of the two.

Cyber supply chain risks do not solely result from malicious human interference. The National Institute of Standards and Technology (NIST) finds that natural disasters may impede delivery of critical network components; poor quality assurance and engineering practices by vendors may create deficient products; or an entity's own business practices may result in seeking, buying, and managing sub-par goods. These threats may result in data loss, modification, or exfiltration; system failures; or product unavailability.

Managing Risk

NIST defines C-SCRM as "the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of [IT] product and service supply chains." This definition distinguishes C-SCRM as an ongoing activity, rather than a single task, and accounts for the procurement and maintenance of hardware and software.

NIST Special Publication 800-161 provides guidance to federal agencies on how they may go about implementing risk management practices. NIST recommends that C-SCRM should align with an organization's existing risk management framework. Activities for risk management include cataloguing current systems and business practices, surveying systems for vulnerabilities, and developing processes to mitigate those vulnerabilities on an ongoing basis.

Just because a risk could possibly manifest does not mean that it always exists, nor is it managed as if it perpetually exists. Instead, managers accept that risk is not binary but exists on a spectrum. This perspective pushes managers to consider how they are most at risk and to prioritize mitigation strategies. This defense-in-depth strategy accepts that complete security is not guaranteed, but it can lead system administrators to deploy tools effectively so that they can detect unwanted activity and stop damages from compounding.

Attackers may not know which defensive strategies are deployed on systems. The chance of exposure is a consideration attackers evaluate when seeking to mass-compromise technology—and may incentivize them to pursue specific attacks against deliberate targets instead. Attackers may also identify a common vulnerability but seek to use it selectively in order to maintain that method for as long as possible.

Conceptualizing risk is challenging because entities may not have threat information available to them, may lack an appreciation of their own vulnerabilities, or may lack a framework to take that information and make resource decisions with it. Entities with general risk management programs may not have the relevant expertise in IT products and threats to apply their established risk management practices to the supply chain. The prioritization of risk management requires that entities understand their own weaknesses, why they may be targeted, who or what may target them, and how. In order to extend these principles to their supply chain, entities will also need information on their vendors and suppliers, threat tactics, and best practices to mitigate risk.

Potential Issues for Congress

Generally, risk profiles (e.g., risk tolerance, resource allocations, vulnerabilities, threats, etc.) and risk management are unique from one entity or sector to another. This makes risk management an activity that is individualized for each entity or sector. However, there are policy areas in which Congress may act with regard to C-SCRM that can affect its success.

Clarity of Responsibility

Federal IT management is distributed among many federal agencies. The Office of Management and Budget (OMB) creates strategic guidance, NIST creates documents describing implementation, CISA helps agencies with security management, and agencies themselves have to implement information security programs. Congress may consider creating specific responsibilities for federal or national supply chain security and assigning those responsibilities across agencies or to a single federal entity. Rather than assigning a single federal agency all the responsibility for supply chain security, Congress may identify unique responsibilities and parse those out to agencies, such as intelligence gathering, technical expertise, the development and promulgation of defensive measures, and coordinating federal efforts. While this approach may provide clarity, its effectiveness may depend on the scope of authority Congress grants and the resource allocations to the designated entity or entities.

Increased Awareness

The federal government may increase the information available from open and restricted government sources to all agencies and the information technology sector. To assist with increased awareness, the federal government could undertake activities to better understand the business relationships involved in the design or delivery of an IT product or service, and assess those businesses for potential risks. Rather than barring corporate activity, the government could alert industry and consumers of those risks so that they may make informed decisions on whether and how they may use those products or services. This may help agencies better assess their own risk, and allow the companies to directly mitigate vulnerabilities in their products. Such a strategy recognizes that government is positioned to support the private sector, which has different responsibilities and greater control over technology.

Oversight

As part of regular oversight, Congress may ask federal agencies and regulated sectors about their C-SCRM programs, effectiveness, and challenges. Congress may also require such programs. In performing agency oversight, Congress may request a review and report by an agency into how it assesses and manages cyber supply chain risks. This review could inform future congressional activity and compel agencies to consider these issues.

An example of such oversight is the Wolf Provision (found in Section 514 of Division B of P.L. 115-141, the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2018). The National Aeronautics and Space Administration (NASA) Inspector General has an audit of NASA's implementation of the provision.

Prohibition on Specific Companies

As with the Kaspersky and Chinese-made products, Congress may ban a certain company's products from being purchased or used by federal agencies. While such a prohibition may limit exposure to specific perceived risks posed by a product, set of products, or a company's work, complexities of the global cyber supply chain, business relationships, corporate restructuring, and other factors may inhibit the intended effectiveness. Such prohibitions have also faced court challenges regarding the banned company's due process and laws against bills of attainder.

Single Evaluator

Currently, agencies are responsible for evaluating risks posed by IT for themselves. However, some agencies lack the capability or capacity to perform thorough evaluations of their systems for supply chain risks. An option for Congress would be to assign a single federal agency the responsibility to evaluate supply chain risks in IT for all other agencies. This agency would examine IT hardware and software for potential risks. In order to do so, the agency would likely need access to threat intelligence, technical expertise, business relationships of the vendors, building products, and security experts, among other factors.

This strategy would align with the Trump Administration's initiative to increase shared services. FedRAMP is a program Congress may look to in establishing such a program. In FedRAMP, one agency evaluates cloud service providers and creates documentation on the security of those services that is available to all agencies. This avoids the duplicate effort of every agency examining the same product, and allows agencies to assess the product relative to their specific concerns.

Chris Jaikaran, Analyst in Cybersecurity Policy

IF10920
https://crsreports.congress.gov

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10920 · VERSION 5 · UPDATED