How SCS 9001 Operationalizes the Prague Proposals
By Mike Regan, Vice President of Business Performance, TIA
Various trade and standards organizations, as well as government agencies from around the world, have been developing recommendations to help shape the global response to rising cybersecurity threats. For example, the Center for Strategic and International Studies (CSIS) developed its Criteria for Security and Trust in Telecommunications Networks and Services. One of the most significant collaborations was initiated by the Czech Republic’s National Cyber and Information Security Agency (NCISA), which hosts the annual Prague 5G Security Conference.
About the Prague Proposals
The Prague 5G Security Conference was founded in 2019 with the intent to raise awareness about the importance of 5G infrastructure in the context of national and international security. It is a leading global forum dedicated to the security of 5G infrastructure that gathers senior government officials, representatives of international and regional organizations, researchers from universities and think-tanks, and subject-matter experts.
Throughout the conference, attendees take part in international dialogues on the strategic significance of 5G infrastructure and are encouraged to share emerging best practices, approaches, and lessons learned as they pertain to security.
The outcome of the first Prague 5G Security Conference was a document that became what is now known as the Prague Proposals. They are a set of recommendations on both technical and non-technical risks that should be considered when planning, building, launching, and operating 5G infrastructure around the world.
The Prague Proposals on Cyber Security of Emerging and Disruptive Technologies (EDTs) were presented at the 2019 conference. The participating countries agreed on possible principles for a future approach to disruptive technologies. The document mentions, for example, an approach based on consideration of technical and non-technical risks, supply chain security, transparency, trustworthiness, and diversification, as well as democratic and ethical values in the context of 5G infrastructure.
The most recent conference resulted in a second set of proposals, the Prague Proposals on Telecommunications Supplier Diversity, which are intended to guide efforts in advancing and promoting diverse suppliers and open, interoperable networks.
Putting the Proposals into Action
While the Prague Proposals present a solid foundation of what steps can and should be taken to deploy and operate safe and secure global networks, what is missing is a process to implement these proposals and to verify that the recommended security measures are actually in place. After all, supplier trust needs to be earned, and to build that trust, organizations need a means of independent, third-party verification that their networks are built from trusted hardware and software components.
Given the much larger role of software in our networks, unverified trust in suppliers is no longer worth the risk. In IBM’s annual Cost of a Data Breach Report, the global average cost of a data breach rose roughly 10% from 2020 to 2021, to $4.24 million USD per breach, the highest figure since IBM began producing the report. The same study cited an average cost of $9.05 million USD per data breach for the United States in 2021.
Enter SCS 9001
The Telecommunications Industry Association’s (TIA) newly published standard, SCS 9001™ Supply Chain Security Management System, is a voluntary, industry-led, process-based standard that operationalizes several well-known industry best practices and guidelines, including the Prague Proposals. SCS 9001 aims to help service providers, operators, managed service providers, and their suppliers, developers, and manufacturers verify that critical security measures, processes, and controls are in place to mitigate the risk of supply-chain-based cyber attacks. Additionally, organizations are encouraged to demonstrate compliance by obtaining certification through an audit from one of TIA’s authorized and accredited certification bodies.
The SCS 9001 architecture includes core components that work together to meet the various technical goals of the Prague Proposals:
- Certified QMS and Adherence to Principles of Trust;
- Zero Trust Network Architecture and Asset Inventory Management;
- Seven Supply Chain Processes including Provenance, Secure Development, Software Usage, Counterfeit Parts, Risk Assessment, Technical Vulnerability Management, and Incident Management;
- Ten Security Domains containing 55 controls in total.
In addition to implementing the recommendations of the Prague Proposals, SCS 9001 will also produce anonymized industry performance benchmarking data, based on information contributed by participating companies, that will enable companies to compare themselves to the industry average across various categories. Having industry performance data will help organizations continually improve their own security performance over time and as technologies evolve. The benchmarking engine is what sets this standard apart from other standards under development that do not consider the totality of how to improve security in both networks and businesses.
For a full description of the specific ways that SCS 9001 operationalizes the Prague Proposals and helps suppliers and network providers, CLICK HERE to download our comparative analysis.
To learn more about SCS 9001, CLICK HERE.