SCS 9001™ : Frequently Asked Questions (FAQs)
The Telecommunications Industry Association (TIA) ensures optimum performance, security and sustainability of products and services used within the Information and Communication Technology (ICT) industry. Through our Technology Programs, QuEST Forum and Government Advocacy communities, we provide a neutral ground for the industry to collaborate and solve common challenges. Our members and participants have powered advancements in communications for 90+ years.
The TIA QuEST Forum is pleased to announce the release of SCS 9001TM Supply Chain Security Management System, a process-based standard focused on supply chain security for the global ICT industry.
This paper addresses Frequently Asked Questions. It is a living document and will be updated as new questions are raised. For additional information, visit our web site and contact us: About Telecommunications Industry Association | TIA Online
QuEST Forum is the business performance improvement community within TIA. QuEST Forum was established in the mid-1990’s by leading global service providers and equipment manufacturers to develop the first quality management system (QMS) for the telecom industry. The output was TL 9000, which has been updated many times over the years and is still the industry’s leading measurable and verifiable QMS with 1000’s of locations being certified. When developing standards, TIA QuEST Forum follows international standards development procedures and guidelines.
SCS 9001 is the first supply chain security standard developed for the specific needs of the ICT industry. The objective of SCS 9001 is to define a certifiable, process-based standard with benchmarking to improve security across ICT supply chains. Because TIA understands that security is a subset of quality, and you can’t have a high-quality product without it being secure, we are using many of the same process-based methodologies in SCS 9001 that we’ve used for the past 2 decades.
Additional information is available at TIA Supply Chain Security Program | TIA Online.
Over 60 participants from a diverse collection of 34 organizations and working within a TIA QuEST Forum working group developed the SCS 9001 standard. A draft of the standard was provided to nearly 100 organizations including government agencies for review and commentary. The 250 individuals who reviewed the draft provided nearly 500 comments and suggestions. Each of these were discussed and most adopted in delivering the final, first release of the standard.
SCS 9001 was actively developed over approximately two years during 2020 and 2021.
A major difference between SCS 9001 and ISO 27001 is SCS 9001’s detailed supply chain security measurements and benchmarking. In addition to the requirements and controls that an organization must demonstrate having implemented to achieve certification, they must also submit quarterly supply chain security performance measurements into TIA’s secure repository. The data is aggregated and reported out anonymously. That is, for each specific measurement, trend data is shown for the industry average, best and worst in class performance.
There are several other requirements, such as zero trust architecture, software traceability, counterfeiting, supply chain management, and cloud controls, where SCS 9001 adds security requirements beyond ISO 27001.
A comparison of SCS 9001 and ISO 27001 is available at: SCS-9001- Comparison.pdf (tiaonline.org)
No, although it is strongly recommended to take advantage of the preferred pricing provided to Participants including other benefits. More information of TIA Membership including QuEST Forum Participation is available at: Telecommunications Industry Association Membership | TIAOnline.org.
No. While recognizing the industry need, and prior to developing the standard, the SCS 9001 Workgroup reviewed dozens of standards produced Page 3 of 8 by other standards bodies. These include ISO, NIST, ENISA, ATIS, CISA, O-RAN Alliance, O-RAN Coalition, BSIMM, amongst others. Numerous government agency policy directives were also considered.
We found none were complete in meeting the specific needs of the ICT industry.
SCS 9001 certification is achieved through an audit and resulting assessment by an accredited SCS 9001 Certification Body (CB). CBs are highly trained and must pass rigorous testing prior to being approved to conduct audits.
Further, the audit results delivered by all CBs are reviewed quarterly to ensure that consistent results are delivered across all certifications. Where anomalies are detected, CBs are directed to areas for their own improvement and must provide corrective action to maintain their accreditation.
A full SCS 9001 certification is projected to take 2 – 4 business days. The timeframe will vary based on several factors, including but not limited to the size of the organization, complexity of its operations, existing quality management systems in place, scope of registration, complexity of the supply chain, and the amount of dedicated internal and external resources available in support of the certification effort.
We will update estimates based on empirical evidence collected during the initial certifications.
At this time, accredited Certification Bodies are DNV, DQS, NQA, Schullman and TuV AM.
All currently accredited CBs can be viewed at: AB/CB & Auditors - TIA Online
The TIA QuEST Forum authorization process defines organizations called Accreditation Bodies whose responsibility is to certify and provide oversight of CBs. Before a CB can perform any audits of conformance to SCS 9001, it must first be accredited by an AB.
ABs assure that the CB is competent in its ability to provide assessments and conform to TIA QuEST Forum and global IAF rules.
Requirements to become a CB are available at: SCS 9001 Auditor Requirements
TIA QuEST Forum maintains information related to ABs, CBs, and SCS 9001 registrations on the Registration Management System (RMS) and much of this information is available at: Registration - TIA Online.
Yes. TIA QuEST Forum defines a variety of levels of Participation for organizations of all types and sizes. ABs and CBs are expected to be active members of our community as Liaison Participants.
A granted SCS 9001 certification will require annual surveillance audits and a re-certification every 3-years. Surveillance audits are annual checks using a subset of the certification process to ensure an organization has remained consistent with the requirements of SCS 9001.
Yes. As a comprehensive management system, organizations making an investment in SCS 9001 certification should account for the following:
- TIA QuEST Forum Participation Fees: based on the size (annual revenue) of an organization, this is an annual fee to be a Participant in the TIA QuEST Forum. TIA QuEST Forum Participants receive discounts on documents, have access to benchmarking data for all standards, and can participate in all working groups, including future work on the SCS 9001 Supply Chain Security Working Group standard. Details on the benefit of Participation are detailed at: Telecommunications Industry Association Membership | TIAOnline.org.
- SCS 9001 Surveillance Audit: the annual Surveillance Audit cost, paid directly to the CB.
- SCS 9001 Certification Fee: a fee paid for each certification and 3-year recertification.
- SCS 9001 Administrative Fee: an annual fee paid by non-participants to cover the overhead and costs of managing and maintaining their performance data.
- SCS 9001 Handbook purchase(s): the Handbook describes the SCS9001 requirements and performance data. Volume discounts are available and preferred pricing is offered to Participants.
- Training: there are numerous training courses available, both live-instructor led, in-person, remote and computer based in meeting the needs of organizations desiring SCS 9001 certification, as well as those desiring to become a Certification Body.
- Performance Data Reports (PDRs): these reports provide the quarterly results of all certified organizations and how their submitted (anonymous) measurement data compares to other organizations and industry averages.
Yes. Organizations can certify individual lines of business and/or products if desired. It is our expectation, that as supply chain processes are often standardized, that in many cases a single certification will suffice.
The best way to get involved with the development and continued evolution of SCS 9001 is to join TIA’s QuEST Forum community and participate in the Supply Chain Security Working Group. Joining QuEST Forum enables you to provide insight and comments on SCS 9001 and to vote on the release of this and other standards under development.
At the official launch of SCS 9001 we will have a website with comprehensive information regarding SCS 9001. Our public website will have information detailing the certification process, approved certification bodies and accreditation bodies, and a link to an e-commerce site to purchase the standard and training documentation.
The standard is available from the TIA QuEST Forum website at Buy Handbook - TIA Online. The standard is also available from the IHS Markit standards store at their web site IHS Markit Standards Store | Engineering & Technical Information.
Volume discounts are available and TIA QuEST Forum participants receive preferred pricing.
The standard is not offered in hard copy, it is only available electronically.
At this time, 4 comprehensive courses are available:
1. Understanding the SCS 9001 Standard
2. Understanding SCS 9001 Measurements
3. Auditor Training
4. Implementation Training
Courses can be combined and tailored for the specific needs of the
organization being trained. Currently, courses are conducted in-person or
Additional training information is available at: Training - TIA Online.
At this time, Omnex is the sole training organization approved to provide SCS 9001 training.
Omnex’s SCS 9001 training offerings and other information is available at TIA initiative - SCS 9001 (omnex.com).
Training is quoted individually by certified training organizations based on the specific needs of organizations seeking such training.
Contact an approved training organization at the following link for additional information: Training - TIA Online.
The SCS 9001 standard will initially be available in English with language translations anticipated based on the needs of interested organizations.
Contact the TIA QuEST Forum for availability information.
TIA and our members believe that the development of all standards and policy initiatives needs to be done collaboratively and address the input of both industry and global governments.
SCS 9001 has been developed in response to industry needs and recent government initiatives such as U.S. Executive Order 14028 (Improving the Nation’s Cybersecurity), the EU’s Cybersecurity Act and the Prague Principles.
SCS 9001 will continue to be refined as new industry needs are expressed and regulations from international governments are ratified.
Yes. Benchmarking is an important component of SCS 9001 and differentiates the standard from others. Once sufficient certifications have been completed to make the data to be statistically relevant, and at least four quarters of benchmarking data have been aggregated, Performance Data Reports will be available.
Contact TIA QuEST Forum for availability
Yes. An sBOM is a mandatory element of having a comprehensive supply chain security process covering software development and delivery.
Yes. SCS 9001 advocates many best-practices in managing general and open-source software.
No. While an sBOM is an important measure in developing a comprehensive supply chain security policy, it is just one element of doing so successfully. A fully defined Software Development Lifecycle (SDLC) is required to address software security and defining requirements in areas of provenance, change management, patch management, vulnerability assessment, entitlement, testing, response and mitigation, and many other topics.
While the recent log4j problem is of high interest, and while it is an opensource component, the topic of software security should not be limited to open source. Malicious actors will always test software security and defenses and expose new vulnerabilities. There is no complete fail-safe in avoiding software vulnerabilities.
The best practices detailed in SCS 9001 will significantly reduce the potential for vulnerabilities in ensuring products have been designed and developed with security as a design requirement, extensive vulnerability testing, and as importantly, the standard defines requirements for mitigation and response to vulnerabilities over the entire product lifecycle.
SCS 9001 is a valuable addition to existing quality management systems with a focus on securing the manufacturer’s supply chain. Organizations who are certified are expected to be viewed favorably by their customers as preferred vendors. SCS 9001 is applicable to anyone participating in the ICT industry and is not limited to traditional telecommunications suppliers. SCS 9001 is equally powerful to those companies operating cable networks, satellite systems, hosted data centers, global cloud platforms and contact centers, as examples.
Service providers and other network operators will benefit greatly by joining TIA QuEST Forum and specifically the SCS 9001 working group. Participants can directly contribute to this and future standards work, receive discounted pricing, and have access to our Performance Data Reports.
A tremendous benefit of SCS 9001 is that all certified organizations are required to submit quarterly data on their performance against key measures identified within the standard. TIA QuEST Forum anonymizes the data and publishes reports on supplier performance. Service providers can leverage these reports in determining the effectiveness of their suppliers.