SCS 9001™ : Frequently Asked Questions (FAQs)
The Telecommunications Industry Association (TIA) ensures optimum performance, security and sustainability of products and services used within the Information and Communication Technology (ICT) industry. Through our Technology Programs, QuEST Forum and Government Advocacy communities, we provide a neutral ground for the industry to collaborate and solve common challenges. Our members and participants have powered advancements in communications for 90+ years.
The TIA QuEST Forum has developed the SCS 9001 Cyber and Supply Chain Security Management System, the first process-based standard for measuring and verifying trusted suppliers in the global ICT industry.
If your questions are not addressed in these FAQs, submit them to us at supplychainsecurity@tiaonline.org and we will promptly respond.
QuEST FORUM
QuEST Forum is the business performance improvement community within TIA. QuEST Forum was established in the mid-1990s by leading global service providers and equipment manufacturers to develop the first quality management system (QMS) for the ICT industry. The result was TL 9000, which has been updated many times over the years and is still the industry’s leading measurable and verifiable QMS, with thousands of certified locations.
When using the term ICT Industry, we are referring to the Information and Communications Technology Industry. The ICT industry essentially covers any modern network, organizations that build and operate such networks, and the vendors who supply devices and services deployed within that network. It includes traditional wireline telecommunications, cable systems, cloud platforms, multi-national enterprise networks, hosted data centers, home networks, Smart Buildings, Satellite Communications, and the Internet of Things, as examples.
No, although joining is strongly recommended in order to take advantage of the preferred pricing and other benefits provided to Participants.
More information on TIA Membership, including QuEST Forum Participation, is available at: Telecommunications Industry Association Membership | TIAOnline.org.
SCS 9001 Standard
SCS 9001 is the first cyber and supply chain security standard developed for the specific needs of the ICT industry. SCS 9001 is a certifiable, process-based standard with optional benchmarking to improve network security and especially security across ICT supply chains.
TIA understands that security is a subset of quality and that you cannot have a high-quality product without it being secure. We have applied many of the same process-based methodologies in SCS 9001 that we’ve used for the past 2 decades with great results.
Additional information is available at TIA Supply Chain Security Program | TIA Online.
Over 60 participants from a diverse group of 34 organizations within the ICT industry, working within a TIA QuEST Forum working group, developed the SCS 9001 standard. A draft of the standard was provided to nearly 100 organizations, including government agencies, for review and commentary. The 250 individuals who reviewed the original draft provided nearly 500 comments and suggestions. Each of these was discussed and most were adopted in delivering the first release of the standard.
As SCS 9001 is an evolving standard, R2 has now incorporated nearly 200 additional recommendations from industry to make the standard even more powerful.
Version 2 contains a variety of improvements including but not limited to:
- General improvements from lessons learned from the Pilot Program
- General improvements from feedback during initial engagements
- Increased coverage of hardware provenance requirements
- Improved coverage of hardware development requirements
- Improved coverage for cloud-based services
- Increased coverage of procurement, shipping and logistics requirements
- Improved support for global government requirements and policy direction
- Improved mapping to controls of CSA CCM 4.0 & ISO 27002
- Removed the underlying requirement of a QMS while maintaining a process basis
- Maintains the ISO Annex SL format for ease of integration for organizations currently certified to ISO standards
- Reorganized and reformatted to better support mapping exercises to other standards and publications
A variety of requests were received promoting this change. Quality and security teams are often separate functions. This change was in response to industry feedback that adoptees require organizational flexibility in applying quality and security standards for different purposes, by different functions and in different locations.
No. While recognizing the industry need, and prior to developing the standard, the SCS 9001 Workgroup reviewed dozens of standards produced by other standards bodies. These include ISO, NIST, ENISA, ATIS, CISA, O-RAN Alliance, O-RAN Coalition, BSIMM, amongst others. Numerous government agency policy directives were also considered.
We found none were complete in meeting the needs of the ICT industry.
The standard is available from the TIA QuEST Forum website at Buy Handbook - TIA Online. The standard is also available from the IHS Markit standards store at their web site IHS Markit Standards Store | Engineering & Technical Information.
Volume discounts are available and TIA QuEST Forum participants receive preferred pricing.
The SCS 9001 standard will initially be available in English with language translations anticipated based on the needs of interested organizations.
Contact the TIA QuEST Forum for availability information.
The best way to get involved with the development and continued evolution of SCS 9001 is to join TIA’s QuEST Forum community and participate in the Supply Chain Security Working Group. Joining TIA QuEST Forum enables you to provide insight and comments on SCS 9001 and to vote on the release of this and other standards under development.
SCS 9001 Certification
SCS 9001 certification is achieved through an audit and resulting assessment by an accredited SCS 9001 Certification Body (CB). CBs are highly trained and must pass rigorous testing prior to being approved to conduct audits.
Further, the audit results delivered by all CBs are reviewed quarterly to ensure that consistent results are delivered across all certifications. Where anomalies are detected, CBs are directed to areas for their own improvement and must provide corrective action to maintain their accreditation.
A full SCS 9001 certification is projected to take 2 to 4 business days. The timeframe will vary based on several factors, including but not limited to the size of the organization, the complexity of its operations, existing quality management systems in place, the scope of registration, the complexity of the supply chain, and the amount of dedicated internal and external resources available in support of the certification effort.
Estimates are regularly updated based on empirical evidence collected during certifications. Contact TIA for your specific questions.
A newly completed certification lasts for 3 years. Surveillance audits are typically performed annually and have a duration of 1/3 of the original audit time. Surveillance audits are annual checks using a subset of the certification process to ensure an organization has remained consistent with the requirements of SCS 9001. A 3-year recertification is projected to take approximately 2/3 of the initial audit days. This aligns with ISO 9001.
TIA has created an audit assessment tool to help organizations project their certification duration and costs. Contact TIA for availability.
SCS 9001 will be a valuable addition to existing quality and security management systems with a focus on securing the network operator’s supply chain. Organizations who are certified are expected to be viewed favorably by their customers as preferred vendors.
SCS 9001 is applicable to anyone participating in the ICT industry and is not limited to traditional telecommunications suppliers. SCS 9001 is equally powerful to those companies operating cable networks, satellite systems, hosted data centers, global cloud platforms and contact centers, as examples.
Any organization that operates a network and those vendors providing products and services used in those networks will benefit from SCS 9001.
Organizations of any size will benefit from SCS 9001.
Large organizations can be geographically distributed with many people and processes supporting a complex infrastructure. Existing processes may be insufficient to address new security challenges. Smaller, new entrants can be immature when it comes to quality and security practices and have limited capacity to develop internal processes to address security needs. SCS 9001 will help in both cases and everything in between.
Yes. Organizations can certify individual lines of business and/or products if desired. It is our expectation, as supply chain processes are often standardized, that in many cases a single certification will suffice.
As a comprehensive management system, organizations making an investment in SCS 9001 certification should account for the following:
- TIA QuEST Forum Participation Fees: based on the size (annual revenue) of an organization, this is an annual fee to be a Participant in the TIA QuEST Forum. TIA QuEST Forum Participants receive discounts on documents, have access to benchmarking data for all standards, and can participate in all working groups, including future work on the SCS 9001 standard in the Supply Chain Security Working Group.
Details on the benefits of Participation are available at: Telecommunications Industry Association Membership | TIAOnline.org.
- SCS 9001 Surveillance Audit: the annual Surveillance Audit cost, paid directly to the CB.
- SCS 9001 Certification Fee: a fee paid for each certification and 3-year recertification.
- SCS 9001 Administrative Fee: an annual fee paid by non-participants to cover the overhead and costs of managing and maintaining their performance data.
- SCS 9001 Handbook purchase(s): the Handbook describes the SCS 9001 requirements and performance data. Volume discounts are available and preferred pricing is offered to Participants.
- Training: numerous training courses are available, including live instructor-led courses (in-person and remote) and computer-based courses, to meet the needs of organizations seeking SCS 9001 certification as well as those seeking to become a Certification Body.
- Performance Data Reports (PDRs): these reports provide the quarterly results of all certified organizations and how their submitted (anonymous) measurement data compares to other organizations and industry averages.
No! ISO 27001 is an important standard that focuses on Information Security. It has a large number of requirements and controls addressing that purpose. In some ways, SCS 9001 can be viewed as a superset of ISO 27001. SCS 9001 provides many similar controls but goes much further in assessing the operational practices of organizations and their supply chains.
A comparison of SCS 9001 and ISO 27001 is available at: SCS-9001-Comparison.pdf (tiaonline.org).
This question deals with different conformity assessment models. A conformity assessment is the manner in which an organization applies and potentially certifies to a standard. Conformity assessment is defined in ISO/IEC 17000 as the "demonstration that specified requirements relating to a product, process, system, person or body are fulfilled".
When it comes to conformity assessment, the following are defined:
- First Party: an organization assesses itself, sometimes providing a self-attestation of compliance and possibly producing evidence of security practices in meeting customer requests.
- Second Party: an organization directly assesses its vendors for compliance with its security requirements.
- Third Party: an independent organization (such as one of TIA’s Certification Bodies) conducts an audit of an organization seeking certification.
TIA supports all conformity assessment models but is an advocate of Third Party (independent certifications) due to the importance of solving today’s security challenges.
Government Policies on Cyber Security
The challenges of cyber and supply chain security have been recognized by global governments. Governments are issuing policy directives and, in some cases, approving new legislation to drive improvements. TIA and our members believe in the benefits of private-public partnerships in solving complex challenges such as improved security for the ICT industry.
SCS 9001 has been developed in response to industry needs and recent government initiatives such as U.S. Executive Order 14028 (Improving the Nation’s Cybersecurity), the EU’s Cybersecurity Act, the U.K.’s Telecommunications Security Act and the Prague Principles.
SCS 9001 will continue to be refined as new industry needs are expressed and regulations from international governments are ratified.
On July 18, 2023, Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel announced in a press release the new U.S. Cyber Trust Mark program. The intent of the program is to improve the cybersecurity and resilience of network-attached consumer devices with a set of baseline requirements such as strong password protections, data encryption, event logging and the ability to perform software updates, as examples.
This labeling program is expected to be implemented in late 2024 with an initial goal to “raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more”. Additional work is anticipated targeting home networking devices, such as modems and Wi-Fi routers.
SCS 9001 aligns with many existing global government requirements. While the details of the U.S. Cyber Trust Mark labeling program have not yet been developed, TIA will work to align with the requirements once they are known. Additionally, the labeling program is focused on providing guidelines for operational security. SCS 9001 supplements such guidelines with extensive coverage of the vendor’s operational practices, including secure development practices and supply chain management. This extensive coverage provides assurance that proper operational practices have been used to deliver inherently higher security products and services devoid of latent vulnerabilities.
Accreditation and Certification Bodies
At this time, the sole authorized SCS 9001 Accreditation Body is ANSI-ASQ National Accreditation Board (ANAB). ANAB’s web site is at ANSI National Accreditation Board | ANAB.
All currently approved ABs can be viewed at: AB/CB & Auditors - TIA Online.
At this time, accredited Certification Bodies are DNV, DQS, NQA, Schullman and TuV AM.
All currently accredited CBs can be viewed at: AB/CB & Auditors - TIA Online.
The TIA QuEST Forum authorization process defines organizations called Accreditation Bodies whose responsibility is to certify and provide oversight of CBs. Before a CB can perform any audits of conformance to SCS 9001, it must first be accredited by an AB.
ABs assure that the CB is competent in its ability to provide assessments and conform to TIA QuEST Forum and global IAF rules.
Requirements to become a CB are available at: SCS9001 Auditor Requirements.
TIA QuEST Forum maintains information related to ABs, CBs, and SCS 9001 registrations on the Registration Management System (RMS) and much of this information is available at: Registration - TIA Online.
Yes. TIA QuEST Forum defines a variety of levels of Participation for organizations of all types and sizes. ABs and CBs are expected to be active members of our community as Liaison Participants.
SCS 9001 Training
There are 4 comprehensive courses available:
- Understanding the SCS 9001 Standard
- Implementation Training
- Auditor Training
- Understanding SCS 9001 Measurements
Courses can be combined and tailored for the specific needs of the organization being trained.
The current list of available courses is available at: Training - TIA Online.
Omnex is TIA’s partner, and the sole training organization approved to provide SCS 9001 training.
Omnex’s SCS 9001 training offerings and other information are available at TIA initiative - SCS 9001 (omnex.com).
Each training course has a list price, but training needs can vary. We can provide customized training based on the specific needs of your organization.
Contact an approved training organization at the following link for additional information: Training - TIA Online.
Software and Supply Chain Security
Yes. An sBOM is a mandatory element of having a comprehensive supply chain security process covering software development and delivery.
Yes. SCS 9001 advocates many best-practices in managing open-source software.
No. While an sBOM is an important measure in developing a comprehensive supply chain security policy, it is just one element of doing so successfully. A fully defined Software Development Lifecycle (SDLC) is required to address software security, defining requirements in the areas of provenance, change management, patch management, vulnerability assessment, entitlement, testing, response and mitigation, and many other topics.
The Log4j attack remains of high interest, and while Log4j is an open-source component, the topic of software security should not be limited to open source. Malicious actors will always test software security and defenses and expose new vulnerabilities. There is no complete fail-safe in avoiding software vulnerabilities.
The best practices detailed in SCS 9001 will significantly reduce the potential for vulnerabilities by ensuring that products have been designed and developed with security as a design requirement and have undergone extensive vulnerability testing; as importantly, the standard defines requirements for mitigation of and response to vulnerabilities over the entire product lifecycle.
IoT Supply Chain Security
Internet of Things, or IoT, is a general term typically applied to network-attached devices used for a variety of purposes such as home automation, industrial controls, entertainment and healthcare devices. As network-attached devices, the growth of IoT has expanded the attack surface of networks. Security must be considered end to end and, accordingly, the IoT industry must improve its security posture.
TIA is a technology agnostic organization. Unlike certain other Standards Development Organizations (SDOs), TIA takes a neutral approach to network architectures and their underlying technologies.
SCS 9001 is a comprehensive standard that can be applied and provide benefit in many applications such as traditional wireline service providers, mobile network operators, cable companies, cloud service providers, data centers, satellite communications, smart buildings, and yes, the Internet of Things industry. Organizations operating networks and those building products deployed in those networks will find value in the standard.
All of them! Difficult lessons are being learned as to the vulnerability of such devices. Factory control systems have been compromised, baby monitoring cameras have had their video streams intercepted, and theft prevention systems of cars have been compromised.
TIA’s position is that it would be imprudent for the IoT industry to believe it is immune and has lesser needs for cyber and supply chain security than any other. There are a growing number of examples of attacks targeting IoT devices and support systems.
There are a number of helpful publications and standards that have been introduced to improve IoT security. The focus of these works has centered on baseline requirements for improving operational cyber security. Examples include the Consumer Technology Association (CTA) standard “ANSI/CTA-2088”, titled “CTA Standard Baseline Cybersecurity Standard for Devices and Device Systems”, and the National Institute of Standards and Technology’s (NIST) publication “NIST IR 8245 Profile of the IoT Core Baseline for Consumer IoT Products”.
These works focus on improving operational IoT device cybersecurity. SCS 9001 addresses many of those aspects but distinguishes itself by building assurance in a network operator’s or vendor’s supply chain practices.
The best practices detailed in SCS 9001 will significantly reduce the potential for vulnerabilities by ensuring that products have been designed and developed with security as a design requirement and have undergone extensive vulnerability testing; as importantly, the standard defines requirements for mitigation of and response to vulnerabilities over the entire product lifecycle.
Contemporary IoT standards and published guidance have focused on a limited set of cyber security requirements. There has been limited focus on supply chain security, which is a strength of SCS 9001.
TIA publishes collateral to contrast SCS 9001 against other standards, publications and government guidance. Refer to our web site at TIA Supply Chain Security Program | TIA Online and under the SUPPLY CHAIN SECURITY TECHNICAL BULLETINS section for available collateral.
TIA has produced a technical bulletin that contrasts SCS 9001 with the Consumer Technology Association’s (CTA) standard ANSI/CTA-2088, titled “CTA Standard Baseline Cybersecurity Standard for Devices and Device Systems”.
In summary, ANSI/CTA-2088 is a standard with an important but limited focus of improving the cybersecurity and resilience of network-attached consumer devices with a heavy focus on secure communications and data and access controls.
SCS 9001 has been purpose-built to address today’s cyber and supply chain security challenges, providing coverage for many different types of networks and the devices operating within those networks. It is a comprehensive standard developed by premier organizations operating within the ICT industry. The challenge of cyber and supply chain security is significant with no single standard or work being sufficient to address all needs.
ANSI/CTA-2088 and SCS 9001 can be used together as an effective combination to provide a higher level of security and resilience for the consumer device (IoT) industry.
Refer to our web site at TIA Supply Chain Security Program | TIA Online and under the SUPPLY CHAIN SECURITY TECHNICAL BULLETINS section for a Technical Bulletin contrasting the two standards.
Executive Order 14028, Improving the Nation’s Cybersecurity, was issued on May 12, 2021.
This order charges multiple agencies, including the National Institute of Standards and Technology (NIST), with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. EO 14028 also directs NIST to initiate a labeling program on cybersecurity capabilities of IoT consumer devices.
Refer to our web site at TIA Supply Chain Security Program | TIA Online and under the SUPPLY CHAIN SECURITY TECHNICAL BULLETINS section for Technical Bulletins discussing how SCS 9001 helps organizations align with the goals of EO 14028 in addition to meeting the expectations of the labeling program.