In an increasingly connected world, the security and reliability of networks are critical to ensuring that consumers and businesses can realize the full potential of next-generation technology. Since nearly every sector of the networked economy relies on a dynamic and global ICT supply chain, every actor in that supply chain has a responsibility to manage the risks they face. That’s why TIA supports consensus-based approaches and public-private partnerships to address supply chain risk management. In addition, TIA supports targeted whole-of-government action where necessary to address certain, specific national security risks to the ICT supply chain.
TIA WHITE PAPER:
Presenting SCS 9001, the first-of-its-kind process-based standard for measuring and verifying trusted suppliers in the global ICT industry.
SECURING THE ICT SUPPLY CHAIN
ICT supply chains are global, dynamic, and complex, therefore supply chain risk management works best through consensus-based, industry-led processes. Industry-driven standard-setting efforts and public-private partnerships also play key roles.
TIA generally supports an approach that aligns input with expertise to empower organizations to make informed risk-based decisions, without compromising their ability to meet organizational objectives. Customers, including consumers, enterprises, carriers, and governments, must have access to trusted ICT suppliers and the ability to communicate that trust to those that rely on the products they buy.
Meanwhile, as the U.S. federal government responds to growing national security concerns about certain suppliers of communications products, TIA supports targeted action to protect telecommunications networks from suppliers deemed to pose a national security threat.
Our guiding principle is that both product security and information security are critical elements of quality. You can’t have a quality product unless it is secure. Therefore, our standard will be built upon top a foundation of a globally recognized Quality Management System (QMS) such as ISO 9001 or TL 9000. We have decided that a management system based on the PDCA (plan-do check-act) model, will ensure that organizations use methods that are self-policing and self-improving to achieve security goals.
While our subject-matter experts and their teams are developing the Supply Chain Security Standard requirements and measurements, we are simultaneously developing a model for certification to the new standard. QuEST Forum members, who are experts in the certification field, such as ANAB and several certification bodies (CBs), expect to be prepared for a pilot certification program in 2021.
Components of the standard will address:
- Secure software development,
- Validation methods for ensuring software ID and source traceability
- Validation methods for ensuring hardware ID and source traceability
- Product security
- Governmental requirements about source of origin and transparency of internal controls
Since ISO 9001 will be the foundation for the new standard, suppliers who are already certified to ISO 9001, TL 9000, or similar standards should have a head start on preparing for certification. Certification to such quality management system standards is already widespread in the ICT industry.
Our workgroups are meeting weekly to develop the new standard's content. Volunteer members of these workgroups have the opportunity to influence the structure, requirements, and governance of this new process based standard. Many organizations have found that having representatives participate standards development helps them ensure that their needs and expectations are considered, and that they themselves are well positioned to achieve certification.
To coordinate all necessary activities for creating the standard, we have formed a steering committee of subteam leaders and interested executives. The steering committee meets biweekly to general security education and to hear of progress from the following 10 subteams. New participants are welcome!
- Asset Team: Determine requirements for Asset Identification, Asset Classification, Acceptable Risk Threshold, and Residual Risk Acceptance
- Cyber Security Processes: Determine requirements for Incident Management (including reporting), Risk Mitigation, and Counterfeit SW, HW or components Process
- Secure SDLC: Determine requirements for Secure Coding Principals, Secure LCM Development (documented), Secure Software Testing, Secure Packaging & Deployment, and Other components
- SW Validation Team: Determine requirements for FOSS or OSS Update & Validation, Methods of determining SW origin, Methods of determining SW version, Methods of determining SW has not been tampered with
- HW Validation Team: Determine requirements for methods of determining HW or component origin, Methods of determining HW or component version, Methods of determining HW or component has not been tampered with
- Countermeasures and Controls Team: Determine the requirements for determining controls from NIST, determining controls from CMMC, determining controls from ISO 27001 series, others
- Trust/External Influences Team: Determine requirements for Financial data sharing, Information sharing
- Measurements Team: Determine measurements definitions for Number of security incidents (Crit., Maj., Min.), Effectivity of Technical Vulnerability Management, Secure Software Testing, Methods of HW (physical access) methodologies, Others
- Interface to QMS Team: Determine requirements from industry segment QMS’s that need to be added to ISO 9001, Maintenance of SSC Appendix draft, Links to clauses 1-10 of annex SL QMS, Corrective Action (in addition to ISO 9001), Internal Audits (in addition to ISO 9001), Management Responsibility (in addition to ISO 9001), Goals and Objectives (in addition to ISO9001)
- Oversight (OSWG): Determine requirements for planning training and the Certification Scheme we will follow