Continuing its efforts to create a capability to assess risks to cyber supply chains, the Department of Homeland Security is conducting market research to learn about industry capabilities to identify and mitigate risks in the supply chains of information and communications technology (ICT).
An Aug. 17 Request for Information (RFI) says the government is interested in cyber risks to ICT hardware, software, devices and cloud services. The request identifies two categories of capability offerings that are of interest, supply chain risk due diligence information, and tools, products or system solutions used to deliver due diligence information.
The Trump administration and some Republicans in Congress in July proposed legislation aimed at helping federal agencies strengthen the security of their cyber supply chains and DHS has said it is developing a risk framework for the supply chain. In June, a bipartisan group of senators introduced a bill to create a federal council that would assess national security risks to the IT supply chain and July DHS stood up the National Risk Management Center, which centralizes collaborative risk management efforts to better protect the nation's critical infrastructures.
"The government anticipates due diligence research will be conducted on selected suppliers that provide products, services, or solutions which connect in any way to a stakeholder information system or which contain, transmit, or process information provided by or generated for the stakeholder to support the operations and assets of a stakeholder entity," the DHS RFI says. "Possible subjects of due diligence research include all companies directly involved in delivery of products, services, and solutions to stakeholders, through all tiers of the supply chain."
Among other things, the supply chain risk management capability that DHS plans to create to support stakeholders will enable information sharing, be an "automated process supported by threat analysis," minimize duplication of efforts, and align with current practices. Responses are due by Oct. 10.