DOCSLIB.ORG

Mitigating ICT Supply Chain Risks with Qualified Bidder And

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Mitigating ICT Supply Chain Risks with Qualified Bidder And CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY MITIGATING ICT SUPPLY CHAIN RISKS WITH QUALIFIED BIDDER AND MANUFACTURER LISTS Recommendations on the Use of Qualified Lists and Considerations for the Evaluation of Supply Chain Risks April 2021 CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY This page is intentionally left blank. i CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY MITIGATING ICT SUPPLY CHAIN RISKS WITH QUALIFIED BIDDER AND MANUFACTURER LISTS Recommendations on the Use of Qualified Lists and Considerations for the Evaluation of Supply Chain Risks Executive As Information and Communications Technology (ICT) products and services Summary evolve to provide increasing functionality, the supply chains that deliver them continue to grow more sophisticated and complex. Often hundreds of entities in multiple countries contribute in some fashion to a final product, from the mining of rare earth metals to the production of processing chemicals to sophisticated integrated circuits and software. The complexity and, to a degree, the proprietary nature and obscurity of ICT supply chains have made them increasingly at risk. This includes risk of exposure of sensitive or classified data that may imperil an organization’s mission. There are currently no uniformly agreed upon and broadly adopted security standards, assurance standards, or criteria to evaluate the ICT products or processes to develop and produce them. The scope of this working group centered primarily on security and cybersecurity risks, not general risks (e.g., assurance of supply and labor compliance). Cyber supply chain risks arise from threats to and through ICT. When an organization acquires an ICT product or relies upon an ICT service, they inherit these ICT cyber supply chain risks and their potential exposure to harm. With few exceptions, organizations rely upon ICT to perform their functions, and to process, store, and share data and information. As the criticality of these functions, or the value or sensitivity of their associated information increases, so does the level of trust an organization needs to have in the person or product performing a critical function, or that has access to important information. Establishing and utilizing vetted, qualified sources of supplies can limit an organization’s exposure to risk. Incorporating cyber-SCRM-focused qualification criteria into existing or new qualification list processes can provide a targeted and effective means for providing assurance that an ICT supplier or product is sufficiently trustworthy. The Cybersecurity and Infrastructure Security Agency’s (CISA) ICT Supply Chain Risk Management (SCRM) Task Force established the Qualified Bidders List (QBL)/Qualified Manufacturers List (QML) Working Group (WG3) with the goal of providing realistic, actionable, economically feasible, and risk-based recommendations surrounding the use of “Qualified Lists” as one tool among many that can help organizations better manage ICT supply chain risk. This report is the result of the efforts by the QBL/QML WG3. It explains the purpose and benefits of qualified lists, provides a description of factors that inform a decision to build/rely on a QBL/QML for ICT products and services, and proposes actionable recommendations for incorporating SCRM considerations into new and existing ICT-related qualified list criteria and program processes. ii CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY Contents EXECUTIVE SUMMARY ................................................................................................................................................ IIii QUALIFIED BIDDERS LIST (QBL)/QUALIFIED MANUFACTURERS LIST (QML) WORKING GROUP MEMBERS .......... 1 BACKGROUND AND APPROACH .................................................................................................................................. 3 CONSIDERATIONS FOR USE OF QUALIFIED LISTS TO ENHANCE C-SCRM ................................................................ 5 Qualified List Benefits ............................................................................................................................................. 5 Qualified List Costs and Risks ................................................................................................................................ 5 Establishing Qualified Lists: Considerations and Best Practices ......................................................................... 7 Purpose and Value of Addressing SCRM in a QL .................................................................................................. 8 Supply Chain Risk Categories ................................................................................................................................ 9 CATEGORICAL SCRM CONSIDERATIONS AND RECOMMENDATIONS ..................................................................... 10 Supply Chain Security ........................................................................................................................................... 10 PHYSICAL SECURITY ........................................................................................................................................ 10 CYBERSECURITY ............................................................................................................................................... 12 PERSONNEL SECURITY .................................................................................................................................... 15 SUPPLY CHAIN INTEGRITY ............................................................................................................................... 16 SUPPLY CHAIN QUALITY ................................................................................................................................... 26 SUMMARY .................................................................................................................................................................. 27 APPENDICES .............................................................................................................................................................. 28 Appendix A: Background on Qualified Lists ......................................................................................................... 29 WHAT IS A QUALIFIED LIST AND ITS PURPOSE? ............................................................................................. 29 WHO IS RESPONSIBLE FOR A QUALIFIED LIST? ............................................................................................. 29 FEDERAL ACQUISITION POLICY REGARDING QUALIFIED LIST REQUIREMENTS ........................................... 31 WHAT VARIATIONS IN QUALIFIED LISTS EXIST? ............................................................................................. 32 BEST PRACTICES FOR QUALIFIED LIST BUILDING .......................................................................................... 32 QUALIFIED LISTS SUPPORT GOVERNANCE, COMPLIANCE AND RISK MANAGEMENT OBJECTIVES ............ 33 Appendix B: Additional Recommendations for Incorporating SCRM into ICT QLs ............................................ 39 KEY PRACTICES ................................................................................................................................................ 39 VALIDATION....................................................................................................................................................... 39 LIFECYCLE CONSIDERATIONS ......................................................................................................................... 39 ADVERSE QUALIFICATION DECISIONS............................................................................................................. 40 Appendix C: Summary of Use Case Reviews ...................................................................................................... 41 CONTINUOUS DIAGNOSTICS MITIGATION (CDM) ............................................................................................ 41 GENERAL SERVICES ADMINISTRATION (GSA) CATEGORY MANAGEMENT ................................................... 42 FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) 201 EVALUATION PROGRAM AND APL ........ 42 DOD CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) .............................................................. 43 THE NATIONAL AERONAUTICS AND SPACE ADMINISTRATION (NASA) SOLUTIONS FOR ENTERPRISE-WIDE PROCUREMENT (SEWP) ................................................................................................................................... 43 Appendix D: Examples of QLs and Program Activities ....................................................................................... 45 Appendix E: Hardware Integrity Resources ......................................................................................................... 49 EXAMPLE OF USE OF STANDARDS TO ADDRESS HARDWARE SECURITY ..................................................... 56 Appendix F: References ........................................................................................................................................ 57 iii CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY Tables Table 1: Summary of Benefits, Costs, and Risks Associated with Qualified Lists .................................................. 6 Table 2: Worksheet: Evaluating the Utility and Feasibility of Qualified Lists ........................................................
Load more

Recommended publications
  • Validators Report
    National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report IBM Global Security Kit (GSKit) 8.0.14 Report Number: CCEVS-VR-VID10394-2011 Dated: 2012-03-06 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 ACKNOWLEDGEMENTS Validation Team Jim Brosey Orion Security Fort Meade, Maryland Jandria S. Alexander Aerospace Fort Meade, Maryland Vicky Ashby The MITRE Corporation McLean, Virginia Evaluation Team Alejandro Masino, Trang Huynh, Courtney Cavness atsec Information Security Corporation Austin, Texas Table of Contents 1. EXECUTIVE SUMMARY ........................................................................................................................................ 4 2. IDENTIFICATION .................................................................................................................................................... 4 3. CLARIFICATION OF SCOPE ................................................................................................................................. 6 3.1. PHYSICAL SCOPE ................................................................................................................................................... 6 3.2. LOGICAL SCOPE ....................................................................................................................................................
    [Show full text]
  • Cen Workshop Agreement Cwa 14722-3
    CEN CWA 14722-3 WORKSHOP August 2004 AGREEMENT ICS 35.240.15 Supersedes CWA 14722-3:2004 English version Embedded financial transactional IC card reader (embedded FINREAD) - Part 3: Functional and Security Specifications This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of which is indicated in the foreword of this Workshop Agreement. The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National Members of CEN but neither the National Members of CEN nor the CEN Management Centre can be held accountable for the technical content of this CEN Workshop Agreement or possible conflicts with standards or legislation. This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members. This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies. CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG Management Centre: rue de Stassart, 36 B-1050 Brussels © 2004 CEN All rights of exploitation in any form and by any means reserved worldwide
    [Show full text]
  • Part 3: Security Assurance Components
    Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components September 2012 Version 3.1 Revision 4 CCMB-2012-09-003 Foreword This version of the Common Criteria for Information Technology Security Evaluation (CC v3.1) is the first major revision since being published as CC v2.3 in 2005. CC v3.1 aims to: eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product; clarify CC terminology to reduce misunderstanding; restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed. CC version 3.1 consists of the following parts: Part 1: Introduction and general model Part 2: Security functional components Part 3: Security assurance components Trademarks: UNIX is a registered trademark of The Open Group in the United States and other countries Windows is a registered trademark of Microsoft Corporation in the United States and other countries Page 2 of 233 Version 3.1 September 2012 Legal Notice: The governmental organisations listed below contributed to the development of this version of the Common Criteria for Information Technology Security Evaluation. As the joint holders of the copyright in the Common Criteria for Information Technology Security Evaluation, version 3.1 Parts 1 through 3 (called “CC 3.1”), they hereby grant non- exclusive license to ISO/IEC to use CC 3.1 in the continued development/maintenance of the ISO/IEC 15408 international standard. However, these governmental organisations retain the right to use, copy, distribute, translate or modify CC 3.1 as they see fit.
    [Show full text]
  • Facilitating Project Management Through Effective Quality Management: the Need for Implementing ISO 9000 in Construction
    Built-Environment-Sri Lanka -Vol. 03, Issue 02:2003 Facilitating project management through effective quality management: the need for implementing ISO 9000 in construction N.D. Gunawardena Abstract This paper describes the relationship between project management and quality management. It identifies the similarity between the recognised project quality management processes and the ISO 9001 quality management system; then it illustrates how ISO 9001 quality requirements could be applied to construction project management. The paper also presents the results of a survey carried out to identify quality management practices adopted by local construction companies, using ISO 9001 standard as a yardstick. According to the survey, the companies had some shortcomings with respect to quality management during the construction stage. The results indicate that the lack of proper quality management could, in turn, affect the project management adversely; this point is supported by the Project Management Process Maturity Model, which is a quality improvement model that uses five levels to determine the relative maturity of any organisation and its ability to achieve cost and schedule objectives of a project. Finally, the paper suggests that the quality managements systems based on ISO 9000 could be very effective in facilitating the project management efforts in the construction industry. Introduction A project can be defined as a complex, non-routine, parties must have mutual understanding as to what one-time effort limited by time, budget, resources and services are to be provided by the contractor in return performance specifications (Gray and Larson, 2000). for the agreed consideration; this usually is ensured by Project Management is the application of knowledge, a set of documents such as drawings and specifications skills, tools and techniques to project activities in order that define the scope and the performance aspects of to meet or exceed stakeholder need and expectations the product.
    [Show full text]
  • Influence of ISO 9001 Certification on Project Management Performance in Software Industry
    European Online Journal of Natural and Social Sciences 2018; www.european-science.com Vol. 7, No.3(s) Special Issue on Contemporary Research in Social Sciences ISSN 1805-3602 Influence of ISO 9001 certification on project management performance in software industry Anum Safder*, Samina Yousaf Comsats Institute of Information Technology, Lahore, Pakistan *E-mail: [email protected] Abstract For the success of software projects, the Project Management is considered as an important tool. Organizations can understand Project Management Performance in an improved way if they exercise Quality Management System. This empirical study investigates the impact of ISO 9001 certification on Project Management Performance (six constructs of PMP) and how PM Performance varies for ISO- certified software houses and Non-certifies software houses. Data was collected from project managers of both ISO-certified and Non-certificated software organizations registered under P@SHA and PSEB of Pakistan. 192 questionnaires were used for analysis. Independent Sample t- test was used for conducting the analysis and results concluded that software houses with ISO- certification show a better PM Performance than with no certification. Keywords: Project Management, ISO 9001 certification, software industry. Introduction Currently, project management is being extensively used in business. Quality management and project management are two interlinked terms and can be described in similar manner. The situation in which there is a strong influence of repetitious processes, the quality management is most successful field. In reference to the project management process, how to conduct a project is a scenario where there is a very vivid effect of QM which is slightly ignored or a limited focus is paid on its effect by academic professional.
    [Show full text]
  • IT Gurus and Gadgets
    a Volume 2, No. 10, November-December 2011 ISSN 1729-8709 IT gurus and gadgets • Guest Interview : Sony and the value of standards th • ISO 34 General Assembly INDIA a Contents Comment Sadao Takeda, ISO Vice-President (policy) Tech-timing – Creating tomorrow’s gadgets today ................................................... 1 ISO Focus+ is published 10 times a year World Scene (single issues : July-August, November-December) International events and international standardization ............................................ 2 It is available in English and French. Guest Interview Bonus articles : www.iso.org/isofocus+ ISO Update : www.iso.org/isoupdate Ken Wheatley – Sony Electronics, Inc. .................................................................... 3 The electronic edition (PDF file) of ISO Special Report Focus+ is accessible free of charge on the Daring visions – Laying the foundations for innovation .......................................... 8 ISO Website www.iso.org/isofocus+ An annual subscription to the paper edition Gurus and ICT standards – Translating visions into technical success stories ....... 10 costs 38 Swiss francs. Cloud computing – Building firm foundations for standards development ............. 12 Publisher Entertainment of the future – From 3D to virtual reality ........................................ 15 ISO Central Secretariat (International Organization for Zoomed in – The evolving landscape of digital photography .................................. 18 Standardization) 1, chemin de la Voie-Creuse Driving
    [Show full text]
  • ISO Focus, November 2008.Pdf
    ISO Focus The Magazine of the International Organization for Standardization Volume 5, No. 11, November 2008, ISSN 1729-8709 e - s t a n d a rdiza tio n • Siemens on added value for standards users • New ISO 9000 video © ISO Focus, www.iso.org/isofocus Contents 1 Comment Elio Bianchi, Chair ISO/ITSIG and Operating Director, UNI, A new way of working 2 World Scene Highlights of events from around the world 3 ISO Scene Highlights of news and developments from ISO members 4 Guest View Markus J. Reigl, Head of Corporate Standardization at ISO Focus is published 11 times a year (single issue : July-August). Siemens AG It is available in English. 8 Main Focus Annual subscription 158 Swiss Francs Individual copies 16 Swiss Francs Publisher ISO Central Secretariat (International Organization for Standardization) 1, ch. de la Voie-Creuse CH-1211 Genève 20 Switzerland Telephone + 41 22 749 01 11 Fax + 41 22 733 34 30 E-mail [email protected] Web www.iso.org Manager : Roger Frost e-standardization Acting Editor : Maria Lazarte • The “ nuts and bolts” of ISO’s collaborative IT applications Assistant Editor : Janet Maillard • Strengthening IT expertise in developing countries Artwork : Pascal Krieger and • The ITSIG/XML authoring and metadata project Pierre Granier • Zooming in on the ISO Concept database ISO Update : Dominique Chevaux • In sight – Value-added information services Subscription enquiries : Sonia Rosas Friot • Connecting standards ISO Central Secretariat • Standards to go – A powerful format for mobile workers Telephone + 41 22 749 03 36 Fax + 41 22 749 09 47 • Re-engineering the ISO standards development process E-mail [email protected] • The language of content-creating communities • Bringing the virtual into the formal © ISO, 2008.
    [Show full text]
  • ISO 9000: Is It Worth It? ISO 9000: an Ineffective Quality System Chris Heffner, Steven C
    ISO 9000: Is It Worth It? ISO 9000: An Ineffective Quality System Chris Heffner, Steven C. "Swede" Larson, Barney "Tim" Lowder and Patti Stites ISO 9000 was created as a family of models in 1987, based on a wartime British manufacturing standard, as the answer to perceived manufacturing problems with quality and safety. The program was originally published in 1987 by the International Organization for Standardization (ISO), which is a specialized international agency that focuses on the standardization of organizational processes. The organization is composed of standards from organizations representing 90 countries. ISO 9000 was quickly adopted as the premier standard to ensure uniform manufacturing and auditing processes. The program went through a major revision in 2000 and now includes ISO 9000:2000 (definitions), ISO 9001:2000 (requirements) and ISO 9004:2000 (continuous improvement). But even after these major revisions, the program is often criticized as ineffective for a wide variety of reasons. We agree. Overemphasis on Inspection First, many researchers believe ISO 9000 is ineffective because it is based on conservatism, overemphasizes inspections and audits, and fails to encourage real improvement. Barnes (2000), for example, said that the current commercial certification process results in a "pursuit of quality certificates, as opposed to a pursuit of quality." Johannsen (1995) also asserted that the ISO concept does not incorporate the advances of Total Quality Management because it is "narrow, static and emphasize[s] conformance to specifications" (p. 234). After overseeing more than 50 ISO registrations, Bill Robinson (cited in Clifford, 2005), argued that ISO is not one of the better systems that can be used for process improvement.
    [Show full text]
  • Ccdb-2009-03-001
    Supporting Document Mandatory Technical Document Application of Attack Potential to Smartcards March 2009 Version 2.7 Revision 1 CCDB-2009-03-001 Foreword This is a supporting document, intended to complement the Common Criteria version 3 and the associated Common Evaluation Methodology for Information Technology Security Evaluation. Supporting documents may be “Guidance Documents”, that highlight specific approaches and application of the standard to areas where no mutual recognition of its application is required, and as such, are not of normative nature, or “Mandatory Technical Documents”, whose application is mandatory for evaluations whose scope is covered by that of the supporting document. The usage of the latter class is not only mandatory, but certificates issued as a result of their application are recognized under the CCRA. Technical Editor: BSI Document History: V2.7 March 2009 (technical update of rating categories and update on usage of open samples based upon corresponding JIL document version 2.7) V2.5 December 2007 (explicit statements added that the points for identification and exploitation have to be added at the end to achieve the final attack potential value, references updated) V2.3 April 2007 (evaluation time guideline and rules regarding the use of open samples added and updated for use with both CC version 2 and 3) V2.1 April 2006 (classification as mandatory technical document, several updates to the tables) V1.1, July 2002 (draft indicator deleted, references updated, same content as V1.0) General purpose: The security properties of both hardware and software products can be certified in accordance with CC. To have a common understanding and to ensure that CC is used for hardware integrated circuits in a manner consistent with today’s state of the art hardware evaluations, the following chapters provide guidance on the individual aspects of the CC assurance work packages in addition to the Common Evaluation Methodology [CEM].
    [Show full text]
  • Microsoft Windows Common Criteria Evaluation Security Target
    Windows 10, Server 2012 R2 Security Target Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Microsoft Windows Server 2012 R2 Security Target Document Information Version Number 1 Updated On March 17, 2016 Microsoft © 2016 Page 1 of 97 Windows 10, Server 2012 R2 Security Target This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs- NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious.
    [Show full text]
  • NGDA Baseline Standards Inventory Companion Guide
    The Companion Guide: Achieving an NGDA Baseline Standards Inventory A Baseline Assessment to Meet Geospatial Data Act, Federal Data Strategy, and Other Requirements Federal Geographic Data Committee August 31, 2020 Contents Introduction .................................................................................................................................................. 1 Approach ....................................................................................................................................................... 2 Outcomes ...................................................................................................................................................... 2 How to Use this Document ........................................................................................................................... 2 Geospatial Data and Metadata Standards .................................................................................................... 3 Data Standards Categories ............................................................................................................................ 5 Data Content Standards Category Definitions .......................................................................................... 5 Data Exchange Standards Definitions ....................................................................................................... 8 Metadata Standards Categories ..................................................................................................................
    [Show full text]
  • Validators Report
    National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report SGI Red Hat Enterprise Linux Version 5.1 Report Number: CCEVS-VR-VID10286-2008 Dated: 2008-04-21 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 ACKNOWLEDGEMENTS Validation Team The Aerospace Corporation Columbia, MD Noblis Falls Church, VA atsec Information Security Corporation Austin, TX Table of Contents 1. EXECUTIVE SUMMARY ........................................................................................................................................4 2. IDENTIFICATION ....................................................................................................................................................5 3. SECURITY POLICY .................................................................................................................................................6 3.1. I&A.......................................................................................................................................................................6 3.2. AUDITING ..............................................................................................................................................................6 3.3. DISCRETIONARY ACCESS CONTROL ......................................................................................................................7
    [Show full text]