This week the Congressional Research Service (CRS) published a report on “Cyber Supply Chain Risk Management: An Introduction”. This is an overview-type report without links or footnotes to the associated reference material.
The report notes that there are two different components to supply chain security for cyber-related products. Traditional supply chain concerns relate to uninterrupted access to products and services, and that remains a concern when discussing the supply chain for cyber products. An additional concern is that vendors (or actors making changes to products after manufacturing) could adulterate a cyber product with vulnerabilities that could pose a cyber threat to end users. The report does not discuss a third component of cyber supply chain risk: the existence of unrecognized vulnerabilities in third-party components of the products.
This report focuses on information technology and communications technology products, but the same supply chain risks exist in operational technology products.
The report closes with a discussion about potential items of interest to Congress:
• Clarity of Responsibility,
• Increased Awareness,
• Oversight,
• Prohibition on Specific Companies, and
• Single Evaluator