(Updated 10/25/12 -- See below under Agenda, you will find a link to the final agenda and workshop presentations in same PDF file.)
Risk from the information and communications technology (ICT) supply chain is widely recognized as a principle concern for federal departments and agencies. This risk is seen as the cumulative effect of the growing sophistication of ICT, mounting scale of information systems, and growing speed and complexity of a distributed global supply chain. Federal departments and agencies currently lack sufficient visibility and control throughout the ICT supply chain, which makes it increasingly difficult for federal departments and agencies to understand their exposure and manage the associated supply chain risks. This, in turn, increases the risk of exploitation of the supply chain through a variety of means including counterfeit materials, malicious software, or untrustworthy products.
There is a great demand from federal departments and agencies for supply chain risk management (SCRM) guidance. However, the ICT supply chain discipline is in an early stage of development with diverse perspectives on foundational ICT supply definitions and scope, disparate bodies of knowledge, and fragmented standards and best practice efforts. Additionally, there is a need to identify the available and needed tools, technology, and research related to ICT supply chain risk and better understand their benefits and limitations.
NIST seeks to engage all stakeholders to:
- 1) Discuss the fundamental underpinnings of ICT SCRM (terms, definitions, characterizations),
- 2) Identify and evaluate current and needed commercially reasonable ICT SCRM-related standards and practices (need, scope, and development approach),
- 3) Identify current and needed ICT SCRM tools, technology and techniques useful in securing the ICT supply chain, and
- 4) Identify current and needed research and resources.
All interested stakeholders are invited to participate. Results of this workshop will help direct future NIST efforts in the area of ICT SCRM.