About Our Service
The ICT SCRM team conducts supply chain risk assessments on information and communication technology (ICT) products and services acquired by the Agency. This includes, but is not limited to, commercial off-the-shelf (COTS) hardware, software and cloud services. The ICT SCRM assessment service was established to:
- Address pressing challenges related to ICT globalization with a proactive risk mitigation approach.
- Ensure the quality, security, integrity and resilience of all mission-critical systems and components.
- Empower and inform NASA’s IT community to address key mission success factors through education and threat awareness.
Understanding Our Area of Responsibility
U.S. critical infrastructure and governments at all levels rely heavily on Information and Communications Technology (ICT). Ensuring resilience and trust in our ICT supply chain is more than just a cybersecurity issue – it touches national security, economic security, and public health and safety.
Effective supply chain risk management is a national imperative. This effort will require a whole of government and whole of society approach. Continued technological advancement in the ICT supply chain – with welcomed developments in 5th Generation (5G) mobile communications – only increases the necessity to take this issue seriously.
- Information technology, as defined in section 11101 of title 40, including cloud computing services of all types;
- telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153);
- the processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program; or
- hardware, systems, devices, software, or services that include embedded or incidental information technology.
“Substantial or essential component” means any component necessary for the proper function or performance of a piece of equipment, system, or service.
ICT SCRM News & Updates
President Biden Signs New Law
On June 16, 2022, President Biden signed the Supply Chain Security Training Act into law. This requires the General Services Administration (GSA) to develop a training program for officials with Supply Chain Risk Management (SCRM) responsibilities at Federal agencies.
GSA will work in coordination with the Departments of Defense and Homeland Security, as well as the Office of Management and Budget (OMB), to create the training program. OMB will also create guidelines for how Federal agencies adopt, use, and select employees to participate in the training.
Laws, Policies, and Procedures
Consolidated Appropriations Act, 2021 – Issued by Congress requiring Federal agencies to perform risk assessments.
OMB A-130 – Management of Federal Information Resources.
FISMA 2014 – Federal Information Security Modernization Act – 2014.
FITARA – Enables enterprise-wide strategy for making smarter, business-enabling IT investments.
FAR Guidance – Issued by Congress requiring Federal agencies to perform risk assessments.
Guide SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems.
John S. McCain National Defense Authorization Act, 2019 – Authorizes FY2019 appropriations and sets forth policies regarding the military activities of DoD.
ICT SCRM Agency Lead & Service Owner
NASA Office of the Chief Information Officer (OCIO)
Supply Chain Risk Management (SCRM)