In an increasingly connected world, the security and reliability of networks are critical to ensuring that consumers and businesses can realize the full potential of next-generation technologies. Because nearly every sector of the networked economy relies on a dynamic, global ICT supply chain, every participant in that supply chain has a responsibility to manage the risks they face.

That is why TIA supports consensus-based approaches and public-private collaboration to address supply chain risk management.

In addition, TIA supports targeted, whole-of-government action to address specific national security risks to the ICT supply chain.


Scheduled to release in 2022, “SCS 9001” is a new process-based standard that will measure and validate trusted ICT suppliers for enterprises, governments and consumers.

TIA Supply Chain Security Resources

TIA WHITE PAPER:

Presenting SCS 9001, the first process-based standard for measuring and validating trusted suppliers in the global ICT industry.



Supply Chain Security Blogs

Zero Trust for Supply Chains: A Critical Aspect of the SCS 9001 Standard

Software Identification and Traceability: Essential to Securing the ICT Supply Chain

SECURING THE ICT SUPPLY CHAIN

ICT supply chains are global, dynamic, and complex, so supply chain risk management efforts are best served by consensus-based, industry-led processes. Industry-driven standards development and public-private partnerships also play a critical role.

TIA generally supports an approach that combines input with expertise, enabling organizations to make informed, risk-based decisions without compromising their ability to meet organizational goals. Customers, including consumers, enterprises, carriers, and governments, must have access to trusted ICT suppliers and the ability to communicate that trust to those who rely on the products they purchase.

Meanwhile, as the U.S. federal government responds to growing national security concerns about certain communications product suppliers, TIA supports targeted action to protect telecommunications networks from suppliers deemed to pose a threat to national security.


Our guiding principle is that both product security and information security are critical elements of quality. You can’t have a quality product unless it is secure. Therefore, our standard will be built on the foundation of globally recognized quality management systems (QMS) such as ISO 9001 or TL 9000. We have decided to build a management system based on the PDCA (Plan-Do-Check-Act) model, which ensures that organizations use a self-monitoring and self-improving approach to achieve their security objectives.

While our subject matter experts and their teams are developing the requirements and measurements for the supply chain security standard, we are simultaneously developing the certification model for the new standard. QuEST Forum members, who are experts in the certification field, such as ANAB and several certification bodies (CBs), expect to be prepared for a pilot certification program in 2021.

Components of the standard will address:

  • Secure software development
  • Validation methods for ensuring software ID and source traceability
  • Validation methods for ensuring hardware ID and source traceability
  • Product security
  • Government requirements for transparency of sourcing and internal controls

Since ISO 9001 will be the foundation for the new standard, suppliers who are already certified to ISO 9001, TL 9000, or similar standards should have a head start in preparing for certification. Certification to such QMS standards is already widespread in the ICT industry.

Our working groups meet weekly to develop the content of the new standard. Volunteer members of these working groups have the opportunity to influence the structure, requirements, and governance of this new process-based standard. Many organizations find that having representatives participate in standards development helps ensure that their needs and expectations are considered, and that they themselves are prepared to achieve certification.

To coordinate all necessary activities for creating the standard, we formed a steering committee made up of group leaders and interested executives. The steering committee holds a general security education meeting every two weeks to hear progress reports from the following 10 groups. New participants are welcome!

  • Asset Team: Determine requirements for Asset Identification, Asset Classification, Acceptable Risk Threshold, and Residual Risk Acceptance
  • Cybersecurity Process: Determine requirements for Incident Management (including reporting), Risk Mitigation, and Counterfeit SW, HW or Components Process
  • Secure SDLC: Determine requirements for Secure Coding Principles, Secure LCM Development (documented), Secure Software Testing, Secure Packaging & Deployment, and Other components
  • SW Validation Team: Determine requirements for FOSS or OSS Update & Validation, Methods of determining SW origin, Methods of determining SW version, Methods of determining SW has not been tampered with
  • HW Validation Team: Determine requirements for Methods of determining HW or component origin, Methods of determining HW or component version, Methods of determining HW or component has not been tampered with
  • Countermeasures and Controls Team: Determine requirements for determining controls from NIST, determining controls from CMMC, determining controls from the ISO 27001 series, others
  • Trust/External Influence Team: Determine requirements for Financial data sharing, Information sharing
  • Measurements Team: Determine measurement definitions for Number of Security Incidents (Crit., Maj., Min.), Effectivity of Technical Vulnerability Management, Secure Software Testing, Methods of HW (physical access) methodologies, Others
  • Interface to QMS Team: Determine requirements that need to be added to the ISO 9001 industry-sector QMS, Maintenance of SSC Appendix draft, Links to clauses 1-10 of Annex SL QMS, Corrective Action (in addition to ISO 9001), Internal Audits (in addition to ISO 9001), Management Responsibility (in addition to ISO 9001), Goals and Objectives (in addition to ISO 9001)
  • Oversight (OSWG): Determine requirements for the program training and certification plan we will follow

Please send an email to supplychainsecurity@www.casehuffsanchez.com if you are interested in volunteering or learning more about the supply chain security standard.