IT Supply Chain Security Controls

Effective Date: 03/20/2008

Review Date: 12/01/2023

PURPOSE

The purpose of this policy is to provide guidance to State agencies on identifying, assessing, selecting and implementing risk management processes and controls throughout the enterprise to manage IT supply chain risk.  Threats to the IT supply chain come from a variety of malicious actors: counterfeiters, insiders, foreign intelligence services, terrorists, industrial spies and cyber criminals.  Risks include the introduction of malicious hardware and software, theft, tampering, and insecure manufacturing, development and production practices.

SCOPE and AUTHORITY

O.C.G.A 50-25-4(a)(10) – State Government, Georgia Technology, General Powers

O.C.G.A 50-25-4(a)(21) - State Government, Georgia Technology, General Powers

PM-04-001 – Information Technology Policies, Standards and Guidelines

PS-08-005 – Enterprise Information Security Charter

TERMS AND DEFINITIONS

Supply Chain - linked set of resources and processes between acquirers, integrators, and suppliers that begins with the design of information and communications technology (ICT) products and services and extends through development, sourcing, manufacturing, handling, and delivery of ICT products and services to the acquirer.

Supply Chain Risk - risks that arise from the loss of confidentiality, integrity, or availability of information or information systems.

Supply Chain Risk Management - the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains.

POLICY

The Georgia Technology Authority (GTA) shall, through the authority granted by state law, develop and maintain policies, standards and guidelines to mitigate IT supply chain risk. The standards shall be based on guidance developed by the National Institute of Standards and Technology (NIST) and published in NIST Special Publication 800-161 (Supply Chain Risk Management Practices for Federal Information Systems and Organizations).

All agencies shall follow established State policies and standards to implement mitigation strategies to combat supply chain threats whether presented by the supplier, product or supply chain.

Agencies shall include IT supply chain risk management into their risk management framework and ensure that their service providers are appropriately managing their supply chain risk.

RELATED ENTERPRISE POLICIES, STANDARDS AND GUIDELINES

PS-08-031 Information Security – Risk Management

SS-08-041 Risk Management Framework

REFERENCES

NIST Special Publication 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations

 

 

 

 

Related Files