IT Supply Chain Security Controls Policy (PS-20-002)
IT Supply Chain Security Controls
Effective Date: 03/20/2008
Review Date: 12/01/2023
PURPOSE
The purpose of this policy is to provide guidance to State agencies on identifying, assessing, selecting and implementing risk management processes and controls throughout the enterprise to manage IT supply chain risk. Threats to the IT supply chain come from a variety of malicious actors: counterfeiters, insiders, foreign intelligence services, terrorists, industrial spies and cyber criminals. Risks include the introduction of malicious hardware and software, theft, tampering, and insecure manufacturing, development and production practices.
SCOPE and AUTHORITY
O.C.G.A 50-25-4(a)(10) – State Government, Georgia Technology, General Powers
O.C.G.A 50-25-4(a)(21) - State Government, Georgia Technology, General Powers
PM-04-001 – Information Technology Policies, Standards and Guidelines
PS-08-005 – Enterprise Information Security Charter
TERMS AND DEFINITIONS
Supply Chain - linked set of resources and processes between acquirers, integrators, and suppliers that begins with the design of information and communications technology (ICT) products and services and extends through development, sourcing, manufacturing, handling, and delivery of ICT products and services to the acquirer.
Supply Chain Risk - risks that arise from the loss of confidentiality, integrity, or availability of information or information systems.
Supply Chain Risk Management - the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains.
POLICY
The Georgia Technology Authority (GTA) shall, through the authority granted by state law, develop and maintain policies, standards and guidelines to mitigate IT supply chain risk. The standards shall be based on guidance developed by the National Institute of Standards and Technology (NIST) and published in NIST Special Publication 800-161 (Supply Chain Risk Management Practices for Federal Information Systems and Organizations).
All agencies shall follow established State policies and standards to implement mitigation strategies to combat supply chain threats whether presented by the supplier, product or supply chain.
Agencies shall include IT supply chain risk management into their risk management framework and ensure that their service providers are appropriately managing their supply chain risk.
RELATED ENTERPRISE POLICIES, STANDARDS AND GUIDELINES
PS-08-031 Information Security – Risk Management
SS-08-041 Risk Management Framework
REFERENCES
NIST Special Publication 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations