Skip to main content
U.S. flag

An official website of the United States government

Cybersecurity & Supply Chain Risk Management

As threats to the Federal IT supply chain grow, the federal acquisition workforce must keep pace with cybersecurity and other risk management efforts in the products, services, and solutions we buy. These risks are present in all items that connect in any way to a government information system that contain, transmit, process, and communicate information for a Federal agency. Cybersecurity extends to all companies directly involved in delivery of products, services, and solutions to the Federal government, and through all tiers of the global supply chain.

To assist the Federal acquisition workforce with understanding cybersecurity and other risks, below are educational resources dedicated to cybersecurity & supply chain risk management.

Know the Risk - Raise Your Shield: Supply Chain Risk Management

Prepared by the Office of the Director of National Intelligence's National Counterintelligence and Security Center, Know the Risk - Raise Your Shield: Supply Chain Risk Management, is an awareness video about cybersecurity and other risks in the products, services, and solutions we buy. These risks are present in all items that connect in any way to a government information system and/or which contain, transmit, or process information provided by or generated for the government to support the operations and assets of a Federal agency. The concerns extend to all companies directly involved in delivery of products, services, and solutions to the government, and through all tiers of the global supply chain.

Introduction to Cybersecurity in Acquisitions

This presentation introduces supply chain risk management and cybersecurity risks issues in acquisition processes.   It also discusses the requirements that must be adhered to when a product that has risk enters the Federal Supply system. It also identifies common issues to avoid and provides information that should be included in all contracts.

Risk Management Framework (RMF) Acquisition of Secure Information Systems

This training covers:

  • How Acquisition Professionals address information system risk management. 
  • The NIST SP 80037, Rev. 1, methodology that incorporates the Federal Information Security Modernization Act (FISMA) into the NIST security standards.
  • Guidance to provide a holistic approach for managing risk to an organization’s information and information system.

The Internet of Things (IoT): An Overview on How to Acquire "Things" Securely

This training focuses on two phases of the procurement process:  Product Evaluation and Contract Negotiation.

  • Product Evaluation Phase:  Provide Acquisition Professionals with security and privacy considerations that should be discussed when entering contract negotiations for purchasing IoT solutions, products, and services.
  • Contract Negotiation Phase:  Explain how Acquisition Professionals may address IoT risk management during the contract negotiation process.

Product Tampering and Counterfeiting (PTC) Awareness for Acquisition Professionals

The purpose of this training is to improve the awareness of Acquisition Professionals regarding the potential threats, impacts, and countermeasures of PTC.

Supply Chain Risk Management (SCRM) Response Plan (RP) Training

This training provides:

  • The different roles and responsibilities in managing and handling incidents.
  • A framework for organizing the SCRM Response Team (RT), key contacts, and supporting materials to assist in managing and executing the incident response.
  • SCRM RP best practices.