Information and Communications Technology Supply Chain Risk Management Task Force: Threat Evaluation Working Group: Threat Scenarios
From the Executive Summary: "Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing, preventing, and mitigating the risks associated with the distributed and interconnected nature of Information and Communications Technology (ICT) (including the Internet of Things) product and service supply chains. C-SCRM covers the entire life cycle of ICT, and encompasses hardware, software, and information assurance, along with traditional supply chain management and supply chain security considerations. [...] Working Group 2 (WG2), Threat Evaluation, was established for the purpose of the identification of processes and criteria for threat-based evaluation of ICT suppliers, products, and services. WG2 focused on threat evaluation as opposed to the more comprehensive task of risk assessment which considers threats as well as an organization's tolerance for risk, the criticality of the specific asset or business/mission purpose, and the impact of exploitation of specific vulnerabilities that might be exploited by an external threat."
U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency: https://www.cisa.gov/