Operationalizing the Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses
From the Executive Summary: "The 31.7 million small and medium-sized businesses (SMBs) across the United States account for 41.7 percent of private sector employees and nearly half of the nation's gross domestic product. The Information and Communications Technology Supply Chain Risk Management (ICT SCRM) Task Force (Task Force) established an SMB working group (Working Group) to focus on the specific ICT [Information and Communications Technology] supply chain needs of IT [Information Technology] and Communications SMBs. For the purposes of this report, IT or Communications small or medium-sized businesses are defined as, 'Organizations with up to 500 employees while expecting most of these organizations to have fewer than 100 employees.' The Working Group identified use cases commonly encountered by small and medium-sized IT and communications providers, using the ICT SCRM Vendor Supply Chain Risk Management Template ('Vendor Template'). This template includes standardized questions intended to communicate ICT supply chain risk posture from the perspective of the Acquirer, Integrator, and Supplier in order to achieve better outcomes as reflected in figure 1."
U.S. Cybersecurity and Infrastructure Security Agency: https://www.cisa.gov/