From the Introduction: "A supply chain consists of the system of organizations, people, activities, information, and resources that provide products or services to consumers. Like other types of goods, a global supply chain exists for the development, manufacture, and distribution of information technology (IT) products (i.e., hardware and software) and information communications technology (ICT). As with other goods and services, risks exist to this cyber supply chain. This field is known as cyber supply chain risk management (C-SCRM or Cyber SCRM). Congress and federal agencies have taken actions to bolster cyber supply chain security. In 2017, the U.S. Department of Homeland Security (DHS) ordered federal agencies to remove Kaspersky security products from their networks because of the risk posed. Legislation was subsequently enacted codifying that order. In addition, Congress in 2018 instructed federal agencies and contractors not to use ICT made by certain Chinese companies. Congress established the Federal Acquisition Security Council (FASC), which issued an initial rule in 2020. The Cybersecurity and Infrastructure Security Agency (CISA, a part of DHS) hosts a public-private ICT SCRM Task Force. The Federal Communications Commission authorized the use of Universal Service Fund money to rip-and-replace certain ICT. The U.S.-China Economic and Security Review Commission issued a report highlighting supply chain concerns. Additional legislation has been debated as part of national economic competition bills (e.g., the U.S. Innovation and Competition Act of 2021 and the America COMPETES Act of 2022). While interest in cyber supply chain security has increased recently, there have been other periods of intense scrutiny on supply chain issues. [...] This In Focus reviews C-SCRM, discusses ways in which it is currently managed, and highlights issues that Congress may consider for federal agencies."
CRS In Focus, IF10920
Congressional Research Service: https://crsreports.congress.gov/