
Cyber Supply Chain Risk Management C-SCRM

Software and Supply Chain Assurance Forum



Forums are held several times a year and are FREE and OPEN TO THE PUBLIC; registration is required.

Our next SSCA Forum Virtual Event will be held on Wednesday, September 22nd from 10:30 am to 1:00 pm Eastern Time. We have a great line-up of speakers and you will not want to miss this Forum. Our first two sessions feature talks from officials from the Israeli and United Kingdom Governments, respectively. These will be followed by two sessions focused on the telecommunications sector. The agenda, below, provides additional details about the speakers and their topics. We hope you can join us!


10:30 Opening remarks

10:35 First Session: Steps Taken by Israel to Address Cyber Attacks in the Supply Chain

Speaker: Yuval Segev, Director of Emerging Technologies, Israel National Cybersecurity Directorate 

Abstract: Cyber attacks that originate in the supply chain have become very common in recent years. The reasons for this are known and clear to professionals, both on the defensive side and the attacking side.
As part of his session, Yuval will share the steps taken by the Israeli National Cybersecurity Directorate to help the economy better manage these risks, and what their next steps are.

11:10 Second Session: How Many Petals on the Supply Chain Security Flower?

Speaker: Ian Bryant, Branch Chief for Info-Cyber Protection Policy for the UK Ministry of Defence (MOD)

Abstract: Although the term Supply Chain Security is widely used, there is a lack of consensus as to what it encompasses, in terms of what industry is doing (for instance, safeguarding its customers’ information, or providing goods and services to the customers), who the customer is, and the relationship with the ultimate customer (ranging from direct to multiple levels of indirection). This talk summarizes some current UK Ministry of Defence (MOD) work to codify these aspects, as a basis for possible consensus definitions.

11:45 Third Session: ATIS 5G Supply Chain Standard: Creating the Foundation for Assured 5G Networks

Speakers: Tom Anderson, ATIS Principal Technologist; Mike Nawrocki, Vice President - Technology and Solutions

Abstract: This presentation will cover the foundational concepts being incorporated into the development of ATIS’s 5G supply chain standard. 5G innovation is continuing to drive new mobile technology deployments spanning vertical markets, massive IoT connectivity, public and private networks, and government applications. Massive connectivity and expansion into additional markets are placing new demands on the global 5G supply chain. The ATIS 5G supply chain initiative is a collaboration between industry, government and academia to develop a standard that can be operationalized to deliver assured 5G networks.

Foundational to this approach is the development of a layered 5G supply chain model that addresses the full lifecycle of hardware and software components, from design to post-operation. This layered model enables a flexible approach for applying threat mitigation, controls and requirements to a broad range of 5G use cases and network designs. ATIS plans to discuss the foundational aspects of this important work undertaken with government and industry stakeholders. Recognizing the increasing integration of software into 5G products and solutions, the 5G supply chain standard will incorporate SBOM and other secure software approaches to drive a greater level of assurance for public and private networks.

12:20 Fourth Session: TIA’s 9000 Supply Chain Security Standard

Speaker: Ken Koffman, TIA’s CTO & SVP, QuEST Forum Community

Abstract: This presentation will cover TIA’s comprehensive Supply Chain Security standard, SCS 9001. It’s a process-based security standard built upon a quality management system foundation that incorporates performance measurements in order to drive continual improvement. The international information and communications technology (ICT) standard, designed by TIA’s QuEST Forum community of industry subject matter experts, ensures end-to-end cyber and physical security across ICT infrastructure. It incorporates the latest concepts and best practices necessary to address the serious security challenges experienced today and our rapidly changing technology. It includes unique supply chain requirements throughout the full lifecycle of the organization’s products and services, as well as its internal operations. It addresses counterfeiting of electronic components and provenance for software components. The standard applies to service providers, ICT equipment manufacturers, and their suppliers, contractors, and subcontractors. All requirements, controls, and measures are to be certified using a proven third-party assessment process.

TIA has been developing international standards for 80+ years and manages the ICT industry’s Quality Management System, TL9000, which has been securely providing anonymized industry performance results for over 20 years. SCS 9001 will utilize the same concepts in its benchmarking. The presentation will provide an overview of the standard, how it’s unique, and where additional information can be accessed.

12:55 SSCA Co-Chair will close out event


Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance Forum (SSCA) provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved.

The effort is co-led by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the Department of Defense (DoD), and the General Services Administration (GSA). Participants represent a diverse group of career professionals including government officials, chief information security officers, those in academia with cybersecurity and supply chain specialties, system administrators, engineers, consultants, vendors, software developers, managers, analysts, specialists in IT and cybersecurity, and many more fields. 

SSCA forums are held 2-3 times per year and are free and open to all interested parties.

While the general intent is to share information, the SSCA Forum also offers government and private sector participants, including international participants, an opportunity to openly collaborate by presenting and receiving feedback on current and potential future work. Most events are two to three days long and contain a mixture of discussion and presentation; interaction is always strongly encouraged. To encourage open interaction, SSCA Forum meetings operate under the Chatham House Rule, meaning “participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed,” though many speakers allow NIST to post their presentations on this website.

To receive information about upcoming meetings and related publications and activities, please sign up for the sw.assurance Google Group - operated by NIST - here: https://groups.google.com/a/list.nist.gov/forum/#!forum/sw.assurance


The forum, initially called the Software Assurance (SwA) Forum and Working Groups, was initiated in 2003 as a Department of Homeland Security (DHS)-sponsored Cross-Sector Cyber Security Working Group (CSCSWG) established under the auspices of the Critical Infrastructure Partnership Advisory Council (CIPAC), which provides a legal framework for public-private collaboration and participation. Its purpose was to bring together a stakeholder community to protect the Nation’s key information technologies, most of which are enabled and controlled by software. Over time, the community evolved and broadened its scope to include additional focus on the supply chain. Events were held quarterly; Summer and Winter sessions were intended for working group-type discussions, while the Spring and Fall sessions were reserved for more traditional forum presentations.


Forums are held 2-3 times per year and are FREE and OPEN TO THE PUBLIC; registration is required.

Our next SSCA Forum Virtual Event will be held on Wednesday, June 16 at 11 am Eastern Time. Our two sessions feature speakers from the Health Sector and the Energy Sector. While each sector has its own unique characteristics and challenges, many of the cyber-supply chain risk management and software and hardware assurance practices, tools, and security controls are cross-cutting in nature and can be applied by any organization. We hope you can join us to learn about some of the great work occurring in these two sectors. We will close out the event by providing a brief update on NIST’s efforts related to Executive Order 14028.


SSCA Co-Chair will provide opening remarks, review Chatham House Rules

First Session: Health Sector Coordinating Committee C-SCRM Guidance and Initiatives

Chris van Schijndel, Cybersecurity Director for Global Supply, Johnson & Johnson & Co-chair of the Health Sector Coordinating Council Sub-Group for Supply Chain

Vish Gadgil - Subject Matter Expert and Co-chair of the Health Sector Coordinating Council Sub-group for Supply Chain

The co-chairs of the HSCC Sub-group for Supply Chain will discuss their second release of the Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM), targeted at smaller and mid-sized health organizations. They will also describe several C-SCRM related initiatives currently underway.

Second Session: Department of Energy Cyber Discovery Programs

Cheri Caddy, Senior Advisor, Cybersecurity, Office of Cybersecurity, Energy Security and Emergency Response (CESER), Department of Energy

The Office of Cybersecurity, Energy Security & Emergency Response will describe DOE’s programs for working with operational technology manufacturers and energy sector asset owners to discover, mitigate, and engineer out cyber vulnerabilities in digital components in Energy Sector critical supply chains.

Brief update on NIST’s efforts related to the Executive Order on Improving the Nation’s Cybersecurity (14028)

SSCA Co-Chair will close out event

As of 2014, the Forums are operated under the Chatham House Rule, meaning “participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed”. On occasion, a speaker may wish to provide their slides to the group, in which case links to those presentations will be embedded in the corresponding agendas here:

Agendas and presentations for events prior to 2014 are not available.

  • June 25-27, 2013
  • March 5-7, 2013
  • September 18-20, 2012
  • June 26-28, 2012 (Part 2)
  • June 26-28, 2012 (Part 1)
  • March 26-29, 2012
  • November 28-December 2, 2011
  • September 12-16, 2011
  • February 28-March 4, 2011
  • December 14-16, 2010
  • June 21-23, 2010

Created May 24, 2016, Updated September 21, 2021