Cyber Supply Chain Risk Management (C-SCRM) Plan
An interactive overview of IGS's commitment to supply chain integrity, quality, and security.
Foundation
Built on the principles of our ISO 9001:2015 QMS and CMMC Level 1 compliance to ensure robust, repeatable processes.
Scope
Applies to all suppliers of critical ICT components and services that impact IGS and its clients.
Goal
To identify, assess, and mitigate supply chain risks, ensuring the authenticity and integrity of all provided products and services.
Supplier Risk Profile
This chart illustrates the risk assessment breakdown of IGS's current critical ICT suppliers.
SCRM Policy & Governance
Policy Statement
IGS is committed to establishing and maintaining a comprehensive Cyber Supply Chain Risk Management (C-SCRM) program. This program is designed to identify, assess, and mitigate risks associated with the global supply chain for Information and Communications Technology (ICT) products and services. IGS requires that all suppliers of critical ICT components provide only authorized products and adhere to strict security and quality standards, ensuring the integrity, authenticity, and resilience of IGS's offerings and protecting IGS's clients from counterfeit, tampered, or malicious components.
Governance Framework
This SCRM Plan is an integral component of IGS's overall Quality Management System (QMS) and cybersecurity posture, adhering to the principles of ISO 9001:2015 and the requirements of CMMC Level 1. The plan is reviewed annually as part of the Management Review process (QSP 9.2) and is subject to IGS's Document Control procedure (QSP 7.2). Governance is overseen by the President, with operational execution managed by the Technology, Operations, and Service departments.
Compliance
This plan and its execution adhere to relevant federal regulations and standards, including the Federal Acquisition Supply Chain Security Act of 2018 (Title II of the SECURE Technology Act), Section 889 of the National Defense Authorization Act (NDAA), and guidance from NIST SP 800-161. All suppliers are required to comply with the Trade Agreements Act (TAA).
Interactive Supplier Lifecycle Management
This section outlines the end-to-end process for managing suppliers of critical ICT components, with the controls and procedures involved at each stage.
1. Vetting & Onboarding
Potential suppliers undergo a rigorous vetting process managed under QSP 8.3 Purchasing. This includes TAA compliance checks, verification of authorized reseller status, and a mandatory submission of the supplier’s own SCRM plan for review against federal standards. Only suppliers who pass this vetting are added to the Approved Vendor Listing (QCF-10).
2. Contracting & Procurement
All contracts and purchase orders contain specific anti-counterfeit language. They stipulate requirements for component authenticity, traceability, incident handling, and notification of subcontractor changes. Security requirements are flowed down to ensure compliance with IGS standards and client obligations.
3. Performance Monitoring
Supplier performance is continuously monitored for quality, delivery, and compliance. Any defects in third-party products are managed via QSP 8.1 Control of Non-Conforming Product, Service. Data from nonconformances and audits are analyzed to identify trends and inform the supplier re-evaluation process.
4. Offboarding
When a supplier relationship ends, a formal offboarding process is initiated. This includes final performance reviews, ensuring all contractual obligations are met, and formally removing the supplier from the Approved Vendor Listing (QCF-10). All associated access to IGS systems or information is formally revoked.
Key Supply Chain Risks & Mitigations
This section details the primary cyber supply chain risks IGS manages and the corresponding mitigation strategies in place. These risks are assessed under the framework of IGS's ISO Risk Management policy (QSP 6.1).
Risk: Counterfeit Components
The introduction of unauthorized, fraudulent, or imitation ICT components into the supply chain, which can lead to system failure, security vulnerabilities, and non-compliance.
Mitigation Strategies:
- Authorized Sourcing: IGS's Purchasing procedure (QSP 8.3) mandates that all critical ICT components are procured exclusively through authorized and certified distributors or directly from Original Equipment Manufacturers (OEMs).
- Supplier Vetting: Rigorous supplier vetting process requires verification of authorized reseller status and TAA compliance before inclusion on the Approved Vendor Listing (QCF-10).
- Contractual Requirements: Supplier agreements include anti-counterfeit clauses requiring certification of product authenticity and origin.
- Traceability: QSP 8.2 Identification and Traceability is applied to track components from receipt to installation.
Departmental SCRM Responsibilities
Supply chain integrity is a shared responsibility. Each department at IGS has specific SCRM roles and responsibilities, including the handling of Federal Contract Information (FCI) it may process.
Supply Chain Incident Response
This section provides a high-level guide for responding to a suspected or confirmed supply chain security incident, such as the discovery of a counterfeit component.
1. Preparation & Detection
Any employee who discovers a potential supply chain incident (e.g., suspected counterfeit part, unusual component behavior) must immediately report it to their supervisor and the Technology department. The item should be treated as non-conforming product under QSP 8.1 and immediately segregated.
2. Analysis & Containment
The Technology department, in conjunction with Operations, will analyze the component to confirm the incident. If confirmed, they will take immediate steps to contain the impact, which may include halting further use of the component, identifying all affected systems or projects, and isolating them if necessary.
3. Recovery & Post-Incident
A corrective action will be initiated under QSP 10. This includes replacing the affected components with authentic parts, restoring any affected systems, and documenting the incident. The incident details will be used to re-evaluate the supplier's performance and risk level. The President will be notified of all significant supply chain incidents.