Six ICT Supply Chain Risks to Watch Out For

Small and medium businesses play a vital role in today’s economy, especially in the information technology (IT) and communications sectors. In the United States alone, 160,000 of these companies (dubbed the ICT sector) fit into the small and medium-sized business category and provide services to millions of customers.

To help them better secure their supply chains, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Information Technology Sector Coordinating Council (ITSCC), and the Communications Sector Coordinating Council (CSCC) released a resource handbook in January 2023 to offer their guidance.

“Developed by the ICT Supply Chain Risk Management Task Force, the handbook provides an overview of the highest supply chain risk categories commonly faced by ICT SMBs, including cyber risks, and contains several use cases that can assist ICT SMBs in identifying the necessary resources to implement ICT supply chain security practices,” according to CISA.

Here are the six key ICT supply chain risk categories highlighted in the handbook:

Cyber Expertise: The “availability of knowledge, skills, and experience” needed to create, install, and manage supply chain risk management practices. The handbook adds that collaboration is key for effective investment in cyber expertise.

Executive Commitment: Company leadership that is both knowledgeable of cybersecurity risks to the business and willing to create an “organization-wide cyber risk awareness culture, prioritize cybersecurity risk management, and enable secure supply chain practices” to “protect the company, its assets, employees, and customers.”

ICT Supply Chain Risk Management: Processes and practices that ensure supply chain integrity while improving the ability to identify, assess, and mitigate risks associated with IT products and services.

Single Source Supplier: Lone service or product suppliers who may be the “sole supplier” for the organization.

Supplier Disruption: Disruption—via various means—to an ICT provider’s supply chain that impacts operations, causes damage, or breaches data on the provider’s system or network.

Supplier Visibility: Lack of ability to monitor third-party cybersecurity practices.

The ICT Supply Chain Risk Management Task Force was created in December 2018 as a public-private partnership charged with identifying and developing consensus risk management strategies to enhance global ICT supply chain security.

“This is a moment when we need increased effort countering strategic risks that we see from—particularly—foreign adversaries in the cybersecurity space, including supply chain,” said Bob Kolasky, director of the National Risk Management Center and task force cochair, in a prior interview with Security Management. “There is an urgency of government and industry coming together to take this threat seriously and come up with solutions to address the threat and reduce risk.”

For more information on supply chain risk, visit the CISA webpage or the task force’s webpage.