米国 CISA 中小企業向け:強靭なサプライチェーンリスクマネジメント計画策定のためのリソースガイド
こんにちは、丸山満彦です。
CISAが中小企業向け:強靭なサプライチェーン・リスクマネジメント計画策定のためのリソースガイドを公表していますね。。。
中小企業を含むサプライチェーン全体の保護というのは難しいですよね。。。特に中小企業がお金がないとかいうので...
でも、考えてみれば大元であるOEMが責任を持つ体制を取ればよいのではと思うんですよね。。。自分のものを作る環境を整える話なのだから。。。個別の部品の買取単価にいれるもよし、自分で作業環境を整えて、その環境でつくってもらうもよし、、、
● CISA
・2023.10.23 CISA Releases New Resource to Help Small and Medium-Sized Businesses Develop Supply Chain Resilience Plans
| CISA Releases New Resource to Help Small and Medium-Sized Businesses Develop Supply Chain Resilience Plans | CISA、中小企業のサプライチェーン・レジリエンス計画策定を支援する新リソースを発表 |
| RELATED TOPICS | 関連トピック |
| IINFORMATION AND COMMUNICATIONS TECHNOLOGY SUPPLY CHAIN SECURITY, RISK MANAGEMENT | 情報通信技術 サプライチェーンセキュリティ リスクマネジメント |
| WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) released a new resource guide today, Empowering Small and Medium-Sized Businesses (SMB): A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan, which provides Information and Communications Technology (ICT) SMBs with a starting point develop and tailor a supply chain risk management (SCRM) plan that meets the needs of their business. | ワシントン - サイバーセキュリティ・インフラセキュリティ庁(CISA)は本日、新たなリソースガイド「中小企業(SMB)の力強化:サプライチェーン・リスクマネジメント計画策定のためのリソースガイド」を発表した。これは、情報通信技術(ICT)の中小企業に対し、事業のニーズに合ったサプライチェーン・リスクマネジメント(SCRM)計画を策定し、調整するための出発点を提供するものである。 |
| When it comes to the costs and complexity of supply chain risk management, SMBs often lack dedicated risk management and SCRM expertise to mitigate risk of disruption to their supply chain. This guide was developed by the ICT SCRM Task Force, of which CISA is a tri-chair, which has a subgroup that specifically focuses on the needs of SMBs. | サプライチェーン・リスクマネジメントのコストと複雑さについて言えば、中小企業には、サプライチェーンの混乱によるリスクを軽減するためのリスクマネジメントやSCRMの専門知識が不足していることが多い。このガイドは、CISAが三委員長を務めるICT SCRMタスクフォースによって作成されたもので、同タスクフォースには、特に中小企業のニーズに焦点を当てたサブグループがある。 |
| "In acknowledging the resource challenges faced by small and medium-sized businesses amidst today's complex supply chain risks, we're committed to offering vital support,” said Mona Harrington, CISA Assistant Director for the National Risk Management Center. “Our unique qualifications, along with valuable partner collaboration in crafting this guide, underscore our dedication to these businesses' role in enhancing ICT supply chain resilience." | 「今日の複雑なサプライチェーンリスクの中で中小企業が直面しているリソースの課題を認識し、我々は重要なサポートを提供することを約束する」と、CISAのモナ・ハリントン国家リスクマネジメントセンター副所長は述べた。「このガイドの作成における貴重なパートナーの協力とともに、我々のユニークな資格は、ICTサプライチェーンのレジリエンス強化におけるこれらの企業の役割に対する我々の献身を強調するものである。 |
| Enhancing ICT supply chain security and resilience stands as one of CISA's foremost priorities. By working together with government and industry partners, the agency aims to fortify the ICT supply chain's security posture. Given the profound interconnectivity between sectors and the scale of supply chain risks faced by both government and industry, the Task Force exemplifies CISA's collective defense approach to bolster ICT supply chain resilience. | ICTサプライチェーンのセキュリティとレジリエンスの強化は、CISAの最優先課題の一つである。政府や産業界のパートナーと協力することで、CISAはICTサプライチェーンのセキュリティ体制を強化することを目指している。セクター間の相互接続が深く、政府と産業界の両方が直面するサプライチェーンリスクの規模が大きいことを考えると、タスクフォースは、ICTサプライチェーンのレジリエンスを強化するためのCISAの集団的防衛アプローチを例証するものである。 |
| To view this Resource Guide, visit: [web] | このリソース・ガイドを見るには、[web] を参照のこと。 |
| To register for a webinar to learn more, visit: Empowering SMBs: Developing a Resilient Supply Chain Risk Management Plan | CISA | ウェビナーへの登録は、以下を参照のこと: 中小企業に力を与える: サプライチェーンリスクマネジメント計画の策定|CISA |
・[PDF] Empowering Small and Medium-Sized Businesses (SMB): A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan,
・[DOCX] 仮訳
Appendixがよいですね。。。
Primary Resources:
“The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes”.
The purpose of this publication is to provide “...guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations”.
“This document provides the ever-increasing community of digital businesses a set of Key Practices that any organization...”, regardless of size, scope, or complexity, “...can use to manage cybersecurity risks associated with their supply chains”.
This rule, which was promulgated pursuant to the Federal Acquisition Supply Chain Security Act of 2018 implements “...requirements of the laws that govern the operation of the FASC, the sharing of supply chain risk information, and the exercise of the FASC’s authorities to recommend issuance of removal and exclusion orders to address supply chain security risks”.
“...a list of communications equipment and services (Covered List) that are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons...”.
Provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help small and medium-sized businesses guide supply chain risk planning in a standardized way.
Information and Communication Technology Risks
This handbook provides an overview of the highest supply chain risk categories commonly faced by ICT small and medium-sized businesses (SMBs), including cyber risks, and resources that can assist SMBs.
Secondary Resources and Executive Orders (EO):
- CISA: Secure by Design
- OMB Memorandum M-23-16
- SECURE Technology Act: Establishment of the Federal Acquisition Security Council
- Federal Acquisition Supply Chain Security Act graphic
- R.7327 SECURE Technology Act
- DNI ICD 731 Supply Chain Risk Management for the Intelligence Community
- DNI ICS 731-01 Supply Chain Criticality Assessment 20151002
- DNI ICS 731-02 Supply Chain Threat Assessments 20160517
- DNI ICS 731-03 Supply Chain Information Sharing
- DNI ICS 731-04 Supply Chain Vulnerability Assessments
- DNI ICS 731-05 Supply Chain Risk Assessments
- NIST: Security Measures for “EO-Critical Software” Use
- NIST: Software Supply Chain Security Guidance Under Executive Order (EO) 14028
- EO 13636 Improving Critical Infrastructure Cybersecurity 7
- EO 13806 Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States
- EO 13873 Securing the Information and Communications Technology and Services Supply Chain
- Executive Order 13806 Report
- EO 13913 Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector
- EO 13984 Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities
- EO 14005 Ensuring the Future Is Made in All of America by All of America’s Workers
- EO 14017 America’s Supply Chains
- EO 14024 Blocking Property with Respect to Specified Foreign Activities of the Government of the Russian Federation
- EO 14028 Improving the Nation’s Cybersecurity
- EO 14034 Protecting Americans’ Sensitive Data from Foreign Adversaries
Comments