The Telecommunications Industry Association (TIA) released a supply chain security standard, SCS 9001, developed specifically for the information and communications technology (ICT) industry.
SCS 9001 is relevant for all ICT industry products, including software, hardware, and the services that connect to our global networks.
The objective of SCS 9001 is to verify end-to-end cyber and physical security across ICT network infrastructure. To accomplish this, SCS 9001 was created as a process-based standard with an independent audit and certification program for suppliers and service providers to verify that critical security controls and processes are in place for their products and solutions.
The new standard is unique because it is built around a Quality Management System (QMS) which operationalizes industry guidelines and best practices, such as ISO 27001, the Prague Proposals, relevant NIST standards, and the CSIS Criteria for Security and Trust.
“Our global community depends on connectivity and while technology continues to outpace security, we now have a process-based, verifiable standard to significantly mitigate threats to the ICT supply chain,” said David Stehlin, CEO of TIA. “We thank the members of our industry Working Group and all those who contributed to this important standard. Two years ago, they set an aggressive timeline to develop this critical new standard to help make our networks more secure and address the global rise in supply chain breaches; and today, we are proud to release SCS 9001.”
SCS 9001 was officially approved for release on 31 December 2021 after 20 months of work by TIA’s QuEST Forum Supply Chain Security Working Group and its subcommittees of dedicated industry technology and security experts.
The final stages of the development process included an invitation for feedback and comments on the draft standard to over 90 companies and governments worldwide. This generated nearly 500 different comments that have all been reviewed and addressed by the Working Group.
“Improving the performance of our suppliers by defining outcome-based delivery models has been a key component of building our global communications network. Never more so has this been important with the growing role of software and agile transformation in the network ecosystem,” said Sankaran “Ram” Ramanathan, Executive Director, Network Systems, Verizon. “Given the current global landscape and the increased complexity and diversity of the ICT supply chain, a standard like SCS 9001 can help verify which suppliers and manufacturers are building security into their solutions and enhancing trust. Key contributions to this standard came from Verizon India – one of our strategic and innovation hubs.”
The Working Group identified all the known coverage gaps that existed in the ICT standards landscape and then addressed them by using proven and focused measures, controls and processes that help organizations significantly reduce their risk to cyber infiltrations and attacks.
A key differentiator of SCS 9001 is how organizations can verify that their products meet the industry-approved standard with an independent audit and certification program.
In addition, organizations that leverage SCS 9001 will be provided with anonymized quarterly and annual security benchmark reports to track their organization’s performance against the industry’s best, worst, and average results. This data will help drive continual industry-wide improvement, especially as technologies advance and evolve.