In this Help Net Security interview, Mike Regan, VP of Business Performance at TIA, discusses SCS 9001 Release 2.0, a certifiable standard crafted to assist organizations in operationalizing the NIST and other government guidelines and frameworks.
Enhancing its predecessor, the SCS 9001 2.0 standard presents a more comprehensive global cybersecurity and supply chain security framework adaptable to various communication networks across industries and sectors. It is designed to meet the demands of the ICT market, heightened government legislation, and expanding industry initiatives.
How does the SCS 9001 2.0 standard differ from its predecessor regarding cybersecurity and supply chain security?
SCS 9001 2.0 expands upon the prior release, SCS 9001, with improved coverage for hardware provenance and development, cloud-based services, procurement, and shipping/logistics as primary examples. Additional improvements have been made for certain government initiatives such as secure software development, cyber and supply chain security risk management, and creation of bills of materials. Finally, enhancements were made to update and more closely align to the newly issued controls of CSA Cloud Controls Matrix 4.0 and ISO 27001/2.
Moreover, SCS 9001 2.0 aligns with the Annex SL format for ease of creating integrated management systems with other complementary standards.
Can you discuss the standard’s global reach, particularly in supply chain procurement, shipping, and logistics?
Even with current initiatives of re-shoring or near-shoring, modern supply chains in the ICT industry are global in nature with materials and software components traversing many national boundaries. SCS 9001 2.0 is designed as a global standard without national or regional biases to promote global adoption. Considering the global nature of ICT supply chains, SCS 9001 2.0 includes requirements for procurement, shipping, and logistics to alleviate the potential for tampering or insertion of fraudulent or tainted components in the supply chain.
In what ways does SCS 9001 2.0 distinguish itself from other operational cybersecurity standards?
From its conception, SCS 9001 has had a focus on supply chain security for the ICT industry. It is used to build confidence and trust in the relationship between the consumer and supplier through assessment of the security practices of suppliers, including the level of integrity and transparency in which they operate their businesses.
Many contemporary publications and standards have focused on cyber and operational security, which is undoubtedly important. However, TIA’s stance is that security must be considered in a more holistic fashion and goals of improved security must account for improvements in all aspects of organizational practices and are not mutually exclusive. That said, SCS 9001 can be used in harmony with other popular standards, each with their own primary focus, to deliver the requisite set of broader protections.
Could you elaborate on the enhanced coverage for product origin, component traceability, and authenticity of provenance in SCS 9001 2.0?
The ability to provide evidence of the origin of every software and hardware component used in a product is one of the most important and difficult goals in improving supply chain security. Manufacturers must be able to demonstrate complete control of their supply chains with bills of material demonstrating the origin and versions of every software and hardware component used in their products.
To address this challenge, innovative software companies have emerged, developing tools that automate and support the requirements of provenance as outlined in SCS 9001 2.0. These tools generate the necessary evidence to fulfill the provenance-related standards.
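The two answers above describe the goal (a bill of materials evidencing the origin and version of every component) and the tooling that generates that evidence. The following is an added illustration, not code from TIA, SCS 9001 2.0, or any vendor mentioned in the interview: it audits a constructed, CycloneDX-like SBOM for the kind of gaps such tooling exists to catch (components lacking a supplier, version, or strong hash; dependency references that point at nothing in the list) and verifies a delivered artifact against the hash the SBOM records. The field names, the required-field policy, and the sample data are all assumptions made for this example.

```python
"""Provenance completeness check over a constructed SBOM (added example).

The SBOM below is constructed for this illustration and follows a
CycloneDX-like shape (components with bom-ref, name, version, supplier,
hashes, plus a dependencies graph). The required-field policy and the
hash verification are assumptions about what "evidence of origin and
version" can look like in practice, not text from SCS 9001 2.0.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# A component counts as "evidenced" only when every one of these is present.
REQUIRED_FIELDS = ("name", "version", "supplier")
ACCEPTED_HASH_ALGS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}

# Constructed bytes standing in for a delivered firmware image.
FIRMWARE_BLOB = b"constructed-firmware-image-v2.1.0"

# Constructed SBOM: one hardware part, one firmware image, one library with gaps,
# and a dependency edge to a component that was never listed.
SAMPLE_SBOM = {
    "components": [
        {"bom-ref": "hw:soc", "type": "device", "name": "example-soc",
         "version": "rev-B", "supplier": {"name": "Example Silicon Ltd"},
         "hashes": []},  # physical part: no file hash expected
        {"bom-ref": "fw:image", "type": "firmware", "name": "example-fw",
         "version": "2.1.0", "supplier": {"name": "Example Devices Inc"},
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(FIRMWARE_BLOB).hexdigest()}]},
        {"bom-ref": "lib:tls", "type": "library", "name": "sometls",
         "version": "", "supplier": {},
         "hashes": [{"alg": "MD5", "content": "abc"}]},
    ],
    "dependencies": [
        {"ref": "fw:image", "dependsOn": ["lib:tls", "lib:missing"]},
    ],
}


@dataclass(frozen=True)
class Finding:
    bom_ref: str
    problem: str


def check_component(comp: dict) -> list[Finding]:
    """Flag missing origin/version evidence on a single component."""
    ref = comp.get("bom-ref", "<no bom-ref>")
    findings = []
    for fld in REQUIRED_FIELDS:
        val = comp.get(fld)
        if isinstance(val, dict):       # supplier is an object; use its name
            val = val.get("name")
        if not val:
            findings.append(Finding(ref, f"missing {fld}"))
    # Physical parts carry no file hash; software/firmware must carry a strong one.
    if comp.get("type") != "device":
        strong = [h for h in comp.get("hashes", [])
                  if h.get("alg") in ACCEPTED_HASH_ALGS and h.get("content")]
        if not strong:
            findings.append(Finding(ref, "no SHA-256/SHA-512 hash"))
    return findings


def check_dependency_graph(sbom: dict) -> list[Finding]:
    """Every dependency reference must resolve to a listed component."""
    known = {c.get("bom-ref") for c in sbom.get("components", [])}
    findings = []
    for dep in sbom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            if target not in known:
                findings.append(Finding(dep.get("ref", "<no ref>"),
                                        f"unlisted dependency {target}"))
    return findings


def audit_sbom(sbom: dict) -> list[Finding]:
    """Run all checks and return the combined list of findings."""
    findings = []
    for comp in sbom.get("components", []):
        findings.extend(check_component(comp))
    findings.extend(check_dependency_graph(sbom))
    return findings


def verify_artifact(comp: dict, data: bytes) -> bool:
    """True iff a strong hash recorded for the component matches the bytes."""
    for h in comp.get("hashes", []):
        fn = ACCEPTED_HASH_ALGS.get(h.get("alg"))
        if fn and fn(data).hexdigest() == h.get("content", "").lower():
            return True
    return False


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM):
        print(f"{f.bom_ref}: {f.problem}")
    fw = SAMPLE_SBOM["components"][1]
    print("firmware matches SBOM hash:", verify_artifact(fw, FIRMWARE_BLOB))
    print("tampered firmware matches:", verify_artifact(fw, FIRMWARE_BLOB + b"x"))
```

Run against the constructed SBOM, the audit reports the library's empty version and supplier, its weak MD5-only hash, and the dangling `lib:missing` reference, while the hardware part passes without a hash because the policy exempts physical devices. The firmware verifies against its recorded SHA-256 and a one-byte change fails, which is the point of pairing a bill of materials with hashes: the document names the origin and version, and the hash ties that claim to the artifact actually shipped.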
How does SCS 9001 2.0 align with the increasing cybersecurity requirements from governments and regulators, especially in protecting critical network infrastructure?
TIA, with the help of its Government Advocacy team, keeps a close eye on global government activities and initiatives that aim to introduce guidance, if not new legislation, to promote enhanced cyber and supply chain security. As the SCS 9001 standard continues to evolve, it will be continuously improved to support these activities, providing a certifiable standard that can be utilized to operationalize and demonstrate alignment with government initiatives and newly implemented regulatory powers.
In addition, with the steep rise in cyberattacks, governments and regulators around the world are becoming more prescriptive in their cybersecurity requirements for organizations, especially when it comes to protecting critical network infrastructure.
As an example, the National Telecommunications and Information Administration (NTIA) recently adopted a measure that includes new cybersecurity and supply chain risk management (SCRM) requirements for the U.S. Department of Commerce’s $42.5 billion Broadband Equity Access and Deployment (BEAD) program rules.
Internationally, Costa Rica became the first government in Latin America to mandate that vendors certify to the TIA SCS 9001 standard following a disruptive attack on its critical network infrastructure in 2022.
Who are the key stakeholders in developing and implementing the SCS 9001 2.0 standard?
TIA is a member-driven organization where dedicated volunteers contribute their time and expertise to drive industry advancements. Our industry standards are developed by members of the ICT industry, ensuring they are tailored to benefit the industry as a whole. SCS 9001 2.0 is the result of contributions and expertise of numerous subject matter experts from diverse organizations. These organizations are at the forefront of building and operating modern networks, supplying cutting-edge products and services deployed in those networks.
Contributors to SCS 9001 2.0 include professionals responsible for leadership, security, quality, network design, engineering, product testing, purchasing, and logistics. SCS 9001 2.0 goes beyond traditional public service providers and delivers benefits to operators of various modern networks, such as cloud platforms, data centers, IoT, satellite communications, and enterprises.