TIA’s SCS 9001 Cyber and Supply Chain Security Standard - Update
BUSINESS PROCESS EXCELLENCE FOR THE ICT INDUSTRY
Mike Regan
January, 2023
TIA: THE TRUSTED INDUSTRY ASSOCIATION FOR
THE CONNECTED WORLD
GOVERNMENT AFFAIRS
§ Advocate for ICT manufacturers and suppliers (U.S. & Globally)
§ Advancement of policy positions on wide range of issues
§ Impacting ICT industry globally
STANDARDS DEVELOPMENT
§ ANSI Accredited
§ > 3,600 global standards and technical documents
TECHNOLOGY PROGRAMS
Innovative technologies for an increasingly connected world
§ Smart Buildings
§ Edge Data Centers
QuEST FORUM COMMUNITY
§ SCS 9001 Cyber and Supply Chain Security
§ TL 9000 Quality Management System
§ Sustainability, Secure Software Development, Benchmarking
SCS 9001 Introduction
A BIG STANDARD TO HELP W/ A BIG PROBLEM
WHAT IS IT?
§ The first certifiable, process-based standard with measurements and benchmarking developed for the specific needs of the ICT industry.
§ The standard builds upon existing works and aligns with government initiatives; it adds critical but unaddressed requirements
WHAT’S DIFFERENT ABOUT IT?
§ There was no supply chain security standard for the entire ICT industry
§ SCS 9001 is certifiable and process-based, providing measurements and benchmarking
§ Comprehensive: its requirements and controls cover the entire product lifecycle, including the complete supply chain of software, hardware and systems, as well as the security practices of the certifying organization itself
SCS 9001 History
• History
– Developed over nearly 2 calendar years, now representing 100+ person-years of effort
– 35+ standards were reviewed from organizations such as ATIS, ISO, IAQG, NIST, CISA, CSA, ENISA, O-RAN Alliance, MITRE, O-RAN Coalition, and others
• Work Group
– Over 60 contributing participants from 34 organizations
– Diversity of contributing organizations: manufacturers, service providers, and systems integrators
– Diversity of expertise: network operations, network architecture, product development, quality management, security, and supply chain / logistics
• Review prior to release
– The standard was reviewed by ~100 organizations including government agencies
– The draft was sent to ~250 individuals who returned ~500 unique comments and suggestions
– Each comment was reviewed and most were adopted in delivering the first release of the standard; the balance are in the backlog for future consideration
SCS 9001 Status
• Availability
– SCS 9001 R1.0 is approved, released and available.
– SCS 9001 R2.0 targeted for H1 2023
• Certification Support
– ANSI-ASQ National Accreditation Board (ANAB) is the first Accreditation Body
– Five Certification Bodies have been trained: DNV, DQS, NQA, Schullman, TuV AM
• Training
– Omnex has developed training courses and offers formal training.
– Current courses: (1) Understanding the SCS 9001 Standard, (2) Understanding SCS 9001 Measurements, (3) Auditor Training, (4) Implementation Training
• Pilot Program
– 5 varied organizations conducted gap-assessments through March, 2022. Essentially a beta test.
– Feedback being collected, reviewed and will be accounted for in the next iteration of the standard
• Collateral
– Large and growing amount of content: comparisons to other standards, operationalization of government directives and EOs, review of prominent cyber breaches
SCS 9001 R2.x Update
§ Improvements throughout, based on lessons learned from the Pilot Program and a variety of other input
§ Increased coverage of hardware provenance, hardware development and cloud-based services
§ Increased coverage of procurement, shipping and logistics requirements
§ Enhancements in support of government initiatives such as:
o EO14028 & OMB Memo M-22-18 (secure software development)
o Baseline requirements as set by the BEAD NOFO
o U.K. Telecommunications (Security) Act 2021
§ Updated mapping to newly issued controls of CSA CCM 4.0
§ Updated mapping to newly issued controls of ISO 27002
§ Decoupling from the ISO 9001 standard while maintaining process basis
o In response to feedback of providing adoption flexibility
o Maintains the ISO Annex SL format for ease of integration with other ISO standards
§ Reorganized and reformatted to better support mapping exercises to other standards and publications
Ø Availability H1, 2023. Contact TIA for more information and availability.
R2.0 Statistics
§ Big standard for a big problem.
§ Organized around the Annex SL document structure from ISO/IEC, with specific requirements in Chapters 5 – 10.
§ ~ 150 pages
§ There are 116 requirements:
§ Most are multi-part
§ Provides over 750 specific touch points
§ There are 60 controls
§ There are 7 measurements
116 Categories of Requirements
Chapter 5 – Leadership
5.1.1 ‒ Top management governance
5.1.2 ‒ Customer security requirements
5.2.1 ‒ Establishing the security policies
5.2.2 ‒ Security Policies
5.2.3 ‒ Media Management Policy
5.2.4 ‒ Human Resource (HR) Security Policy
5.2.5 ‒ Acceptable Use of Assets Policy
5.2.6 ‒ Workspace Policy
5.2.7 ‒ Access Control Policy
5.2.8 ‒ Least Privilege Policy
5.2.9 ‒ Asset Management Policy
5.2.10 ‒ Mobile Device Policy
5.2.11 ‒ Bring Your Own Device (BYOD) Control Policies
5.2.12 ‒ Cryptographic Control Policies
5.2.13 ‒ Fraudulent/Counterfeit Parts Mitigation Policy
5.3.1 ‒ Management Responsibility for Supply Chain Security
5.3.2 ‒ Process Ownership
5.3.3 ‒ Segregation of Duties
Chapter 6 – Planning
6.1.1 ‒ Security Program Planning
6.1.2 ‒ Asset Inventory
6.1.3 ‒ Ownership of Assets
6.1.4 ‒ Residual Risk Information Availability
6.1.5 ‒ Asset Classification
6.1.6 ‒ Supply Chain Security Risk Identification
6.1.7 ‒ Security Risk Analysis
6.1.8 ‒ Supply Chain Security Risk Treatment
6.1.9 ‒ Establish the Acceptable Level of Risk
6.1.10 ‒ Organization’s Statement of Applicability (SoA)
6.1.11 ‒ Business Impact Analysis
6.1.12 ‒ Business Continuity Planning
6.1.13 ‒ Zero Trust Architecture (ZTA) Plan
6.1.14 ‒ Automation Planning
6.2.1 ‒ Security objectives
6.2.2 ‒ Management of security objectives
6.3.1 ‒ Supply chain management system changes
Chapter 7 – Support
7.1.1 ‒ People, Infrastructure, and Environment
7.1.2 ‒ Monitoring, verification, and validation of resources
7.2.1 ‒ Determining and Ensuring Competence
7.3.1 ‒ Security Awareness Training
7.4.1 ‒ Internal and external Communications
7.4.2 ‒ Customer Communication Methods
7.4.3 ‒ Organization Feedback
7.5.1 ‒ General
7.5.2 ‒ Creating and updating
7.5.3 ‒ Control of documented information
7.5.4 ‒ Access, Distribution, and Maintenance
7.5.5 ‒ Protection of Personally Identifiable Information (PII)
7.5.6 ‒ Audit Logging
Chapter 8 – Operation
8.1.1 ‒ Life Cycle Model
8.1.2 ‒ Security Risk Management
8.1.3 ‒ Technical Vulnerability Management
8.1.4 ‒ Secure Network Planning
8.1.5 ‒ Secure Systems Planning
8.1.6 ‒ Secure Wireless Network Procedures
8.1.7 ‒ Maintenance of Organizational Systems
8.1.8 ‒ Information Backup
8.1.9 ‒ Prevention of Counterfeit Parts
8.2.1 ‒ Problem Escalation
8.2.2 ‒ Problem Report Feedback
8.2.3 ‒ Product Replacement
8.2.4 ‒ Notification About Critical Security Problems
8.2.5 ‒ Notification About Critical Service Disruption
8.2.6 ‒ Identify Customer and Stakeholder Security Needs
8.2.7 ‒ Security Contract Review
8.2.8 ‒ Changes to requirements for products and services
8.3.1 ‒ Secure Development Models
8.3.2 ‒ Development Process
8.3.3 ‒ Security Requirements of Project Planning
8.3.4 ‒ Security Requirements Definition Process
8.3.5 ‒ Product or Service Architecture Definition Process
8.3.6 ‒ Security Test Planning
8.3.7 ‒ Integration Planning
8.3.8 ‒ Requirements Traceability
8.3.9 ‒ Security Test Verification and Validation Process Controls
8.3.10 ‒ Software Provenance
8.3.11 ‒ Software Bill of Materials (sBOM)
8.3.12 ‒ Hardware Provenance
8.3.13 ‒ Hardware Bill of Materials (BOM)
8.3.14 ‒ Design and Development Change Management Process
8.3.15 ‒ Informing Customers of Security Design Changes
8.3.16 ‒ Security Vulnerability Resolution Configuration Management
8.3.17 ‒ Component Substitutions
8.4.1 ‒ Supplier Selection
8.4.2 ‒ Data Sub-processors
8.4.3 ‒ Supply Chain Provenance
8.4.4 ‒ Extent of Control of Critical Supplier(s)
8.4.5 ‒ Verification of Externally Supplied Products
8.4.6 ‒ Verification of Externally Supplied Services
8.5.1 ‒ Network Security Requirements Definition Process
8.5.2 ‒ Network Architecture Definition Process
8.5.3 ‒ Secure Network Operations
8.5.4 ‒ Secure Systems Operations
8.5.5 ‒ Event and Incident Management Process
8.5.6 ‒ Incident Reporting
8.5.7 ‒ Change Management Process
8.5.8 ‒ Monitoring Access Control
8.5.9 ‒ Software Malware Protection
8.5.10 ‒ Secure Logistics Processes
8.5.11 ‒ Disposal Process
8.6.1 ‒ Release of products and services
8.7.1 ‒ Control of nonconforming outputs
8.7.2 ‒ Nonconformance records
Chapter 9 – Performance Evaluation
9.1.1 ‒ General
9.1.2 ‒ Security Management System Evaluation
9.1.3 ‒ Security Process Measurements
9.1.4 ‒ Required Security Measurements
9.2.1 ‒ Internal Audit Program
9.2.2 ‒ Internal Audits
9.3.1 ‒ General
9.3.2 ‒ Corporate Governance Review inputs
9.3.3 ‒ Corporate governance review outputs
Chapter 10 – Improvement
10.1.1 ‒ General ‒ Improvement Opportunities
10.1.2 ‒ Employee Participation
10.2.1 ‒ Nonconformity and corrective action
10.2.2 ‒ Supplier Corrective Action
10.3.1 ‒ Continual improvement
U.S. Govt Is Getting Serious
§ The Broadband Equity, Access & Deployment Program (BEAD) allocates ~$42B for State Broadband Grants
§ In the recent Notice Of Funding Opportunity (NOFO), there are ‘baseline requirements’ stated for Eligible Entities to receive grants, with a focus on:
Cybersecurity Risk Management
– NIST Cybersecurity Framework
– EO 14028
Supply Chain Security Risk Management
– NISTIR 8276 Key Practices in Cyber Supply Chain Risk Management
– NIST 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
BEAD Success Summit
§ TIA has organized the BEAD Success Summit
§ The Summit is for the benefit of State BBOs in managing to expectations of the BEAD program as described in the NOFO
§ Attendees will include State BBOs, speakers from agencies of the U.S. Federal Government, service providers and equipment vendors
• Wide array of topics, keynotes, vendor displays
• Consult https://tiaonline.org/ for additional information.
Future Focus Areas
§ Collaborations with U.S. Govt Agencies and peer SDOs
§ Submission to NIST National Online Informative References Program (OLIR)
§ MITRE System of Trust and associated collateral
§ Evaluate new Conformity Assessment Models
§ Broadening target verticals
§ Continue to track evolving challenges and continue to revise and improve as appropriate
In closing… Key take-aways
§ SCS 9001 is a certifiable, process-based Cyber and Supply Chain Security Standard for the ICT industry
§ Built using the subject matter expertise of TIA’s diverse membership
§ Measurements & benchmarking build on the proven success of the TL 9000 QMS
§ Potential users include all network operators; this problem is NOT unique to SPs
§ More options for using the standard are coming
§ SCS 9001 is well aligned with initiatives from global governments and their agencies
§ SCS 9001 is well-aligned with publications from peer SDOs
§ It took A LOT of effort to develop SCS 9001… and we’re not done.
A global standard, available NOW to help solve problems that exist NOW!
THANK YOU
Mike Regan
TIA QuEST Forum - VP Business Performance
Email: [email protected]