On 27 July 2020 the National Information Security Standardisation Technical Committee published the Information Security Technology – Security Requirements for the Supply Chain of Information Technology Products (Draft for Comment) for public consultation.(1) The consultation period ended on 26 September 2020.
The requirements, as a recommended national standard, will apply to the security management activities of the IT product supply chain for government information systems and critical information infrastructure. They will also provide a reference for the supply chain security management activities of other information systems.
According to the draft requirements, IT product suppliers should, among other things:
- undertake a supply chain security risk assessment;
- develop a traceability strategy for purchased IT products and components that records and retains information such as their origin and original supplier; and
- establish and implement a secure development process for IT products, specifying development management requirements, security controls and personnel codes of conduct, among other things.
Further, customers should, among other things:
- establish and maintain a catalogue of qualified suppliers; and
- regularly assess the risk of:
  - IT product supply being interrupted;
  - authorisation being suspended; and
  - product upgrades or technical support services being refused.