Supply chain information and communications technology (ICT) related risks are increasing nationwide. They are potentially more harmful to small and medium-sized businesses (SMBs), especially compared to larger entities. Data from the U.S. Small Business Administration shows SMB information technology (IT) and communications providers represent more than 160,000 companies in the United States; connect millions of households and businesses to the internet every day; and acquire, build, and integrate technology solutions for themselves and their customers.  Implementing supply chain security practices is therefore critical for these ICT entities. For many, knowing where to start — and how an SMB can take on the financial, personnel, or other resources necessary to implement certain ICT supply chain practices — can seem overwhelming. As a result, the ICT Supply Chain Risk Management (SCRM) Task Force SMB Working Group (WG), was tasked with identifying ICT-related supply chain risks that an IT and communications SMB might encounter with a focus on cyber risks and how those risks might be different than in larger companies (hereinafter referred to as “ICT supply chain risk(s)”). The WG used a variety of approaches and techniques to gain insight into the highest ICT supply chain risk categories commonly faced by IT and communications SMBs. Part of that process included a focus-group made up of communications SMBs, conversations with various industry groups, government agencies, and subject matter experts. The WG also received feedback from approximately 100 IT SMBs, 64 percent of whom had 100 or fewer employees. More than a dozen ICT supply chain risk categories were initially identified. Following further scoping and refinement, the following six categories emerged as the highest priority ICT supply chain risk categories for IT and communications SMBs.

Recognizing that many IT and communications SMBs do not have dedicated risk management experts or functions internally, the WG prepared this resource handbook. This handbook includes six use cases to help these SMBs recognize common ICT supply chain risk challenges as well as provides practical and actionable measures they can take to mitigate these risks. The use cases are based on fictional ICT companies and present scenarios that these SMBs may face. They also highlight one or more of the six risk categories, propose potential options that the fictional company may consider, provide a short summary of costs and benefits associated with implementing the proposed options, and provide a section of government and industry mitigation resources that can be accessed for more detail. While the target audience for the resource handbook is IT and communications SMBs, the categories, use cases, and suggested resources are relevant to SMBs of all industries.

Securing Small and Medium-Sized Business Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks (cisa.gov)