ABOUT NPCC Careers Contact Us Governance & Corporate Membership Resources Leadership Team PROGRAM AREAS Standards & Criteria Compliance RAPA SAIS COMMITTEES DER/VER Forum Gov/Reg Affairs Reliability Coordinating Regional Standards NEWS Search SIGN IN

Posted: 01/17/2023

Securing Small and Medium-Sized Businesses (SMB) Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks

Supply chain information and communications technology (ICT) related risks are increasing nationwide. They are potentially more harmful to small and medium-sized businesses (SMBs), especially compared to larger entities. Data from the U.S. Small Business Administration shows SMB information technology (IT) and communications providers represent more than 160,000 companies in the United States; connect millions of households and businesses to the internet every day; and acquire, build, and integrate technology solutions for themselves and their customers.  Implementing supply chain security practices is therefore critical for these ICT entities. For many, knowing where to start — and how an SMB can take on the financial, personnel, or other resources necessary to implement certain ICT supply chain practices — can seem overwhelming. As a result, the ICT Supply Chain Risk Management (SCRM) Task Force SMB Working Group (WG), was tasked with identifying ICT-related supply chain risks that an IT and communications SMB might encounter with a focus on cyber risks and how those risks might be different than in larger companies (hereinafter referred to as “ICT supply chain risk(s)”). The WG used a variety of approaches and techniques to gain insight into the highest ICT supply chain risk categories commonly faced by IT and communications SMBs. Part of that process included a focus-group made up of communications SMBs, conversations with various industry groups, government agencies, and subject matter experts. The WG also received feedback from approximately 100 IT SMBs, 64 percent of whom had 100 or fewer employees. More than a dozen ICT supply chain risk categories were initially identified. Following further scoping and refinement, the following six categories emerged as the highest priority ICT supply chain risk categories for IT and communications SMBs.

Recognizing that many IT and communications SMBs do not have dedicated risk management experts or functions internally, the WG prepared this resource handbook. This handbook includes six use cases to help these SMBs recognize common ICT supply chain risk challenges as well as provides practical and actionable measures they can take to mitigate these risks. The use cases are based on fictional ICT companies and present scenarios that these SMBs may face. They also highlight one or more of the six risk categories, propose potential options that the fictional company may consider, provide a short summary of costs and benefits associated with implementing the proposed options, and provide a section of government and industry mitigation resources that can be accessed for more detail. While the target audience for the resource handbook is IT and communications SMBs, the categories, use cases, and suggested resources are relevant to SMBs of all industries.

Securing Small and Medium-Sized Business Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks (cisa.gov)




Compliance Bulletin Decisions & Notices ERO Enterprise Media Release NERC NPCC Regional Entities & Others Reliability Assessment Security Bulletin


  Upcoming Events

  News Highlights

Summer Reliability Assessment Forecasts Adequate Electricity Supplies

June 05, 2024

IBR Registration Initiative Reference Guide

May 16, 2024

Security Notice

This is a Northeast Power Coordinating Council, Inc. (NPCC) information system. You have no reasonable expectation of privacy regarding communications or data transiting or stored on NPCC’s information system. At any time and for any lawful purpose, NPCC may monitor, intercept, record, and search any communications or data transiting or stored on this information system. At NPCC’s sole discretion, NPCC may disclose pertinent information to the U.S. Government and its authorized representatives to protect the security of critical infrastructure and key resources, ensure information security, or to comply with any applicable law, regulation, legal process, or enforceable governmental request. By continuing, you acknowledge that you understand and consent to the terms and conditions described in this notice. The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited and may subject violators to criminal, civil, and/or administrative action.