TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: The Federal Communications Commission (FCC) maintains a Covered List (weblink below) of communications equipment and services that have been determined by the U.S. government to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons to national security pursuant to the Secure and Trusted Communications Networks Act of 2019.
As the 6th annual National Supply Chain Integrity Month concludes, CISA reminds all critical infrastructure owners and operators to take necessary steps in securing the nation’s most critical supply chains. CISA urges organizations to incorporate the Covered List into their supply chain risk management efforts, in addition to adopting recommendations listed in Defending Against Software Supply Chain Attacks—a joint CISA and NIST (weblink below) resource that provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework (weblink below) to identify, assess, and mitigate risks. All critical infrastructure organizations are also urged to enroll in CISA’s free Vulnerability Scanning service (weblink below) for assistance in identifying vulnerable or otherwise high-risk devices such as those on FCC’s Covered List.
To learn more about CISA’s supply chain efforts and to view resources, visit CISA.gov/supply-chain-integrity-month.
FCC Covered List: hxxps://www.fcc[.]gov/supplychain/coveredlist
Defending Against Software Supply Chain Attacks: hxxps://www.cisa[.]gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508.pdf
Cyber Supply Chain Risk Management: hxxps://csrc.nist[.]gov/publications/detail/sp/800-161/rev-1/final
CISA Vulnerability Scanning Service: hxxps://www.cisa[.]gov/resources-tools/services/cisa-vulnerability-scanning
NYSIC CAU Analyst Note: The covered equipment listed by the FCC originates from countries who pose a threat to U.S. national security. At a recent roundtable during the RSA 2023 Conference, the NSA Director of Cybersecurity Rob Joyce noted Russia wants to target Western supply chains in order to disrupt the support given to Ukraine. He further commented about observations of intelligence gathering into western countries to include the U.S. in that logistics supply chain.
Author: Federal Communications Commission, Cybersecurity and Infrastructure Security Agency and National Institute of Standards and Technology.
This information has been forwarded by NYSIC to:
NYSIC CAU Contacts – CPWG
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – DHSES CIRT
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
NYSIC CAU Contacts – Critical Infrastructure Partners: All
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
CONFIDENTIALITY NOTICE: This e-mail, including any attachments, may contain highly sensitive and confidential information. It is intended only for the individual(s) named. If you received this e-mail in error or from someone who was not authorized to send it to you, do not disseminate, copy or otherwise use this e-mail or its attachments. Please notify the sender immediately by reply e-mail and delete the e-mail from your system.