C-SCRM Best Practices

Integration Technologies Group, Inc. (ITG) is committed to providing a diverse, secure, and robust supply of ICT products and supporting services to the Government. ITG will stand behind and help ensure the success of its partners, mitigate supply chain risks, and collaborate with Government program offices.

This C-SCRM Plan is part of the Company’s Integrated Best Practices Framework composed of US Government Information Security Standards compliance, CMMI-DEV and CMMI-SVC Level 3, ISO 9001:2015, ISO/IEC 20243-1:2018 (O-TTPS), ISO 27001:2022, and ISO 20000-1:2018.

To ensure that everyone within the organization is aware of their responsibilities, from SCRM professionals to stakeholders in the SCRM processes and all personnel associated with applicable federal contracts, mandatory Supply Chain Risk Management awareness training is provided annually and during onboarding.

Purpose and Scope of Plan

The purpose of this plan is to ensure the Company’s compliance with relevant US Government regulations. Its scope spans the breadth of our ICT transactions, which provision US Government Agencies with applicable equipment and services.

The Plan addresses the following sources of supply:

  • Original Equipment Manufacturers: Design, develop, and build products. Responsible for ensuring the validity of software and hardware components and for establishing measures to prevent the introduction of counterfeit components or materials and/or malware or malicious code. Establish relationships with acquirers, component suppliers, resellers/integrators, and distribution channels. Responsible for creating a secure supply chain with component manufacturers, software sources and suppliers, and distributors/resellers by establishing authorized channels. Contribute to the development of standards and certifications.
  • Distributors: Supply components and products to resellers, typically as established partners. Responsible for proving that their products meet specifications, whether through defined criteria, certifications, or vendor documentation, test, and evaluation procedures. Responsible for ensuring that products are purchased from trusted sources and OEMs, and for managing the distribution of products to facilitate secure delivery to the reseller or acquirer by ensuring that anti-counterfeit policies are implemented and that products remain untampered, protected from access by unauthorized individuals, and transported safely.
  • Resellers: Offer COTS and ICT products directly to the acquirer, either as-is or with the addition of features or services to an existing ICT product, delivered as an integrated product or solution. Responsible for ensuring that product specifications meet customer technical, quality, and security requirements. May provide integration and manage the delivery of products until an order is fulfilled.
  • Acquirers: Define expectations, product specifications, and any additional requirements. The acquirer role is that of the customer, the entity that is acquiring products.

Methodology

ITG’s C-SCRM Plan identifies and analyzes potential failure points within the supply chain and the risk they pose. When a risk materializes, we are prepared to report the event to the applicable authorities and take corrective action.

Our methodology focuses on the following areas to provide governance and control:

  • Risk Management
  • Supplier Management
  • Change Management
  • Incident Management

Through active monitoring of industry councils and procurement standards committees that directly address supply chain risk (e.g., the Open Group Trusted Technology Forum, NIST, and the International Organization for Standardization), ITG adopts and advocates supply chain practices and policies that help ensure a low-risk, secure supply chain. We have established enterprise-wide supply chain relationships, processes, and practices to prevent risks such as maliciously tainted and counterfeit products from entering the supply chain while in our custody. We are committed to the use of mechanisms that ensure the integrity of the COTS and ICT products that we provide to our Government customers.

For example, ITG has:

  • adopted a Supply Chain Risk Management (C-SCRM) Plan based on NIST and ISO standards
  • partnered with industry leaders in secure supply chain management
  • implemented policies/controls to prevent purchasing from unauthorized sources
  • provided C-SCRM training and awareness company-wide as a part of our compliance program

Authorities and Audience

The C-SCRM Plan is implemented under the authority of our Executive Management team. Specifically, the C-SCRM Plan is under the direction and control of the Best Practices Management Review Board (the quality steering committee responsible for establishing policies and procedures and for providing oversight to monitor and control quality and security compliance), which is chaired and directly managed by the Executive Management team. Table 1 lists the standards used to define the requirements for our C-SCRM Plan:

Table 1: Standards of Authority for the development of ITG’s C-SCRM Plan, Methods, and Procedures

Organization/Number: Summary of the intended application and use of guidelines/requirements

  • CNSSI No. 1253, Appendix D: Provides guidance on the first two steps of the Risk Management Framework
  • NIST SP 800-53: Provides guidance on requirements and controls to protect Federal information systems
  • NIST SP 800-161r1: Provides guidance on requirements and controls to manage supply chain risks for Federal Information Systems and Organizations
  • NIST SP 800-171 Rev. 2: Provides guidance on requirements and controls to protect CUI that is processed on the information systems of Federal contractors
  • CMMI for Development: Provides a framework for recommended software and systems engineering practices
  • CMMI for Services: Provides a framework for recommended practices to employ when delivering services
  • ISO/IEC 20243-1:2018 (O-TTPS): Provides guidelines to enhance the security of the global supply chain and the integrity of COTS and ICT products and information
  • ISO 28000:2022: Provides a standard for expected supply chain practices to manage and integrate supply chain requirements
  • ISO 9001:2015: Provides a standard for expected risk-based quality management methods to facilitate quality control and quality assurance
  • ISO 27001:2022: Provides a standard for recommended information security controls to protect the confidentiality, integrity, and availability of information
  • ISO 20000-1:2018: Provides a standard to effectively deliver services in accordance with expected service levels as well as capacity, availability, and continuity needs

Audience

The audience for our C-SCRM Plan includes ITG personnel, Team Members as applicable, OEMs, associated suppliers, and relevant Government personnel. ITG has established a high-level summary of stakeholders in Table 2 and will continue to refine, update, and share a list of internal and external stakeholders, with full contact details, post-award.

Table 2: High Level Summary of Internal and External Stakeholders (Interested Parties)

Interested Party. Stakeholder Relationship Owner. Needs and Expectations of Interested Parties/Stakeholders.

  • Regulatory Authorities (External Stakeholders). Relationship Owner: EVPO. Needs and Expectations: Compliance with legal, statutory, and regulatory requirements.
  • Customers (External Stakeholders). Relationship Owner: Govt. Agency Program Manager. Needs and Expectations: Technical and functional requirements of the contract are met on time and to the expected level of quality. All contractual terms are met, including any quality, security, or regulatory requirements. All reports, invoices, and deliverables are accurate and submitted on time.
  • Team Members (External Stakeholders). Relationship Owner: Business Development Managers. Needs and Expectations: Adherence by ITG to contractual requirements; meets customer’s needs and expectations; participates in C-SCRM Plan activities to manage a secure supply chain.
  • Subcontractors (External Stakeholders). Relationship Owner: Purchasing/Subcontract Relationship Manager. Needs and Expectations: Meets requirements defined by customer and ITG. Provides services and deliverables to defined quality levels; adheres to security requirements; and takes corrective action on any necessary feedback on complaints. SLAs are met, and invoices are accurate and submitted on time. Adheres to all C-SCRM requirements.
  • Vendors (External Stakeholders). Relationship Owner: Purchasing/Subcontract Relationship Manager. Needs and Expectations: Products meet specifications; provides on-time delivery with trusted carriers; and product is within the acceptable level of quality and security expectations for the product. Adheres to all C-SCRM requirements and participates in securing the supply chain through implementing policies and controls.
  • Executive Management Team (Internal Stakeholders). Relationship Owner: CEO. Needs and Expectations: Management and employees meet policy requirements. Provides direction and guidance as well as necessary resources.
  • Project or Functional Managers (Internal Stakeholders). Relationship Owner: EVPO. Needs and Expectations: Adherence to policy and procedures; monitors and measures performance to achieve objectives; monitors supply chain activities; adheres to security policies; reports risks and incidents; and promotes continual improvement. Adheres to all C-SCRM requirements.
  • Business Development Managers. Relationship Owner: President. Needs and Expectations: Identifies customer requirements and properly communicates them to operations and project managers; reports risks to the Executive team; and communicates with teaming partners on ITG requirements. Adheres to all C-SCRM requirements.
  • Chairs of Management Review Boards. Relationship Owner: EVPO. Needs and Expectations: Allocation of time and resources to fulfill obligations to ensure conformance and compliance with standards, policies, and procedures to manage quality, security, risks, services, and supply chain requirements.

Communication Plan

The BPRM coordinates internal and external communications relevant to the quality and security of the supply chain; this is carried out through meetings, emails, reviews, and training. Per contract-specific requirements, ITG will provide a detailed communication plan that describes the mechanism used, the producer, the audience, the frequency, and the content of communication and reporting activities. ITG’s standard C-SCRM Communication Plan, which ensures that ICT supply chain interdependencies are addressed, includes:

  • Holding a kick-off meeting and monthly reviews with Suppliers/Team Members
  • Providing training that includes C-SCRM Plan relevant information
  • Providing a briefing and vendor checklist for all suppliers, requiring compliance
  • Communicating updates and changes via email
  • Defining requirements for handling and reporting incidents
  • Briefing appropriate individuals including those responsible for addressing deficiencies