AGENCY:

National Telecommunications and Information Administration, U.S. Department of Commerce.

ACTION:

Notice.

SUMMARY:

The National Telecommunications and Information Administration (NTIA) announces the establishment of the Communications Supply Chain Risk Information Partnership (C-SCRIP) in support of the requirements of Section 8 of the Secure and Trusted Communications Network Act of 2019 (Act). The Act directs NTIA, in cooperation with other designated federal agencies, to establish a program to share supply chain security risk information with trusted providers of advanced communications service and suppliers of communications equipment or services.

DATES:

Applicable on July 8, 2020.

ADDRESSES:

C-SCRIP, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT:

Megan Doscher, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230; telephone (202) 482-2503; mdoscher@ntia.gov. Please direct media inquiries to NTIA's Office of Public Affairs, (202) 482-7002, or at press@ntia.gov.

SUPPLEMENTARY INFORMATION:

Section 8 of the Secure and Trusted Communications Network Act of 2019 (Act) directs NTIA, in cooperation with the Office of the Director of National Intelligence (ODNI), the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Federal Communications Commission (FCC), to establish a program to share “supply chain security risk” information with trusted providers of “advanced communications service” and suppliers of communications equipment or services.^[1] Through this Notice, NTIA is announcing the establishment of the Communications Supply Chain Risk Information Partnership (C-SCRIP), a partnership to share supply chain security risk information with trusted communications providers and suppliers.

NTIA is collaborating with the ODNI, DHS, FBI, and FCC to establish the program. This program is aimed primarily at trusted small and rural communications providers and equipment suppliers, with the goal of improving their access to risk information about key elements in their supply chain.^[2] C-SCRIP will allow for regularly scheduled informational briefings, with a goal of providing more targeted information for C-SCRIP participants as the program matures over time. NTIA will aim to ensure that the risk information identified for sharing under the program is relevant and accessible, and will work with its government partners to enable the granting of security clearances under established guidelines when necessary.

NTIA is using a phased approach to establish the C-SCRIP program, in cooperation with its government partners. In Phase 1, NTIA establishes the program and develops the required report to Congress on NTIA's plan to work with its interagency partners on: (1) Declassifying material to help share information on supply chain risks with trusted providers; and (2) expediting and expanding the provision of security clearances for representatives of trusted providers.^[3] During Phase 1, NTIA will coordinate closely with its federal partners to take advantage of the existing processes and procedures in place for the processing of security clearances and the declassification of threat intelligence and to develop a strategic implementation plan for the C-SCRIP program to establish primary goals and operating principles for the partnership. The strategic implementation plan is intended to harmonize the C-SCRIP program with other government programs to ensure cohesion and to avoid overlap.

In Phase 2, NTIA will operationalize the program, informed by public comments, and will establish the methods and means to initiate and sustain the partnership community of providers and suppliers that are eligible under the Act to receive supply chain security risk information.^[4] Phase 2 will be driven by the strategic implementation plan. In particular, NTIA expects to establish partnership guidelines during Phase 2, as driven by the Act's requirements. NTIA will also initiate ad hoc briefings to trusted providers during Phase 2 on an as-needed basis.

In Phase 3, NTIA will refine its methods and means for generating and sharing information with the C-SCRIP partnership community to best secure U.S. communications networks against supply chain threats. NTIA also expects to formalize its process and schedule for briefings and alerts during this phase, and to establish mechanisms for ongoing coordination and communication.

During Phase 4, NTIA will evaluate the initiation period of the program and make recommendations for adjustments or enhancements to advance the goal of diminishing supply chain risk among program participants.

Footnotes