Vincent Voci
Vice President, Cyber Policy and Operations, U.S. Chamber of Commerce

Published

January 14, 2024


Technical risks and other vulnerabilities associated with the Suppliers’ products or services are reasonably understood and properly managed or mitigated:

  1. Technology is designed, developed, and deployed pursuant to a transparent, testable, open, consensus standards-based, and process-oriented framework for identifying, assessing, and managing risk through the anticipated lifecycle of the product or service, including:
  2. There is demonstration of the provenance, pedigree, and integrity of code, including open-source code, to ensure the securability of resulting products and compliance with intellectual property rights;
  3. Technology has standards-based conformance testing of the controls implemented to manage risk, and of the repeatability of build processes, such that tested code can be validated against the code in a finished offering deployed and used in an operating environment;
  4. Verifiable technical measures are implemented to ensure the application of access controls that effectively limit access to authorized users, authorized processes acting on behalf of authorized users, or authorized devices;
  5. Vulnerability handling, remediation, and disclosure policies consistent with international standards (e.g., ISO/IEC 29147) and best practices are adopted, transparently communicated, regularly used, and capable of assessment to ensure compliance;
  6. Information security and privacy practices for the protection of personal data and respecting individual rights are adopted, transparently communicated, and assessed to ensure compliance; and
  7. Controls, mitigations, policies, and procedures adopted by the Supplier should be clearly communicated and flowed through to:
  8. Stability of the supply of products and services is secured and business continuity planning is prepared.

Suppliers demonstrate adherence to generally recognized norms of corporate behavior, including:

  1. Public “codes of business conduct” outlining the Suppliers’ core values, principles, and practices;
  2. Public trading of equity, or equivalent mechanisms, to ensure decision-making in accordance with commercial considerations with regard to procurement, investment, and contracting through transparency of ownership, partnerships, governance structures, and funding sources;
  3. Public demonstration of compliance with auditing and accounting standards generally adopted in the marketplace (e.g., Generally Accepted Accounting Principles or International Financial Reporting Standards) designed to ensure the absence of hidden, opaque, or otherwise non-commercially competitive sources of funding, financing, or subsidy;
  4. Internal governance mechanisms clearly articulated, enforced, and subject to external review demonstrating a commitment to protect:

Suppliers operate subject to both international commercial norms and national and international laws and standards, but make decisions on the basis of commercial considerations and in response to market forces rather than undue direct governmental control of or influence over internal governance and operations, as demonstrated by:

  1. Absence of arbitrary access to company data, facilities, resources, or operations and of mandates to cooperate with government directives – as demonstrated by transparency and reasonable access to due process mechanisms allowing for challenge of such demands to be heard by an independent judiciary or other neutral arbiter.
  2. Absence of requirements to include government officials in corporate structures or decision-making processes that limit the ability of the Supplier to act as an independent entity operating under market-driven – as demonstrated by transparency and public disclosure of organizational/governance structure and ownership interests; and

Suppliers are headquartered, formed, and operate under the laws of a nation that:

  1. Governs networks and connectivity services by demonstrating respect for the rule of law, shown by clear legal or judicial limitations on the exercise of power by the government;
  2. Governs subject to the rule of law, with adequate separation of powers protected by an independent judiciary or other neutral arbiter of due process and protected rights;
  3. Upholds internationally agreed norms, standards, and treaties essential to global human development, such as the UN Sustainable Development Goals, including being good stewards of environmental resources, implementing fair labor practices, protecting intellectual property, protecting public health and well-being, and respecting privacy and human rights, in the procurement and acquisition of ICT; and
  4. Adheres to and implements ICT/cybersecurity international best practices such as the European Union’s 5G Risk Mitigation Tool Kit and U.S. government guidelines (i.e., the National Institute of Standards and Technology Cybersecurity Supply Chain Risk Management (C-SCRM) guidance and the CSIS Criteria for Security and Trust in Telecommunications Networks and Services).

About the authors

Vincent Voci

Vice President for Cyber Policy and Operations in the Cyber, Intelligence, and Supply Chain Security Division at the U.S. Chamber of Commerce