ISO 20243 vs AS5553 vs CISA ICT SCRM

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Pfrice, May 22, 2023.

  1. Pfrice
    Hi everyone!

    I'm not sure this is the correct forum, but it seems to fit better than most.

    I've searched the site, but I can't find any related information about the ISO 20243:2018 standard (Information technology - Open Trusted Technology Provider Standard (O-TTPS) - Mitigating maliciously tainted and counterfeit products) vs. the AS5553 standard (Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition) vs. CISA ICT SCRM (Cybersecurity & Infrastructure Security Agency Information and Communications Technology Supply Chain Risk Management). I work for a small disadvantaged business. We are currently a pass-through reseller on a Government GWAC. The Government Program Office is requesting that all resellers on the GWAC complete an ISO 20243 self-assessment. While I'm familiar with the supplier requirements of ISO 9001:2015 and we have documented processes and forms for that, the requirements for ISO 20243 are much, much more stringent. Has anyone on this forum gone through an ISO 20243 self-assessment or third-party assessment? I'm looking for any thoughts or recommendations on how to move forward without implementing a huge number of procedures and forms. Thanks!
     
  2. Andy Nichols
    We really don't have a forum for InfoSec questions. But that might be rectified!

    I'm not sure why AS5553 has much to do with InfoSec requirements like ISO 20243 and CISA CRM. The two approaches are (almost) poles apart. AS5553 is (mainly) for distributors of electronic components, is supply-chain oriented, and is a requirement against which an organization can be third-party assessed and certified. ISO 20243 is a guideline aimed more towards the design and manufacture of (hardware and software) products, not electronic devices (as AS5553 is). As such, a guideline isn't appropriate for third-party certification use. I'm not sure why a reseller would be performing a self-assessment against ISO 20243, since large portions of it would be "N/A"...

    Can you seek relief, if you apply AS5553?
     
  3. John C. Abnet
    Good day @Pfrice ;
    The ISO 20243 standard is not a type "A", "B", or "MS" standard (ISO classifications). Therefore, an organization cannot be certified to this standard via the normal avenues.
    While it is recognized by ISO, as is evident from the title/numbering, it is a product of an organization called "The Open Group".

    Any awarded certification must be through the "Open Group's" accreditation program...i.e. the certification appears to be available ONLY to assessors and not to organizations.

    I have reached out to NIST for further clarification....

    Be well.
     
  4. Pfrice
    Thanks John and Andy for your thoughts.

    Andy, you are correct. Of the 3 sections of ISO 20243, we will only self-assess against the Supply Chain Security section. Our GWAC is for NASA SEWP. NASA has added the certification for ISO 20243 as desired for the current contract holders. It is required to be able to bid on the follow-on contract. So, opting for AS5553 compliance won't work for us. Right now, we follow the guidelines for AS5553 compliance as well as the ISO 9001:2015 requirements for external providers. However, what ISO 20243 requires for Supply Chain Security is well above those two standards. I was hoping that somebody on this forum had to do an "upgrade" from those to ISO 20243.

    John - The certification is not only for assessors, but also for individual companies, which can either self-assess or have a third-party assessment performed. The certification comes from an approved assessor through the Open Group in either case. People from NIST have been involved in creating the ISO 20243 standard. There's a white paper that provides a mapping between ISO 20243 and many of the NIST standards. I'm hoping to leverage work that we've done on NIST 800-161 to fill some of the gaps that we have.
     
  5. John C. Abnet
    Thanks for the feedback @Pfrice . (It's odd that the information I have used the term "accreditation", which led me to believe it was only for assessors. Thanks for the clarification.)

    Be well.
     
  6. Pfrice
    You too!