Cybersecurity attacks happen daily and are constantly evolving. In the past 20 years, cyberattacks have progressed from tiny hacks by college students to very costly ransomware attacks. In April 2021, many drivers on the US East Coast waited in long gas lines after a cyberattack shut down Colonial Pipeline, the largest fuel pipeline in the US. At the end of May, another cyberattack forced meat producer JBS USA to temporarily shut down its operations. Unfortunately, the number and frequency of cybersecurity attacks are increasing, and the impact is becoming more significant and costly.
The Telecommunications Industry Association (TIA) has developed the first-ever global supply chain security management systems standard, SCS 9001.
SCS 9001 Development
TIA, telecommunications organizations, accreditation bodies (e.g., ANAB), and certification bodies teamed up to develop the standard. ISO 9001, the globally recognized quality management system standard, is the foundation for the new standard. Certification to ISO 9000 will be a prerequisite for organizations seeking SCS 9001 certification. Organizations that are already certified to ISO 9001 or an ISO 9001-based standard (e.g., TL 9000, AS9100, ISO 15378) should have a head start in preparing for this new certification.
The initial draft of the standard has been distributed for comments and will be piloted with five organizations during summer 2021, with certification bodies and accreditation bodies participating in the pilot audits. The FDIS is scheduled to be released in mid-September 2021, and SCS 9001 Release 1.0 is scheduled for issue in late November 2021.
SCS 9001 Auditor Requirements Development
TIA QuEST Forum, the scheme owner that developed the TL 9000 quality management system to meet the supply chain quality requirements of the telecommunications industry, will also be the scheme owner for the supply chain security standard (SCS 9001). The TIA QuEST Forum AB/CB Team is developing auditor competence requirements and procedures for determining audit duration. SCS 9001 auditors will be required to meet the competence requirements in ISO/IEC 17021-1:2015, ISO/IEC 27006:2015, and ISO/IEC 27006:2015-AMD 1:2020, plus additional requirements (e.g., zero trust, technical vulnerability management, counterfeit HW and SW parts) identified by the AB/CB development Team. Training for auditors should be available through TIA QuEST Forum approved training organizations by late summer.
Accreditation for SCS 9001 Management System Certification Bodies
TIA QuEST Forum currently plans to approve accreditation body(s) for SCS 9001 by August 1. Accreditation bodies will not need to be approved to offer TL 9000 accreditation in order to apply for SCS 9001 approval, but the approval process will be abbreviated for those ABs already approved by TIA QuEST Forum. Likewise, CBs will not have to be accredited for TL 9000 in order to apply to approved accreditation bodies for SCS 9001 accreditation.