Published on: 9/29/2025
5 minute read
In today’s interconnected world, the security of Information and Communications Technology (ICT) extends beyond individual systems or agencies. Information Systems Security Officers (ISSOs) at government agencies like the Centers for Medicare & Medicaid Services (CMS) play a crucial role in protecting the integrity, confidentiality, and availability of information systems. A key responsibility is managing supply chain risk, a task that has become increasingly complex and urgent over the past decade.
This article explores the evolution of Supply Chain Risk Management (SCRM) responsibilities for ISSOs, influenced by executive orders from the White House and major cybersecurity events. It also highlights emerging trends reshaping the ISSO role.
Executive Orders (EO) shaping ISSO responsibilities for SCRM
Foundational frameworks - Pre‑2019
Under FISMA and the NIST Risk Management Framework (RMF), ISSOs were tasked with overseeing security throughout a system’s life cycle. Vendor risk was addressed, but supply chain security was generally a secondary concern. NIST Special Publication 800-161, issued in April 2015 and superseded by NIST SP 800-161 Rev. 1 in May 2022, offered the first comprehensive Federal guidance on ICT SCRM.
EO 13873 - May 15, 2019
“Securing the Information and Communications Technology and Services Supply Chain” declares a national emergency and authorizes the Secretary of Commerce to prohibit transactions involving ICT designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction of a “foreign adversary,” where the transaction poses an undue or unacceptable risk. In practice, it requires agencies to weigh geopolitical risk in procurement. For ISSOs, this means incorporating prohibited-vendor screening and documenting supplier risk as part of system authorization.
EO 14017 - February 24, 2021
“America’s Supply Chains” calls for comprehensive reviews of supply chains in critical sectors, including ICT. The order aims to strengthen resilience by identifying vulnerabilities and recommending mitigation strategies. ISSOs became active participants in supply chain assessments, providing technical insight to acquisition and procurement teams.
EO 14028 - May 12, 2021
“Improving the Nation’s Cybersecurity” places supply chain integrity at the forefront. It mandates secure software development practices, calls for Software Bills of Materials (SBOMs), and directs NIST to publish software supply chain guidance, which arrived as the Secure Software Development Framework (SSDF, NIST SP 800-218) and NIST SP 800-161 Rev. 1. ISSOs are tasked with ensuring vendor compliance, integrating SBOM analysis into monitoring activities, and coordinating with the Cybersecurity and Infrastructure Security Agency (CISA) on incident response.
EO 14123 - June 14, 2024
“White House Council on Supply Chain Resilience” institutionalizes government-wide supply chain reviews every four years. ISSOs or their representatives serve as liaisons, ensuring agency-level vulnerabilities and mitigation measures are documented and reported.
EO 14144 - January 16, 2025
“Strengthening and Promoting Innovation in the Nation’s Cybersecurity” expands SCRM requirements by embedding them in enterprise risk management frameworks. Agencies must provide annual SCRM status reports to the Office of Management and Budget (OMB). ISSOs lead the operational side: ensuring compliance, guiding acquisition strategy, and advising on risk-based contract clauses.
EO 14306 - June 6, 2025
“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” does not remove supply chain risk management requirements; it changes how they are applied. Instead of requiring formal vendor attestations, the focus shifts to updating and promoting secure software development standards through NIST. ISSOs should keep applying Secure Software Development Framework (SSDF) practices in their supply chain risk management even though attestations are no longer mandated by executive order.
How SCRM requirements have evolved
Baseline - Pre‑2019
Supply chain considerations were largely limited to verifying vendor legitimacy and compliance with general security requirements.
Post-EO 13873
Vendor screening processes expanded to account for geopolitical risks, prohibited entities, and multi-tier supplier mapping.
Post-EO 14017
ISSO responsibilities expanded to support interagency supply chain reviews, ensuring technical risks were considered alongside procurement criteria.
Post ‑ EO 14028
Integration of SBOMs, secure software attestations, and vendor testing into continuous monitoring became standard practice.
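As an added illustration of what integrating SBOM analysis into continuous monitoring looks like in practice (example code written for this article, not CMS or vendor tooling), the script below parses a vendor-supplied CycloneDX JSON SBOM, extracts each component’s package URL (purl), and checks its version against a watch list of known-affected version ranges. The SBOM document and the watch list are constructed sample data: the Log4Shell entry reflects the real affected range for log4j-core (CVE-2021-44228, fixed in 2.15.0), while the jackson-databind entry is hypothetical and exists only to show a clean result. A real pipeline would load SBOMs as vendors deliver them and pull affected-version data from a vulnerability feed rather than a hard-coded list.

```python
"""Added example: screening a CycloneDX SBOM against a vulnerable-version list.

Illustrative code written for this article, not CMS tooling or a vendor product.
The SBOM and the watch list below are constructed sample data.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 JSON SBOM, shaped the way a vendor would deliver it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    ],
})


@dataclass(frozen=True)
class AffectedRange:
    purl_prefix: str   # package identity: the purl with the "@version" removed
    fixed_in: tuple    # first version that is NOT affected, as a numeric tuple
    advisory: str


# Constructed watch list. Log4Shell (CVE-2021-44228) affected log4j-core from
# 2.0-beta9 through 2.14.1; 2.15.0 was the first fix release. The second entry
# is hypothetical, included so a non-matching version is shown reporting clean.
WATCH_LIST = [
    AffectedRange("pkg:maven/org.apache.logging.log4j/log4j-core",
                  (2, 15, 0), "CVE-2021-44228 (Log4Shell)"),
    AffectedRange("pkg:maven/com.fasterxml.jackson.core/jackson-databind",
                  (2, 12, 0), "hypothetical advisory for illustration"),
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1). Only the leading digits of each dotted
    piece are kept, so '2.0-beta9' becomes (2, 0); pre-release tags sort as
    the base version, which is conservative (they are treated as affected)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> tuple:
    """Return (identity, version) from a package URL. The version follows '@';
    any '?qualifiers' after it are dropped."""
    identity, _, rest = purl.partition("@")
    return identity, rest.split("?")[0]


def screen_sbom(sbom_json: str, watch_list) -> list:
    """Return one finding per component whose version is below the fixed_in
    version of a watch-list entry with the same package identity."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no stable identity; a real pipeline would flag this too
        identity, version = split_purl(purl)
        for entry in watch_list:
            if identity == entry.purl_prefix and parse_version(version) < entry.fixed_in:
                findings.append({
                    "purl": purl,
                    "advisory": entry.advisory,
                    "fixed_in": ".".join(str(n) for n in entry.fixed_in),
                })
    return findings


if __name__ == "__main__":
    for finding in screen_sbom(SAMPLE_SBOM, WATCH_LIST):
        print(f"{finding['purl']}: {finding['advisory']}, fixed in {finding['fixed_in']}")
```

Run against the sample SBOM, the script reports only the log4j-core 2.14.1 component. The point for an ISSO is that the same check reruns on every SBOM delivery and every new advisory, which is what turns a one-time vendor attestation into continuous monitoring.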
Post-EO 14123
In coordination with the White House Council on Supply Chain Resilience, ISSOs serve as the operational bridge between agency leadership and Federal oversight bodies, ensuring accurate resilience reporting and risk tracking.
Post-EO 14144
ISSO duties now include embedding SCRM into agency-wide risk management processes, leading compliance audits, and aligning acquisition planning with Federal SCRM objectives.
Post-EO 14306
Formal vendor attestations are no longer required by executive order, but ISSOs continue to evaluate vendors against SSDF practices as NIST updates the secure software development standards.
Drivers of change
Major cybersecurity incidents have redefined SCRM priorities. The SolarWinds breach (2020) showed how a trusted vendor’s signed software update could carry a nation-state implant into thousands of customer networks. The Log4Shell vulnerability (2021, CVE-2021-44228 in Apache Log4j) showed how hard it is to even locate, let alone patch, a vulnerable open-source component embedded several layers deep in commercial products. These events reinforced the need for transparency in software supply chains, timely patching, and proactive vendor engagement.
Geopolitical tensions, increased reliance on foreign-manufactured ICT components, and global supply disruptions have also shaped policy. Legislation like the Secure and Trusted Communications Networks Act (2019) and pandemic-related supply shortages pushed supply chain security higher on the national agenda.
Summary of key Executive Orders and ISSO implications
| Period / EO | SCRM Focus | ISSO Responsibilities |
| --- | --- | --- |
| Pre-2019 | Basic vendor risk, minimal SCRM visibility | Vendor documentation, Authorization to Operate (ATO) compliance |
| EO 13873 (2019) | Prohibit high-risk vendors | Vendor screening, supplier inventory |
| EO 14017 (2021) | Supply chain reviews | Support reviews, acquisition criteria input |
| EO 14028 (2021) | SBOMs, secure development | Enforce vendor compliance, integrate monitoring |
| EO 14123 (2024) | Supply Chain Council, quadrennial reviews | Agency liaison, resilience reporting |
| EO 14144 (2025) | Enterprise SCRM, OMB reporting | Lead SCRM integration, acquisition alignment |
| EO 14306 (2025) | SSDF standards via NIST, attestations no longer mandated | Continue SSDF-based vendor evaluation |
Supply Chain Risk Management has become a central operational and strategic responsibility for ISSOs. Executive Orders have refined these expectations in response to cyber incidents and geopolitical realities. As the Federal approach to SCRM becomes more structured, ISSOs are the ones who turn policy into effective security outcomes.
About the author: Michael “Hobie” Hobert supports Supply Chain Risk Management (SCRM) within the Division of Strategic Information (DSI) at the Centers for Medicare & Medicaid Services (CMS), applying his broad experience in healthcare, technology, and banking to expand security awareness at CMS.