Supply chain integrity risk assessments: Evaluation criteria (ITSAP.10.071)

Supply chain integrity (SCI) risk assessments are carried out on information and communication technology products and services that will be deployed in Government of Canada (GC) infrastructure as part of an SCI review. The review supports safeguarding the confidentiality, integrity, and availability of GC communications and data by fostering resilience against digital supply chain vulnerabilities and compromises.

SCI risk assessments consider sources of potential threats, identify product vulnerabilities, and evaluate possible impacts of compromises. These are an integral input into an organization’s overall risk management framework that considers comprehensive and broad risks to systems (Footnote 1).

This publication provides a high-level overview of the criteria used by the GC in SCI risk assessments. This can serve as a useful baseline for any organization wishing to evaluate supply chain risks.

Criteria for supply chain integrity risk assessments

The following sections provide details on the criteria associated with conducting an SCI risk assessment. You should review each factor carefully and weigh the risks in accordance with your organization's risk management framework.

Geopolitical context

Where a company is located, or maintains operations, is important. A company’s headquarters, subsidiaries, research and development, manufacturing facilities, and operation centres may be located in countries where governments and/or legal frameworks differ significantly from Canada’s. These countries may not uphold democratic values and beliefs, abide by the rule of law, maintain judicial independence, respect civilian rights and freedoms, or share other characteristics of likeminded countries. As a result, a company’s operations in these countries may be exposed to geopolitical, legal, and operational risks that could jeopardize the company’s assets, reputation, and business operations.

Your organization should consider the following factors when assessing the geopolitical context of a country:

  • Political climate: A country's political climate (e.g. unrest, government regulations, trade policies, diplomatic relations) can significantly impact suppliers, leading to operational disruptions as well as legal and regulatory non-compliance. For the GC, this could lead to an increase in national security concerns.
  • Data, intelligence and surveillance laws: Some countries have extensive data, intelligence and surveillance laws which require cooperation with the host country’s intelligence services
    • In some cases, these countries may require data residency
    • Data residency laws can increase concerns around the confidentiality, integrity and availability of Canadian data
  • Manufacturing locations: In some countries, suppliers and their subsidiaries (including manufacturing, R&D, etc.) are deeply tied to, or susceptible to pressure from, the military and intelligence apparatus. In some cases, commercial facilities may be used to produce dual use goods that support military use, data collection and/or potential espionage
  • Democratic institutions: Working with vendors whose host countries share common values can facilitate confident collaboration and mutual trust. Common values may include
    • free and fair elections
    • separation of powers
    • independent judiciary
    • human rights protections
    • environmental protections
    • privacy and data protection
  • Adversarial nations: Countries that demonstrate adversarial intent towards Canada and persons in Canada represent increased risks to our national security, safety and economic well-being. Hostile nations may be interested in gaining commercial or technological advantage, supply chain dominance, imposing their political ideologies, or engaging in espionage activities. These objectives may be achieved through a variety of means, including influence and interference activities, and cyber exploitation. The state-sponsored cyber programs of countries that are listed in the Canadian Centre for Cyber Security’s National Cyber Threat Assessments are deemed to pose the most sophisticated and active cyber threats to Canada.

Foreign ownership, control and influence

Foreign ownership, control and influence (FOCI) occurs when a foreign government or threat actor can influence or direct the management or operations of a company. This can result in the compromise of a company’s technology or unauthorized access to its systems or data.

FOCI can be broken down into:

  1. Ownership - foreign investment and/or ownership stakes in a company, its subsidiaries, and affiliates (including venture capital)
  2. Control - over the decision-making process via appointment of key personnel, board members, etc.
  3. Influence - e.g. economic and financial leverage, strategic partnerships; including over-reliance on limited R&D partners, clients, suppliers, etc.

Your organization should consider the following factors that may contribute to increased FOCI risks:

  • Executive and board member connections: Executives and board members may be vectors for influence and control of a company if they have connections to foreign militaries, intelligence agencies and governments from countries that demonstrate adversarial intent toward Canada
  • Ownership: Companies whose ownership is held (in whole or in part) by state-owned enterprises or receive funding from foreign government entities may be susceptible to control and influence. Unknown or obscure ownership structures may be indicative of efforts to hide such connections
  • Foreign partnerships and investors: Foreign partners may hold undue leverage over companies in which they invest or maintain strategic engagements

Business practices

Business practices refer to the methods, procedures and behaviours exhibited by a company in its day-to-day operations. Past and current business practices provide insight into the degree to which a company exhibits ethical business activities. Unethical business practices can increase reputational, financial, security and legal risks.

Your organization should consider the following factors that may indicate risky or unethical business practices:

  • Sanctions: Partnerships or strategic engagements with foreign entities that are listed on Five Eyes (FVEY) or European Union (EU) sanctions
  • Lawsuits and violations: Companies that have been found guilty in legal settlements or that have breached rules and regulations in FVEY and/or EU countries
  • Corruption: Evidence of corruption, deceptive rebranding (for example, purposefully hiding identity change) or fraudulent business practices
  • Trade practices: Engagement in unfair trade practices including, but not limited to, bribery, fraud or money laundering
  • Transparency: A lack of transparency or openness about ownership, operations, policies and processes

Cyber maturity

Cyber maturity refers to the extent to which an organization has developed and implemented effective cyber security practices to protect its own information systems and data.

Your organization should consider the following factors that contribute to understanding cyber maturity:

  • Standards and certifications: Adherence to international technology standards and certifications in design, production and maintenance of products and services facilitates confidence and trust
  • Incident response and communication: Organizations should establish comprehensive cyber security policies and maintain appropriate incident response plans to effectively handle and recover from cyber incidents. An inability to manage or respond to cyber security issues and events increases risk
  • Data protection: Organizations should demonstrate an ability to protect data from unauthorized access throughout the data lifecycle

Product vulnerability

A product vulnerability is a flaw or weakness in the design, manufacturing or implementation of a product or service that could be exploited to adversely affect its security, integrity or functionality.

Your organization should consider the following factors that contribute to understanding product vulnerabilities:

  • Vulnerability history: Research into the history of a vulnerability includes how and when a vulnerability was discovered, tracking the number of occurrences over time and assessing how broadly it affects a product
  • Volume, scale and severity: A higher number of cases, or more severe vulnerabilities, may be indicative of poor security practices, a lack of secure development lifecycle or a complex product with many potential weak points

Exploitation of vulnerabilities

Exploitation of vulnerabilities refers to the act of taking advantage of weaknesses in software, hardware, or systems to gain unauthorized access, disrupt operations, or steal data. This is a core tactic used by cyber threat actors, including cybercriminal groups, nation-states and hacktivists.

Exploitation history involves assessing whether a product has been actively targeted or exploited by threat actors. This assessment helps to understand and characterize a product’s real-world risk.
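The vulnerability history and exploitation history criteria above can be applied to a product's disclosure record. The following Python is an added example, not part of ITSAP.10.071; the records, the placeholder identifiers (not real CVE numbers) and the "rising" trend rule are constructed assumptions for illustration.

```python
# Added example, not from ITSAP.10.071; identifiers and records are constructed.
from collections import Counter
from dataclasses import dataclass
@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str      # constructed placeholder, not a real CVE number
    year: int         # year the flaw was disclosed
    severity: float   # CVSS-style base score, 0.0 to 10.0
    components: int   # product components/versions affected (breadth)
    exploited: bool   # known to be actively exploited by threat actors

SAMPLE_HISTORY = [  # constructed sample history for a hypothetical product
    VulnRecord("PLACEHOLDER-0001", 2021, 5.3, 1, False),
    VulnRecord("PLACEHOLDER-0002", 2022, 7.5, 2, False),
    VulnRecord("PLACEHOLDER-0003", 2023, 9.8, 4, True),
    VulnRecord("PLACEHOLDER-0004", 2024, 8.8, 3, True),
    VulnRecord("PLACEHOLDER-0005", 2024, 9.1, 5, False),
]

def occurrences_by_year(records):
    """Vulnerability history: disclosures per year, oldest year first."""
    return dict(sorted(Counter(r.year for r in records).items()))

def summarize(records):
    """Volume, scale, severity and exploitation history for one product."""
    if not records:  # nothing disclosed: no history to assess
        return {"total": 0, "critical": 0, "exploited": 0, "trend": "flat"}
    by_year = occurrences_by_year(records)
    counts = list(by_year.values())
    return {
        "total": len(records),
        "by_year": by_year,
        # rising when the latest year has more disclosures than the earliest
        "trend": "rising" if len(counts) > 1 and counts[-1] > counts[0] else "flat",
        "max_severity": max(r.severity for r in records),
        "critical": sum(1 for r in records if r.severity >= 9.0),
        "max_breadth": max(r.components for r in records),  # widest single flaw
        "exploited": sum(1 for r in records if r.exploited),
    }

def findings(records):
    """Observations an assessor would record against the page's criteria."""
    s = summarize(records)
    checks = [
        (s["critical"], f"{s['critical']} critical-severity flaw(s) disclosed"),
        (s["trend"] == "rising", "disclosure rate is rising year over year"),
        (s["exploited"], f"{s['exploited']} flaw(s) known to be actively exploited"),
    ]
    return [note for flag, note in checks if flag]
```

Run `findings(SAMPLE_HISTORY)` to see the three observations the sample record produces; an empty record list yields no findings rather than an error.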

Product sensitivity

Product sensitivity characterizes the product or service based on several factors including its functionality, where it will reside within an organization’s network infrastructure, and both the type and volume of data it will process. This part of the assessment helps to determine the potential impact on an organization’s operations and infrastructure in the event of a supply chain compromise.

Your organization should consider the following factors that contribute to understanding the sensitivity of a product:

  • Functionality: The role a product or service plays, and the impact on data confidentiality, availability and integrity if a compromise or disruption occurs are important considerations
    • Products that perform core or mission-critical functions, such as authentication or system control, are considered more sensitive
    • Their compromise may have cascading effects across systems
  • Location: Where a product is deployed in a system, and the surrounding architecture, can affect risk. For example, edge/Internet-connected devices have greater exposure to security risks than devices on isolated/air-gapped networks because their direct connection to the Internet makes them easily discoverable and accessible
  • Type and volume of data processed: The type of data processed by a product or service may affect the attractiveness of the system to cyber threat actors. Whether data is classified or unclassified, as well as the overall volume or aggregation of data processed by a product can make it inherently more sensitive