search menu icon-carat-right cmu-wordmark

CERT to Hold Symposium on Managing Supply Chain Cybersecurity Risk

Press Release

Incidents Highlight Concerns over Supplier Security Practices

Pittsburgh, Pa., December 9, 2014—Cybersecurity risks of complex global supply chains for information and communications technology (ICT) are increasing. To address this important issue, the CERT Division of the Software Engineering Institute at Carnegie Mellon University will hold a free Symposium on Supply Chain Risk Management Thursday, January 15, 2015, at the SEI office in Arlington, Va.

Supply chain risk management (SCRM) addresses problems such as breaches of confidential information and the risks organizations face because of their external dependencies for the ongoing use and sustainment of ICT—the so-called service supply chain.

The CERT symposium will examine these threats. Speakers will include

  • U.S. Congressman Mike Doyle, 14th District of Pennsylvania
  • Alan Levine, chief information security officer, Alcoa
  • Jon Boyens, senior adviser, Computer Security Division, National Institute of Standards and Technology (NIST)
  • Roberta Stempfley, deputy assistant secretary for cybersecurity and emergency communications, Department of Homeland Security

Recent incidents, such as the Target breach, the HAVEX series of attacks on the energy infrastructure, and the recently disclosed series of intrusions affecting Department of Defense (DoD) TRANSCOM contractors, highlight supply chain risk management as a cross-cutting cybersecurity problem.

SCRM focuses on managing the risks of depending on external entities to support key services or mission capabilities. These external dependencies may consist of vendors that provide equipment, cloud services such as data processing or storage, or public infrastructures like transportation channels or the electric grid.

SCRM has increasingly become an area of concern for both the federal government and private critical infrastructure providers. Many defense capabilities and critical infrastructure services depend on complex supply chains outside the direct control of the organization that is ultimately accountable.

Attendance at the symposium is limited to 150 participants. There is no fee, but registration is required. For more information or to register, visit

About the Software Engineering Institute
The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. The SEI helps organizations make measurable improvements in their software engineering capabilities by providing technical leadership to advance the practice of software engineering. For more information, visit the SEI website at The CERT Division of the SEI is the world's leading trusted authority dedicated to improving the security and resilience of computer systems and networks and a national asset in the field of cybersecurity. For more information, visit

Media Contact
Richard Lynch
Software Engineering Institute