Supply Chain Security Practices

 

Driving Security Through the Supply Chain

Intel’s Supply Chain Risk Management (SCRM) program and award-winning supply chain practices provide assurance to customers, complement our product security capabilities, and are a critical component of Compute Lifecycle Assurance.

Intel’s SCRM program is aligned to industry-recognized frameworks such as those published by the U.S. National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO).

Elements of Intel’s SCRM include:

  • Use of top-tier suppliers, OEMs, and authorized distributors
  • Certifications and standards conformance
  • Standardized operating procedures
  • Industry recognized continuous supplier quality management program

Examples of how Intel practices SCRM include the following:

  • After strategically identifying top-tier suppliers, security posture is monitored throughout the supplier lifecycle, from request for information (RFI) and selection, to end of life.
  • Security expectations are established in supplier contracts, reinforced through required trainings and recurring assessments.
  • Critical vendors are required to maintain applicable certifications and attestations such as:
  • ISO 9001:2015, ISO 27001
  • U.S. Customs Trade Partnership Against Terrorism (C-TPAT)
  • Transported Asset Protection Association (TAPA)
  • Our long-standing Supplier Quality Improvement program (EPIC) builds strong supplier relationships, best-in-class performance, and helps ensure security expectations are met through quarterly report cards, Quality Audits and award incentives.
  • Cybersecurity-specific SCRM practices include:
  • On-site and remote Information Security audits by qualified Intel and third-party auditors
  • Continuous monitoring of supplier-provided software applications for security compliance
  • Real-time continuous cybersecurity monitoring through a third-party platform
  • Assessment of supplier business continuity & recovery plans, including cyberattack readiness