Abstract
The risks to the Nation's ICT infrastructure and products, both in defense and in the private sector, are well understood. Yet nearly ten years after the initial classified initiative to address supply chain vulnerabilities in the telecommunications sector, the United States still lacks a broadly-accepted process to remedy them. These risks currently pose the greatest single gap in this nation's perimeter defenses. This paper presents a novel approach to making the remediation of supply-chain risks at all levels of the public and private sectors feasible, affordable and enforceable, based on establishing PGP style networks of hierarchically trusted suppliers.