Interim Report Released on Discussions to Establish a Cybersecurity Measures Evaluation System for Strengthening Supply Chains
April 14, 2025
The Ministry of Economy, Trade and Industry (METI) has been proceeding with discussions to establish a system that presents the cybersecurity measures each supply chain company should fulfill in view of their importance in the supply chain and that visualizes the implementation status of their cybersecurity measures. Today, METI released the outline of the discussions in the form of an Interim Report on Discussions to Establish a Cybersecurity Measures Evaluation System for Strengthening Supply Chains.
With the aim of implementing the system in FY2026, METI will conduct demonstration projects, prepare a platform for operating the system, and implement measures to promote its use.
1. Background and purpose
In recent years, against the backdrop of cyber incidents attributable to supply chains, companies are required to ensure that cybersecurity measures are taken in their corporate transactions. While order-receiving suppliers are requested by different client companies to fulfill a variety of cybersecurity standards, the clients are facing difficulties in evaluating whether their suppliers are taking appropriate measures.
To address such issues, METI has been aiming to establish a system that presents the cybersecurity measures each supply chain company should fulfill in view of their importance in the supply chain and that visualizes the implementation status of their cybersecurity measures (Cybersecurity Measures Evaluation System for Strengthening Supply Chains). To this end, METI has been discussing, with experts and the industrial community, the objectives and positioning of the system, details of requirements and evaluation criteria, measures needed to popularize the system, and other matters in the Study Group for Industrial Cybersecurity Working Group 1 (Systems, Technologies and Standardization) Sub-working group for a Cybersecurity Measures Evaluation System for Strengthening Supply Chains. The outline of the discussions has been compiled in the form of an Interim Report.
2. Overview of the Interim Report
The Interim Report presents an outline of the Cybersecurity Measures Evaluation System for Strengthening Supply Chains. The following introduces the policies of the evaluation system.
Purpose of the evaluation system
- By prompting suppliers to obtain a certification mark based on the evaluation system, companies can encourage them to implement appropriate cybersecurity measures against risks in the business/IT/service supply chains, including information security risks and the risk of product/service supply disruption caused by cyberattacks and unauthorized access via transaction networks, for the purpose of enhancing the standard of cybersecurity measures across the entire supply chain.
- Specifically, in a transaction agreement between two companies, the client company is presumed to inform the order-receiving supplier of the expected level of cybersecurity (★), urge the supplier to implement the indicated measures of the expected level, and check whether the measures are implemented.
Targeted effect
- While the evaluation system targets supply chain risks, necessary measures will be presented in accordance with each company’s standpoint to facilitate the selection of appropriate measures.
- The system is for all supply chain companies, but it is especially effective for small and medium-sized enterprises (SMEs) within a supply chain, as their resources for taking cybersecurity measures are limited and it is highly challenging for them to implement such measures in consideration of their own risks.
Evaluation criteria
- The required cybersecurity measures are expected to be categorized into three tiers—★3, ★4, and ★5—in consideration of each company’s importance in and impact on the supply chain. Specifically, the categories will be organized based on (1) the business perspective (importance in terms of data protection and business continuity) and (2) the computer system perspective (presence of connectivity).
Note: The categories in the evaluation system are Tier ★3 and above, as Tiers ★1 and ★2 are allocated to SECURITY ACTION, a self-evaluation system that precedes this system.
- In view of the above approach, similar systems overseas (Cyber Essentials of the United Kingdom) and domestic industrial guidelines (JAMA/JAPIA Cybersecurity Guidelines) and other sector-specific industrial guidelines, and based on the Cybersecurity Framework 2.0 issued by the National Institute of Standards and Technology (NIST), the sub-group first clarified the criteria, action items, and requirements for Tiers ★3 and ★4, from the perspectives of risk governance, supplier management, risk identification, computer system protection, detection of cyberattacks, and response to and recovery from incidents.
How tiers are set in the evaluation system
- ★3 Basic: Primarily basic computer system protection and framework development measures, which all supply chain companies should implement as the minimum required cybersecurity measures. (25 self-evaluation items)
- ★4 Standard: Comprehensive measures, including organizational governance/supplier management, computer system protection/detection, and incident response, which supply chain companies and others should aim to implement as standard cybersecurity measures. (44 third-party evaluation items*)
*Evaluation should be conducted by a third party in principle, but details are yet to be considered from the perspective of reducing evaluation costs.
- ★5: Measures for computer systems based on best practices at this time, which supply chain companies and others should pursue as the ultimate goal by organizing improvement processes required for their own organization based on risk-based thinking in international standards (third-party evaluation [action items to be considered]).
Note: Higher-tier criteria cover requirements set forth in the lower-tier criteria, which means that ★4 can, for example, be obtained without acquiring ★3 first.
Collaboration and coordination with related domestic and overseas systems
- METI aims to develop the system in mutually complementary ways with SECURITY ACTION, which is a preceding self-evaluation program configured in two tiers (★1 and ★2), the JAMA/JAPIA Cybersecurity Guidelines, an international standard ISMS Conformity Assessment Scheme, and so forth.
- Specifically, the tentative requirements for Tiers ★3 and ★4 are consistent with the JAMA/JAPIA Cybersecurity Guidelines to a certain extent. Furthermore, METI will discuss coordination methods with the guidelines’ administrative body, including how the guidelines should be utilized when conducting self-evaluations under the system. In addition, METI will also continue studying similar systems overseas and exchange views on such, bearing in mind the possibility of mutual recognition arrangements in the future.
3. Planned schedule
With the aim of implementing the system in FY2026, METI will develop the evaluation system in concrete terms through demonstration projects and consider measures to promote the use of the system.
Related Materials (in Japanese)
- Interim Report on Cybersecurity Measures Evaluation System for Strengthening Supply Chains (Summary) (PDF: 1,591KB)
- Interim Report on Cybersecurity Measures Evaluation System for Strengthening Supply Chains (PDF: 3,027KB)
- [Reference material] Tentative requirements / Evaluation criteria for Tiers ★3 and ★4 (PDF: 952KB)
Related Links (in Japanese)
- METI Study Group for Industrial Cybersecurity Working Group 1 (Systems, Technologies and Standardization) Sub-working group for Cybersecurity Measures Evaluation System for Strengthening Supply Chains
- Supply-Chain Cybersecurity Consortium (SC3) Industry Coordination WG
Division in Charge
Cybersecurity Division, Commerce and Information Policy Bureau