A new publication from the National Institute of Standards and Technology (NIST) provides companies, government agencies, and other organizations with a set of practices that any organization can use to manage the growing cybersecurity risks associated with their supply chains. NIST researched and compiled these practices knowing that organizations can no longer protect themselves by simply securing their own infrastructures; their "electronic perimeters" are no longer meaningful, and threat actors can and do intentionally target the suppliers of more cyber-mature organizations, taking advantage of the weakest links.
The report, Key Practices in Cyber Supply Chain Risk Management (C-SCRM): Observations from Industry (NISTIR 8276), can be used to establish or enhance a robust Cyber Supply Chain Risk Management (C-SCRM) function at an organization of any size, scope, or complexity. These practices combine the information contained in existing C-SCRM government and industry resources with insights gathered from 2015-2019 during a NIST research project studying industry best practices. The key practices also include 24 actionable recommendations that synthesize how these practices can be implemented from a people, process, and technology perspective.
The Key Practices are:
- Integrate C-SCRM Across the Organization
- Establish a Formal C-SCRM Program
- Know and Manage Critical Suppliers
- Understand the Organization's Supply Chain
- Closely Collaborate with Key Suppliers
- Include Key Suppliers in Resilience and Improvement Activities
- Assess and Monitor Throughout the Supplier Relationship
- Plan for the Full Life Cycle
NIST conducts research and collaborates with a large number and variety of stakeholders to produce information resources that help organizations with their Cyber Supply Chain Risk Management, or C-SCRM. By statute, federal agencies must use NIST's C-SCRM and other cybersecurity standards and guidelines to protect non-national security federal information and communications infrastructure. The SECURE Technology Act and the FASC Interim Final Rule gave NIST specific authority to develop C-SCRM guidelines. NIST is also a member of the Federal Acquisition Security Council (FASC).
NIST will soon propose a revision to "Supply Chain Risk Management Practices for Federal Information Systems and Organizations" (SP 800-161). That is a key NIST Cyber Supply Chain Risk Management (C-SCRM) document relied upon heavily in the private and public sectors.