As part of the output of the National Institute of Standards and Technology (NIST) Cyber Supply Chain Risk Management (C-SCRM) program, this latest publication provides the growing community of digital businesses with a set of Key Practices that any organisation can use to manage the cybersecurity risks associated with its supply chain.
The Key Practices presented in this document can be used to implement a robust C-SCRM function at an organisation of any size, scope, and complexity. These practices combine the information contained in existing C-SCRM government and industry resources with the information gathered during the 2015 and 2019 NIST research initiatives.
The Key Practices are:
- Integrate C-SCRM Across the Organisation
- Establish a Formal C-SCRM Program
- Know and Manage Critical Suppliers
- Understand the Organisation’s Supply Chain
- Closely Collaborate with Key Suppliers
- Include Key Suppliers in Resilience and Improvement Activities
- Assess and Monitor Throughout the Supplier Relationship
- Plan for the Full Life Cycle
Each Key Practice includes a number of recommendations that synthesise how these practices can be implemented from a people, process, and technology perspective.
Selected key recommendations include:
- Create explicit collaborative roles, structures, and processes for supply chain, cybersecurity, product security, physical security, and other relevant functions.
- Integrate cybersecurity considerations into the system and product life cycle.
- Determine supplier criticality by using industry standards and best practices.
- Mentor and coach suppliers to improve their cybersecurity practices.
- Include key suppliers in contingency planning (CP), incident response (IR), and disaster recovery (DR) planning and testing.
- Use third-party assessments, site visits, and formal certification to assess critical suppliers.
These and several other recommendations are mapped to each of the Key Practices to assist in and support the implementation of effective C-SCRM practices within an organisation.
In today’s highly connected, interdependent world, all organisations rely on others for critical products and services. Globalisation, while providing many benefits, has resulted in a world where organisations no longer fully control, and often lack full visibility into, the supply ecosystems of the products they make or the services they deliver. As more businesses become digital, produce digital products and services, and move their workloads to the cloud, the impact of a cybersecurity event is greater than ever before and can include personal data loss, significant financial losses, compromise of product integrity or safety, and even loss of life. Organisations can no longer protect themselves simply by securing their own infrastructure, because their electronic perimeter is no longer meaningful: threat actors deliberately target the suppliers of more cyber-mature organisations to exploit the weakest link.
That is why identifying, assessing, and mitigating cyber supply chain risks is a critical capability for ensuring business resilience. The multidisciplinary approach to managing these types of risk is called Cyber Supply Chain Risk Management (C-SCRM).
You’re Only As Strong As Your Weakest Link
There has never been a more vital time to ensure the resilience of your organisation and of the supply chain you rely on. DVV Solutions are here to help, with a range of managed services and solutions that improve your ability to assess, analyse and manage supply chain and third-party cybersecurity risk across more domains.