Information and operational technology (IT/OT) relies on a complex, globally distributed, and interconnected supply chain ecosystem to provide highly refined, cost-effective, and reusable solutions. This ecosystem is composed of various entities with multiple tiers of outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices, all of which interact to design, manufacture, distribute, deploy, use, maintain, and manage IT/OT products and services.
Organizations are increasingly at risk of supply chain compromise, whether intentional or unintentional. The factors that allow for low cost, interoperability, rapid innovation, a variety of product features, and other benefits also increase the risk of a compromise to the cyber supply chain, which may result in risks to the end user. Managing cyber supply chain risks requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services. Cyber supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cyber supply chain.
Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.
The NIST C-SCRM program started in 2008, when it initiated the development of C-SCRM practices for non-national security systems, in response to Comprehensive National Cybersecurity Initiative (CNCI) #11, “Develop a multi-pronged approach for global supply chain risk management.”
Since then, NIST has worked with diverse stakeholders from across government, industry, and academia to identify and evaluate effective technologies, tools, techniques, practices, and standards useful in securing the cyber supply chain. NIST has researched, and continues to research, the state of C-SCRM in both the public and private sectors, related standards and initiatives, effective practices, and metrics. In addition, NIST has given several grants to conduct research in this area as well as to develop a web-based risk assessment and collaboration tool.
NIST’s approach to C-SCRM encompasses the following key points:
- Foundational Practices: C-SCRM lies at the intersection of cybersecurity and supply chain risk management. Existing cybersecurity and supply chain practices provide a foundation for building an effective C-SCRM program.
- Organization-wide: Effective C-SCRM is an organization-wide activity that involves each organizational tier (Organization, Mission/Business Processes, and Information Systems) and various organizational functions (cybersecurity, supply chain management, acquisition/procurement, legal, engineering, etc.), and is implemented throughout the system development life cycle.
- Risk Management Process: C-SCRM should be implemented as part of overall enterprise risk management activities. Activities should involve identifying and assessing applicable risks, determining appropriate mitigating actions, developing a C-SCRM Plan to document selected policies and mitigating actions, and monitoring performance against that Plan. Because cyber supply chains differ across and within organizations, the C-SCRM Plan should be tailored to individual organizational contexts.
- Risk: Cyber supply chain risks are associated with a lack of visibility into, understanding of, and control over many of the processes and decisions involved in the development, acquisition, and delivery of IT/OT products and services.
- Threats and Vulnerabilities: Effectively managing cyber supply chain risks requires a comprehensive view of threats and vulnerabilities. Threats can be either “adversarial” (e.g. tampering, counterfeits) or “non-adversarial” (e.g. poor quality, natural disasters); vulnerabilities may be “internal” (e.g. organizational procedures) or “external” (e.g. part of an organization’s supply chain).
- Critical Systems: Cost-effective supply chain risk mitigation requires agencies to identify those systems/components that are most vulnerable and will cause the greatest organizational impact if compromised.