Federal cyber leaders and government agencies are pushing forward with Supply Chain Risk Management (SCRM) and Cybersecurity Supply Chain Risk Management (C-SCRM) initiatives to address vulnerabilities and prevent further incidents from compromising critical systems.
Federal officials elaborated on existing guidance and initiatives to help Federal agencies and their industry partners combat these threats during a virtual summit hosted by FCW on October 20.
More than ever, organizations are concerned about the risks associated with products and services that may contain potentially malicious functionality, be counterfeit, or be vulnerable due to poor manufacturing and development practices within the cyber supply chain.
“These risks can decrease an enterprise’s visibility into and understanding of how the technology that they acquire is developed, integrated, and deployed,” Jon Boyens, deputy chief for the Computer Security Division at the National Institute of Standards and Technology (NIST), said at the summit. “They can also affect and be affected by the processes, procedures, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of products and services.”
NIST released a framework to guide Federal agencies in the implementation of an SCRM/C-SCRM program.
“This guidance is designed to better organizations’ ability to identify, assess, and respond to cyber supply chain risks,” Boyens said.
SP 800-161, which NIST released for public comment from April to June 2021, incorporates next-generation C-SCRM controls, strategies, policies, plans, and risk assessments into broader enterprise risk management activities through a multi-level approach.
The Cybersecurity and Infrastructure Security Agency (CISA) also released an SCRM/C-SCRM essentials framework, providing Federal leaders and their staff with actionable steps to start implementing organizational best practices that improve their overall security resilience.
Brian Paap, the lead for CISA’s C-SCRM efforts, explained that supply chain risk management requires building an effective supply chain management practice and understanding extended supply chains that consist of suppliers, vendors, and service providers.
“We realized that departments and agencies were struggling with how to implement their C-SCRM program,” Paap said. “This guidance provided a step-by-step look at how to build an effective SCRM practice.”
The SCRM Essentials guidance provides six crucial steps to building an effective SCRM practice:
- Identify: Determine who from your organization needs to be involved
- Manage: Develop your supply chain security policies and procedures
- Assess: Understand the hardware, software, and services that you procure
- Know: Map your supply chain to understand better what components you procure
- Verify: Determine how your organization will assess the security culture of suppliers
- Establish: Establish timeframes and systems for checking supply chain practices against guidelines
Additionally, protecting an organization’s information in a digitally connected world demands an understanding of third-party vendor supplier security. Therefore, agencies need to consider which organizations are in their supply chain and whether they trust the hardware, software, and services they receive, Paap concluded.