Supply Chain Risk Management (SCRM) has many facets, from building trust with vendors and users to assessing manufacturing specifications. During a virtual summit hosted by FCW on Oct. 20, current and former NASA officials described the factors they consider essential to the agency's SCRM program, which determines whether a product is safe enough to be used in the agency's applications.
For former NASA CIO Renee Wynn, building a process that could scale was critical, particularly because the risk assessment for every product was different and the agency had to keep its SCRM practices adaptable.
“As an agency, we had to be aware of changes that may be necessary. And we had to implement SCRM practices that could adapt to change,” Wynn said. These practices all drew on recent SCRM frameworks and guidance from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), she added.
NIST publishes guidance for Federal agencies implementing an SCRM or Cybersecurity SCRM (C-SCRM) program. The draft revision of SP 800-161, which NIST released for public comment from April to June 2021, integrates updated C-SCRM controls, strategies, policies, plans, and risk assessments into broader enterprise risk management activities through a multi-level approach spanning the enterprise, mission and business process, and operational levels. CISA, for its part, released an SCRM/C-SCRM essentials guide that gives Federal leaders and their staff actionable steps for adopting organizational best practices and improving their overall security resilience.
“These frameworks serve as a foundation to us implementing our SCRM practices, making sure that the devices we use are reliable and secure,” said NASA SEWP Program Manager Joanne Woytek.
Building trust with the users and contractors involved in this process is another important SCRM practice. According to Woytek, that trust starts with communication and constant contact.
“It’s important not just to get to know your users and contractors but to keep that line of communication open. It ensures that you are aware of your contractor’s process in manufacturing this device you have acquired. It also allows you to provide constant and reliable information to your users,” Woytek said.