A blueprint for cyber supply chain risk management


One challenge for supply chain security practitioners is choosing which of the multitude of guidance documents and best practice frameworks to use when building a cyber supply chain risk management (C-SCRM) program. There is no touchstone in this arena; instead, we have shades and gradations of goodness and a plurality of approaches.

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), SAFECode, The East-West Institute, Critical Infrastructure Coordinating Councils, and many others have published guidance on methods to address cyber supply chain risks. But to date, there is little evidence that C-SCRM practices are effective in stopping or reducing cyberattacks.

This lack of objective evidence of efficacy makes it difficult for practitioners to choose which guidance, set of practices, or framework to use in their own operations.

When faced with this problem several years ago, at the outset of developing a C-SCRM function for a large enterprise, I created a compilation of different practices from various publications. This article is based on the compilation and provides a short narrative about why certain practices are included.

The compilation is primarily derived from practices described in NIST Special Publication 800-161, Cyber Supply Chain Risk Management Practices for Systems and Organizations, the results of a NIST-GSA-University of Maryland study (Sandor Boyson, Technovation), SAFECode supply chain guidance, the Build Security In Maturity Model (BSIMM), and a variety of other articles, blog posts, and documents in the public domain.

Much like the publications it is derived from, the compilation is intended to be used as a catalog of practices that the user tailors to the particular circumstances of the supply chain being managed and to the phase of the procurement lifecycle in which the practices are applied.

The starting point is to identify which of the various practices in the document are best suited to your supply chain. For example, if you’re purchasing hardware, chain of custody and traceability practices are probably more important than they would be for a software purchase, and for software, secure development life cycle practices are probably more important than traceability practices.

The next steps are to incorporate the selected practices into your supply chain management processes, from onboarding to performance to closeout.



Counter-measure Offers Cyber Protection for Supply Chains

The supply chain is ground zero for several recent cyber breaches. Hackers, for example, prey on vendors that have remote access to a larger company’s global IT systems, software and networks. In the 2013 Target breach, the attacker infiltrated a vulnerable link: a refrigeration system supplier connected to the retailer’s IT system.

A counter-measure, via a user-ready online portal, has been developed by researchers in the Supply Chain Management Center at the University of Maryland’s Robert H. Smith School of Business.

The CyberChain portal is based on a new management science called “cyber supply chain risk management.” It combines the conventionally separate disciplines of cybersecurity, enterprise risk management, and supply chain management.

With funding from the National Institute of Standards and Technology, the UMD researchers developed the formula in part by surveying 200 companies of different sizes across various industries.
