Cybersecurity Supply Chain Risk Management (C-SCRM)
Cybersecurity Supply Chain Risk Management (C-SCRM or SCRM) is focused on managing cybersecurity-related supply chain risk to ensure the integrity, security, quality, and resilience of the supply chain and its products and services.
It is important to understand that the US National Institute of Standards and Technology (NIST) is the authoritative source on SCRM-related matters and provides authoritative guidance on the subject for the US Government:
- Section 1323 of the Secure Technology Act tasked NIST with identifying and recommending development of "supply chain risk management standards, guidelines, and practices for executive agencies to use when assessing and developing mitigation strategies to address supply chain risks..."
- Section 201.301(d) of the Federal Acquisition Supply Chain Security Act (FASCSA) requires the Federal Acquisition Security Council (FASC) to consult with NIST, and NIST to participate in FASC activities as a member, so that NIST can advise the FASC on NIST standards and guidelines issued under 40 U.S.C. 11331, including ensuring that any recommended orders do not conflict with such standards and guidelines.
NIST has several publications that directly frame or support SCRM:
- NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- NIST IR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
- NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM)
Keep in mind that the NIST publications are merely guidance and there is no formal implementation guidance for SCRM.
SCRM Addresses A Tiered Approach To Risk (Strategic, Operational and Tactical Considerations)
When you read through NIST SP 800-161, you will see that it leverages the concept of a multi-tiered risk model from NIST SP 800-37 to organize risk into three distinct tiers:
- Tier 1 - Organizational (strategic risk)
- Tier 2 - Business Processes (operational risk)
- Tier 3 - Systems, Applications & Services (tactical risk)
When you look at it in a slightly different layout, you can see how that can start applying to a business when you overlay the realities of what needs to be managed:
How Do I "Do SCRM" In A Practical Manner?
At the heart of SCRM are cybersecurity and data protection controls. NIST SP 800-161 is a bit dated (2015) and a new release is supposed to come out in 2021, based on the recent release of NIST SP 800-53 R5. NIST SP 800-161 does, however, include a list of NIST SP 800-53 R4 controls that are tagged as applicable to SCRM, along with the risk tier (Tier 1, 2 or 3) each control applies to. When you start looking at how you "do SCRM" in a practical manner, though, it is more than just a control set: a SCRM program needs to have authority over the following four domains:
- Secure Development Practices
- Procurement Practices
- Risk Management Practices
- Systems, Applications & Services Management Practices
SCRM - Secure Development Practices
SCRM is an enterprise-wide activity that is implemented throughout the System Development Life Cycle (SDLC). Within the concept of secure development practices, the following need to exist and be functional for SCRM to be operational:
- Maintain close working relationships through frequent visits and communications.
- Mentor and coach suppliers on C-SCRM and actively help suppliers improve their cybersecurity and supply chain practices.
- Invest in common solutions.
- Require the use of the same standards within the acquirer organizations and by suppliers, thereby simplifying communications about cybersecurity risk and mitigations and helping to achieve a uniform level of quality throughout the ecosystem.
Resilience and improvement activities include:
- Rules and protocols for information sharing between acquirers and suppliers, sometimes within larger critical infrastructure sector ecosystems.
- Joint development, review, and revision of incident response, business continuity, and disaster recovery plans.
- Protocols for communicating vulnerabilities and incidents.
- Responsibilities for responding to cybersecurity incidents.
- Coordinated communication methods and protocols.
- Coordinated restoration and recovery procedures.
- Collaborative processes to review lessons learned.
- Updates of coordinated response and recovery plans based on lessons learned.
SCRM - Procurement Practices
SCRM lies at the intersection of cybersecurity and supply chain risk management. Existing supply chain and cybersecurity practices provide a foundation for building an effective risk management program. Therefore, within the concept of procurement practices, the following need to exist and be functional for SCRM to be operational:
- Increased Executive Board or Executive Level involvement for establishing SCRM as a top business priority and to ensure proper oversight.
- Clear governance of SCRM activities that includes cross-organizational roles and responsibilities with clear definitions and designation/distribution of these roles among enterprise risk management, supply chain, cybersecurity, product management and product security (if applicable), and other relevant functions appropriate for the organization’s business.
- Standards-based policies and procedures that provide guidance to different business units detailing their SCRM activities.
- Same policies used internally and with suppliers.
- Integration of cybersecurity considerations into the system and product development life cycle.
- Use of cross-functional teams to address specific enterprise-wide risks.
- Clear definition of roles of individuals responsible for cybersecurity aspects of supplier relationships (which may be different than those responsible for procurement activities with specific suppliers).
- Establishment of centers of excellence to identify and manage best practices.
- A set of measures of success used to facilitate decision-making, accountability, and improvement.
- Approved and banned supplier lists.
- Use of software and hardware component inventory (e.g., bill of materials) for third-party components.
- Prioritization of suppliers based on their criticality.
- Establishment of testing procedures for the most critical components.
- Establishment of a known set of security requirements or controls for all suppliers, especially robust security requirements for critical suppliers to be used in procurement (sometimes known as master specifications).
- Service-level agreements (SLA) with suppliers that state the requirements for adhering to the organization’s cybersecurity policy and any controls required of the supplier.
- Establishment of intellectual property rights agreements.
- Shared supplier questionnaires across like organizations, such as within the same critical infrastructure sector.
- Upstream propagation of acquirer’s security requirements within the supply chain to sub-tier suppliers.
- Assurance that suppliers have only the access they need in terms of data, capability, functionality, and infrastructure; bounding this access by specific time frames during which suppliers need it.
- Use of escrow services for suppliers with a questionable or risky track record.
- Provision of organization-wide training for all relevant stakeholders within the organization, such as supply chain, legal, product development, and procurement; this training may also be extended to key suppliers.
- Identification of alternative sources of critical components to ensure uninterrupted production and delivery of products.
- Secure requirements guiding disposal of hardware that contains regulated data (e.g., personally identifiable information [PII] or protected health information [PHI]) or otherwise sensitive information (e.g., intellectual property).
- Protocols for securely terminating supplier relationships to ensure that all hardware containing acquirer’s data has been properly disposed of and that the risks of data leakage have been minimized.
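Several of the procurement practices above (approved and banned supplier lists, a component inventory or bill of materials for third-party components, and propagation of the acquirer's requirements to sub-tier suppliers) are easiest to see when they are applied to an actual SBOM. The following is an added example, not code from the article or from NIST: it reads a constructed, minimal CycloneDX-style SBOM, classifies every component's supplier against constructed approved and banned lists, flags components with no supplier recorded as an inventory gap, and walks the dependency graph to show which sub-tier suppliers sit underneath an approved one. The supplier names, package references and lists are all constructed for illustration.

```python
"""Check a software bill of materials against approved and banned supplier lists.

Added example (not from NIST SP 800-161 or the article). The SBOM below is a
constructed, minimal CycloneDX-style document; the supplier lists are
constructed as well.
"""
import json

# Constructed sample SBOM in a CycloneDX-like JSON shape. Only the fields this
# example uses are populated (assumption: real SBOMs carry many more).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:maven/example/webcore@2.1.0", "name": "webcore",
         "version": "2.1.0", "supplier": {"name": "Example Software Ltd"}},
        {"bom-ref": "pkg:npm/leftfill@1.0.3", "name": "leftfill",
         "version": "1.0.3", "supplier": {"name": "Unknown Vendor"}},
        {"bom-ref": "pkg:generic/crypto-accel@0.9", "name": "crypto-accel",
         "version": "0.9", "supplier": {"name": "Banned Parts Co"}},
        {"bom-ref": "pkg:npm/tinylog@4.2.0", "name": "tinylog",
         "version": "4.2.0"},  # no supplier recorded at all: an inventory gap
    ],
    # Constructed dependency graph: webcore pulls in leftfill, so "Unknown
    # Vendor" is a sub-tier supplier behind an approved first-tier one.
    "dependencies": [
        {"ref": "pkg:maven/example/webcore@2.1.0",
         "dependsOn": ["pkg:npm/leftfill@1.0.3"]},
    ],
})

APPROVED_SUPPLIERS = {"Example Software Ltd"}   # constructed approved list
BANNED_SUPPLIERS = {"Banned Parts Co"}          # constructed banned list


def evaluate_sbom(sbom_json, approved, banned):
    """Return a dict mapping component bom-ref -> finding.

    Findings: 'approved', 'banned', 'unvetted' (supplier on neither list),
    'no-supplier' (component inventory does not name a supplier)."""
    sbom = json.loads(sbom_json)
    findings = {}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or f"{comp.get('name')}@{comp.get('version')}"
        supplier = (comp.get("supplier") or {}).get("name")
        if supplier is None:
            findings[ref] = "no-supplier"
        elif supplier in banned:          # banned takes precedence over approved
            findings[ref] = "banned"
        elif supplier in approved:
            findings[ref] = "approved"
        else:
            findings[ref] = "unvetted"
    return findings


def sub_tier_exposure(sbom_json, findings):
    """Map each approved component to the non-approved components it depends on,
    i.e. the sub-tier suppliers the acquirer's requirements still need to reach."""
    sbom = json.loads(sbom_json)
    exposure = {}
    for dep in sbom.get("dependencies", []):
        parent = dep.get("ref")
        if findings.get(parent) != "approved":
            continue
        unvetted = [c for c in dep.get("dependsOn", [])
                    if findings.get(c) != "approved"]
        if unvetted:
            exposure[parent] = unvetted
    return exposure


def blocking_findings(findings):
    """Component refs that should block procurement or deployment: banned
    suppliers, plus components for which no supplier is recorded at all."""
    return sorted(ref for ref, f in findings.items() if f in ("banned", "no-supplier"))


if __name__ == "__main__":
    results = evaluate_sbom(SAMPLE_SBOM, APPROVED_SUPPLIERS, BANNED_SUPPLIERS)
    for ref, status in results.items():
        print(f"{status:12} {ref}")
    print("sub-tier exposure:", sub_tier_exposure(SAMPLE_SBOM, results))
    print("blocking:", blocking_findings(results))
```

Treating a missing supplier as a blocking finding rather than a warning is a deliberate choice: an inventory that cannot say who supplied a component cannot be checked against either list, which is exactly the lack of visibility the risk management section below describes.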
SCRM - Risk Management Practices
SCRM needs to be implemented as part of overall risk management activities (e.g., NIST SP 800-39 & NIST IR 8286). These risk management practices involve identifying and assessing applicable risks, determining appropriate response actions, and developing a SCRM strategy. Within the concept of risk management practices, the following need to exist and be functional for SCRM to be operational:
- Activities should involve identifying and assessing applicable risks, as well as determining appropriate response actions.
- Developing a SCRM strategy and implementation plan to document selected response actions and monitoring performance against that plan.
- Manage risks: Cyber supply chain risk is associated with a lack of visibility into, understanding of, and control over many of the processes and decisions involved in the development and delivery of cyber products and services acquired by federal agencies.
- Manage threats and vulnerabilities: Effectively managing cyber supply chain risks requires a comprehensive view of threats and vulnerabilities. Threats can be either “adversarial” (e.g., tampering, counterfeits) or “non-adversarial” (e.g., poor quality, natural disasters). Vulnerabilities may be “internal” (e.g., organizational procedures) or “external” (e.g., part of an organization’s supply chain).
SCRM - Systems, Applications & Services Management Practices
SCRM requires organizations to identify the critical systems, applications and services, as well as sensitive data, that are most vulnerable and would cause the largest organizational impact if compromised. Within the concept of systems, applications & services management practices, the following supplier criticality criteria need to be assessed and acted on for SCRM to be operational:
- Whether a supplier processes critical data, such as regulated data (e.g., CUI, PII, PHI) or intellectual property.
- Whether a supplier has access to the acquirer’s system and network infrastructure.
- Whether a supplier can become an attack vector by being compromised and allowing threat actors access to the organization.
- For technology companies, whether a supplier can become an attack vector for the technology company’s products or services delivered to customers.
- Volume of data a supplier has access to or hosts.
- Revenue contribution of suppliers.
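The criteria above are what "prioritization of suppliers based on their criticality" (from the procurement practices) is built on. The following is an added example, not code from the article or from NIST, showing one way to turn those criteria into a repeatable ranking: each supplier record carries the page's six criteria, a weighted score and tier are derived from them with the reasons recorded, and the tier is mapped to the procurement measures the page lists (master specifications, testing of critical components, time-bounded access, alternative sources). The supplier records, the weights, the thresholds and the tier-to-measure mapping are constructed assumptions; only the criteria themselves come from the page.

```python
"""Prioritize suppliers by criticality using the assessment criteria above.

Added example, not from the article or NIST. Supplier records, weights, tier
thresholds and the tier-to-measure mapping are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    regulated_data: frozenset   # categories handled, e.g. {"PII", "PHI", "CUI", "IP"}
    infrastructure_access: bool  # access to the acquirer's system/network infrastructure
    product_exposure: bool       # could a compromise reach products/services we deliver?
    data_volume_gb: float        # data the supplier hosts or can access
    revenue_share: float         # fraction of revenue depending on this supplier (0..1)


# Constructed weights and thresholds (assumption, not from the page).
WEIGHTS = {"regulated_data": 3, "infrastructure_access": 3,
           "product_exposure": 3, "data_volume": 2, "revenue": 1}
DATA_VOLUME_THRESHOLD_GB = 500.0
REVENUE_SHARE_THRESHOLD = 0.10
TIER_THRESHOLDS = [(7, "critical"), (3, "high"), (0, "standard")]  # (min score, tier)


def criticality(s):
    """Return (score, tier, reasons) for one supplier."""
    score, reasons = 0, []
    if s.regulated_data:
        score += WEIGHTS["regulated_data"]
        reasons.append("regulated/sensitive data: " + ", ".join(sorted(s.regulated_data)))
    if s.infrastructure_access:
        score += WEIGHTS["infrastructure_access"]
        reasons.append("access to acquirer infrastructure (possible attack vector)")
    if s.product_exposure:
        score += WEIGHTS["product_exposure"]
        reasons.append("can affect products/services delivered to customers")
    if s.data_volume_gb >= DATA_VOLUME_THRESHOLD_GB:
        score += WEIGHTS["data_volume"]
        reasons.append(f"hosts/accesses {s.data_volume_gb:.0f} GB of data")
    if s.revenue_share >= REVENUE_SHARE_THRESHOLD:
        score += WEIGHTS["revenue"]
        reasons.append(f"{s.revenue_share:.0%} of revenue depends on this supplier")
    tier = next(t for floor, t in TIER_THRESHOLDS if score >= floor)
    return score, tier, reasons


def required_assurance(tier):
    """Map a tier to the procurement measures named on the page (constructed mapping)."""
    base = ["baseline security requirements in contract",
            "SLA referencing the cybersecurity policy"]
    if tier == "high":
        return base + ["time-bounded, least-privilege access", "supplier questionnaire"]
    if tier == "critical":
        return base + ["time-bounded, least-privilege access",
                       "master specification (robust security requirements)",
                       "testing of delivered components",
                       "alternative source identified"]
    return base


def prioritize(suppliers):
    """Return (name, score, tier, reasons) rows, highest criticality first."""
    rows = [(s.name, *criticality(s)) for s in suppliers]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample supplier records.
SAMPLE_SUPPLIERS = [
    Supplier("Cloud Hosting Co", frozenset({"PII", "PHI"}), True, True, 12000.0, 0.35),
    Supplier("Payroll Bureau", frozenset({"PII"}), False, False, 40.0, 0.02),
    Supplier("Office Catering", frozenset(), False, False, 0.0, 0.001),
    Supplier("Firmware ODM", frozenset(), False, True, 5.0, 0.15),
]


if __name__ == "__main__":
    for name, score, tier, reasons in prioritize(SAMPLE_SUPPLIERS):
        print(f"{name:18} score={score:2} tier={tier}")
        for r in reasons:
            print("   -", r)
        print("   requires:", "; ".join(required_assurance(tier)))
```

Recording the reasons alongside the score matters as much as the score itself: it is what lets a procurement or risk owner see why a supplier landed in a tier, and it makes the ranking reviewable when the weights are tuned to the organization's own risk appetite.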