Cybersecurity Supply Chain Risk Management C-SCRM
External References
***Disclaimer: Items in the following lists are provided for research purposes, and do not imply endorsement by NIST.***
- Committee on National Security Systems Directive (CNSSD) 505 – "...provides the guidance for organizations that own, operate, or maintain [National Security Systems (NSS)] to address supply chain risk and implement and sustain SCRM capabilities".
- Comprehensive National Cybersecurity Initiative (CNCI) Number 11 – “This initiative will enhance Federal Government skills, policies, and processes to provide departments and agencies with a robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.”
- Defense Microelectronics Activity Trusted IC Supplier Accreditation Program – designated by the Department of Defense as the accrediting authority for trusted design, aggregator/broker, mask and wafer fabrication, packaging and test services across a broad technology range for specialized governmental applications, both classified and unclassified.
- DoD Supply Chain Integration – “responsible for the orchestration, synchronization, and integration of global supply chain integration and its operational execution”.
- Government-Industry Data Exchange Program (GIDEP) – “contains information on equipment, parts, and assemblies which are suspected to be counterfeit.”
- International Center for Enterprise Preparedness (InterCEP) Supply Chain Working Group – “Currently, the U.S. Department of Homeland Security is engaged in the process to fulfill its charge under the law to initiate the national voluntary certification program. InterCEP seeks to serve as a catalyst for business sector involvement and plans to work with other organizations to promote both awareness of the program and input into its development.”
- National Strategy for Global Supply Chain Security – Establishes “the United States Government’s policy to strengthen the global supply chain in order to protect the welfare and interests of the American people and secure our Nation’s economic prosperity”.
- OMB Circular A-130 – "...designed to help drive the transformation of the Federal Government and the way it builds, buys, and delivers technology...".
Logistics / Supplier Management
- ARP9113 – Aerospace Supply Chain Risk Management Guidelines
- AS9120 – Aerospace Requirements for Stockist Distributors
- ASIS International - Supply Chain Risk Management: A Compilation of Best Practices – “Provides a framework for collecting, developing, understanding, and implementing current best practices for supply chain risk management (SCRM).”
- ISO/IEC 27036 – Information Technology – Security Techniques – Information Security for Supplier Relationships (Four Parts)
- PAS 7000:2014 – Supply Chain Risk Management – Supplier Prequalification
Integrity / Quality / Asset Management
Counterfeit Products
- ANSI Best Practices in the Fight Against Global Counterfeiting (2011)
- IDEA/STD 1010-B – Acceptability of Electronic Components Distributed in the Open Market
- Open Trusted Technology Provider™ Standard (O-TTPS) - Mitigating Maliciously Tainted and Counterfeit Products - “an open standard containing a set of organizational guidelines, requirements, and recommendations for integrators, providers, and component suppliers to enhance the security of the global supply chain and the integrity of Commercial Off The Shelf (COTS) Information and Communication Technology (ICT).”
- SAE AS5553 – Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition
- SAE AS6462A – Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition Verification Criteria
Systems Engineering / Software Development
IT Risk Management
- ASTM E1578 – Standard for Laboratory Informatics
- ISO/IEC 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirements
For NIST / NIST-Sponsored Publications, please see https://csrc.nist.rip/Projects/Supply-Chain-Risk-Management
- Bartol, N. (2015). Utilities Telecom Council Cyber Supply Chain Risk Management For Utilities – Roadmap for Implementation. Utilities Telecom Council. Washington, DC.
- Bloomberg (2011). Supply Chain Cybersecurity. Bloomberg View Cybersecurity Conference. New York, NY.
- Charney, S., Werner, E. (2011). Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust. Microsoft Corporation.
- West, D. M. (2013). Twelve Ways to Build Trust in the ICT Global Supply Chain. Issues in Technology Innovation. Center for Technology Innovation at Brookings.
- Ellison, R., Goodenough, J., Weinstock, C., & Woody, C. (2010). Evaluating and Mitigating Software Supply Chain Security Risks (CMU/SEI-2010-TN-016). Retrieved February 08, 2013, from the Software Engineering Institute, Carnegie Mellon University website.
- Filsinger, J., Fast, B., Wolf, D.G., Anderson, M. (2012). Supply Chain Risk Management Awareness. Armed Forces Communication and Electronics Association Cyber Committee.
- Gorman, C. (2012). Counterfeit Chips on the Rise. IEEE Spectrum, 49(6), 16-17.
- IATAC (2010). Risk Management for the Off-the-Shelf (OTS) Information Communications Technology (ICT) Supply Chain [For Official Use Only]. SOAR.
- Information Security Forum (2012). Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your own.
- Institute for Defense Analyses (2011). Challenges in Cyberspace. IDA Research Notes.
- Kimmins, J. (2011). Telecommunications Supply Chain Integrity: Mitigating the supply chain security risks in national public telecommunications infrastructures. Cybersecurity Summit (WCS), 2011 Second Worldwide, 1-4.
- Qiu, X. (2011). Architectural Solution Integration to contain ICT supply chain threats. Cybersecurity Summit (WCS), 2011 Second Worldwide, 1-4.
- Siegfried, M. (2012). Defending Cyberspace: Businesses search for ways to protect their computer networks and supply chains against relentless attacks by cybercriminals. Inside Supply Management.
- Simpson, S. (2008). Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today. SAFECode.
- Simpson, S. (2009). The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain. SAFECode.
- National Defense Industrial Association (NDIA) Systems Engineering Division – Seeks “to promote the widespread use of systems engineering (SE) in the Department of Defense (DoD) acquisition process”.
- International Council on Systems Engineering (INCOSE) – “champions the art, science, discipline, and practice of systems engineering.”
- International Electronics Manufacturing Initiative – “iNEMI roadmaps the future technology requirements of the global electronics industry, identifies and prioritizes technology and infrastructure gaps, and helps eliminate those gaps through timely, high-impact deployment projects.”
- Information Technology Industry Council (ITI) – “ITI navigates the relationships between policymakers, companies, and non-governmental organizations, providing creative solutions that advance the development and use of technology around the world.”
- International Electronics Manufacturing Initiative (iNEMI) – a not-for-profit, R&D consortium whose mission is to “forecast and accelerate improvements in the electronics manufacturing industry for a sustainable future.”
- Information Security Forum – “This project will focus on creating a methodology and supporting toolkit to help Members secure their supply chains end-to-end.”
- Internet Security Alliance – Seeks to provide “practical security measures necessary for the Design, Fabrication, Pre-assembly, Assembly, Distribution, and Maintenance Phases, along with reviewing the legal contractual conditions necessary for implementing the other security measures.”
- International Standards Organization (ISO) – “the world’s largest developer of voluntary International Standards… covering almost all aspects of technology and business.”
- IT Sector Coordinating Council – “the principal entity for coordinating with the government on a wide range of critical infrastructure protection activities and issues.”
- SAFECode – “SAFECode is dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. To this end, SAFECode unites subject matter experts with unparalleled experience in managing complex global processes for software development, integrity controls and supply chain security.”
- Semiconductor Industry Association (SIA) – “The SIA promotes policies and regulations that fuel innovation, propel business and drive international competition in order to maintain a thriving semiconductor industry in the United States.”
- Supply Chain Management Association – “the principal source of supply chain training, education and professional development in [Canada].”
- The Open Group Trusted Technology Forum
- The Trustworthy Software Initiative (TSI) – a United Kingdom “public good initiative supported and funded through the UK Government’s National Cyber Security Programme (NCSP) with a mission to ‘Make Software Better’.”
- American National Standards Institute (ANSI) – “The ANSI Federation’s primary goal is to enhance the global competitiveness of U.S. business and the American quality of life by promoting and facilitating voluntary consensus standards and ensuring their integrity.”
- Common Criteria – “the driving force for the widest available mutual recognition of secure IT products.”
- GS1 – “The GS1 System is an integrated system of global standards that provides for accurate identification and communication of information regarding products, assets, services and locations.”
- Independent Distributors of Electronics Association (IDEA) – “a non-profit trade association representing quality and ethically oriented independent distributors of electronic components.”
- US Resilience Project – examples of the kinds of capabilities and competencies that companies are creating to manage disasters and to identify their priorities for partnering with government.
- US-CERT “Build Security In” – a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.
- SAE International – a global association of more than 128,000 engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries.
- Utilities Telecom Council (UTC) – “the source and resource for information and communications technology (ICT) solutions, collaboration, and advocacy for utilities and other critical infrastructure industries.”
Last Updated: 10/2016
Topics
Security and Privacy:
controls assessment, cybersecurity supply chain risk management, information sharing, malware, risk assessment, security controls, security measurement, security programs & operations, systems security engineering, vulnerability management
Technologies:
cloud & virtualization, hardware, software & firmware
Applications:
communications & wireless, cybersecurity framework
Laws and Regulations:
Comprehensive National Cybersecurity Initiative, Cybersecurity Enhancement Act, Cybersecurity Strategy and Implementation Plan, Cyberspace Policy Review, Executive Order 13636, Federal Acquisition Regulation, Federal Information Security Modernization Act, Homeland Security Presidential Directive 12, OMB Circular A-130
Created May 24, 2016, Updated May 12, 2022