The NIST Framework for Improving Critical Infrastructure Cybersecurity ("the Framework") released in February 2014 was published simultaneously with the companion Roadmap for Improving Critical Infrastructure Cybersecurity. The Roadmap identified Cyber Supply Chain Risk Management (Cyber SCRM) as an area for future focus. Since the release of the Framework and in support of the companion Roadmap, NIST has researched industry best practices in cyber supply chain risk management through engagement with industry leaders.
In 2014 and 2015, NIST interviewed a diverse set of organizations and developed 18 Cyber SCRM Case Studies describing how various industry organizations approach Cyber SCRM, including specific tools, techniques, and processes.
In 2019, NIST conducted new research aimed at identifying how Cyber SCRM practices have evolved. For this newest set of Cyber SCRM Case Studies, NIST conducted interviews with 16 subject matter experts across a diverse set of six companies in separate industries. These interviews informed a Summary of Findings and Recommendations document describing trends, correlations, and novel findings garnered from an analysis of the interviews as a whole.
NIST has used the SCRM Case Studies published in 2015 and 2019, prior NIST initiatives, and a number of standards and industry best practices as a basis for NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (February 2021).
2019
2015
In October 2015, NIST held a workshop to discuss research findings. The following are briefing papers given to workshop attendees:
Security and Privacy: controls assessment, cybersecurity supply chain risk management, information sharing, malware, risk assessment, security controls, security measurement, security programs & operations, systems security engineering, vulnerability management
Technologies: cloud & virtualization, hardware, software & firmware
Applications: communications & wireless, cybersecurity framework
Laws and Regulations: Comprehensive National Cybersecurity Initiative, Cybersecurity Enhancement Act, Cybersecurity Strategy and Implementation Plan, Cyberspace Policy Review, Executive Order 13636, Federal Acquisition Regulation, Federal Information Security Modernization Act, Homeland Security Presidential Directive 12, OMB Circular A-130