Information, communications, and operational technology (ICT/OT) users rely on a complex, globally distributed, and interconnected supply chain ecosystem to provide highly refined, cost-effective, and reusable solutions. This ecosystem is composed of various entities with multiple tiers of outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices, all of which interact to design, manufacture, distribute, deploy, use, maintain, dispose of, and otherwise manage products and services. These aspects of the supply chain include IT, OT, Communications, Internet of Things (IoT), and Industrial IoT.

The NIST Cybersecurity Supply Chain Risk Management (C-SCRM) program helps organizations to manage the increasing risk of supply chain compromise related to cybersecurity, whether intentional or unintentional. The factors that allow for low-cost, interoperability, rapid innovation, a variety of product features, and other benefits also increase the risk of a compromise to the supply chain, which may result in risks to the end user. Managing cybersecurity risks in supply chains requires ensuring the integrity, security, quality and resilience of the supply chain and its products and services. Risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cybersecurity-related elements of the supply chain.

C-SCRM involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of ICT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction). NIST conducts research, provides resources, and convenes stakeholders to assist organizations in managing these risks.

Two new NIST efforts relate to the May 12, 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, and a National Initiative for Improving Cybersecurity in Supply Chains.

NIST APPROACH

NIST is responsible for developing reliable and practical standards, guidelines, tests, and metrics to help protect non-national security federal information and communications infrastructure. Private sector and other government organizations also rely heavily on these NIST-produced resources. That includes organizations developing or using information, communications, and operational technologies which depend upon complex, globally distributed and interconnected supply chains.

Since 2008, NIST has conducted research and collaborated with a large number and variety of stakeholders to produce information resources which help organizations with their C-SCRM.  By statute, federal agencies must use NIST’s C-SCRM and other cybersecurity standards and guidelines to protect non-national security federal information and communications infrastructure. The SECURE Technology Act and FASC Interim Final Rule gave NIST specific authority to develop C-SCRM guidelines. NIST also is a member of the Federal Acquisition Security Council (FASC).

NIST has given several grants to conduct research in this area as well as to develop a web-based risk assessment and collaboration tool.

Managing cybersecurity risk in supply chains rrequires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services. NIST focuses on:

• Foundational practices: C-SCRM lies at the intersection of information security and supply chain management. Existing supply chain and cybersecurity practices provide a foundation for building an effective risk management program.
   
• Enterprise-wide practices: Effective C-SCRM is an enterprise-wide activity that involves each tier (Organization, Mission/Business Processes, and Information Systems) and is implemented throughout the system development life cycle.
   
• Risk management processes: C-SCRM should be implemented as part of overall risk management activities. That involves identifying and assessing applicable risks and determining appropriate response actions, developing a C-SCRM Strategy and Implementation Plan to document selected response actions, and monitoring performance against that plan.
  • Risk: Cybersecurity-related supply chain risk is associated with a lack of visibility into, understanding of, and control over many of the processes and decisions involved in the development and delivery of cyber products and services.
  • Threats and Vulnerabilities: Effectively managing cybersecurity risks in supply chains  requires a comprehensive view of threats and vulnerabilities. Threats can be either “adversarial” (e.g., tampering, counterfeits) or “non-adversarial” (e.g., poor quality, natural disasters). Vulnerabilities may be “internal” (e.g., organizational procedures) or “external” (e.g., part of an organization’s supply chain).
     
• Critical systems: Cost-effective supply chain risk mitigation requires organizations to identify those systems/components that are most vulnerable and will cause the largest organizational impact if compromised.

NIST Cyber SCRM Fact Sheet (updated 05/25/2021)