Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

Boyens, Jon; Paulsen, Celia; Bartol, Nadya; Winkler, Kris; Gimbi, James

doi:https://doi.org/10.6028/NIST.IR.8276-draft

NISTIR 8276 (Draft)

Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

Date Published: February 2020
Comments Due: March 4, 2020 (public comment period is CLOSED)
Email Questions to: scrm-nist@nist.gov

Author(s)

Jon Boyens (NIST), Celia Paulsen (NIST), Nadya Bartol (Boston Consulting Group), Kris Winkler (Boston Consulting Group), James Gimbi (Boston Consulting Group)

Announcement

Since the release of the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and its companion, Roadmap for Improving Critical Infrastructure Cybersecurity in 2014, NIST has researched industry practices in cyber supply chain risk management (C-SCRM) through engagement with industry leaders.

This publication is based on: an analysis of interviews with companies in 2015 and 2019, which led to the development of 24 case studies; prior NIST research in cyber supply chain risk management; and a number of standards and industry best practices documents. NISTIR 8276 is intended to provide a high-level summary of practices deemed by subject matter experts to be foundational to an effective cyber supply chain risk management program.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

For additional information, see the NIST news article, NIST Offers Strategies to Help Businesses Secure Their Cyber Supply Chains.

Abstract

In today’s highly connected world, all organizations rely on other organizations for critical products and services. However, today’s world of globalization, while providing many benefits, has resulted in a world where organizations no longer fully control—and often do not have full visibility into—the supply ecosystems of the products that they make or the services that they deliver. With more and more businesses becoming digital, producing digital products and services, and moving their workloads to the cloud, the impact of a cybersecurity event today is greater than ever before and could include personal data loss, significant financial losses, compromise of safety, and even loss of life. Organizations can no longer protect themselves by simply securing their own infrastructures since their electronic perimeter is no longer meaningful; threat actors intentionally target the suppliers of more cyber-mature organizations to take advantage of the weakest link.

Keywords

best practices; cyber supply chain risk management; C-SCRM; external dependency management; information and communication technology supply chain risk management; ICT SCRM; key practices; risk management; supplier; supply chain; supply chain assurance; supply chain risk; supply chain risk assessment; supply chain risk management; supply chain security; third-party risk management