Case Studies in Cyber Supply Chain Risk Management: Summary of Findings and Recommendations

This document is part of Case Studies in Cyber Supply Chain Risk Management-new research that builds on the CSD C-SCRM program's 2015 publications aimed at identifying how C-SCRM practices have evolved. For this case study series, NIST conducted interviews with 16 subject matter experts across a diverse set of six companies in separate industries, including: digital storage, consumer electronics, renewable energy, consumer foods, healthcare, and enterprise cybersecurity. These interviews informed the production of all documents in this series, including six individual company case studies, a summary of findings and recommendations, and a key practices document. This document summarizes findings and recommendations from the case studies. It describes trends, correlations, and novel findings garnered from an analysis of the interviews as a whole and may cover information not reported in any particular individual case study.

This document also contains recommendations for further research, study, and guidance development. The research concludes that C-SCRM is an evolving discipline that requires further attention from the user and research communities. While varied practices exist at mature organizations, less mature organizations are in need of further practical guidance and methods for implementing and evolving C-SCRM programs and practices. Proposed follow-up research opportunities include: quantitative cyber supply chain risk analysis and metrics; requirements to consider adding to supplier terms and conditions; sample supplier tiering structure (especially if an organization has a large number of suppliers) or other methods of applying criticality; and creating additional case studies that showcase successful C-SCRM programs that can be used by aspiring organizations as guidance.