Best Practices in Cyber Supply Chain Risk Management
October 1-2, 2015
NIST Gaithersburg, MD.
{April 2015} -- NIST is pleased to announce the release of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
{Dec. 2012} -- NIST is pleased to announce a report by the University of Maryland’s Supply Chain Management Center: Proof of Concept for an Enterprise ICT SCRM Assessment Package
General Inquiries
scrm-nist@nist.gov
Jon Boyens
Project Lead
boyens@nist.gov
301-975-5549
Celia Paulsen
Technical Lead
celia.paulsen@nist.gov
301-975-5981
The Predictive Analytics Modeling Project seeks to research and build the tools necessary to measure and assess the effectiveness of cybersecurity and related supply chain strategies and controls. The effort will use voluntary, secure and anonymized risk assessments based on the Cybersecurity Framework to begin developing a large-scale anonymized data set that seeks, for the first time, to demonstrate cause and effect relationships between cybersecurity and supply chain capability levels and organizational performance outcomes over time.
To take the assessment, please visit: https://cyberchain.rhsmith.umd.edu/
Frequently Asked Questions
1. What is the purpose of the assessment and why should my organization participate?
2. What is the benefit to the larger cybersecurity community of participating in this research?
3. How will my organization’s privacy be assured?
4. What about the security of our company’s data?
5. Who developed the assessment and contributed to the question set being asked?
6. How can we reach NIST or the University of Maryland if we have further questions?
1. What is the purpose of the assessment and why should my organization participate?
The main purpose of this assessment is to support NIST's Cyber SCRM Program by providing organizations a convenient, secure way to self-evaluate and benchmark their cybersecurity practices.
The assessment will help organizations clearly identify areas of strength, where their cybersecurity practices meet or exceed established benchmarks, and areas where more work and investment are needed. Finally, organizations will be able to anonymously compare their cybersecurity and supply chain strategies and controls against those attained by Standard Industrial Classification-derived industry peer groups.
2. What is the benefit to the larger cybersecurity community of participating in this research?
This research project will conduct a rigorous statistical analysis of the effectiveness of common cybersecurity and supply chain practices. It will match our sample universe's assessment results with publicly reported breach data to provide evidence about the efficacy of cybersecurity practices in helping organizations anticipate risks and target investments in areas of cybersecurity with significant operational payback. Such evidence-based research is scarce or non-existent, and it is important to the advancement of the cybersecurity and supply chain disciplines and of enterprise risk management more broadly.
3. How will my organization’s privacy be assured?
See FAQ #4 at: https://cyberchain.rhsmith.umd.edu/FAQ
4. What about the security of our company’s data?
See FAQ #5 at: https://cyberchain.rhsmith.umd.edu/FAQ
5. Who developed the assessment and contributed to the question set being asked?
The assessment is the joint product of a public-private research team composed of cybersecurity professionals from NIST, the General Services Administration (GSA), the Department of Homeland Security (DHS), Zurich Insurance, Beecher Carlson and the University of Maryland's R.H. Smith School of Business. The assessment combines expertise in information security, supply chain and risk management, and builds on a decade of cybersecurity assessment research by team members.
6. How can we reach NIST or the University of Maryland if we have further questions?
For NIST, please contact Mr. Jon Boyens at jon.boyens@nist.gov or 301-975-5549.
For the University of Maryland, please contact Dr. Sandor Boyson at sboyson@rhsmith.umd.edu or 301-405-2205.