Key Practices in Cyber Supply Chain Risk Management (C-SCRM): Observations from Industry

Executive Summary

The National Institute of Standards and Technology (NIST) cyber supply chain risk management (C-SCRM) program was initiated in 2008 to develop C-SCRM practices for non-national security systems in response to Comprehensive National Cybersecurity Initiative (CNCI) #11: Develop a multi-pronged approach for global supply chain risk management. Over the last decade, NIST has continued to develop publications and conduct further research on industry best practices for C-SCRM. This document presents Key Practices and recommendations that were developed as a result of the research conducted in 2015 and 2019, including expert interviews, development of case studies, and analysis of existing government and industry resources.

The Key Practices presented in this document can be used to implement a robust C-SCRM program or function at an organization of any size, scope, or complexity. These practices combine the information contained in existing C-SCRM government and industry resources with the information gathered during the 2015 and 2019 NIST research initiatives. The Key Practices are:

1. Integrate C-SCRM Across the Organization
2. Establish a Formal C-SCRM Program
3. Know and Manage Critical Suppliers
4. Understand the Organization’s Supply Chain
5. Closely Collaborate with Key Suppliers
6. Include Key Suppliers in Resilience and Improvement Activities
7. Assess and Monitor Throughout the Supplier Relationship
8. Plan for the Full Life Cycle

Each Key Practice includes a number of recommendations that synthesize how these practices can be implemented from a people, process, and technology perspective. Selected key recommendations include:

• Create explicit collaborative roles, structures, and processes for supply chain, cybersecurity, product security, physical security, and other relevant functions.
• Integrate cybersecurity considerations into the system and product life cycle.
• Determine supplier criticality by using industry standards and best practices.
• Mentor and coach suppliers to improve their cybersecurity practices.
• Include key suppliers in contingency planning (CP), incident response (IR), and disaster recovery (DR) planning and testing.
• Use third-party assessments, site visits, and formal certification to assess critical suppliers.

These and several other recommendations are mapped to each of the Key Practices to assist in and support the implementation of effective C-SCRM practices within an organization. Additional C-SCRM resources, including industry-specific best practices, can be found in Appendix B, Government and Industry Resources.