Supply chain security presents a significant challenge because it can be difficult to manage, even for organisations with great internal security.
The National Institute of Standards and Technology (NIST) recently updated its guidance to offer support for key practices and approaches involved in successful cyber security supply chain risk management (C-SCRM). In this blog post, we provide an overview of the update and what it means for organisations.
In May 2022, NIST updated its cyber security supply chain risk management (C-SCRM) guidance, which aims to help organisations protect themselves effectively as they acquire and use technology products and services. While it is written for U.S.-based organisations, much of the guidance applies across the world.
The revised publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), provides support on how to identify, assess and respond to security risks in supply chains. Released following a lengthy development process, the update is part of NIST’s response to Executive Order 14028: Improving the Nation’s Cybersecurity, specifically Sections 4(c) and (d), which focus on enhancing the security of the software supply chain.
Aimed at “acquirers and end users of products, software and services,” the revised guidance is designed around the fact that cyber security risks can occur at any stage in the life cycle and can be associated with any connection within the supply chain. With research showing that supply chain cyber-attacks rose by 51% in 2021, the updated guidance is timely.
The revised guidance:
- Sets out key cybersecurity supply chain risk management (C-SCRM) practices that organisations can use to ensure the security, safety and quality of services and manage cyber security risks both in and across their supply chains. This includes balancing costs against resource requirements, integrating C-SCRM into the enterprise-wide risk management process, knowing and managing critical products, services, and suppliers, understanding an enterprise’s supply chain, closely collaborating with critical suppliers, and other key activities.
- Outlines key roles and responsibilities and the importance of a coordinated team-based approach to managing supply chain risks. As part of this, the guidance outlines the stakeholders and teams that should be included within C-SCRM process, such as information security and privacy, system developers, procurement, legal, and HR. The document also highlights how the process requires engagement from stakeholders from inside and outside an organisation in order to be successful.
- Discusses the benefits of establishing and maintaining a C-SCRM capability, such as helping companies to understand how vulnerable their critical assets are to supply chain weaknesses, and reducing the likelihood of supply chain compromise by enhancing the ability to detect, respond to, and recover from events that disrupt businesses.
How Kroll can help
We provide comprehensive support to mitigate the potential risks in your supply chain through our third-party cyber risk management services. Benefit from our powerful blend of unique insight gained through handling more than 3,200 diverse cyber incidents every year, supported by today’s most advanced technology. We can help you assess, identify and remediate with confidence and can deploy remote solutions quickly and/or be on-site within hours.