Cyber Supply Chain Risk Management: Key Practices for Federal Contractors

Published: February 18, 2021

Federal Market Analysis | Cybersecurity | Policy and Legislation

As scrutiny of the federal supply chain continues to grow, NIST offers a set of best practices that businesses can use to mitigate cyber supply chain risk.

Government efforts to raise the cybersecurity posture of the federal supply chain, and of the contractors within it, have put supply chain security at the forefront for federal contractors. They must meet new government requirements while also working out how to manage the security of their own supply chains.

But there is help available. The Computer Security Resource Center at the National Institute of Standards and Technology (NIST) recently released Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (NISTIR 8276). The document gives businesses a set of actions for implementing cyber supply chain risk management (C-SCRM) policies and functions. It draws in part on NIST's earlier Cyber SCRM Key Practices and Case Studies and on other research and initiatives NIST has undertaken over the last several years.

NIST’s eight C-SCRM Key Practices are:

  1. Integrate C-SCRM Across the Organization – Establish councils or committees that include executives from across the organization, including supply chain/procurement, information technology, cybersecurity, operations, legal, enterprise risk management (ERM), etc. to proactively set and review risk mitigation plans and initiatives across the enterprise. The more SCRM is integrated and aligned across the enterprise, the better.
  2. Establish a Formal C-SCRM Program – A formal C-SCRM program with established governance, policies and procedures, processes, and tools ensures organizational accountability for managing cyber supply chain risks. Tailor the program to your firm’s size and complexity.
  3. Know and Manage Critical Suppliers – Identify the suppliers whose components, products, services, or support underpin critical business missions and whose disruption would negatively impact your business. To support this assessment, NIST offers free resources, including a methodology and a tool, that help businesses gauge the impact of individual suppliers on their organization.
  4. Understand the Organization’s Supply Chain – Establish real-time visibility into the production processes of your outsourced manufacturers to understand defect rates and causes and to ensure proper testing before shipment. Use software tools and other methods to provide visibility and transparency, to reduce the risk of tampering and counterfeiting, and to improve security and quality. In addition, obtain insight into how your suppliers vet their personnel, to whom they are outsourcing, and who has access to your company’s data.
  5. Closely Collaborate with Key Suppliers – Establish close relationships with your suppliers, up to and including creating shared ecosystems between acquirers and suppliers to increase coordination and simplify the management of complex shared supply chains. The sophistication and level of formality of acquirer-supplier relationships increase with the maturity of the C-SCRM practices.
  6. Include Key Suppliers in Resilience and Improvement Activities – Include critical suppliers, products, and assets in your firm’s contingency planning, incident response, and disaster recovery, whether the disruption comes from a cyber incident, geopolitical unrest, or a natural disaster. Test these plans with key suppliers to verify their readiness and the effectiveness of the plan. This ensures that critical procedures and protocols are established and well understood ahead of any significant event.
  7. Assess and Monitor Throughout the Supplier Relationship – Establish supplier-monitoring programs that cover the entire supplier relationship life cycle and monitor a variety of risks, including security, privacy, quality, financial, and geopolitical risks. Validate that suppliers are meeting cybersecurity and other key SLA requirements. Supplier assessment and monitoring mechanisms may include self-assessment, supplier attestation, third-party assessments, formal certifications, and site visits. Partner with other acquirers to establish shared assessments to reduce the burden on suppliers.
  8. Plan for the Full Life Cycle – Plan for unexpected interruptions to the supply chain caused by supplier product obsolescence or other supplier business changes. In the normal course of business, suppliers will stop supporting obsolete hardware and software, discontinue production of components, or change direction because of an acquisition or other management change. Options for managing this risk include purchasing reserves of critical components, establishing supply through approved resellers, or acquiring struggling component manufacturers.

NIST’s research, and the guidance that has resulted from it, have evolved in parallel with other federal efforts to raise supply chain security, from numerous provisions in the annual National Defense Authorization Act (NDAA) to the Cybersecurity Maturity Model Certification (CMMC) program at the Department of Defense (DoD). These efforts, together with the cybersecurity impacts of the COVID-19 pandemic response, will keep supply chain security among the most central issues in cybersecurity for the foreseeable future.