Digitalization has been a necessary step for many organizations to remain competitive in today's globalized world. This transformation spans all industries. It has led to the spread of digital products and services and subsequent digital management of supply chains. It also creates added complexity for companies, which must now monitor their entire supply chain ecosystem. Protecting oneself is no longer a sufficient risk management strategy, given the interdependencies at play; it requires taking a broader view, because any supplier could be a target of malicious cyber activity that will have a spillover effect across the supply chain. There are many examples of this occurring almost on a daily basis.
Given these challenges, in February 2021 the National Institute of Standards and Technology (NIST) released a report titled "Key Practices in Cyber Supply Chain Risk Management: Observations from Industry" (NISTIR 8276). The report discusses a NIST initiative called a Cyber Supply Chain Risk Management Program (C-SCRM). The overarching goal of the program is to address supply chain cybersecurity risks by promoting the implementation of a C-SCRM program by non-national security organizations in their respective supply chains.
What are the Eight Keys to C-SCRM?
The NIST report lists eight key practices (and further recognizes 24 key recommendations) that could be used by supply chain actors of any size, scope, or complexity to identify, communicate, and address cyber supply chain risks:
1. Integrate C-SCRM across the organization: Organizations should set up a supply chain risk council that includes executives from throughout their supply chains, in order to proactively review relevant risks and risk mitigation plans. Such councils should specify specific roles, structures, and processes to enable better collaboration in addressing supply chain, cybersecurity, product security, and physical security risks.
2. Establish a formal C-SCRM program: Organizations should, depending on their size and activities, establish a formal C-SCRM program that ensures organizational accountability for managing cyber supply chain risks. This program must establish a clear governance structure for the program, to address, for example, suppliers' access to an organization's data, capability, and infrastructure or establishment of approved suppliers' lists.
3. Know and manage critical components and suppliers: Organizations should identify critical suppliers by using appropriate criteria (e.g., the revenue contribution of suppliers, whether they process critical data, whether they could become an attack vector, etc.) and establish supplier requirements depending on their criticality. In particular, organizations should include enhanced security requirements in critical suppliers' contracts.
4. Understand the organization's supply chain: Organizations should create mechanisms to ensure real-time visibility into the production processes of outsourced manufacturers. This could be done through the use of software and hardware component inventory, and by auditing the origin of materials and products that are used by suppliers. To capture the causes of cybersecurity failures, organizations should also verify how their suppliers' vet their personnel, who they are outsourcing to, and who has access to the organizations' data.
5. Closely collaborate with key suppliers: Organizations should establish close relationships with their suppliers. To do so, organizations could mentor suppliers on C-SCRM and agree on common cybersecurity standards and solutions. The aim of such collaboration would be to achieve a uniform level of quality throughout the supply chain.
6. Include key suppliers in resilience and improvement activities: Organizations should ensure their resilience by adopting critical protocols and procedures ahead of any significant incident. To do so, organizations should include their critical suppliers in their contingency planning, and jointly develop and review incident response, business continuity, and disaster recovery plans.
7. Assess and monitor throughout the supplier relationship: It is not enough to assess a supplier at the beginning of the relationship. Organizations should set up a supplier-monitoring program that covers the entire supplier relationship life cycle. This program would help to monitor a variety of security, privacy, financial, and geopolitical risks. To assess their suppliers on a regular basis, organizations could use various mechanisms (e.g., self-assessment, supplier attestation, formal certification, site visits, cybersecurity rating solutions provided by a third-party, etc.).
Organizations might also use shared assessment (i.e., several organizations create a single assessment methodology and questionnaire that may be applied to a large number of suppliers), but those assessments must fit their own particular needs.
8. Plan for the full life cycle: To ensure business continuity, organizations should plan for unexpected interruptions to the supply chain. To manage this particular risk, organizations may purchase reserve quantities of critical components and establish relationships with approved resellers that are likely to stay in business. Organizations should also contemplate bringing ailing component manufacturers in-house.
Details of how the 24 Key Recommendations fit into the eight Key Practices can be found here. The report also maps the Key Recommendations and industry-specific resources in order to identify best practices depending on the industry they belong to.
How do the NIST Keys Fit with the EU Cyber Keychain?
In recently-published work – for example, on cybersecurity aspects of industry 4.0 and cybersecurity challenges of the Internet of Things in supply chains – the EU Agency for Cybersecurity (ENISA) issued principles-based recommendations that are very similar to the key practices and key recommendations promoted by NISTIR 8276.
In contrast with the US approach, however, the EU combines such guidance-type tools with sets of prescriptive rules, at least in sectors that fall within the scope of either the Critical Infrastructure directive or the Security of Network and Information Systems directive (NIS). Under such frameworks, major actors designated by member states in key sectors (e.g., energy, transport, water distribution, financial sector, health) need to comply with high threshold cybersecurity requirements. These requirements range from governance to incident preparation, as well as notification and response; further, those sets of rules affect, by contract, the entire supply chain, with entities in scope passing on the requirements to which they are subject across the supply chain ecosystem.
The EU is currently contemplating further extending the scope of the NIS with a December 2020 proposal that seeks to impose wider rules to more sectors (and within those sectors in scope, directly across the supply chain). Among the contemplated rules are new requirements for supply chain management and threat information sharing, as well as higher fines for non-compliance (up to 10 million, or 2% of worldwide turnover). This proposal is highly significant and should be watched closely on both sides of the Atlantic, along with other EU efforts to address cybersecurity resilience of supply chains by alternative mechanisms such as increased use of technical standards or certification mechanisms.