Managing the cybersecurity threats in your supply chain should be embedded into every part of your business. Every single vendor relationship, every third-party supplier from the front office to the far depths of your supply chain, can introduce a risk to your entire business.
To be clear, supply chain risk management (SCRM) and cyber supply chain risk management (C-SCRM) are not solely the responsibility of the IT department. Both are part of your business’s risk management framework, which is developed based on the level of risk tolerance you are comfortable with.
When we hear “supply chain” we think of physical components that have to be available at a certain time — materials to complete a construction project, for example.
The cyber supply chain works the same way, except without the physical parts. Instead of focusing on the logistics of delivering nuts and bolts at a specific time, the cyber supply chain focuses on business continuity by linking software applications and vendors together so you can get your job done.
NIST Best Practices for Cyber Supply Chain Risk Management
The National Institute of Standards and Technology (NIST) released a set of best practices for cyber supply chain risk management in 2016, and followed up with a newer paper, Key Practices in Cyber Supply Chain Management, in 2021.
NIST identifies eight supply chain risk management areas to consider when you develop a cyber supply chain risk management system (C-SCRM):
- Integrate C-SCRM across your organization.
- Establish a formal C-SCRM program that is evaluated and updated in real-time.
- Know your critical suppliers and how to manage them.
- Understand your organization’s supply chain.
- Collaborate with your key suppliers and incorporate them in your supplier risk management program.
- Include key suppliers in your resilience and improvement activities, for instance as part of your vendor risk assessment process.
- Constantly and vigorously provide continuous monitoring of your C-SCRM.
- Have a plan for all business operations, not just for what appears to be the most critical parts of your organization’s various functions.
Cyber Supply Chain Principles and Supply Chain Risks
NIST identifies three primary principles for successful C-SCRM:
- Develop your organizational defenses with “assume breach” in mind. Assuming a breach means that an organization approaches its cybersecurity posture by anticipating that all of its networks, systems, and applications are already compromised. Treating an internal network as if it’s as open as the internet readies the network for a variety of threats and compromises.
- Cybersecurity is a people, process, and technology problem. People, process, and technology are the triad of solving problems. Supply chain management also focuses on these three areas to enhance supply chain performance, make it more secure, and do more with less.
- Security is broad, and when one says “security” you must look at the entire landscape. There are multiple security domains that interact with each other in a variety of cybersecurity frameworks and best practices. A few examples are the NIST Cybersecurity Framework (CSF), Center for Internet Security (CIS) Controls, and the International Organization for Standardization (ISO) series.
To be efficient and flexible, your C-SCRM should follow the guidelines established by your third-party risk management program. That is especially important today where outsourcing is common. Always remember that your cyber supply chain risk management program is only as good as the data security provided by your least secure third- or fourth- party supplier.
Here are some of the risk areas to consider:
- Third-party Software-as-a-Service providers
- Subpar information security practices by vendors
- Hardware and software with compromised parts
- Security vulnerabilities in supplier systems
- Malware embedded into counterfeit hardware
- Third-party data storage with questionable security controls
The principles and risks apply to critical infrastructure, business processes, and intellectual property.
Cyber Supply Chain Risk Management Best Practices
An organization can employ a variety of best practices in its cyber supply chain risk management program. Best practices are not perfect, but they have shown over time an ability to identify and mitigate potential risks, and they include remediation practices to apply if you experience a data breach.
Here is a list of some of the best practices to keep in mind as you set to work on your cyber supply chain risk management program:
- Security requirements need to be defined in request for proposals (RFP). Use security questionnaires to hone in on the safety standards of your bidders and vendors, as part of your regular vendor risk management process.
- Supply chain vendors need to be assessed by an organization’s security team and vulnerabilities must be remediated before sharing information, data, or goods and services. Assign security ratings and limits depending on what you find.
- In the event that software or hardware is found to be counterfeit and if provided by a vendor, the vendor is immediately removed from consideration on future opportunities.
- Engineers must follow Secure Software Development Programs and keep up to date on training.
- Software updates need to be available to patch systems for vulnerabilities, and they must be downloaded and installed in real-time.
- Source code needs to be included when software is purchased for analysis.
- Secure boot is leveraged on endpoints to ensure authentication and authorization.
- Dedicate staff to supply chain cybersecurity activities.
- Tight access controls to service vendors are implemented and enforced.
- End of life hardware and software must include mitigating controls to address ongoing vulnerabilities.
Take Time to get to Know Your Vendors and Suppliers
NIST recommends a plethora of questions to ask suppliers, vendors, and third parties on C-SCRM. Vendors must have a vulnerability management program and notify its customers on how best to mitigate discovered vulnerabilities in its products, and how to assure security throughout the lifecycle of its product.
NIST recommends that questions also focus on the vendors’ cybersecurity framework and goes into detail about how configuration management is performed. Vendors and suppliers must show a secure distribution process and tightly controlled distribution channels, as well as a high service level with a complete mitigation plan in case a data breach does happen.
We Are All Part of the Global Supply Chain
Today, disruptions on the other side of the world can have a direct effect on our procurement and sourcing ability — leading to difficulties with business continuity and financial risk. Because the world is so interconnected and every business relies on outside organizations to stay in business, cyber supply chain risk management is important.
Holding vendors and service providers accountable by enforcing supply chain risk management practices is paramount not just to your own organization, but to a plethora of other stakeholders who deal with the same vendor around the world. Good supply chain security involves the entire business and all business units, not just the cybersecurity or IT departments.
C-SCRM is an integral part of an information technology program that addresses security in a holistic manner and keeps you ahead of the worst cybersecurity risks.
Discover the full power of ZenGRC!
ZenGRC lets you easily manage and monitor your cyber supply chain risk and compliance in a worry-free way. Our automated solution does much of the work so you don’t have to be on high alert 24-7. Instead, you can focus on your customers and your bottom line. To find out more, contact us for your free consultation today.